T1204.005 Google Chronicle · YARA-L

Detect Malicious Library in Google Chronicle

Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors upload malware to package registries such as NPM and PyPI, or backdoor existing popular libraries through supply chain compromise. Users install these libraries without realizing they are malicious, so the initial access step is carried out by the victim and perimeter controls never see a payload arrive. Execution occurs via install-time code in setup.py (Python), preinstall/postinstall lifecycle hooks in package.json (NPM/yarn), or malicious code embedded in library modules that runs on import. Common delivery vectors include typosquatting (e.g., 'reqeusts' vs 'requests'), dependency confusion, compromised maintainer accounts, and first-use namespace squatting. Threat actors including Contagious Interview have leveraged malicious NPM and Python packages published to public registries to deliver infostealers, remote access tools, and the BeaverTail/InvisibleFerret malware targeting software developers.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Sub-technique
T1204.005 Malicious Library
Canonical reference
https://attack.mitre.org/techniques/T1204/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule malicious_library_execution_t1204_005 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects malicious library execution via package manager install-time hooks spawning LOLBins, C2 callbacks from Python/Node on non-standard ports, and package runtimes dropping executables in sensitive paths. Covers supply chain compromise, typosquatting, and dependency confusion attacks (T1204.005)."
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1204.005"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1204/005/"

  events:
    // Branch 1: Package manager spawning suspicious child process
    (
      $branch1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($branch1.principal.process.file.full_path, `(?i)(pip\.exe|pip3\.exe|python\.exe|python3\.exe|node\.exe|npm\.cmd)$`)
        or re.regex($branch1.principal.process.command_line, `(?i)(pip install|pip3 install|npm install|npm ci|yarn add|setup\.py)`)
      )
      and re.regex($branch1.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msiexec\.exe|schtasks\.exe|at\.exe|sc\.exe|reg\.exe|net\.exe|netsh\.exe)$`)
    )
    or
    // Branch 2: Python/Node making C2 callback on non-standard port to public IP
    (
      $branch2.metadata.event_type = "NETWORK_CONNECTION"
      and re.regex($branch2.principal.process.file.full_path, `(?i)(python\.exe|python3\.exe|node\.exe)$`)
      and not net.ip_in_range_cidr($branch2.target.ip, "10.0.0.0/8")
      and not net.ip_in_range_cidr($branch2.target.ip, "172.16.0.0/12")
      and not net.ip_in_range_cidr($branch2.target.ip, "192.168.0.0/16")
      and not net.ip_in_range_cidr($branch2.target.ip, "127.0.0.0/8")
      and not re.regex($branch2.target.hostname, `(?i)(pypi\.org|pythonhosted\.org|npmjs\.com|github\.com|githubusercontent\.com|anaconda\.com|yarnpkg\.com|rubygems\.org|pkg\.go\.dev)$`)
      and $branch2.target.port != 80
      and $branch2.target.port != 443
      and $branch2.target.port != 8080
      and $branch2.target.port != 8443
    )
    or
    // Branch 3: Package runtime dropping executable or script in sensitive path
    (
      $branch3.metadata.event_type = "FILE_CREATION"
      and re.regex($branch3.principal.process.file.full_path, `(?i)(python\.exe|python3\.exe|node\.exe|pip\.exe|pip3\.exe)$`)
      and re.regex($branch3.target.file.full_path, `(?i)\.(exe|dll|bat|ps1|vbs|scr)$`)
      and re.regex($branch3.target.file.full_path, `(?i)(\\Startup\\|AppData\\Local\\Temp\\|Windows\\Temp\\|Windows\\System32\\|Windows\\SysWOW64\\|\\ProgramData\\)`)
    )

  condition:
    $branch1 or $branch2 or $branch3
}

Chronicle YARA-L 2.0 rule detecting T1204.005 Malicious Library execution across three behavioral branches using the UDM event model. Branch 1 correlates PROCESS_LAUNCH events where a package manager or install-time runtime (pip, npm, node, python) is the principal process and a Windows LOLBin is the target process, indicating setup.py or postinstall hook abuse. Branch 2 targets NETWORK_CONNECTION events from Python or Node to public non-RFC1918, non-loopback IPs on non-HTTP ports, excluding known-good package registries by hostname, a C2 beacon pattern consistent with BeaverTail/InvisibleFerret malware embedded in malicious packages. Branch 3 catches FILE_CREATION events where package runtimes write executable or script files to persistence-relevant directories. All three branches key on Windows image names (python.exe, node.exe, cmd.exe) and backslash paths, so the rule as written does not fire for Linux or macOS developer hosts.

Data Sources

  • Google Chronicle UDM (Unified Data Model)
  • Microsoft Defender for Endpoint via Chronicle connector
  • Sysmon logs ingested into Chronicle via Bindplane or Chronicle forwarder
  • CrowdStrike Falcon data ingested into Chronicle
  • Chronicle Windows Event Log parser

Required Tables

  • UDM events: PROCESS_LAUNCH
  • UDM events: NETWORK_CONNECTION
  • UDM events: FILE_CREATION

False Positives & Tuning

  • Packages that compile C extensions during installation (cryptography, numpy, pillow) invoke cl.exe, link.exe, cmake or ninja on Windows via setuptools. Branch 1's target list contains only LOLBins, so a compiler spawned directly by python.exe does not match; it matches when a build step is routed through cmd.exe or PowerShell (custom build commands, CMake-driven builds). Key the exclusion on $branch1.target.process.command_line containing cl.exe, link.exe, ninja.exe, cmake.exe or msbuild.exe rather than on the child image name.
  • On Windows, npm runs every lifecycle script through cmd.exe, so node.exe spawning cmd.exe fires for any package with an install script, benign or not, and node-gyp builds of native addons additionally invoke PowerShell. Triage on the child's command line, and scope exclusions to CI/CD service accounts or asset groups tagged as build infrastructure.
  • Python-based monitoring agents or observability tools that legitimately connect on non-standard telemetry ports (e.g., 4317 for OpenTelemetry gRPC, 8125 for StatsD) match Branch 2. Maintain an approved-ports reference list for known monitoring agents.
  • Branch 2 excludes only RFC 1918 and loopback ranges. Link-local (169.254.0.0/16) and carrier-grade NAT (100.64.0.0/10) destinations still match; add them if they occur in your environment. The registry hostname exclusion applies only when target.hostname is populated, so a connection logged with an IP alone passes that filter and is judged on port alone.
  • Packages that ship compiled extensions write .dll files into site-packages (numpy and scipy bundle OpenBLAS this way), and a system-wide Anaconda install places site-packages under C:\ProgramData\Anaconda3, which matches Branch 3's \ProgramData\ path. Exclude known site-packages paths from the directory match. Plain .pyc byte-code files do not match Branch 3's extension list and need no exclusion.
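To see how the three branches and the tuning items above behave on concrete telemetry, here is an added Python re-implementation of the rule's matching logic run over constructed UDM-style events. This is example code written for this page, not Chronicle's engine and not the rule itself; the regexes are copied from the rule, while the tuning knobs (build-tool command lines, approved agent ports, site-packages paths), the image paths and every event value are this example's assumptions. It shows the loopback callback from Test 3 and the Linux npm hook from Test 2 producing no hit, and the MSVC wrapper, telemetry port and OpenBLAS .dll cases being dropped only when tuning is switched on.

```python
# Added example: the rule's three branches plus the tuning exclusions, evaluated in
# Python over constructed UDM-style events. Not Chronicle code; values are assumptions.
import ipaddress
import re
from typing import Dict, List, Tuple

# Regexes copied from the rule's branches (RE2 syntax works unchanged in Python's re).
PKG_RUNTIME = re.compile(r"(?i)(pip\.exe|pip3\.exe|python\.exe|python3\.exe|node\.exe|npm\.cmd)$")
INSTALL_CMD = re.compile(r"(?i)(pip install|pip3 install|npm install|npm ci|yarn add|setup\.py)")
LOLBIN = re.compile(r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|rundll32\.exe|certutil\.exe"
                    r"|bitsadmin\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msiexec\.exe|schtasks\.exe"
                    r"|at\.exe|sc\.exe|reg\.exe|net\.exe|netsh\.exe)$")
NET_RUNTIME = re.compile(r"(?i)(python\.exe|python3\.exe|node\.exe)$")
REGISTRY_HOST = re.compile(r"(?i)(pypi\.org|pythonhosted\.org|npmjs\.com|github\.com|githubusercontent\.com"
                           r"|anaconda\.com|yarnpkg\.com|rubygems\.org|pkg\.go\.dev)$")
FILE_RUNTIME = re.compile(r"(?i)(python\.exe|python3\.exe|node\.exe|pip\.exe|pip3\.exe)$")
EXEC_EXT = re.compile(r"(?i)\.(exe|dll|bat|ps1|vbs|scr)$")
SENSITIVE_DIR = re.compile(r"(?i)(\\Startup\\|AppData\\Local\\Temp\\|Windows\\Temp\\|Windows\\System32\\"
                           r"|Windows\\SysWOW64\\|\\ProgramData\\)")
PRIVATE_NETS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EXCLUDED_PORTS = {80, 443, 8080, 8443}

# Tuning from the False Positives section; these concrete values are assumptions of this example.
BUILD_TOOL_CMD = re.compile(r"(?i)\b(cl|link|ninja|cmake|msbuild)\.exe\b")  # keyed on the child's command line
APPROVED_AGENT_PORTS = {4317, 8125}
SITE_PACKAGES = re.compile(r"(?i)\\site-packages\\")

# Constructed UDM-style events (not real Chronicle data) carrying only the fields the rule reads.
EVENTS: List[Dict] = [
    {"id": "e1", "event_type": "PROCESS_LAUNCH", "principal_path": r"C:\Python311\python.exe",
     "principal_cmd": r'python.exe -u -c "import setuptools" setup.py install',
     "target_path": r"C:\Windows\System32\cmd.exe", "target_cmd": "cmd.exe /c whoami"},
    {"id": "e2", "event_type": "PROCESS_LAUNCH", "principal_path": r"C:\Python311\python.exe",
     "principal_cmd": r'python.exe -u -c "import setuptools" setup.py bdist_wheel',
     "target_path": r"C:\Windows\System32\cmd.exe", "target_cmd": "cmd.exe /c cl.exe /nologo /O2 /c _openssl.c"},
    {"id": "e3", "event_type": "NETWORK_CONNECTION", "principal_path": r"C:\Python311\python.exe",
     "target_ip": "127.0.0.1", "target_port": 4444, "target_hostname": ""},      # Test 3 as described
    {"id": "e4", "event_type": "NETWORK_CONNECTION", "principal_path": r"C:\Python311\python.exe",
     "target_ip": "203.0.113.10", "target_port": 4444, "target_hostname": ""},   # same, non-loopback target
    {"id": "e5", "event_type": "NETWORK_CONNECTION", "principal_path": r"C:\Program Files\obs-agent\python.exe",
     "target_ip": "203.0.113.20", "target_port": 4317, "target_hostname": "otel-collector.example.net"},
    {"id": "e6", "event_type": "FILE_CREATION", "principal_path": r"C:\Python311\python.exe",
     "target_file": r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\df00tech_test_persistence.vbs"},
    {"id": "e7", "event_type": "FILE_CREATION", "principal_path": r"C:\ProgramData\Anaconda3\python.exe",
     "target_file": r"C:\ProgramData\Anaconda3\Lib\site-packages\numpy\.libs\libopenblas64_.dll"},
    {"id": "e8", "event_type": "PROCESS_LAUNCH", "principal_path": "/usr/bin/node",   # Test 2 on Linux
     "principal_cmd": "node /usr/lib/node_modules/npm/bin/npm-cli.js install", "target_path": "/bin/sh",
     "target_cmd": "sh -c id > /tmp/npm_postinstall_test.txt"},
]


def branch1(e: Dict, tuned: bool) -> bool:
    """Package runtime spawning a Windows LOLBin (re.regex is an unanchored search)."""
    if e["event_type"] != "PROCESS_LAUNCH":
        return False
    parent_ok = PKG_RUNTIME.search(e["principal_path"]) or INSTALL_CMD.search(e.get("principal_cmd", ""))
    if not (parent_ok and LOLBIN.search(e["target_path"])):
        return False  # POSIX paths such as /bin/sh never match this list
    return not (tuned and BUILD_TOOL_CMD.search(e.get("target_cmd", "")))


def branch2(e: Dict, tuned: bool) -> bool:
    """Python/Node callback to a non-private IP on a non-HTTP port, registries excluded by hostname."""
    if e["event_type"] != "NETWORK_CONNECTION" or not NET_RUNTIME.search(e["principal_path"]):
        return False
    ip = ipaddress.ip_address(e["target_ip"])
    if any(ip in net for net in PRIVATE_NETS):
        return False  # 127.0.0.0/8 is in the list, so a loopback test target cannot fire this branch
    if REGISTRY_HOST.search(e.get("target_hostname", "")) or e["target_port"] in EXCLUDED_PORTS:
        return False
    return not (tuned and e["target_port"] in APPROVED_AGENT_PORTS)


def branch3(e: Dict, tuned: bool) -> bool:
    """Package runtime writing an executable or script into a persistence-relevant directory."""
    if e["event_type"] != "FILE_CREATION":
        return False
    path = e["target_file"]
    if not (FILE_RUNTIME.search(e["principal_path"]) and EXEC_EXT.search(path) and SENSITIVE_DIR.search(path)):
        return False
    return not (tuned and SITE_PACKAGES.search(path))


def evaluate(events: List[Dict], tuned: bool = False) -> List[Tuple[str, str]]:
    """Return (event id, branch) for every event that would satisfy the rule's condition."""
    hits = []
    for e in events:
        for name, fn in (("branch1", branch1), ("branch2", branch2), ("branch3", branch3)):
            if fn(e, tuned):
                hits.append((e["id"], name))
    return hits
```

Running evaluate(EVENTS) untuned flags e1, e2, e4, e5, e6 and e7; with tuned=True only e1, e4 and e6 remain, which are the three true positives. e3 and e8 never fire, which is why Tests 2 and 3 as described validate telemetry collection rather than the rule itself.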

Testing Methodology

Validate this detection against the five Atomic Red Team tests below. Each test lists the behaviour to exercise, the telemetry you should expect to see, and which branch of the rule it exercises. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Malicious Python Package via Local pip install (setup.py subprocess spawn)

    Expected signal: Sysmon Event ID 1 (Process Create) with ParentImage=python.exe (the pip runner), Image=cmd.exe and CommandLine containing 'whoami'. DeviceProcessEvents: InitiatingProcessFileName=python.exe with CommandLine containing 'setup.py', FileName=cmd.exe. The process tree is pip.exe -> python.exe -> cmd.exe. This exercises Branch 1.

  2. Test 2: Malicious NPM Package with Postinstall Hook (Linux/macOS)

    Expected signal: Sysmon for Linux or auditd: process creation with parent=node (npm runner), child=sh, CommandLine containing 'id > /tmp/npm_postinstall_test.txt'. If Sysmon for Linux is deployed: EventID=1, ParentImage path contains node, Image=/bin/sh. Linux audit log: execve syscall with a node parent process. Note that Branch 1 matches only Windows image names (node.exe as principal, cmd.exe and the other LOLBins as target), so this test validates telemetry collection on Linux/macOS but does not fire the rule as written; run the Windows variant, or a POSIX-path copy of Branch 1, to test the rule itself.

  3. Test 3: Python Library C2 Callback Simulation (Non-Standard Port)

    Expected signal: Sysmon Event ID 3 (Network Connection) with Image=python.exe, DestinationIp=127.0.0.1, DestinationPort=4444. DeviceNetworkEvents: InitiatingProcessFileName=python.exe, RemotePort=4444. The connection fails with ECONNREFUSED but the outbound attempt is still logged. Because Branch 2 excludes 127.0.0.0/8, a loopback destination produces the telemetry but does not fire the rule; point the callback at a lab listener outside the excluded ranges to exercise Branch 2.

  4. Test 4: Malicious Python Library Dropping Persistence Script to Startup Folder

    Expected signal: Sysmon Event ID 11 (File Create) with Image=python.exe, TargetFilename=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\df00tech_test_persistence.vbs. DeviceFileEvents: InitiatingProcessFileName=python.exe, FileName=df00tech_test_persistence.vbs, FolderPath contains Startup. This exercises Branch 3 through the \Startup\ directory and .vbs extension match.

  5. Test 5: Simulated Typosquat Package Python Credential Harvester

    Expected signal: Sysmon Event ID 15 (FileCreateStreamHash), or Event ID 11 if a file is created. DeviceFileEvents: InitiatingProcessFileName=python.exe accessing FolderPath containing 'Google\Chrome\User Data'. None of the three branches cover reads of a browser credential store; this test fires the hunting query for credential store access.
