Detect Malicious Library in CrowdStrike LogScale
Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors upload malware to package managers such as NPM and PyPI, or backdoor existing popular libraries through supply chain compromise. Users install these libraries without realizing they are malicious, bypassing initial access controls. Execution occurs via setup.py install-time scripts (Python), postinstall/preinstall lifecycle hooks (NPM/yarn), or malicious code embedded in library modules that executes on import. Common delivery vectors include typosquatting (e.g., 'reqeusts' vs 'requests'), dependency confusion attacks, compromised maintainer accounts, and first-use namespace squatting. Threat actors including Contagious Interview have leveraged malicious NPM and Python packages published to public registries to deliver infostealers, remote access tools, and BeaverTail/InvisibleFerret malware targeting software developers.
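The install-time hooks and typosquatting vectors described above can be triaged before a package is ever installed. The Python below is an added example, not code from the original page or from any vendor tooling; the POPULAR allowlist, the sample npm manifest and the setup.py skeleton are constructed for illustration (a real deployment would load the top-N package names from each registry).

```python
import ast
import json

# Constructed allowlist of popular names a typosquat imitates; a real deployment would load
# the top-N names from each registry (assumption, not from the original page).
POPULAR = {"requests", "numpy", "urllib3", "lodash", "express", "chalk"}
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
RISKY_MODULES = {"subprocess", "socket", "base64", "urllib"}

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: a transposition (reqeusts/requests) costs one edit."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def typosquat_candidates(name: str, max_dist: int = 2) -> list[str]:
    """Popular names within max_dist edits of name (an exact match is the genuine package)."""
    return sorted(p for p in POPULAR if p != name and edit_distance(name, p) <= max_dist)

def npm_install_hooks(package_json: str) -> dict[str, str]:
    """Lifecycle scripts that npm/yarn run automatically during install."""
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in NPM_HOOKS}

def setup_py_findings(source: str) -> list[str]:
    """Static scan of setup.py: risky imports and a cmdclass override (custom install command)."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            findings += [f"import {a.name}" for a in node.names if a.name.split(".")[0] in RISKY_MODULES]
        elif isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] in RISKY_MODULES:
            findings.append(f"from {node.module} import ...")
        elif isinstance(node, ast.keyword) and node.arg == "cmdclass":
            findings.append("cmdclass override: custom command runs at pip install time")
    return findings

# Constructed samples: a typosquatted npm manifest with a postinstall hook, and a setup.py
# skeleton that overrides the install command (no payload, only the shape a scanner flags).
PKG_JSON = '{"name": "lodahs", "scripts": {"postinstall": "node setup.js", "test": "jest"}}'
SETUP_PY = """from setuptools import setup
from setuptools.command.install import install
import subprocess
setup(name="reqeusts", cmdclass={"install": install})
"""
```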
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1204 User Execution
- Sub-technique
- T1204.005 Malicious Library
- Canonical reference
- https://attack.mitre.org/techniques/T1204/005/
LogScale Detection Query
// Single LogScale CQL query. CQL has no union operator, so the three branches are
// written as alternatives of one case block over the relevant Falcon event types.
#event_simpleName=/^(ProcessRollup2|NetworkConnectIP4|PeFileWritten|ScriptFileWritten)$/
| case {
    // Branch 1: Package manager spawning suspicious Windows LOLBins (install-time hook abuse)
    #event_simpleName=ProcessRollup2
    | (ParentBaseFileName = /^(pip\.exe|pip3\.exe|python\.exe|python3\.exe|node\.exe|npm\.cmd)$/i
       OR ParentCommandLine = /pip\s+install|pip3\s+install|npm\s+install|npm\s+ci|yarn\s+add|setup\.py/i)
    | FileName = /^(cmd\.exe|powershell\.exe|pwsh\.exe|mshta\.exe|rundll32\.exe|certutil\.exe|bitsadmin\.exe|wscript\.exe|cscript\.exe|regsvr32\.exe|msiexec\.exe|schtasks\.exe|at\.exe|sc\.exe|reg\.exe|net\.exe|netsh\.exe)$/i
    | DetectionBranch := "PackageInstallSpawnedSuspiciousProcess";

    // Branch 2: Python/Node C2 callback on non-standard ports to public IPs
    #event_simpleName=NetworkConnectIP4
    | ImageFileName = /\\(python\.exe|python3\.exe|node\.exe)$/i
    | RemotePort != 80 AND RemotePort != 443 AND RemotePort != 8080 AND RemotePort != 8443
    | !cidr(RemoteIP, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
    // NetworkConnectIP4 records an IP address, so a hostname regex on RemoteIP can never match.
    // Exclude registry/CDN infrastructure (pypi.org, files.pythonhosted.org, npmjs.com, registry.npmjs.org,
    // github.com, raw.githubusercontent.com, yarnpkg.com, anaconda.com) by IP, e.g. via a lookup file,
    // or correlate with DnsRequest events.
    | DetectionBranch := "MaliciousLibraryC2Callback"
    | concat([RemoteIP, ":", RemotePort], as=NetworkDest);

    // Branch 3: Package runtime dropping executable/script in sensitive filesystem locations
    (#event_simpleName=PeFileWritten OR #event_simpleName=ScriptFileWritten)
    | ImageFileName = /\\(python\.exe|python3\.exe|node\.exe|pip\.exe|pip3\.exe)$/i
    | TargetFileName = /\.(exe|dll|bat|ps1|vbs|scr)$/i
    | TargetFileName = /\\(Startup\\|AppData\\Local\\Temp\\|Windows\\Temp\\|System32\\|SysWOW64\\|ProgramData\\)/i
    | DetectionBranch := "PackageInstallerDroppedExecutable"
  }
| DetectionBranch = *
| table([timestamp, ComputerName, UserName, DetectionBranch, ImageFileName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, NetworkDest, TargetFileName])
| sort(timestamp, order=desc)
Three-branch CrowdStrike LogScale CQL detection for T1204.005 using Falcon endpoint telemetry. Branch 1 uses ProcessRollup2 events to detect package manager parents (pip, npm, node, python) spawning Windows LOLBins, a signature of malicious setup.py install-time scripts or NPM postinstall/preinstall hook abuse (as used by Contagious Interview BeaverTail campaigns). Branch 2 uses NetworkConnectIP4 events to identify Python or Node processes beaconing to public IPs on non-standard ports after library import; known-safe package registry infrastructure must be excluded by IP, since the event carries no hostname. Branch 3 uses PeFileWritten and ScriptFileWritten events to catch package runtimes dropping PE or script payloads into persistence-relevant paths (Startup, System32, SysWOW64, ProgramData, Temp directories).
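To unit-test the branch logic without a LogScale instance, here is an added Python replay of Branch 1 and Branch 2 over constructed Falcon-style events; this is example code, not part of the original page or of Falcon. The REGISTRY_IPS allowlist is an assumption standing in for registry addresses resolved from DnsRequest events, and Branch 3 is omitted.

```python
import ipaddress
import re

PKG_PARENT = re.compile(r"^(pip\.exe|pip3\.exe|python\.exe|python3\.exe|node\.exe|npm\.cmd)$", re.I)
INSTALL_CMD = re.compile(r"pip\s+install|pip3\s+install|npm\s+install|npm\s+ci|yarn\s+add|setup\.py", re.I)
LOLBIN = re.compile(r"^(cmd|powershell|pwsh|mshta|rundll32|certutil|bitsadmin|wscript|cscript|regsvr32"
                    r"|msiexec|schtasks|at|sc|reg|net|netsh)\.exe$", re.I)
RUNTIME = re.compile(r"\\(python\.exe|python3\.exe|node\.exe)$", re.I)
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
COMMON_PORTS = {80, 443, 8080, 8443}
# Constructed allowlist standing in for registry/CDN addresses resolved from DnsRequest events
# (NetworkConnectIP4 carries only IPs, so the exclusion is keyed on addresses, not hostnames).
REGISTRY_IPS = {"198.51.100.10"}

def branch1(ev: dict) -> bool:
    """Package manager parent (by name or install command line) spawning a Windows LOLBin."""
    if ev["event"] != "ProcessRollup2":
        return False
    parent_ok = PKG_PARENT.match(ev.get("ParentBaseFileName", "")) or INSTALL_CMD.search(ev.get("ParentCommandLine", ""))
    return bool(parent_ok and LOLBIN.match(ev.get("FileName", "")))

def branch2(ev: dict) -> bool:
    """Python/Node runtime connecting to a public, non-allowlisted IP on a non-standard port."""
    if ev["event"] != "NetworkConnectIP4" or not RUNTIME.search(ev.get("ImageFileName", "")):
        return False
    ip = ipaddress.ip_address(ev["RemoteIP"])
    if ev["RemotePort"] in COMMON_PORTS or any(ip in net for net in PRIVATE):
        return False
    return ev["RemoteIP"] not in REGISTRY_IPS

def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Returns (event id, DetectionBranch) for every event that trips a branch."""
    hits = []
    for ev in events:
        if branch1(ev):
            hits.append((ev["id"], "PackageInstallSpawnedSuspiciousProcess"))
        elif branch2(ev):
            hits.append((ev["id"], "MaliciousLibraryC2Callback"))
    return hits

# Constructed events (not real telemetry): e2 is the native-compile case from the tuning notes
# (cl.exe is not in the LOLBin list); e4/e5/e6 exercise the port, private-range and allowlist exclusions.
SAMPLE_EVENTS = [
    {"id": "e1", "event": "ProcessRollup2", "ParentBaseFileName": "npm.cmd", "ParentCommandLine": "npm install", "FileName": "powershell.exe"},
    {"id": "e2", "event": "ProcessRollup2", "ParentBaseFileName": "python.exe", "ParentCommandLine": "python setup.py install", "FileName": "cl.exe"},
    {"id": "e3", "event": "NetworkConnectIP4", "ImageFileName": "C:\\Python311\\python.exe", "RemoteIP": "203.0.113.5", "RemotePort": 4444},
    {"id": "e4", "event": "NetworkConnectIP4", "ImageFileName": "C:\\Python311\\python.exe", "RemoteIP": "203.0.113.5", "RemotePort": 443},
    {"id": "e5", "event": "NetworkConnectIP4", "ImageFileName": "C:\\Program Files\\nodejs\\node.exe", "RemoteIP": "10.1.2.3", "RemotePort": 4444},
    {"id": "e6", "event": "NetworkConnectIP4", "ImageFileName": "C:\\Program Files\\nodejs\\node.exe", "RemoteIP": "198.51.100.10", "RemotePort": 4873},
]
```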
False Positives & Tuning
- Native Python extension compilation via pip (e.g., installing cryptography, numpy, or psutil with no pre-built wheel) will invoke cl.exe or link.exe on Windows, generating Branch 1 hits. Tune by excluding known compiler binaries from FileName matches or by allowlisting build machine sensor groups.
- Node.js applications using node-gyp for native module compilation will spawn cmd.exe during npm install/rebuild operations. These are especially common in development environments with C++ addon dependencies. Suppress by device group or user directory context.
- Legitimate Python-based administrative tools (Ansible-pull, SaltStack Minion, Puppet agent running Python scripts) that write configuration scripts (ps1, bat) as part of normal operation will match Branch 3. Create an exclusion based on known service account SIDs or process hash allowlisting in Falcon's Custom IOA rules.
- Security testing and red team tooling written in Python (Impacket, Metasploit Python stagers, BloodHound collection scripts) may make intentional non-standard port connections during authorized pen-test windows. Cross-reference with change management data or scheduled maintenance windows before alerting.
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Malicious Python Package via Local pip install (setup.py subprocess spawn)
Expected signal: Sysmon Event ID 1: Process Create with ParentImage=python.exe (pip runner), Image=cmd.exe, CommandLine containing 'whoami'. DeviceProcessEvents: InitiatingProcessFileName=python.exe with CommandLine containing 'setup.py', FileName=cmd.exe. The process tree root will be pip.exe -> python.exe -> cmd.exe.
- Test 2: Malicious NPM Package with Postinstall Hook (Linux/macOS)
Expected signal: Sysmon for Linux or auditd: process creation with parent=node (npm runner), child=sh, CommandLine containing 'id > /tmp/npm_postinstall_test.txt'. If Sysmon for Linux is deployed: EventID=1, ParentImage path contains node, Image=/bin/sh. Linux audit log: execve syscall with parent node process.
- Test 3: Python Library C2 Callback Simulation (Non-Standard Port)
Expected signal: Sysmon Event ID 3: Network Connection with Image=python.exe, DestinationIp=127.0.0.1, DestinationPort=4444. DeviceNetworkEvents: InitiatingProcessFileName=python.exe, RemotePort=4444. The connection will fail with ECONNREFUSED but the outbound attempt is still logged.
- Test 4: Malicious Python Library Dropping Persistence Script to Startup Folder
Expected signal: Sysmon Event ID 11: File Create with Image=python.exe, TargetFilename=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\df00tech_test_persistence.vbs. DeviceFileEvents: InitiatingProcessFileName=python.exe, FileName=df00tech_test_persistence.vbs, FolderPath contains Startup.
- Test 5: Simulated Typosquat Package Python Credential Harvester
Expected signal: Sysmon Event ID 15 (FileCreateStreamHash) or Event ID 11 if the file is created. DeviceFileEvents: InitiatingProcessFileName=python.exe accessing FolderPath containing 'Google\Chrome\User Data'. This also fires the hunting query for credential store access.