T1204.005 Sumo Logic CSE · Sumo

Detect Malicious Library in Sumo Logic CSE

Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors upload malware to package managers such as NPM and PyPI, or backdoor existing popular libraries through supply chain compromise. Users install these libraries without realizing they are malicious, bypassing initial access controls. Execution occurs via setup.py install-time scripts (Python), postinstall/preinstall lifecycle hooks (NPM/yarn), or malicious code embedded in library modules that executes on import. Common delivery vectors include typosquatting (e.g., 'reqeusts' vs 'requests'), dependency confusion attacks, compromised maintainer accounts, and first-use namespace squatting. Threat actors including Contagious Interview have leveraged malicious NPM and Python packages published to public registries to deliver infostealers, remote access tools, and BeaverTail/InvisibleFerret malware targeting software developers.

MITRE ATT&CK

Tactic
Execution
Technique
T1204 User Execution
Sub-technique
T1204.005 Malicious Library
Canonical reference
https://attack.mitre.org/techniques/T1204/005/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```sql
// Branch 1: Package manager spawning suspicious child processes
(_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*")
| where EventID = 1
| parse "<ParentImage><![CDATA[*]]></ParentImage>" as ParentImage nodrop
| parse "<ParentCommandLine><![CDATA[*]]></ParentCommandLine>" as ParentCommandLine nodrop
| parse "<Image><![CDATA[*]]></Image>" as ChildImage nodrop
| parse "<CommandLine><![CDATA[*]]></CommandLine>" as ChildCommandLine nodrop
| parse "<User><![CDATA[*]]></User>" as Username nodrop
| where (
    ParentImage matches "*\\pip.exe" OR ParentImage matches "*\\pip3.exe" OR
    ParentImage matches "*\\python.exe" OR ParentImage matches "*\\python3.exe" OR
    ParentImage matches "*\\node.exe" OR ParentImage matches "*\\npm.cmd" OR
    ParentCommandLine matches "*pip install*" OR ParentCommandLine matches "*pip3 install*" OR
    ParentCommandLine matches "*npm install*" OR ParentCommandLine matches "*npm ci*" OR
    ParentCommandLine matches "*yarn add*" OR ParentCommandLine matches "*setup.py*"
  )
| where (
    ChildImage matches "*\\cmd.exe" OR ChildImage matches "*\\powershell.exe" OR
    ChildImage matches "*\\pwsh.exe" OR ChildImage matches "*\\mshta.exe" OR
    ChildImage matches "*\\rundll32.exe" OR ChildImage matches "*\\certutil.exe" OR
    ChildImage matches "*\\bitsadmin.exe" OR ChildImage matches "*\\wscript.exe" OR
    ChildImage matches "*\\cscript.exe" OR ChildImage matches "*\\regsvr32.exe" OR
    ChildImage matches "*\\msiexec.exe" OR ChildImage matches "*\\schtasks.exe" OR
    ChildImage matches "*\\sc.exe" OR ChildImage matches "*\\reg.exe"
  )
| "PackageInstallSpawnedSuspiciousProcess" as DetectionBranch
| fields _messageTime, _sourceHost, Username, ChildImage, ChildCommandLine, ParentImage, ParentCommandLine, DetectionBranch

// Branch 2: Python/Node C2 callback on non-standard ports
| union [
  (_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*")
  | where EventID = 3
  | parse "<Image><![CDATA[*]]></Image>" as Image nodrop
  | parse "<DestinationIp>*</DestinationIp>" as DestIP nodrop
  | parse "<DestinationPort>*</DestinationPort>" as DestPort nodrop
  | parse "<DestinationHostname>*</DestinationHostname>" as DestHost nodrop
  | parse "<CommandLine><![CDATA[*]]></CommandLine>" as CommandLine nodrop
  | parse "<User><![CDATA[*]]></User>" as Username nodrop
  | where Image matches "*\\python.exe" OR Image matches "*\\python3.exe" OR Image matches "*\\node.exe"
  | where num(DestPort) != 80 AND num(DestPort) != 443 AND num(DestPort) != 8080 AND num(DestPort) != 8443
  // Exclude RFC1918 and loopback destinations
  | where !(DestIP matches "10.*" OR DestIP matches "172.1[6-9].*" OR DestIP matches "172.2[0-9].*" OR DestIP matches "172.3[0-1].*" OR DestIP matches "192.168.*" OR DestIP matches "127.*")
  // Exclude the package registries and code hosts an install legitimately contacts
  | where !(DestHost matches "*pypi.org" OR DestHost matches "*pythonhosted.org" OR DestHost matches "*npmjs.com" OR DestHost matches "*github.com" OR DestHost matches "*githubusercontent.com" OR DestHost matches "*anaconda.com" OR DestHost matches "*yarnpkg.com")
  | "MaliciousLibraryC2Callback" as DetectionBranch
  | concat(DestIP, ":", DestPort) as NetworkDest
  // Rename before `fields`: the fields operator selects columns, it does not alias them
  | Image as ChildImage
  | CommandLine as ChildCommandLine
  | fields _messageTime, _sourceHost, Username, ChildImage, ChildCommandLine, NetworkDest, DetectionBranch
]

// Branch 3: Package installer dropping executable/script into sensitive locations
| union [
  (_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*")
  | where EventID = 11
  | parse "<Image><![CDATA[*]]></Image>" as Image nodrop
  | parse "<TargetFilename><![CDATA[*]]></TargetFilename>" as DroppedFile nodrop
  | parse "<CommandLine><![CDATA[*]]></CommandLine>" as CommandLine nodrop
  | parse "<User><![CDATA[*]]></User>" as Username nodrop
  | where Image matches "*\\python.exe" OR Image matches "*\\python3.exe" OR Image matches "*\\node.exe" OR Image matches "*\\pip.exe" OR Image matches "*\\pip3.exe"
  | where DroppedFile matches "*.exe" OR DroppedFile matches "*.dll" OR DroppedFile matches "*.bat" OR DroppedFile matches "*.ps1" OR DroppedFile matches "*.vbs" OR DroppedFile matches "*.scr"
  | where DroppedFile matches "*\\Startup\\*" OR DroppedFile matches "*AppData\\Local\\Temp\\*" OR DroppedFile matches "*Windows\\Temp\\*" OR DroppedFile matches "*System32\\*" OR DroppedFile matches "*SysWOW64\\*" OR DroppedFile matches "*\\ProgramData\\*"
  | "PackageInstallerDroppedExecutable" as DetectionBranch
  | Image as ChildImage
  | CommandLine as ChildCommandLine
  | fields _messageTime, _sourceHost, Username, ChildImage, ChildCommandLine, DroppedFile, DetectionBranch
]

// Aggregate first, then order: _messageTime no longer exists after `count by`, so sort on the count
| count by _sourceHost, Username, ChildImage, DetectionBranch
| sort by _count desc
```

Severity: High. Confidence: High.

Three-branch Sumo Logic CSE detection for T1204.005 Malicious Library execution using Sysmon operational logs. Parses Sysmon XML events to identify: (1) package manager processes (pip, npm, yarn, node) spawning Windows native LOLBins as child processes during install-time hook execution; (2) Python or Node processes establishing outbound network connections on non-standard ports to untrusted public endpoints indicating C2 embedded in malicious library code; (3) package runtime processes writing executable or script files to startup folders, system directories, or temp paths indicating dropper behavior. Covers supply chain attacks, typosquatting, and dependency confusion vectors.
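As an added worked example (not the page's or Sumo Logic's own code), the same three branches applied in Python to Sysmon events rendered the way the query's parse statements expect (CDATA-wrapped process fields, plain network fields). The sample events, paths and addresses are constructed; the allowlists are copied from the query.

```python
import re
from ipaddress import ip_address, ip_network

# Lists mirror the three branches of the Sumo query on this page (added example, not the page's own code).
PKG_PARENTS = {"pip.exe", "pip3.exe", "python.exe", "python3.exe", "node.exe", "npm.cmd"}
INSTALL_CMDS = ("pip install", "pip3 install", "npm install", "npm ci", "yarn add", "setup.py")
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
           "wscript.exe", "cscript.exe", "regsvr32.exe", "msiexec.exe", "schtasks.exe", "sc.exe", "reg.exe"}
RUNTIMES = {"python.exe", "python3.exe", "node.exe"}
REGISTRY_HOSTS = ("pypi.org", "pythonhosted.org", "npmjs.com", "github.com", "githubusercontent.com", "anaconda.com", "yarnpkg.com")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
DROP_EXTS = (".exe", ".dll", ".bat", ".ps1", ".vbs", ".scr")
DROP_DIRS = ("\\startup\\", "appdata\\local\\temp\\", "windows\\temp\\", "system32\\", "syswow64\\", "\\programdata\\")

def field(xml, name):  # one element's text, with or without the CDATA wrapper the query's parse statements expect
    m = re.search(rf"<{name}>(?:<!\[CDATA\[)?(.*?)(?:\]\]>)?</{name}>", xml, re.S)
    return m.group(1) if m else ""

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(xml):
    """Return the DetectionBranch the query would assign to one Sysmon event, or None if it is benign."""
    eid, image = field(xml, "EventID"), basename(field(xml, "Image"))
    if eid == "1":  # Branch 1: package manager (or an install command line) spawning a LOLBin
        parent, pcmd = basename(field(xml, "ParentImage")), field(xml, "ParentCommandLine").lower()
        if (parent in PKG_PARENTS or any(c in pcmd for c in INSTALL_CMDS)) and image in LOLBINS:
            return "PackageInstallSpawnedSuspiciousProcess"
    elif eid == "3":  # Branch 2: runtime reaching a public, non-registry host on a non-web port
        ip, host = field(xml, "DestinationIp"), field(xml, "DestinationHostname").lower()
        if (image in RUNTIMES and int(field(xml, "DestinationPort") or 0) not in {80, 443, 8080, 8443}
                and not any(ip_address(ip) in n for n in INTERNAL_NETS) and not host.endswith(REGISTRY_HOSTS)):
            return "MaliciousLibraryC2Callback"
    elif eid == "11":  # Branch 3: runtime or installer writing an executable into a sensitive directory
        target = field(xml, "TargetFilename").lower()
        if (image in RUNTIMES | {"pip.exe", "pip3.exe"} and target.endswith(DROP_EXTS)
                and any(d in target for d in DROP_DIRS)):
            return "PackageInstallerDroppedExecutable"
    return None

# Constructed sample events (not real telemetry); only the fourth, a pip download over 443, should be benign.
SAMPLES = [
    "<EventID>1</EventID><ParentImage><![CDATA[C:\\Python312\\python.exe]]></ParentImage><ParentCommandLine>"
    "<![CDATA[python.exe -m pip install reqeusts]]></ParentCommandLine><Image><![CDATA[C:\\Windows\\System32\\cmd.exe]]></Image>",
    "<EventID>3</EventID><Image><![CDATA[C:\\Python312\\python.exe]]></Image><DestinationIp>203.0.113.10</DestinationIp><DestinationPort>4444</DestinationPort>",
    "<EventID>11</EventID><Image><![CDATA[C:\\Python312\\python.exe]]></Image><TargetFilename><![CDATA[C:\\Users\\dev1"
    "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs]]></TargetFilename>",
    "<EventID>3</EventID><Image><![CDATA[C:\\Python312\\python.exe]]></Image><DestinationIp>203.0.113.20</DestinationIp><DestinationPort>443</DestinationPort><DestinationHostname>files.pythonhosted.org</DestinationHostname>",
]
HITS = [(i, classify(e)) for i, e in enumerate(SAMPLES) if classify(e)]
```

Exclusions from the False Positives section (compiler images, known vendor destinations, service accounts) would be added as extra checks in the matching branch, just as they would be added as `where` clauses in the query.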

Data Sources

  • Sumo Logic Installed Collector with Windows Event Log Source for Sysmon
  • Sumo Logic Cloud-to-Cloud Source (if forwarding via SIEM aggregator)
  • Windows Sysmon operational log (Microsoft-Windows-Sysmon/Operational)

Required Tables

  • Sysmon EventID 1 (Process Create) — _sourceCategory windows/sysmon
  • Sysmon EventID 3 (Network Connect) — _sourceCategory windows/sysmon
  • Sysmon EventID 11 (File Create) — _sourceCategory windows/sysmon

False Positives & Tuning

  • Legitimate packages with native extension build requirements (numpy, lxml, psycopg2-binary) frequently invoke cmd.exe or cl.exe via setup.py during installation, especially in developer environments without pre-built wheels. Suppress by adding a filter for known compiler image paths (cl.exe, link.exe, ninja).
  • Node.js serverless frameworks or desktop apps (Electron-based tools like VS Code extensions) may establish connections to non-standard port APIs during postinstall telemetry or license checks. Whitelist specific application hashes or destination IP ranges for known vendors.
  • Python deployment automation using Fabric or Invoke that explicitly shells out to PowerShell for Windows host provisioning tasks may trigger Branch 1. Tune by creating an allowlist based on specific ServiceAccount usernames performing these operations.
  • Security tooling written in Python (vulnerability scanners, pen-test frameworks) legitimately making unusual outbound connections. Correlate with device type (security scanner) before escalating.
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Malicious Python Package via Local pip install (setup.py subprocess spawn)

    Expected signal: Sysmon Event ID 1: Process Create with ParentImage=python.exe (pip runner), Image=cmd.exe, CommandLine containing 'whoami'. DeviceProcessEvents: InitiatingProcessFileName=python.exe with CommandLine containing 'setup.py', FileName=cmd.exe. The process tree root will be pip.exe -> python.exe -> cmd.exe.

  2. Test 2: Malicious NPM Package with Postinstall Hook (Linux/macOS)

    Expected signal: Sysmon for Linux or auditd: process creation with parent=node (npm runner), child=sh, CommandLine containing 'id > /tmp/npm_postinstall_test.txt'. If Sysmon for Linux is deployed: EventID=1, ParentImage path contains node, Image=/bin/sh. Linux audit log: execve syscall with parent node process.

  3. Test 3: Python Library C2 Callback Simulation (Non-Standard Port)

    Expected signal: Sysmon Event ID 3: Network Connection with Image=python.exe, DestinationIp=127.0.0.1, DestinationPort=4444. DeviceNetworkEvents: InitiatingProcessFileName=python.exe, RemotePort=4444. The connection will fail with ECONNREFUSED but the outbound attempt is still logged.

  4. Test 4: Malicious Python Library Dropping Persistence Script to Startup Folder

    Expected signal: Sysmon Event ID 11: File Create with Image=python.exe, TargetFilename=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\df00tech_test_persistence.vbs. DeviceFileEvents: InitiatingProcessFileName=python.exe, FileName=df00tech_test_persistence.vbs, FolderPath contains Startup.

  5. Test 5: Simulated Typosquat Package Python Credential Harvester

    Expected signal: Sysmon Event ID 15 (FileCreateStreamHash) or Event ID 11 if file is created. DeviceFileEvents: InitiatingProcessFileName=python.exe accessing FolderPath containing 'Google\Chrome\User Data'. This also fires the hunting query for credential store access.
