title: Compromise Software Supply Chain (T1195.002)
id: df00tech-t1195-002
status: experimental
description: "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Real-world examples include SUNSPOT injecting SUNBURST into SolarWinds Orion builds, CCBkdr backdooring CCleaner 5.33, and Sandworm replacing M.E.Doc updates with NotPetya. Detection focuses on post-installation behavioral anomalies: legitimate software exhibiting unexpected child process execution, unusual outbound connectivity, suspicious DLL loading, and credential access patterns that should never originate from trusted update mechanisms."
references:
  - https://attack.mitre.org/techniques/T1195/002/
  - https://df00tech.com/detections/T1195.002
author: df00tech
date: 2026/04/18
tags:
  - attack.t1195.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate software updaters that use PowerShell or cmd.exe as part of their post-install configuration (e.g., some enterprise software uses PowerShell for environment setup after MSI installation)"
  - "Build systems that invoke utility scripts via cmd.exe or PowerShell during compilation steps, common in CI/CD pipelines where MSBuild calls post-build scripts"
  - "Software vendors using non-standard ports for update delivery (e.g., some enterprise patch management solutions use custom ports for update traffic)"
  - "IT provisioning tools (SCCM, Intune, Chocolatey) that install software via msiexec.exe and then run PowerShell configuration scripts as part of normal deployment workflows"
  - "Development workstations where build tools (devenv.exe, dotnet.exe) regularly invoke scripts during local builds"
level: high
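The behavioural check the description calls for, as an added example that is not part of the df00tech rule or its KQL/SPL query: it triages constructed Sysmon-style process_creation events for a trusted installer or updater spawning a shell, while honouring the approved post-install script exception listed under falsepositives. `vendorupdater.exe`, the approved script path and every sample event are constructed placeholders, not real telemetry.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Installers/updaters that should not normally launch a shell. msiexec.exe comes from the
# rule's falsepositives notes; "vendorupdater.exe" is a constructed placeholder.
TRUSTED_INSTALLERS = {"msiexec.exe", "vendorupdater.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Approved (parent, script path) pairs for deployment tooling such as SCCM/Intune that runs
# a fixed post-install script. Constructed placeholder; populate from your own baseline.
APPROVED_SCRIPTS = {("msiexec.exe", r"C:\ProgramData\Deploy\configure-env.ps1")}
# Command-line traits that a benign post-install configuration step should never show.
RISKY = re.compile(r"-enc(odedcommand)?\b|downloadstring|invoke-webrequest|frombase64string", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> Optional[str]:
    """Verdict for one process_creation event, or None when nothing is suspicious."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in TRUSTED_INSTALLERS or image not in SHELLS:
        return None  # build tools (devenv.exe, dotnet.exe) are not trusted installers: ignored
    cmd = event.get("CommandLine", "")
    if RISKY.search(cmd):
        return "high: trusted installer spawned shell with download/encoding indicators"
    if any(parent == p and s.lower() in cmd.lower() for p, s in APPROVED_SCRIPTS):
        return None  # documented false positive: known deployment script
    return "medium: trusted installer spawned shell running an unapproved script"

def triage(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (ProcessGuid, verdict) for every event that warrants analyst attention."""
    return [(e["ProcessGuid"], v) for e in events if (v := evaluate(e))]

# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessGuid": "A", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\ProgramData\Deploy\configure-env.ps1"},
    {"ProcessGuid": "B", "ParentImage": r"C:\Program Files\Vendor\vendorupdater.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc BASE64_PLACEHOLDER"},
    {"ProcessGuid": "C", "ParentImage": r"C:\Program Files\dotnet\dotnet.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c postbuild.cmd"},
    {"ProcessGuid": "D", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c C:\Users\Public\x.bat"},
]

if __name__ == "__main__":
    for guid, verdict in triage(SAMPLE_EVENTS):
        print(guid, verdict)  # expect B (high) and D (medium); A and C are suppressed
```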
