title: Supply Chain Compromise (T1195)
id: df00tech-t1195
status: experimental
description: "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can occur at any stage, from manipulation of development tools, source code repositories, open-source dependencies, software update/distribution mechanisms and system images to physical hardware. Because the attack abuses trusted software distribution channels, defenders must focus on post-delivery behavioral indicators: trusted installer processes spawning shells, legitimate software making unexpected network connections, newly installed applications loading unsigned modules, and integrity failures in software binaries. High-profile incidents include SolarWinds Orion (Sunburst backdoor in update packages), CCleaner (backdoor distributed via official update), 3CX (second-order compromise via trojanized Electron app), and NotPetya (distributed via M.E.Doc accounting software update)."
references:
  - https://attack.mitre.org/techniques/T1195/
  - https://df00tech.com/detections/T1195
author: df00tech
date: 2026/04/18
tags:
  - attack.t1195
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The df00tech KQL/SPL logic could not be auto-translated. The selection below encodes the
  # indicator named in the description (a trusted installer process spawning a shell), using
  # only the installer and shell image names listed in this rule; see df00tech for the full query.
  selection:
    ParentImage|endswith:
      - '\msiexec.exe'
      - '\setup.exe'
      - '\squirrel.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  condition: selection
falsepositives:
  - Legitimate software installers (especially older or enterprise software) that invoke cmd.exe or PowerShell as part of post-install configuration scripts or service registration
  - "Software deployment platforms (SCCM, Intune, PDQ Deploy) that use msiexec.exe or setup.exe as wrappers that legitimately spawn PowerShell for configuration"
  - "Electron-based applications (VSCode, Slack, Teams) whose squirrel.exe updater spawns cmd.exe for delta patching operations"
  - "Development environment tools (Visual Studio, JetBrains, Eclipse) that run PowerShell or scripts as part of extension installation or project scaffolding"
  - "Third-party IT management agents (SolarWinds, ConnectWise, Kaseya) whose update mechanisms spawn child processes by design"
level: critical
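The post-delivery indicator the description calls out (a trusted installer process spawning a shell), applied to constructed process-creation events as an added example that is not part of the df00tech rule; the allowlisted path and the sample events are assumed placeholders, and the installer and shell names come from this rule's text.

```python
"""Added example, not part of the df00tech rule: applies the 'trusted installer
spawning a shell' indicator to constructed Windows process-creation events and
separates raw hits from allowlisted parents, the triage the falsepositives call for."""
import ntpath
from typing import Dict, List

INSTALLER_PARENTS = {"msiexec.exe", "setup.exe", "squirrel.exe"}  # names from the rule text
SHELLS = {"cmd.exe", "powershell.exe"}
# Constructed allowlist of vetted installer paths (placeholder path, not a real product).
ALLOWED_PARENT_PATHS = {r"c:\program files\exampleagent\setup.exe"}

def basename(path: str) -> str:
    """Lower-cased Windows basename; tolerates forward slashes in the event."""
    return ntpath.basename(path.replace("/", "\\")).lower()

def classify(event: Dict[str, str]) -> str:
    """Verdict for one event using Sigma process_creation field names (ParentImage, Image)."""
    parent, child = event.get("ParentImage", ""), event.get("Image", "")
    if basename(parent) not in INSTALLER_PARENTS or basename(child) not in SHELLS:
        return "no_match"
    if parent.replace("/", "\\").lower() in ALLOWED_PARENT_PATHS:
        return "allowlisted"
    return "alert"

def triage(events: List[Dict[str, str]]) -> Dict[str, List[int]]:
    """Group event indexes by verdict so analysts review 'alert' entries first."""
    out: Dict[str, List[int]] = {"alert": [], "allowlisted": [], "no_match": []}
    for i, ev in enumerate(events):
        out[classify(ev)].append(i)
    return out

def sigma_selection() -> Dict[str, List[str]]:
    """The same parent/child check expressed as a Sigma selection with endswith modifiers."""
    return {
        "ParentImage|endswith": ["\\" + p for p in sorted(INSTALLER_PARENTS)],
        "Image|endswith": ["\\" + s for s in sorted(SHELLS)],
    }

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Program Files\ExampleAgent\setup.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ParentImage": r"C:\Users\alice\AppData\Local\ExampleApp\squirrel.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]
# triage(SAMPLE_EVENTS) -> {'alert': [0, 2], 'allowlisted': [1], 'no_match': [3]}
```

Allowlisting by exact parent path rather than by image name keeps the squirrel.exe and setup.exe hits described under falsepositives reviewable instead of silently dropped.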
