Supply Chain Compromise: Compromise Software Supply Chain T1195.002
Tactic: Initial Access
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Events covered
12 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
| Sysmon | Event ID 3 | Network connection |
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 12 | RegistryEvent (Object create and delete) |
| Sysmon | Event ID 13 | RegistryEvent (Value Set) |
| Sysmon | Event ID 14 | RegistryEvent (Key and Value Rename) |
| Sysmon | Event ID 22 | DNSEvent (DNS query) |
| Security-Auditing | Event ID 4688 | A new process has been created. |
| ESF | exec | Process Execution (Notify) |
| ESF | create | File or Directory Create (NOTIFY) |
| Sysmon-for-Linux | Event ID 1 | Process Create |
| Sysmon-for-Linux | Event ID 11 | File created |
Authoring guide
Patterns shared across the 51 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (50 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (1405 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (81 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor.
Sigma (15 rules)
- Axios NPM Compromise File Creation Indicators - Linux
- Axios NPM Compromise File Creation Indicators - MacOS
- Axios NPM Compromise File Creation Indicators - Windows
- Axios NPM Compromise Indicators - Linux
- Axios NPM Compromise Indicators - macOS
- Axios NPM Compromise Indicators - Windows
- LiteLLM / TeamPCP Supply Chain Attack Indicators
- Notepad++ Updater DNS Query to Uncommon Domains
- Shai-Hulud 2.0 Malicious NPM Package Installation
- Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
- Shai-Hulud Malicious Bun Execution
- Shai-Hulud Malicious Bun Execution - Linux
- Suspicious Child Process of Notepad++ Updater - GUP.Exe
- TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
- Uncommon File Created by Notepad++ Updater Gup.EXE
Elastic (17 rules)
- Command Execution via SolarWinds Process
- Deprecated - SUNBURST Command and Control Activity
- DPKG Package Installed by Unusual Parent Process
- Elastic Defend Alert from GenAI Utility or Descendant
- Elastic Defend Alert from Package Manager Install Ancestry
- Execution via GitHub Actions Runner
- GitHub Actions Unusual Bot Push to Repository
- GitHub Actions Workflow Modification Blocked
- Github Activity on a Private Repository from an Unusual IP
- New GitHub Self Hosted Action Runner
- Ollama DNS Query to Untrusted Domain
- Remote GitHub Actions Runner Registration
- RPM Package Installed by Unusual Parent Process
- SolarWinds Process Disabling Services via Registry
- Suspicious Execution from VS Code Extension
- Suspicious SolarWinds Child Process
- Unusual DPKG Execution
Splunk (4 rules)
- 3CX Supply Chain Attack Network Indicators
- Hunting 3CXDesktopApp Software
- Shai-Hulud 2 Exfiltration Artifact Files
- Windows Vulnerable 3CX Software
Panther (15 rules)
- GitHub Artifact Download from Cross-Fork Workflow
- GitHub Commits Skipping Workflows
- GitHub Cross-Fork Workflow Run
- GitHub Malicious Comment/Review Content
- GitHub Malicious Commit Content
- GitHub Malicious Issue/Pages Content
- GitHub Malicious Pull Request Content
- GitHub pull_request_target Workflow on Self-Hosted Runner
- GitHub pull_request_target Workflow Usage
- GitHub pull_request_target Workflow with Checkout Action
- GitHub Sha1-Hulud Malicious Repository Created
- GitHub Supply Chain - Software Installation Tool User Agents
- GitHub Workflow Contains Checkout Action
- GitHub Workflow Downloading Artifacts
- GitHub Workflow Using Self-Hosted Runner