Skip to content

DET0309 Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly)

Item Value
ID DET0309
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1195.002 (Compromise Software Supply Chain)

Analytics

Windows

AN0862

Adversary ships a tampered application or update: an updater/installer (msiexec/setup/update.exe/vendor service) writes or replaces binaries; on first run it spawns scripts/shells or unsigned DLLs and beacons to non-approved update CDNs/hosts. Detection correlates: (1) process creation of installer/updater → (2) file metadata changes in program paths → (3) first-run children and module/signature anomalies → (4) outbound connections to unexpected hosts within a short window.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Driver Load (DC0079) WinEventLog:Sysmon EventCode=6
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
File Metadata (DC0059) WinEventLog:Microsoft-Windows-CodeIntegrity/Operational Unsigned or invalid image for newly installed/updated binaries
Network Traffic Flow (DC0078) NSM:Flow First-time egress to non-approved update hosts right after install/update
Mutable Elements
Field Description
TimeWindow Correlate write→first-run→egress (default 90 minutes).
ApprovedUpdateHosts Allow-list of vendor update endpoints, enterprise proxy/cache.
ApprovedSigners Code-signing publishers allowed for programs/services.
ProgramPaths Monitored install locations (e.g., C:\Program Files, C:\ProgramData, %LOCALAPPDATA%).

Linux

AN0863

A compromised package/update (deb/rpm/tarball/AppImage/vendor updater) is installed, writing/overwriting files in /usr/local/bin, /usr/bin, /opt, or ~/.local; first run executes unexpected shells/curl/wget and connects to unapproved hosts. Correlate package/updater execution → file writes/replace → first-run child processes → egress.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Metadata (DC0059) journald:package dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals
Network Traffic Flow (DC0078) NSM:Flow New outbound flows to non-approved vendor hosts post install
Mutable Elements
Field Description
PathScope Monitored install paths (/usr/local, /usr/bin, /opt/*, ~/.local/bin, /var/lib/systemd).
ApprovedRepos Allow-listed APT/YUM repos and GPG keys for vendor updates.
TimeWindow Default 90 minutes.

macOS

AN0864

A tampered app/pkg/notarized update is installed via installer, softwareupdated, Homebrew, or vendor updater; new Mach-O or bundle contents appear in /Applications, /Library, /usr/local or /opt/homebrew; first run spawns sh/zsh/osascript/curl and makes egress to unfamiliar domains; AMFI/Gatekeeper may log signature/notarization problems.

Log Sources
Data Component Name Channel
File Metadata (DC0059) macos:unifiedlog pkginstalld/softwareupdated/Homebrew install transactions
Process Creation (DC0032) macos:endpointsecurity exec
Network Traffic Flow (DC0078) NSM:Flow New/rare egress to non-approved update hosts after install
Mutable Elements
Field Description
AllowedTeamIDs Apple Developer Team IDs allowed for enterprise.
BrewTapsAllowList Trusted Homebrew taps.
TimeWindow Default 90 minutes.