Skip to content

DET0537 Behavioral detection for Supply Chain Compromise (package/update tamper → install → first-run)

Item Value
ID DET0537
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1195 (Supply Chain Compromise)

Analytics

Windows

AN1480

1) New or updated software is delivered/installed from atypical sources or with signature/hash mismatches; 2) installer/updater writes binaries to unexpected paths or replaces existing signed files; 3) first run causes unsigned/abnormally signed modules to load or child processes to execute, optionally followed by network egress to new destinations.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Module Load (DC0016) WinEventLog:Sysmon EventCode=7
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
File Metadata (DC0059) WinEventLog:Microsoft-Windows-CodeIntegrity/Operational CodeIntegrity reports ‘Invalid image hash’ or ‘Unsigned image’ for new/updated binaries
Network Traffic Flow (DC0078) NSM:Flow First-time egress from host after new install to unknown update endpoints
Mutable Elements
Field Description
TimeWindow Correlation window between install events and first-run activity (default 2h; adjust for staged rollouts).
TrustedPublishers Publisher/Signer allow-list to suppress expected updates.
TrustedUpdateHosts Known update CDNs/APIs (e.g., download.microsoft.com) to reduce egress false positives.
RiskScoreThreshold Score cut-off for alerting when combining path, signer, and reputation features.

Linux

AN1481

1) Package manager or curl/wget installs/upgrades from non-approved repos or unsigned packages; 2) new ELF written into PATH directories or replacement of existing binaries/libraries; 3) first run leads to unexpected child processes or outbound connections.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve, unlink
Process Modification (DC0020) auditd:SYSCALL open, rename
File Metadata (DC0059) journald:package dpkg/apt install, remove, upgrade events
Network Traffic Flow (DC0078) NSM:Flow First-time egress to unknown registries/mirrors immediately after install
Mutable Elements
Field Description
ApprovedRepos Allow-listed APT/YUM repo URLs and GPG key fingerprints.
PathScope Directories to watch for new ELF writes (e.g., /usr/bin, /usr/local/bin, /lib/, /opt//bin).
MinBinarySize Ignore tiny helper files; default >16KB.
TimeWindow Install→first-run correlation window (default 2h).

macOS

AN1482

1) pkg/notarization installs from atypical sources or with Gatekeeper/AMFI warnings; 2) new Mach-O written into /Applications or ~/Library paths or substitution of signed components; 3) first run from installer spawns unsigned children or exfil.

Log Sources
Data Component Name Channel
File Metadata (DC0059) macos:unifiedlog installer or system_installd ‘PackageKit: install succeeded/failed’ with non-notarized or unknown signer
Process Creation (DC0032) macos:osquery launchd, processes
File Modification (DC0061) macos:endpointsecurity write, rename
Network Traffic Flow (DC0078) NSM:Flow New egress from app just installed to unknown update endpoints
Mutable Elements
Field Description
AllowedTeamIDs Apple Developer Team IDs permitted in your fleet.
TrustedDMGs Known DMG/Pkg sources and hashes.
TimeWindow Install→first-run correlation window (default 2h).
RiskScoreThreshold Adjust alert sensitivity based on org tolerance.