EXPLORE

← Back to Explore

T1195

Supply Chain Compromise

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including: * Manipulation of development tools * Manipulation of a development environment * Manipulation of source code repositories (public or private) * Manipulation of source code in open-source dependencies * Manipulation of software update/distribution mechanisms * Comp...

LinuxWindowsmacOSSaaS

40

Detections

3

Sources

3

Threat Actors

BY SOURCE

20splunk_escu19elastic1sigma

PROCEDURES (20)

General Monitoring11 detections

Auto-extracted: 11 detections for general monitoring

Bypass4 detections

Auto-extracted: 4 detections for bypass

Credential2 detections

Auto-extracted: 2 detections for credential

Parent Process2 detections

Auto-extracted: 2 detections for parent process

Authentication Monitoring2 detections

Auto-extracted: 2 detections for authentication monitoring

Shellcode2 detections

Auto-extracted: 2 detections for shellcode

Tamper2 detections

Auto-extracted: 2 detections for tamper

Child Process2 detections

Auto-extracted: 2 detections for child process

Remote2 detections

Auto-extracted: 2 detections for remote

File Monitoring1 detections

Auto-extracted: 1 detections for file monitoring

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Inject1 detections

Auto-extracted: 1 detections for inject

Persist1 detections

Auto-extracted: 1 detections for persist

Credential1 detections

Auto-extracted: 1 detections for credential

Unusual1 detections

Auto-extracted: 1 detections for unusual

Service1 detections

Auto-extracted: 1 detections for service

Persist1 detections

Auto-extracted: 1 detections for persist

THREAT ACTORS (3)

Ember Bear OilRig Sandworm Team

DETECTIONS (40)

Command Execution via SolarWinds Process

Deprecated - SUNBURST Command and Control Activity

DPKG Package Installed by Unusual Parent Process

Elastic Defend Alert from GenAI Utility or Descendant

elasticcritical

Elastic Defend Alert from Package Manager Install Ancestry

elasticcritical

Execution via GitHub Actions Runner

GitHub Actions Unusual Bot Push to Repository

GitHub Actions Workflow Modification Blocked

Github Activity on a Private Repository from an Unusual IP

GitHub Enterprise Delete Branch Ruleset

GitHub Enterprise Disable 2FA Requirement

GitHub Enterprise Disable Audit Log Event Stream

GitHub Enterprise Disable Classic Branch Protection Rule

GitHub Enterprise Disable Dependabot

GitHub Enterprise Disable IP Allow List

GitHub Enterprise Modify Audit Log Event Stream

GitHub Enterprise Pause Audit Log Event Stream

GitHub Enterprise Register Self Hosted Runner

GitHub Enterprise Remove Organization

GitHub Enterprise Repository Archived

GitHub Enterprise Repository Deleted

GitHub Organizations Delete Branch Ruleset

GitHub Organizations Disable 2FA Requirement

GitHub Organizations Disable Classic Branch Protection Rule

GitHub Organizations Disable Dependabot

GitHub Organizations Repository Archived

GitHub Organizations Repository Deleted

GitHub Workflow File Creation or Modification

Network Connection to OAST Domain via Script Interpreter

New GitHub Self Hosted Action Runner

Node.js Pre or Post-Install Script Execution

Octopus Scanner Malware

Remote GitHub Actions Runner Registration

RPM Package Installed by Unusual Parent Process

Shai-Hulud Workflow File Creation or Modification

SolarWinds Process Disabling Services via Registry

Suspicious Execution from VS Code Extension

Suspicious SolarWinds Child Process

Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners

Unusual DPKG Execution