EXPLORE
Sign In
← Back to Explore
T1195.002

Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on...

LinuxWindowsmacOS
23
Detections
3
Sources
9
Threat Actors

BY SOURCE

16elastic4splunk_escu3sigma

PROCEDURES (16)

General Monitoring4 detections

Auto-extracted: 4 detections for general monitoring

Child Process2 detections

Auto-extracted: 2 detections for child process

Parent Process2 detections

Auto-extracted: 2 detections for parent process

Dns2 detections

Auto-extracted: 2 detections for dns

Shellcode2 detections

Auto-extracted: 2 detections for shellcode

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Registry Monitoring1 detections

Auto-extracted: 1 detections for registry monitoring

Child Process1 detections

Auto-extracted: 1 detections for child process

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Unusual1 detections

Auto-extracted: 1 detections for unusual

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Inject1 detections

Auto-extracted: 1 detections for inject

Persist1 detections

Auto-extracted: 1 detections for persist

THREAT ACTORS (9)

APT41Cobalt GroupDaggerflyDragonflyFIN7GOLD SOUTHFIELDMoonstone SleetSandworm TeamThreat Group-3390

DETECTIONS (23)

3CX Supply Chain Attack Network Indicators
splunk_escu
Command Execution via SolarWinds Process
elasticmedium
Deprecated - SUNBURST Command and Control Activity
elastichigh
DPKG Package Installed by Unusual Parent Process
elasticlow
Elastic Defend Alert from GenAI Utility or Descendant
elasticcritical
Elastic Defend Alert from Package Manager Install Ancestry
elasticcritical
Execution via GitHub Actions Runner
elasticmedium
GitHub Actions Unusual Bot Push to Repository
elasticlow
GitHub Actions Workflow Modification Blocked
elasticmedium
Github Activity on a Private Repository from an Unusual IP
elasticlow
Hunting 3CXDesktopApp Software
splunk_escu
New GitHub Self Hosted Action Runner
elasticmedium
Notepad++ Updater DNS Query to Uncommon Domains
sigmamedium
Remote GitHub Actions Runner Registration
elasticmedium
RPM Package Installed by Unusual Parent Process
elasticlow
Shai-Hulud 2 Exfiltration Artifact Files
splunk_escu
SolarWinds Process Disabling Services via Registry
elasticmedium
Suspicious Child Process of Notepad++ Updater - GUP.Exe
sigmahigh
Suspicious Execution from VS Code Extension
elasticmedium
Suspicious SolarWinds Child Process
elasticmedium
Uncommon File Created by Notepad++ Updater Gup.EXE
sigmahigh
Unusual DPKG Execution
elasticmedium
Windows Vulnerable 3CX Software
splunk_escu