1. Home
  2. ATT&CK Techniques
  3. T1195.002 Compromise Software Supply Chain

T1195.002 Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
ID.RA-01.03 Vulnerability management Mitigates T1195.002 Compromise Software Supply Chain
Comments
This diagnostic statement provides protection from vulnerabilities in exposed applications from across the organization through the use of tools that scan for and review vulnerabilities along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies and development tools can help reduce the attack surface for the organization and protect against adversaries looking for ways to access its systems.
References
    PR.PS-02.01 Patch identification and application Mitigates T1195.002 Compromise Software Supply Chain
    Comments
    This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise through checking unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.
    References
      PR.PS-06.06 Vulnerability remediation Mitigates T1195.002 Compromise Software Supply Chain
      Comments
      This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools can mitigate Supply Chain Compromise.
      References
        EX.DD-04.01 Third-party systems and software evaluation Mitigates T1195.002 Compromise Software Supply Chain
        Comments
        This diagnostic statement describes the organization's formal process for evaluating externally-sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment to aid in mitigating software supply chain attacks.
        References
          EX.MM-01.01 Third-party monitoring and management resources Mitigates T1195.002 Compromise Software Supply Chain
          Comments
          This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for management of third party products.
          References

            NIST 800-53 Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            SR-11 Component Authenticity mitigates T1195.002 Compromise Software Supply Chain
            SR-04 Provenance mitigates T1195.002 Compromise Software Supply Chain
            SR-05 Acquisition Strategies, Tools, and Methods mitigates T1195.002 Compromise Software Supply Chain
            CA-07 Continuous Monitoring mitigates T1195.002 Compromise Software Supply Chain
            CA-02 Control Assessments mitigates T1195.002 Compromise Software Supply Chain
            RA-10 Threat Hunting mitigates T1195.002 Compromise Software Supply Chain
            SA-22 Unsupported System Components mitigates T1195.002 Compromise Software Supply Chain
            CM-11 User-installed Software mitigates T1195.002 Compromise Software Supply Chain
            SI-02 Flaw Remediation mitigates T1195.002 Compromise Software Supply Chain
            RA-05 Vulnerability Monitoring and Scanning mitigates T1195.002 Compromise Software Supply Chain
            CM-07 Least Functionality mitigates T1195.002 Compromise Software Supply Chain

            VERIS Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            action.malware.variety.Disable controls Disable or interfere with security controls related-to T1195.002 Compromise Software Supply Chain
            action.malware.variety.Rootkit Rootkit (maintain local privileges and stealth) related-to T1195.002 Compromise Software Supply Chain

            Azure Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            azure_update_manager Azure Update Manager technique_scores T1195.002 Compromise Software Supply Chain
            Comments
            This control provides coverage of some aspects of software supply chain compromise since it enables automated updates of software and rapid configuration change management.
            References
            1. https://learn.microsoft.com/en-us/azure/update-manager/workflow-update-manager

            GCP Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            assured_oss Assured Open Source Software technique_scores T1195.002 Compromise Software Supply Chain
            Comments
            Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution.
            References
            1. https://cloud.google.com/security/products/assured-open-source-software
            google_secops Google Security Operations technique_scores T1195.002 Compromise Software Supply Chain
            Comments
            Google Security Ops is able to trigger an alert based on unusual file write events by 3rd party software (e.g., SolarWinds executable ".*\\solarwinds\.businesslayerhost\.exe"). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/security/unusual_solarwinds_child_process__via_cmdline.yaral
            References
            1. ['https://cloud.google.com/security/products/security-operations'
            2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
            3. 'https://github.com/chronicle/detection-rules']