Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
SR-11 | Component Authenticity | mitigates | T1195.002 | Compromise Software Supply Chain | |
SR-04 | Provenance | mitigates | T1195.002 | Compromise Software Supply Chain | |
SR-05 | Acquisition Strategies, Tools, and Methods | mitigates | T1195.002 | Compromise Software Supply Chain | |
CA-07 | Continuous Monitoring | mitigates | T1195.002 | Compromise Software Supply Chain | |
CA-02 | Control Assessments | mitigates | T1195.002 | Compromise Software Supply Chain | |
RA-10 | Threat Hunting | mitigates | T1195.002 | Compromise Software Supply Chain | |
SA-22 | Unsupported System Components | mitigates | T1195.002 | Compromise Software Supply Chain | |
CM-11 | User-installed Software | mitigates | T1195.002 | Compromise Software Supply Chain | |
SI-02 | Flaw Remediation | mitigates | T1195.002 | Compromise Software Supply Chain | |
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1195.002 | Compromise Software Supply Chain | |
CM-07 | Least Functionality | mitigates | T1195.002 | Compromise Software Supply Chain | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.malware.variety.Disable controls | Disable or interfere with security controls | related-to | T1195.002 | Compromise Software Supply Chain | |
action.malware.variety.Rootkit | Rootkit (maintain local privileges and stealth) | related-to | T1195.002 | Compromise Software Supply Chain | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
assured_oss | Assured Open Source Software | technique_scores | T1195.002 | Compromise Software Supply Chain | Comments: Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution. |
google_secops | Google Security Operations | technique_scores | T1195.002 | Compromise Software Supply Chain | Comments: Google Security Ops is able to trigger an alert based on unusual file write events by 3rd party software (e.g., SolarWinds executable ".*\\solarwinds\.businesslayerhost\.exe"). This technique was scored as minimal based on low or uncertain detection coverage factor. References: https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/file_event/unusual_solarwinds_file_creation__via_filewrite.yaral ; https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/security/unusual_solarwinds_child_process__via_cmdline.yaral |
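The Google Security Operations mapping above describes alerting on unusual file writes by the SolarWinds business-layer host. The following is an added illustration of that detection logic in Python, not code from the page or from the linked YARA-L rules: it applies the process-path regex quoted in the table to constructed file-creation events and flags writes that land outside an assumed allowlist of expected directories (the allowlist and case-insensitive matching are assumptions for illustration).

```python
import re
from dataclasses import dataclass

# Process-path pattern quoted in the Google SecOps mapping; case-insensitive
# matching is an assumption, since the original rule's flags are not on the page.
SOLARWINDS_PROCESS = re.compile(r".*\\solarwinds\.businesslayerhost\.exe", re.IGNORECASE)

# Assumed directories the service is expected to write to (lower-cased prefixes).
EXPECTED_WRITE_DIRS = (
    "c:\\programdata\\solarwinds\\",
    "c:\\program files (x86)\\solarwinds\\",
)


@dataclass(frozen=True)
class FileEvent:
    """Minimal file-creation telemetry: which process wrote which path on which host."""
    host: str
    process_path: str
    target_path: str


def is_unusual_write(event: FileEvent) -> bool:
    """True when the SolarWinds business-layer host writes outside its expected directories."""
    if not SOLARWINDS_PROCESS.match(event.process_path):
        return False  # not the process of interest
    target = event.target_path.lower()
    return not any(target.startswith(prefix) for prefix in EXPECTED_WRITE_DIRS)


def detect(events):
    """Return the events that should raise an alert."""
    return [e for e in events if is_unusual_write(e)]


# Constructed sample events: one expected log write, one write into a temp
# directory by the SolarWinds host, and one unrelated process.
SAMPLE_EVENTS = [
    FileEvent("ws01", r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
              r"C:\ProgramData\SolarWinds\Orion\log.txt"),
    FileEvent("ws01", r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
              r"C:\Windows\Temp\unexpected.dll"),
    FileEvent("ws02", r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\x.tmp"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT {alert.host}: {alert.process_path} wrote {alert.target_path}")
```

In production the allowlist would be derived from baselining the product's observed write locations, and the event source would be endpoint file-event telemetry rather than an inline list.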