Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-2 | Control Assessments | Protects | T1195.001 | Compromise Software Dependencies and Development Tools | |
CA-7 | Continuous Monitoring | Protects | T1195.001 | Compromise Software Dependencies and Development Tools | |
CM-11 | User-installed Software | Protects | T1195.001 | Compromise Software Dependencies and Development Tools | |
CM-7 | Least Functionality | Protects | T1195.001 | Compromise Software Dependencies and Development Tools | |
RA-10 | Threat Hunting | Protects | T1195.001 | Compromise Software Dependencies and Development Tools | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1195.001 | Compromise Software Dependencies and Development Tools | |
SA-22 | Unsupported System Components | Protects | T1195.001 | Compromise Software Dependencies and Development Tools | |
SI-2 | Flaw Remediation | Protects | T1195.001 | Compromise Software Dependencies and Development Tools | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1195.001 | Compromise Software Dependencies and Development Tools | Comments: The following Azure Sentinel Hunting queries can identify potentially malicious changes to Azure DevOps project resources: "Azure DevOps - Project Visibility changed to public" identifies a specific action that may indicate an attacker modifying the cloud compute infrastructure; "Azure DevOps - Public project created" and "Azure DevOps - Public project enabled by admin" identify specific instances of potential defense evasion. The following Azure Sentinel Analytics queries can identify potentially malicious changes to Azure DevOps project resources: "AzureDevops Service Connection Abuse" detects potentially malicious behavior associated with the use of a large number of service connections; "External Upstream Source added to Azure DevOps" identifies a specific behavior that could compromise the DevOps build pipeline; "Azure DevOps Pull Request Policy Bypassing - History" identifies potentially malicious behavior that compromises the build process; "Azure DevOps Pipeline modified by a New User" identifies potentially malicious activity that could compromise the DevOps pipeline; "Azure DevOps Administrator Group Monitoring" monitors for specific activity that could compromise the build/release process; "New Agent Added to Pool by New User or a New OS" detects suspicious behavior that could compromise the DevOps pipeline. |
azure_automation_update_management | Azure Automation Update Management | technique_scores | T1195.001 | Compromise Software Dependencies and Development Tools | Comments: This control provides coverage of some aspects of software supply chain compromise, since it enables automated updates of software and rapid configuration change management. |
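The Sentinel hunting and analytics queries listed above (project visibility changed to public, external upstream source added, pipeline modified by a new user) all reduce to filters and baselines over the Azure DevOps audit stream. The following is an added example, not Microsoft's query content or the mapping project's own code, that runs the same three checks in Python over a handful of constructed audit events. The field names (TimeGenerated, OperationName, ActorUPN, ProjectName, Data), the operation names, the allow-list of upstream hosts and the sample events are assumptions modelled on the AzureDevOpsAuditing table layout, not values taken from this page.

```python
"""Constructed detection logic modelled on the Azure Sentinel Azure DevOps
hunting/analytics queries named on this page. Added example, not Microsoft's
query content. Field names, operation names, the upstream allow-list and the
sample events are assumptions following the AzureDevOpsAuditing table layout."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample audit events, not data from a real tenant.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2023-05-01T09:00:00Z", "OperationName": "Pipelines.PipelineModified",
     "ActorUPN": "alice@contoso.example", "ProjectName": "payments",
     "Data": {"PipelineName": "build-main"}},
    {"TimeGenerated": "2023-05-10T11:30:00Z", "OperationName": "Pipelines.PipelineModified",
     "ActorUPN": "alice@contoso.example", "ProjectName": "payments",
     "Data": {"PipelineName": "build-main"}},
    {"TimeGenerated": "2023-05-15T08:05:00Z", "OperationName": "Project.UpdateVisibility",
     "ActorUPN": "bob@contoso.example", "ProjectName": "payments",
     "Data": {"PreviousVisibility": "Private", "Visibility": "Public"}},
    {"TimeGenerated": "2023-05-15T08:20:00Z", "OperationName": "Artifacts.Feed.Update",
     "ActorUPN": "bob@contoso.example", "ProjectName": "payments",
     "Data": {"FeedName": "team-npm", "UpstreamsAdded": [
         {"Name": "npmjs", "Location": "https://registry.npmjs.org/"},
         {"Name": "mirror", "Location": "https://npm-mirror.example/"}]}},
    {"TimeGenerated": "2023-05-16T02:00:00Z", "OperationName": "Release.ReleasePipelineModified",
     "ActorUPN": "mallory@contoso.example", "ProjectName": "payments",
     "Data": {"PipelineName": "deploy-prod"}},
    {"TimeGenerated": "2023-05-16T09:00:00Z", "OperationName": "Pipelines.PipelineModified",
     "ActorUPN": "alice@contoso.example", "ProjectName": "payments",
     "Data": {"PipelineName": "build-main"}},
]

# Upstream hosts a feed may proxy (assumed allow-list); anything else is an external source to review.
ALLOWED_UPSTREAM_HOSTS = {"registry.npmjs.org", "pypi.org", "api.nuget.org"}
# Assumed operation names for build and release pipeline edits.
PIPELINE_OPS = {"Pipelines.PipelineModified", "Release.ReleasePipelineModified"}


def event_time(event):
    """Parse the event timestamp (UTC, ISO 8601 with trailing Z)."""
    return datetime.strptime(event["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")


def project_made_public(events):
    """Hunting-style check: a project whose visibility flipped from Private to Public."""
    return [e for e in events
            if e["OperationName"] == "Project.UpdateVisibility"
            and e["Data"].get("PreviousVisibility") == "Private"
            and e["Data"].get("Visibility") == "Public"]


def external_upstream_added(events, allowed=ALLOWED_UPSTREAM_HOSTS):
    """Feed updates that add an upstream whose host is not on the allow-list.
    Returns (actor, feed, host) tuples so an analyst sees who pointed which feed where."""
    hits = []
    for e in events:
        if e["OperationName"] != "Artifacts.Feed.Update":
            continue
        for upstream in e["Data"].get("UpstreamsAdded", []):
            host = urlparse(upstream["Location"]).hostname
            if host not in allowed:
                hits.append((e["ActorUPN"], e["Data"]["FeedName"], host))
    return hits


def pipeline_modified_by_new_user(events, cutoff, lookback_days=14):
    """Pipeline modifications at or after `cutoff` by an actor who made no pipeline
    modifications in the preceding `lookback_days` (a 'new user' for this activity)."""
    start = cutoff - timedelta(days=lookback_days)
    mods = [e for e in events if e["OperationName"] in PIPELINE_OPS]
    known_actors = {e["ActorUPN"] for e in mods if start <= event_time(e) < cutoff}
    return [e for e in mods if event_time(e) >= cutoff and e["ActorUPN"] not in known_actors]


def run_detections(events, cutoff):
    """Run all three checks and return the hits keyed by detection name."""
    return {
        "project_made_public": project_made_public(events),
        "external_upstream_added": external_upstream_added(events),
        "pipeline_modified_by_new_user": pipeline_modified_by_new_user(events, cutoff),
    }


if __name__ == "__main__":
    results = run_detections(SAMPLE_EVENTS, datetime(2023, 5, 15))
    for name, hits in results.items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit if isinstance(hit, tuple) else (hit["ActorUPN"], hit["OperationName"]))
```

On the sample data the visibility check fires once (bob), the upstream check flags only the non-allow-listed mirror host while the npmjs upstream passes, and the new-user check flags mallory's release pipeline edit but not alice's, since alice appears in the 14-day baseline. In a real deployment the baseline window and allow-list are the tuning knobs: too short a window makes every returning contributor look new, and an empty allow-list turns every feed update into an alert.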