T1195.002: Compromise Software Supply Chain
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
- supply_chain: PT-CR-1780: SupplyChain_Push_By_Non_Standard_User: A user who had not previously pushed changes to branches pushed changes to a branch from the tracked branch list
- supply_chain: PT-CR-1764: SupplyChain_Merge_Request_Apply_From_New_Assignee: Merge into a branch from a new host under a new account
- supply_chain: PT-CR-1762: SupplyChain_Push_Without_Merge_Request: A user pushed changes to a branch without a merge request
- supply_chain: PT-CR-1761: SupplyChain_Merge_Request_Apply_Without_Approvers: Merge into a branch without approvers
- supply_chain: PT-CR-1759: SupplyChain_Web_UI_File_Operation: A user created or modified a file in a tracked branch via the web interface
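The rules above all reduce to simple correlations over the VCS audit trail: a baseline of who normally pushes or merges into protected branches, plus a few hard conditions (no merge request, no approvers, edits through the web UI). The following is an added example in that spirit, not Positive Technologies' rule code and not the MaxPatrol SIEM rule language; the event schema, the tracked-branch list and the seeded baselines are assumptions, and the audit events are constructed.

```python
"""Correlation logic in the spirit of the supply_chain rules listed above, run over
constructed VCS audit events. Added example: not Positive Technologies' rule code.
The event schema, the tracked-branch list and the seeded baselines are assumptions."""

TRACKED_BRANCHES = {"main", "release/1.2"}   # assumption: protected branches under watch
KNOWN_PUSHERS = {"alice"}                     # assumption: users seen pushing before the window
KNOWN_MERGE_USERS = {"alice"}                 # assumption: accounts seen applying merges before
KNOWN_MERGE_HOSTS = {"10.0.0.5"}              # assumption: source hosts seen applying merges before

# Constructed sample events in a hypothetical schema (type, user, host, branch, mr, approvers, path)
EVENTS = [
    {"ts": 1, "type": "push", "user": "alice", "host": "10.0.0.5", "branch": "main", "mr": "!41"},
    {"ts": 2, "type": "merge", "user": "alice", "host": "10.0.0.5", "branch": "main", "mr": "!41", "approvers": ["bob"]},
    {"ts": 3, "type": "push", "user": "mallory", "host": "10.0.0.99", "branch": "main", "mr": None},
    {"ts": 4, "type": "merge", "user": "mallory", "host": "10.0.0.99", "branch": "main", "mr": "!42", "approvers": []},
    {"ts": 5, "type": "web_file_edit", "user": "bob", "host": "10.0.0.7", "branch": "release/1.2", "path": "ci/build.sh"},
    {"ts": 6, "type": "push", "user": "alice", "host": "10.0.0.5", "branch": "feature/x", "mr": None},
]


def correlate(events, tracked=TRACKED_BRANCHES, known_pushers=KNOWN_PUSHERS,
              known_merge_users=KNOWN_MERGE_USERS, known_merge_hosts=KNOWN_MERGE_HOSTS):
    """Return a list of (rule, ts, user, branch) alerts in event order.

    Baselines are copied so a call never mutates the module-level sets. Each
    first sighting is learned as it is processed, so one actor alerts once for
    being new rather than on every subsequent event."""
    pushers = set(known_pushers)
    merge_users = set(known_merge_users)
    merge_hosts = set(known_merge_hosts)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["branch"] not in tracked:
            continue  # every rule here is scoped to the tracked-branch list
        if e["type"] == "push":
            if e["user"] not in pushers:
                alerts.append(("Push_By_Non_Standard_User", e["ts"], e["user"], e["branch"]))
            if not e.get("mr"):
                alerts.append(("Push_Without_Merge_Request", e["ts"], e["user"], e["branch"]))
            pushers.add(e["user"])
        elif e["type"] == "merge":
            if not e.get("approvers"):
                alerts.append(("Merge_Request_Apply_Without_Approvers", e["ts"], e["user"], e["branch"]))
            # "new host under a new account": both the account and the source host are unseen for merges
            if e["user"] not in merge_users and e["host"] not in merge_hosts:
                alerts.append(("Merge_Request_Apply_From_New_Assignee", e["ts"], e["user"], e["branch"]))
            merge_users.add(e["user"])
            merge_hosts.add(e["host"])
        elif e["type"] == "web_file_edit":
            # any direct file change through the web UI on a tracked branch is reportable
            alerts.append(("Web_UI_File_Operation", e["ts"], e["user"], e["branch"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(*alert)
```

On the constructed events the push and merge by the unseen account from the unseen host trip four of the five conditions, the web-UI edit of a CI script trips the fifth, and the push to the untracked feature branch is ignored. The cold-start problem is real: without a seeded baseline, every legitimate contributor alerts on their first push, so in practice the baseline is learned from a quiet historical window before the rules are armed.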
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0022 | File: File Metadata | Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. |
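Hash checking of a distributed binary is only meaningful when the expected hash arrives through a channel the attacker does not also control (a signed manifest, a pinned value in the deployment config, a value published out of band). Below is an added example of the consumer-side check, not code from the page or from any vendor: it reads a `sha256sum`-style manifest (`<hex>  <filename>`), compares digests in constant time, and fails closed on anything it cannot vouch for. The artifact bytes and the blocklist of known-bad hashes are constructed.

```python
"""Integrity check of a distributed artifact against a pinned hash manifest.
Added example, not code from the page; the manifest format is the sha256sum
style ("<hex>  <filename>") and the artifact bytes and blocklist are constructed."""
import hashlib
import hmac

# Constructed stand-ins for a release binary and a tampered copy of it
GOOD_BINARY = b"\x7fELF" + b"release-1.2.0 build" * 16
TAMPERED_BINARY = GOOD_BINARY[:-4] + b"evil"

# Constructed blocklist: digests of samples already known to be malicious
KNOWN_BAD = {hashlib.sha256(b"\x7fELF" + b"dropper").hexdigest()}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Publisher side: one sha256sum-style line per release file."""
    return "".join(f"{sha256_hex(blob)}  {name}\n" for name, blob in sorted(files.items()))


def parse_manifest(text: str) -> dict:
    """Consumer side: map filename -> expected hex digest, rejecting malformed lines
    rather than silently skipping them (a skipped line is a file nobody checks)."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<hex>  <filename>'")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")  # '*' marks binary mode in sha256sum
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: bad SHA-256 digest")
        if name in expected:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        expected[name] = digest
    return expected


def verify_artifact(name: str, data: bytes, expected: dict, blocklist=KNOWN_BAD):
    """Return (ok, reason). Fail closed: a blocklisted digest, a file with no
    pinned hash, and a mismatch are all rejections; only an exact match passes."""
    digest = sha256_hex(data)
    if digest in blocklist:
        return False, "matches known-malicious hash"
    if name not in expected:
        return False, "no pinned hash for this file"
    if not hmac.compare_digest(digest, expected[name]):
        return False, "hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    manifest = parse_manifest(build_manifest({"tool.bin": GOOD_BINARY}))
    for label, blob in (("good", GOOD_BINARY), ("tampered", TAMPERED_BINARY)):
        print(label, verify_artifact("tool.bin", blob, manifest))
```

The check deliberately has no "unknown file, allow it" branch: an update mechanism that ships a file the manifest does not list is exactly the case the detection entry is about. Pair it with a signature over the manifest itself, otherwise an attacker who can replace the binary on the distribution point can usually replace the manifest beside it.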
Mitigation
| ID | Name | Description |
|---|---|---|
| M1016 | Vulnerability Scanning | Continuously monitor vulnerability sources and apply automated and manual code review tools to the software and its dependencies. |
| M1051 | Update Software | Implement a patch management process that identifies and removes or updates unused applications, unmaintained and/or previously vulnerable software, and unnecessary features, components, files, and documentation. |