User-initiated installation of Python (pip), NodeJS (npm), or other language libraries, followed by unexpected network connections, credential access, or startup file modifications. Defender sees pip install or npm install commands run by a non-root user, followed shortly by new .py, .sh, or .js files in hidden directories, or interpreter-based execution during boot/login.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve: Execution of pip, npm, gem, or similar package managers |
| File Creation (DC0039) | auditd:PATH | New .py/.js/.sh files written to ~/.local/, ~/.cache/, or /tmp/ within 5 min of package install |
| Network Traffic Content (DC0085) | NSM:Flow | http::request: Network connection to package registry or C2 from interpreter shortly after install |

| Field | Description |
|---|---|
| PackageManagerList | Monitored package managers (e.g., pip, npm, gem, poetry, conda) |
| InstallWritePaths | Directories to watch for post-install execution artifacts (e.g., ~/.local/, /usr/lib/python3.8/site-packages/) |
| UserContextScope | Filter to focus on non-system accounts (e.g., interactive shell users) |
| TimeWindow | Correlate install command to subsequent network/file activity (default: 5 min) |
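The Linux correlation described above (install command, then script drop in a watched directory, then interpreter network activity, all from the same user inside TimeWindow) as an added example; this is not code from the detection strategy itself. The log lines are constructed, simplified key=value stand-ins for auditd SYSCALL/PATH records and an NSM flow feed (a real flow record carries no uid; here one is attached so the join is explicit), and the tunable values are assumed defaults.

```python
"""Correlate a user-run package install with follow-on script drops and
interpreter network activity (Linux). Added example, not part of the
original detection strategy; the log lines are constructed and simplified
stand-ins for auditd SYSCALL/PATH records and an NSM flow feed."""
import os
import shlex
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Tunables named after the strategy's fields (defaults are assumptions).
PACKAGE_MANAGER_LIST = {"pip", "pip3", "npm", "gem", "poetry", "conda"}
INSTALL_WRITE_SUBDIRS = ("/.local/", "/.cache/")   # matched under any home directory
INSTALL_WRITE_PREFIXES = ("/tmp/",)
TIME_WINDOW = timedelta(minutes=5)
USER_CONTEXT_MIN_UID = 1000          # UserContextScope: non-system accounts only
INTERPRETERS = {"python", "python3", "node", "ruby", "perl"}
SCRIPT_EXTS = (".py", ".js", ".sh")


@dataclass
class Event:
    ts: datetime
    kind: str          # "execve" | "path" | "flow"
    uid: int
    pid: int
    data: Dict[str, str]


def parse_line(line: str) -> Event:
    """Parse one constructed key=value record (quoted values allowed)."""
    fields = dict(kv.split("=", 1) for kv in shlex.split(line))
    return Event(ts=datetime.fromisoformat(fields["ts"]), kind=fields["type"],
                 uid=int(fields["uid"]), pid=int(fields["pid"]), data=fields)


def is_user_install(ev: Event) -> bool:
    """execve of a monitored package manager with an 'install' verb, by a non-system uid."""
    if ev.kind != "execve" or ev.uid < USER_CONTEXT_MIN_UID:
        return False
    argv = ev.data.get("argv", "").split()
    return bool(argv) and os.path.basename(argv[0]) in PACKAGE_MANAGER_LIST and "install" in argv[1:]


def in_watched_path(name: str) -> bool:
    """InstallWritePaths check: /tmp/, or a hidden .local/.cache tree under a home directory."""
    return name.startswith(INSTALL_WRITE_PREFIXES) or any(s in name for s in INSTALL_WRITE_SUBDIRS)


def correlate(lines: List[str]) -> List[dict]:
    """Return one alert per install that is followed, within TimeWindow and by the
    same uid, by a script drop in a watched path or an interpreter network flow."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    alerts = []
    for inst in filter(is_user_install, events):
        later = [e for e in events
                 if e.uid == inst.uid and inst.ts < e.ts <= inst.ts + TIME_WINDOW]
        drops = [e.data["name"] for e in later
                 if e.kind == "path" and e.data["name"].endswith(SCRIPT_EXTS)
                 and in_watched_path(e.data["name"])]
        conns = [e.data["dst"] for e in later
                 if e.kind == "flow" and e.data.get("comm") in INTERPRETERS]
        if drops or conns:
            alerts.append({"install_pid": inst.pid, "uid": inst.uid, "command": inst.data["argv"],
                           "file_drops": drops, "network": conns})
    return alerts


# Constructed sample feed: one suspicious sequence, one benign npm install whose
# writes stay inside the project tree, and one root-run install outside UserContextScope.
SAMPLE_LOG = [
    'ts=2024-05-01T10:00:00 type=execve uid=1000 pid=4101 comm=pip3 argv="pip3 install examplepkg"',
    'ts=2024-05-01T10:01:30 type=path uid=1000 pid=4117 name=/home/dev/.cache/.updater.py',
    'ts=2024-05-01T10:02:05 type=flow uid=1000 pid=4120 comm=python3 dst=203.0.113.45:443',
    'ts=2024-05-01T10:30:00 type=execve uid=1000 pid=4200 comm=npm argv="npm install express"',
    'ts=2024-05-01T10:31:00 type=path uid=1000 pid=4201 name=/home/dev/project/node_modules/express/index.js',
    'ts=2024-05-01T11:00:00 type=execve uid=0 pid=4300 comm=pip3 argv="pip3 install examplepkg"',
    'ts=2024-05-01T11:00:40 type=path uid=0 pid=4301 name=/tmp/setup.sh',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Only the first sequence produces an alert: the npm install writes under the project's node_modules tree rather than a watched path, and the root-run install is excluded by UserContextScope. Widening TIME_WINDOW or INSTALL_WRITE_SUBDIRS trades fewer misses for more noise from ordinary package post-install scripts.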
Execution of pip.exe, npm.cmd, or MSI installers within user context, followed by script interpreter startup (e.g., python.exe) or PowerShell with unusual child processes or file writes in %APPDATA%, %TEMP%, or %LOCALAPPDATA%. Defender correlates command-line install tools with Sysmon and Event Logs to trace downstream behavior.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| AllowedParentProcesses | Filter expected automation tools (e.g., enterprise installers, known IDEs) |
| InstallPathsToWatch | Suspicious post-install write paths (e.g., %APPDATA%, %TEMP%) |
| ExecutableEntropyThreshold | Used for evaluating if dropped files are packed/obfuscated |
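An added example (not code from the detection strategy) showing how the three Windows fields fit together: Sysmon EventCode=1 records supply the parent of each writing process so AllowedParentProcesses can be applied, EventCode=11 records are filtered against InstallPathsToWatch, and the dropped file's bytes are scored against ExecutableEntropyThreshold with Shannon entropy. The events, file contents and tunable values are constructed; a real pipeline would read TargetFilename from disk instead of taking the bytes from a dictionary.

```python
"""Score post-install file drops from Sysmon-style events (Windows). Added
example, not part of the original strategy; events, file bytes and tunable
values below are constructed."""
import collections
import math
import ntpath
from typing import Dict, List

# Tunables named after the strategy's fields (values are assumptions).
ALLOWED_PARENT_PROCESSES = {"devenv.exe", "code.exe", "msiexec.exe"}
INSTALL_PATHS_TO_WATCH = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")   # %APPDATA%, %TEMP%
EXECUTABLE_ENTROPY_THRESHOLD = 7.0
INTERESTING_EXTS = (".exe", ".dll", ".ps1", ".py", ".js", ".vbs")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 suggests packed/encrypted content, plain code sits well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in collections.Counter(data).values())


def in_watched_path(path: str) -> bool:
    return any(marker in path.lower() for marker in INSTALL_PATHS_TO_WATCH)


def score_file_drops(events: List[dict], contents: Dict[str, bytes]) -> List[dict]:
    """EventCode=1 gives the parent image per pid; EventCode=11 gives the file drops."""
    parent_by_pid = {e["ProcessId"]: e["ParentImage"] for e in events if e["EventCode"] == 1}
    findings = []
    for e in events:
        if e["EventCode"] != 11:
            continue
        target = e["TargetFilename"]
        if not in_watched_path(target) or not target.lower().endswith(INTERESTING_EXTS):
            continue
        parent = ntpath.basename(parent_by_pid.get(e["ProcessId"], "")).lower()
        if parent in ALLOWED_PARENT_PROCESSES:
            continue                      # expected automation per AllowedParentProcesses
        entropy = shannon_entropy(contents.get(target, b""))
        findings.append({"file": target, "writer": ntpath.basename(e["Image"]),
                         "parent": parent, "entropy": round(entropy, 3),
                         "high_entropy": entropy >= EXECUTABLE_ENTROPY_THRESHOLD})
    return findings


# Constructed Sysmon-style events: pip.exe under cmd.exe writes a packed binary into
# %APPDATA% and a normal module into site-packages; MSBuild under the IDE writes to %TEMP%.
PIP = r"C:\Users\alice\AppData\Local\Programs\Python\Python311\Scripts\pip.exe"
MSBUILD = r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"
SAMPLE_EVENTS = [
    {"EventCode": 1, "ProcessId": 5120, "Image": PIP,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
    {"EventCode": 11, "ProcessId": 5120, "Image": PIP,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\svc\helper.exe"},
    {"EventCode": 11, "ProcessId": 5120, "Image": PIP,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\Lib\site-packages\examplepkg\__init__.py"},
    {"EventCode": 1, "ProcessId": 6011, "Image": MSBUILD,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe", "User": r"CORP\alice"},
    {"EventCode": 11, "ProcessId": 6011, "Image": MSBUILD,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\build\tool.dll"},
]
SAMPLE_CONTENTS = {
    r"C:\Users\alice\AppData\Roaming\svc\helper.exe": bytes(range(256)) * 4,   # uniform bytes: entropy 8.0
    r"C:\Users\alice\AppData\Local\Temp\build\tool.dll": b"MZ" + b"\x00" * 100,
}

if __name__ == "__main__":
    for finding in score_file_drops(SAMPLE_EVENTS, SAMPLE_CONTENTS):
        print(finding)
```

The site-packages write is ignored because it is not under a watched path, and the %TEMP% write is dropped by the parent allowlist; only helper.exe is reported, with an entropy of 8.0 above the threshold. ntpath is used so the Windows path handling is identical whether the scoring runs on the endpoint or on a Linux analysis host.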
Execution of Homebrew, pip3, npm, or manually downloaded PKGs from Terminal or shell, followed by the creation of startup agents, interpreter spawns, or outbound connections to unfamiliar domains. Defender links Terminal commands to plist creation, unsigned binary launches, and python3 or node processes connecting to remote endpoints.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Command line invocation of pip3, brew install, npm install from interactive Terminal |
| File Metadata (DC0059) | macos:unifiedlog | Creation of new LaunchAgent or LoginItem plist files in ~/Library/LaunchAgents/ |
| Network Connection Creation (DC0082) | NSM:Flow | Outbound HTTP/S initiated by newly installed interpreter process |

| Field | Description |
|---|---|
| StartupAgentPaths | Filter user persistence plist directories like ~/Library/LaunchAgents |
| UnsignedBinaryAlerting | Enable alerting for new binaries lacking Apple or organization signature |
| InstallToNetWindow | Correlate install action to interpreter-based network behavior |
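An added example, not code from the detection strategy, for the macOS plist-creation signal: when a new file appears under a StartupAgentPaths directory, parse it with plistlib and decide whether the agent launches a script through an interpreter or points at a user-writable location, the two properties that distinguish the post-install persistence described above from a vendor helper. Both plists below are constructed, and the interpreter list and path prefixes are assumptions; code-signature checking (UnsignedBinaryAlerting) is outside what can be done offline and is not attempted here.

```python
"""Assess a LaunchAgent plist created after a user-initiated install (macOS).
Added example, not part of the original strategy; the plists are constructed
and the tunable values are assumptions."""
import os
import plistlib

STARTUP_AGENT_PATHS = ("/Library/LaunchAgents/",)   # matches ~/Library/LaunchAgents for any user
INTERPRETERS = {"python", "python3", "node", "ruby", "perl", "osascript", "sh", "bash", "zsh"}
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")


def assess_launch_agent(plist_path: str, plist_bytes: bytes) -> dict:
    """Return what the agent runs and why (if at all) it looks like install-time persistence."""
    plist = plistlib.loads(plist_bytes)
    # launchd accepts either ProgramArguments (argv) or a bare Program path.
    args = list(plist.get("ProgramArguments") or ([plist["Program"]] if "Program" in plist else []))
    program = args[0] if args else None
    reasons = []
    if program is None:
        reasons.append("no program specified")
    else:
        if os.path.basename(program) in INTERPRETERS:
            reasons.append("interpreter launcher: " + program)
        # The script handed to the interpreter (or the program itself) lives where the user can write.
        writable = [a for a in args if a.startswith(USER_WRITABLE_PREFIXES)]
        if writable:
            reasons.append("user-writable path in arguments: " + writable[0])
    return {
        "label": plist.get("Label"),
        "program": program,
        "arguments": args,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "in_user_launch_agents": plist_path.startswith("/Users/")
                                 and any(p in plist_path for p in STARTUP_AGENT_PATHS),
        "reasons": reasons,
        "flagged": bool(reasons),
    }


# Constructed plists: an agent that runs a hidden script via python3, and a vendor helper.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/usr/bin/python3</string>
    <string>/Users/dev/.cache/.updater.py</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/helper</string>
    <string>--agent</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for path, data in [("/Users/dev/Library/LaunchAgents/com.example.updater.plist", SUSPICIOUS_PLIST),
                       ("/Users/dev/Library/LaunchAgents/com.example.helper.plist", BENIGN_PLIST)]:
        print(assess_launch_agent(path, data))
```

RunAtLoad is reported but not used as a trigger on its own, since legitimate agents set it too; the useful discriminators are an interpreter as the launcher and a script path the installing user could have written. The returned dictionary is shaped to be joined against the install and network events from the unified log and NSM feeds within InstallToNetWindow.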