Adversary ships a tampered application or update: an updater/installer (msiexec/setup/update.exe/vendor service) writes or replaces binaries; on first run it spawns scripts/shells or unsigned DLLs and beacons to non-approved update CDNs/hosts. Detection correlates: (1) process creation of installer/updater → (2) file metadata changes in program paths → (3) first-run children and module/signature anomalies → (4) outbound connections to unexpected hosts within a short window.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=22 |
| File Metadata (DC0059) | WinEventLog:Microsoft-Windows-CodeIntegrity/Operational | Unsigned or invalid image for newly installed/updated binaries |
| Network Traffic Flow (DC0078) | NSM:Flow | First-time egress to non-approved update hosts right after install/update |

| Field | Description |
|---|---|
| TimeWindow | Correlate write→first-run→egress (default 90 minutes). |
| ApprovedUpdateHosts | Allow-list of vendor update endpoints, enterprise proxy/cache. |
| ApprovedSigners | Code-signing publishers allowed for programs/services. |
| ProgramPaths | Monitored install locations (e.g., C:\Program Files, C:\ProgramData, %LOCALAPPDATA%). |

A compromised package/update (deb/rpm/tarball/AppImage/vendor updater) is installed, writing/overwriting files in /usr/local/bin, /usr/bin, /opt, or ~/.local; first run executes unexpected shells/curl/wget and connects to unapproved hosts. Correlate package/updater execution → file writes/replace → first-run child processes → egress.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Metadata (DC0059) | journald:package | dpkg/apt/yum/dnf transaction logs; vendor updaters in systemd journals |
| Network Traffic Flow (DC0078) | NSM:Flow | New outbound flows to non-approved vendor hosts post install |

| Field | Description |
|---|---|
| PathScope | Monitored install paths (/usr/local, /usr/bin, /opt/*, ~/.local/bin, /var/lib/systemd). |
| ApprovedRepos | Allow-listed APT/YUM repos and GPG keys for vendor updates. |
| TimeWindow | Default 90 minutes. |

A tampered app/pkg/notarized update is installed via installer, softwareupdated, Homebrew, or vendor updater; new Mach-O or bundle contents appear in /Applications, /Library, /usr/local or /opt/homebrew; first run spawns sh/zsh/osascript/curl and makes egress to unfamiliar domains; AMFI/Gatekeeper may log signature/notarization problems.

| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | pkginstalld/softwareupdated/Homebrew install transactions |
| Process Creation (DC0032) | macos:endpointsecurity | exec |
| Network Traffic Flow (DC0078) | NSM:Flow | New/rare egress to non-approved update hosts after install |

| Field | Description |
|---|---|
| AllowedTeamIDs | Apple Developer Team IDs allowed for enterprise. |
| BrewTapsAllowList | Trusted Homebrew taps. |
| TimeWindow | Default 90 minutes. |
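The three platform descriptions above (Windows, Linux, macOS) share one correlation shape: installer/updater execution → file write in a monitored program path → first run of the new binary with shell children or signature anomalies → egress to a host outside the allow-list, all inside TimeWindow. The following Python is an added example written for this page, not code from ATT&CK or any vendor. It assumes the Sysmon, auditd/journald and Endpoint Security events have already been normalized into the simple `Event` schema below (a hypothetical schema), and the host names, paths, publisher and domains in `SAMPLE_EVENTS` are constructed; the `Config` fields mirror the mutable elements in the tables (TimeWindow, ProgramPaths/PathScope, ApprovedUpdateHosts, ApprovedSigners).

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "process" | "file" | "network" | "signature"  (hypothetical normalized schema)
    pid: int = 0
    ppid: int = 0
    image: str = ""    # process image (process/network events)
    path: str = ""     # file written (file events) or image checked (signature events)
    dest: str = ""     # remote host (network events)
    signer: str = ""   # code-signing publisher; "" means unsigned/invalid

@dataclass
class Config:
    time_window: timedelta = timedelta(minutes=90)                       # TimeWindow
    program_paths: tuple = ("C:\\Program Files", "C:\\ProgramData",       # ProgramPaths / PathScope
                            "/usr/local", "/usr/bin", "/opt", "/Applications")
    approved_update_hosts: frozenset = frozenset({"updates.vendor.invalid"})  # ApprovedUpdateHosts (constructed)
    approved_signers: frozenset = frozenset({"Vendor Corp"})                 # ApprovedSigners (constructed)
    installers: tuple = ("msiexec.exe", "setup.exe", "update.exe", "dpkg", "apt-get",
                         "rpm", "installer", "softwareupdated", "brew")
    shells: tuple = ("cmd.exe", "powershell.exe", "sh", "bash", "zsh", "osascript", "curl", "wget")

def _norm(p: str) -> str:
    return p.replace("\\", "/").lower()

def _base(p: str) -> str:
    return _norm(p).rsplit("/", 1)[-1]

def in_program_paths(path: str, cfg: Config) -> bool:
    return any(_norm(path).startswith(_norm(pp)) for pp in cfg.program_paths)

def correlate(events: List[Event], cfg: Config = Config()) -> List[dict]:
    """Return one alert per installer run that completes the write -> first-run -> egress chain."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    # stage 1: installer/updater process creation
    for inst in (e for e in events if e.kind == "process" and _base(e.image) in cfg.installers):
        win = [e for e in events if e.host == inst.host and inst.ts <= e.ts <= inst.ts + cfg.time_window]
        # stage 2: binaries written or replaced under monitored program paths
        written = {_norm(e.path) for e in win if e.kind == "file" and in_program_paths(e.path, cfg)}
        if not written:
            continue
        # stage 3: first run of a written binary, its shell/downloader children, signature anomalies
        first_runs = [e for e in win if e.kind == "process" and _norm(e.image) in written]
        run_pids = {e.pid for e in first_runs}
        children = [e for e in win if e.kind == "process" and e.ppid in run_pids and _base(e.image) in cfg.shells]
        unsigned = [e for e in win if e.kind == "signature" and _norm(e.path) in written
                    and e.signer not in cfg.approved_signers]
        # stage 4: egress from the new binary or its children to a host outside the allow-list
        pids = run_pids | {c.pid for c in children}
        egress = [e for e in win if e.kind == "network" and e.pid in pids
                  and e.dest not in cfg.approved_update_hosts]
        if first_runs and egress and (children or unsigned):
            alerts.append({
                "host": inst.host, "installer": inst.image, "written": sorted(written),
                "children": sorted(_base(c.image) for c in children),
                "unsigned": sorted(e.path for e in unsigned),
                "egress": sorted(e.dest for e in egress),
            })
    return alerts

def shift_egress(events: List[Event], minutes: int) -> List[Event]:
    """Copy of the events with every network event delayed, to test the TimeWindow boundary."""
    return [replace(e, ts=e.ts + timedelta(minutes=minutes)) if e.kind == "network" else e for e in events]

T0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, two hosts
    # ws01: msiexec writes an unsigned acme.exe; its first run spawns powershell, which beacons out
    Event(T0, "ws01", "process", pid=100, ppid=1, image=r"C:\Windows\System32\msiexec.exe"),
    Event(T0 + timedelta(minutes=1), "ws01", "file", pid=100, path=r"C:\Program Files\Acme\acme.exe"),
    Event(T0 + timedelta(minutes=2), "ws01", "signature", path=r"C:\Program Files\Acme\acme.exe", signer=""),
    Event(T0 + timedelta(minutes=5), "ws01", "process", pid=200, ppid=4, image=r"C:\Program Files\Acme\acme.exe"),
    Event(T0 + timedelta(minutes=6), "ws01", "process", pid=201, ppid=200, image=PS),
    Event(T0 + timedelta(minutes=7), "ws01", "network", pid=201, image=PS, dest="cdn.updates-mirror.invalid"),
    # srv01: apt-get installs a tool whose only egress goes to the approved vendor host (benign)
    Event(T0, "srv01", "process", pid=300, ppid=1, image="/usr/bin/apt-get"),
    Event(T0 + timedelta(minutes=1), "srv01", "file", pid=300, path="/usr/bin/vendortool"),
    Event(T0 + timedelta(minutes=3), "srv01", "process", pid=400, ppid=1, image="/usr/bin/vendortool"),
    Event(T0 + timedelta(minutes=4), "srv01", "network", pid=400, image="/usr/bin/vendortool", dest="updates.vendor.invalid"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Run as-is, the Windows chain on ws01 produces one alert carrying the written path, the powershell.exe child, the unsigned image and the non-approved destination, while the Linux install on srv01 produces none because its egress is on the allow-list. `shift_egress(SAMPLE_EVENTS, 180)` pushes the beacon past the 90-minute TimeWindow and the alert disappears, which is the trade-off the TimeWindow element controls: a wider window catches slower first-run beacons at the cost of more benign installer-plus-egress coincidences.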