1) New or updated software is delivered/installed from atypical sources or with signature/hash mismatches; 2) installer/updater writes binaries to unexpected paths or replaces existing signed files; 3) first run causes unsigned/abnormally signed modules to load or child processes to execute, optionally followed by network egress to new destinations.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Metadata (DC0059) | WinEventLog:Microsoft-Windows-CodeIntegrity/Operational | CodeIntegrity reports 'Invalid image hash' or 'Unsigned image' for new/updated binaries |
| Network Traffic Flow (DC0078) | NSM:Flow | First-time egress from host after new install to unknown update endpoints |
| Field | Description |
|---|---|
| TimeWindow | Correlation window between install events and first-run activity (default 2h; adjust for staged rollouts). |
| TrustedPublishers | Publisher/Signer allow-list to suppress expected updates. |
| TrustedUpdateHosts | Known update CDNs/APIs (e.g., download.microsoft.com) to reduce egress false positives. |
| RiskScoreThreshold | Score cut-off for alerting when combining path, signer, and reputation features. |
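The Windows analytic above (install event, then first-run activity within TimeWindow, scored against the TrustedPublishers and TrustedUpdateHosts allow-lists) as an added Python example; it is not part of the original page. Event field names, the constructed telemetry, the per-feature weights, and the expected install roots are this example's own assumptions.

```python
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(hours=2)                   # TimeWindow default from the table
TRUSTED_PUBLISHERS = {"Microsoft Corporation"}     # TrustedPublishers allow-list
TRUSTED_UPDATE_HOSTS = {"download.microsoft.com"}  # TrustedUpdateHosts allow-list
RISK_SCORE_THRESHOLD = 5                           # RiskScoreThreshold (assumed value)
EXPECTED_PATHS = ("C:\\Program Files\\", "C:\\Program Files (x86)\\")  # assumed install roots

def score_install(install, events):
    """Score one install (Sysmon EventCode 11 write) against same-host events in TIME_WINDOW."""
    score, reasons = 0, []
    if install["signer"] not in TRUSTED_PUBLISHERS:
        score += 2; reasons.append("signer not allow-listed")
    if not install["path"].startswith(EXPECTED_PATHS):
        score += 2; reasons.append("binary written to unexpected path")
    start = datetime.fromisoformat(install["ts"])
    for ev in events:
        when = datetime.fromisoformat(ev["ts"])
        if ev["host"] != install["host"] or not start <= when <= start + TIME_WINDOW:
            continue  # other host, or outside the install -> first-run window
        if ev["type"] == "codeintegrity" and ev["image"] == install["path"]:
            score += 3; reasons.append("CodeIntegrity: " + ev["msg"])
        elif ev["type"] == "sysmon1" and ev["parent"] == install["path"]:
            score += 1; reasons.append("first-run child process: " + ev["image"])
        elif (ev["type"] == "flow" and ev["process"] == install["path"]
              and ev["dest"] not in TRUSTED_UPDATE_HOSTS):
            score += 2; reasons.append("first egress to " + ev["dest"])
    return score, reasons

def should_alert(install, events):
    score, reasons = score_install(install, events)
    return score >= RISK_SCORE_THRESHOLD, score, reasons

# Constructed sample telemetry (not real events); keys are this example's own naming.
UPD = "C:\\Users\\Public\\updater.exe"
SUSPICIOUS = {"ts": "2024-05-01T10:00:00", "host": "ws01", "signer": "Unknown Vendor", "path": UPD}
BENIGN = {"ts": "2024-05-01T11:00:00", "host": "ws01", "signer": "Microsoft Corporation",
          "path": "C:\\Program Files\\Tool\\tool.exe"}
EVENTS = [
    {"ts": "2024-05-01T10:05:00", "host": "ws01", "type": "codeintegrity", "image": UPD,
     "msg": "Invalid image hash"},
    {"ts": "2024-05-01T10:05:30", "host": "ws01", "type": "sysmon1", "parent": UPD,
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2024-05-01T10:06:00", "host": "ws01", "type": "flow", "process": UPD,
     "dest": "updates.example.invalid"},
    {"ts": "2024-05-01T11:02:00", "host": "ws01", "type": "flow",
     "process": "C:\\Program Files\\Tool\\tool.exe", "dest": "download.microsoft.com"},
    {"ts": "2024-05-01T14:00:00", "host": "ws01", "type": "sysmon1", "parent": UPD,
     "image": "C:\\Windows\\System32\\cmd.exe"},  # after the 2h window: ignored
]
```

Calling `should_alert(SUSPICIOUS, EVENTS)` returns `(True, 10, [...])` with five reasons, while the allow-listed install scores 0 because its only egress goes to a trusted update host.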
1) Package manager or curl/wget installs/upgrades from non-approved repos or unsigned packages; 2) new ELF written into PATH directories or replacement of existing binaries/libraries; 3) first run leads to unexpected child processes or outbound connections.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve, unlink |
| Process Modification (DC0020) | auditd:SYSCALL | open, rename |
| File Metadata (DC0059) | journald:package | dpkg/apt install, remove, upgrade events |
| Network Traffic Flow (DC0078) | NSM:Flow | First-time egress to unknown registries/mirrors immediately after install |
| Field | Description |
|---|---|
| ApprovedRepos | Allow-listed APT/YUM repo URLs and GPG key fingerprints. |
| PathScope | Directories to watch for new ELF writes (e.g., /usr/bin, /usr/local/bin, /lib*/, /opt/*/bin). |
| MinBinarySize | Ignore tiny helper files; default >16KB. |
| TimeWindow | Install→first-run correlation window (default 2h). |
1) pkg/notarization installs from atypical sources or with Gatekeeper/AMFI warnings; 2) new Mach-O written into /Applications or ~/Library paths, or substitution of signed components; 3) first run from the installer spawns unsigned children or generates exfiltration traffic.
| Data Component | Name | Channel |
|---|---|---|
| File Metadata (DC0059) | macos:unifiedlog | installer or system_installd 'PackageKit: install succeeded/failed' with non-notarized or unknown signer |
| Process Creation (DC0032) | macos:osquery | launchd, processes |
| File Modification (DC0061) | macos:endpointsecurity | write, rename |
| Network Traffic Flow (DC0078) | NSM:Flow | New egress from app just installed to unknown update endpoints |
| Field | Description |
|---|---|
| AllowedTeamIDs | Apple Developer Team IDs permitted in your fleet. |
| TrustedDMGs | Known DMG/Pkg sources and hashes. |
| TimeWindow | Install→first-run correlation window (default 2h). |
| RiskScoreThreshold | Adjust alert sensitivity based on org tolerance. |