Supply-Chain Firewall blocked package manager command
Goal
This rule detects instances of Supply-Chain Firewall automatically blocking package manager commands from running.
Strategy
This rule monitors Supply-Chain Firewall’s logs for automatically blocked package manager commands (@evt.outcome:BLOCK -@warned:true). These events occur when Supply-Chain Firewall determines that running a command would result in known malware being installed.
Note that blocked commands with @warned:true correspond to user-initiated cancellations of package manager commands after being presented with warnings by Supply-Chain Firewall. These warnings are generally related to vulnerabilities, not malware, and hence have been excluded.
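The following is an added example, not Datadog's code or part of this rule: a small Python filter that applies the rule's query logic (@evt.outcome:BLOCK -@warned:true) to Supply-Chain Firewall log events and summarizes which packages caused the blocks, which is the first triage step. The JSON shape of the events, including the "command" and "targets" field names, is an assumption for illustration; only the evt.outcome and warned fields come from the rule text. The sample log lines are constructed.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample events in a hypothetical JSON-lines format. The fields
# evt.outcome and warned are the ones the rule queries; "command" and
# "targets" are assumed names for the rest of the event.
SAMPLE_LOGS = [
    '{"evt": {"outcome": "BLOCK"}, "warned": false, '
    '"command": "npm install evilpkg", "targets": ["npm:evilpkg@1.0.0"]}',
    # Blocked because the user cancelled after a vulnerability warning: excluded.
    '{"evt": {"outcome": "BLOCK"}, "warned": true, '
    '"command": "pip install oldlib", "targets": ["pypi:oldlib@0.1"]}',
    '{"evt": {"outcome": "ALLOW"}, '
    '"command": "npm install lodash", "targets": ["npm:lodash@4.17.21"]}',
    # No warned field at all: still matches, just as in the Datadog query.
    '{"evt": {"outcome": "BLOCK"}, '
    '"command": "pip install badpkg", "targets": ["pypi:badpkg@2.3"]}',
    'not valid json',
]


def is_auto_block(event: dict) -> bool:
    """Mirror @evt.outcome:BLOCK -@warned:true.

    The negated term excludes only events where warned is literally true;
    an absent or false warned field still matches the rule.
    """
    outcome = event.get("evt", {}).get("outcome")
    return outcome == "BLOCK" and event.get("warned") is not True


def auto_blocked_events(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines input and keep only automatically blocked commands."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole scan
        if is_auto_block(event):
            events.append(event)
    return events


def blocked_packages(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each blocked package target to the commands that tried to install it.

    This answers the first triage question: which package(s) caused
    Supply-Chain Firewall to block.
    """
    summary: Dict[str, List[str]] = {}
    for event in auto_blocked_events(lines):
        for target in event.get("targets", []):
            summary.setdefault(target, []).append(event.get("command", ""))
    return summary


if __name__ == "__main__":
    for target, commands in blocked_packages(SAMPLE_LOGS).items():
        print(f"{target}: blocked in {len(commands)} command(s): {commands}")
```

The filter deliberately treats a missing warned field the same way the Datadog query does (it still matches), so that an event whose warned attribute was never set is not silently dropped from the detection.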
Triage and response
Any logs detected by this rule are for package manager commands that were blocked from running, so no incident response measures are required.
- Examine the logs to determine which package(s) caused Supply-Chain Firewall to block.
- Investigate the context in which the blocked command was executed.
- Determine whether the blocked command resulted from a false positive in Supply-Chain Firewall’s verifiers.
- This can occur, for example, when a benign package hosted internally in your enterprise has the same name as a malicious package hosted on the public registry.
- In the event of a true positive, audit other endpoints in your environment for completed installations of the packages of concern.