Supply-Chain Firewall unverified package manager command

Goal

This rule detects instances of Supply-Chain Firewall running a package manager command without verification, which occurs when the underlying package manager is on an unsupported version. In that case Supply-Chain Firewall is unable to resolve the command’s installation targets, if any, so the packages the command installed were not checked before installation.

Strategy

This rule monitors Supply-Chain Firewall’s logs for @verified:false. This attribute is set only when Supply-Chain Firewall was unable to verify a package manager command it executed.

Triage and response

  • Examine the logs to determine the package manager command that was executed and whether the command may have installed packages.
  • Determine whether any packages that were installed have associated security advisories using:
    • Datadog Security Research’s public malicious packages dataset
    • OSV.dev’s public API or website
  • Based on the results of the previous step, take any necessary action to remediate the system where the command was executed.
  • If possible, update the affected package manager to a supported version to take advantage of Supply-Chain Firewall verification.
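The following Python script is an added example of the detection and triage steps above; it is not part of this rule or of Supply-Chain Firewall. It assumes Supply-Chain Firewall writes one JSON record per line carrying a boolean `verified` attribute (the attribute the rule queries as `@verified:false`); the other field names (`command`, `ecosystem`, `timestamp`) and the sample log lines are constructed for illustration. It flags unverified records, extracts the install targets from the logged command, and builds the request bodies for OSV.dev’s `POST /v1/query` endpoint without sending them.

```python
import json
import re

# Constructed sample log lines in the shape this example assumes Supply-Chain
# Firewall emits (one JSON object per line). Only "verified" is taken from the
# rule's query; the remaining field names are assumptions for illustration.
SAMPLE_LOGS = """\
{"timestamp":"2024-05-01T10:00:01Z","verified":true,"command":"npm install express@4.19.2","ecosystem":"npm"}
{"timestamp":"2024-05-01T10:02:17Z","verified":false,"command":"pip install requests==2.31.0 rich","ecosystem":"PyPI"}
{"timestamp":"2024-05-01T10:05:42Z","verified":false,"command":"npm install --save-dev left-pad@1.3.0","ecosystem":"npm"}
{"timestamp":"2024-05-01T10:06:00Z","verified":false,"command":"npm audit","ecosystem":"npm"}
"""

# Sub-commands that can install packages, per ecosystem (OSV.dev ecosystem names).
INSTALL_VERBS = {"npm": {"install", "i", "add"}, "PyPI": {"install"}}


def parse_unverified(log_text):
    """Return the records with verified == false, skipping unparseable lines."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: not a JSON record, ignore it
        if rec.get("verified") is False:
            hits.append(rec)
    return hits


def install_targets(command, ecosystem):
    """Best-effort extraction of (name, version) pairs from an install command.

    Returns [] when the command cannot install anything (e.g. `npm audit`).
    version is None when the command did not pin one.
    """
    tokens = command.split()
    if len(tokens) < 2 or tokens[1] not in INSTALL_VERBS.get(ecosystem, set()):
        return []
    targets = []
    for tok in tokens[2:]:
        if tok.startswith("-"):  # skip flags such as --save-dev
            continue
        if ecosystem == "npm":
            # name@version, including scoped packages (@scope/name@version)
            m = re.match(r"^(@?[^@]+)(?:@(.+))?$", tok)
        else:
            # PyPI: name==version
            m = re.match(r"^([A-Za-z0-9._-]+)(?:==(.+))?$", tok)
        if m:
            targets.append((m.group(1), m.group(2)))
    return targets


def osv_query(name, ecosystem, version):
    """Build the JSON body for OSV.dev's POST https://api.osv.dev/v1/query.

    The endpoint and body shape are OSV.dev's real API; this example only
    constructs the body so it runs offline.
    """
    body = {"package": {"name": name, "ecosystem": ecosystem}}
    if version:
        body["version"] = version
    return body


def triage(log_text):
    """Map each unverified command to its install targets and OSV query bodies."""
    report = []
    for rec in parse_unverified(log_text):
        eco = rec.get("ecosystem", "")
        targets = install_targets(rec.get("command", ""), eco)
        report.append({
            "timestamp": rec.get("timestamp"),
            "command": rec.get("command"),
            "queries": [osv_query(n, eco, v) for n, v in targets],
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOGS):
        print(entry["timestamp"], repr(entry["command"]))
        if not entry["queries"]:
            print("  no install targets; command could not have installed packages")
        for q in entry["queries"]:
            print("  OSV query:", json.dumps(q))
```

Records whose command has no install targets (the `npm audit` line) still appear in the report so the analyst sees every unverified execution, but they carry no OSV queries; the remaining queries can be posted to OSV.dev, or the package names checked against Datadog Security Research’s malicious packages dataset, before deciding on remediation.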