MITRE ATT&CK® Detection Strategy

DET0309: Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly)

Enterprise | DET0309 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy is about spotting a potentially compromised software or update chain by correlating suspicious installer writes, unusual first-run or child-process behavior, and outbound network or signature anomalies. For leaders, the value is not simply malware detection; it is early recognition that trusted software delivery may have become an initial-access path, which can affect many systems quickly and complicate containment decisions.

Executive priority

Treat this as a high-priority validation area for operational resilience and incident readiness because it maps to ATT&CK T1195.002, Compromise Software Supply Chain, an initial-access technique affecting Linux, Windows, and macOS environments. Executives should ask whether the organization can distinguish normal software installation and update behavior from abnormal post-install execution and egress, and whether IR playbooks cover the possibility that a trusted vendor package or update channel is the entry point.

Technical view

The ATT&CK object provides no official detection text and does not specify platforms for the detection strategy itself, but its name gives a useful analytic pattern: correlate installer or updater write activity with first-run behavior, unexpected child processes, outbound communications, and code-signing or signature anomalies. SOC and detection teams should validate this pattern against the related T1195.002 initial-access context across environments where Linux, Windows, or macOS software distribution is in scope. The key defensive question is whether telemetry is linked across file creation/modification, process lineage, network egress, and software trust metadata rather than reviewed in isolation.

Likely telemetry

  • Software installer and updater execution records
  • File write or modification events in application, update, or installation paths
  • Process creation and parent-child process lineage
  • First-run execution evidence for newly installed or updated software
  • Outbound network connection and destination metadata

Detection direction

  • Build or validate correlation logic that ties installer/write activity to subsequent first-run and child-process behavior, then checks for unusual egress or signature anomalies.
  • Tune against known enterprise software deployment and update workflows to reduce false positives from legitimate patching, software management, and administrative tooling.
  • Prioritize visibility into trusted software distribution paths, update mechanisms, and high-impact applications because the related ATT&CK technique is an initial-access behavior.
  • Review whether detections work across the operating systems actually present in the environment; the related technique lists Linux, Windows, and macOS, while this detection strategy does not specify its own platforms.
  • Avoid relying on any single signal such as a network connection or a signature warning; the value of this strategy is in combining multiple weak signals into a higher-confidence investigation lead.
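The correlation sketched in these points, as an added Python example that is not part of the MITRE object or Glexia's analysis: it indexes installer writes, process lineage, egress and signature status, then only raises a lead when a first-run binary accumulates two or more weak signals. The event schema, installer image names, allow-listed update host and sample telemetry are all assumed or constructed.

```python
from collections import defaultdict

INSTALLERS = {"msiexec.exe", "setup.exe"}        # assumed installer/updater images
VENDOR_EGRESS = {"updates.vendor.test"}          # assumed allow-listed update hosts

# Constructed sample telemetry: one suspicious install, one benign install.
SAMPLE_EVENTS = [
    {"type": "file_write", "image": "msiexec.exe", "path": r"C:\App\app.exe"},
    {"type": "signature", "path": r"C:\App\app.exe", "status": "untrusted_root"},
    {"type": "process_create", "pid": 200, "ppid": 1, "path": r"C:\App\app.exe"},
    {"type": "process_create", "pid": 201, "ppid": 200, "path": r"C:\Windows\powershell.exe"},
    {"type": "network", "pid": 200, "dest": "telemetry.not-the-vendor.test"},
    {"type": "file_write", "image": "setup.exe", "path": r"C:\Tool\tool.exe"},
    {"type": "signature", "path": r"C:\Tool\tool.exe", "status": "valid"},
    {"type": "process_create", "pid": 300, "ppid": 1, "path": r"C:\Tool\tool.exe"},
    {"type": "network", "pid": 300, "dest": "updates.vendor.test"},
]

def correlate(events, min_anomalies=2):
    """Map each first-run installer-written binary to its anomaly signals (>= min_anomalies)."""
    written, sigs, procs = {}, {}, {}
    children, egress = defaultdict(list), defaultdict(list)
    for e in events:                                  # index each weak signal by path or pid
        if e["type"] == "file_write" and e["image"] in INSTALLERS:
            written[e["path"]] = e["image"]
        elif e["type"] == "signature":
            sigs[e["path"]] = e["status"]
        elif e["type"] == "process_create":
            procs[e["pid"]] = e
            children[e["ppid"]].append(e)
        elif e["type"] == "network":
            egress[e["pid"]].append(e["dest"])
    leads = {}
    for p in procs.values():
        if p["path"] not in written:                  # not the first run of an installed binary
            continue
        anomalies, stack = [], [p["pid"]]
        while stack:                                  # walk the first-run process subtree
            pid = stack.pop()
            anomalies += [f"egress to {d} from pid {pid}" for d in egress[pid] if d not in VENDOR_EGRESS]
            for c in children[pid]:
                stack.append(c["pid"])
                if c["path"] not in written:          # child is not part of the installed package
                    anomalies.append(f"unexpected child {c['path']}")
        if sigs.get(p["path"], "unknown") != "valid":
            anomalies.append(f"signature {sigs.get(p['path'], 'unknown')}")
        if len(anomalies) >= min_anomalies:           # combine weak signals, never alert on one
            leads[p["path"]] = anomalies
    return leads
```

Running `correlate(SAMPLE_EVENTS)` flags only `C:\App\app.exe` (unexpected child, non-vendor egress, untrusted signature), while the benign `tool.exe` install with a valid signature and vendor-only egress produces no lead.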

Mitigation priorities

  • Inventory critical software, update channels, and deployment mechanisms so defenders know what normal installer and updater behavior looks like.
  • Ensure endpoint, network, and software trust telemetry is retained and correlated for newly installed or updated applications.
  • Define incident response procedures for suspected software supply chain compromise, including scoping affected versions, isolating impacted systems, and preserving installer/update artifacts.
  • Use change management and software approval evidence to support audit readiness and to distinguish authorized updates from anomalous behavior.
  • Validate controls through tabletop or detection engineering exercises focused on compromised update-chain scenarios, without assuming any specific vendor or product exposure.

Analyst notes and limits

This Glexia take is based on a sparse ATT&CK detection strategy object. The strongest source-backed context comes from the relationship to T1195.002, Compromise Software Supply Chain, which is an enterprise initial-access technique involving manipulation of application source code, update or distribution mechanisms, or compiled releases before receipt by the final consumer.

The object has no official description, no official detection text, no tactics, and no platforms specified for the detection strategy itself. Local software deployment architecture, endpoint telemetry, network logging, and code-signing practices are required to determine practical detection coverage and control gaps.

Official MITRE ATT&CK definition

Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name                               Relationship / procedure
Enterprise  T1195.002  Compromise Software Supply Chain   Sub-technique: this object detects Compromise Software Supply Chain.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d63b95dd9d51b60f...
Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   d63b95dd9d51…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0309

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.