| ID | Technique | Tactic |
|---|---|---|
| T1574.006 | Dynamic Linker Hijacking | Defense Evasion |
| T1554 | Compromise Host Software Binary | Persistence |
| T1195 | Supply Chain Compromise | Privilege Escalation |
Detection: Shai-Hulud Workflow File Creation or Modification
Description
Detects creation or deletion of malicious GitHub Actions workflow files associated with Shai-Hulud worm variants on Linux or Windows endpoints. This covers the original shai-hulud-workflow.yml, the Shai-Hulud 2.0 backdoor workflow discussion.yaml (which enables command injection via GitHub Discussions on self-hosted runners named SHA1HULUD), and the secrets exfiltration workflows matching the formatter_*.yml pattern. These files are used to exfiltrate credentials and propagate across repositories.
Search
```spl
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Filesystem where
  Filesystem.file_path IN (
    "*/.github/workflows/discussion.yaml",
    "*/.github/workflows/discussion.yml",
    "*/.github/workflows/formatter_*.yaml",
    "*/.github/workflows/formatter_*.yml",
    "*/.github/workflows/shai-hulud-workflow.yaml",
    "*/.github/workflows/shai-hulud-workflow.yml",
    "*/.github/workflows/shai-hulud.yaml",
    "*/.github/workflows/shai-hulud.yml",
    "*\\.github\\workflows\\discussion.yaml",
    "*\\.github\\workflows\\discussion.yml",
    "*\\.github\\workflows\\formatter_*.yaml",
    "*\\.github\\workflows\\formatter_*.yml",
    "*\\.github\\workflows\\shai-hulud-workflow.yaml",
    "*\\.github\\workflows\\shai-hulud-workflow.yml",
    "*\\.github\\workflows\\shai-hulud.yaml",
    "*\\.github\\workflows\\shai-hulud.yml"
  )
  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
     Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
     Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
     Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `shai_hulud_workflow_file_creation_or_modification_filter`
```
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon EventID 11 | Windows | 'XmlWinEventLog' | 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| Sysmon for Linux EventID 11 | Linux | 'sysmon:linux' | 'Syslog:Linux-Sysmon/Operational' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| shai_hulud_workflow_file_creation_or_modification_filter | search * |
shai_hulud_workflow_file_creation_or_modification_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
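The search above and the empty filter macro can be exercised outside Splunk. The following is an added example, not part of this detection's content: it parses constructed Sysmon EventID 11 XML events (the XML shape is modelled on Sysmon's `System`/`EventData` layout; the sample hostnames, paths and users are made up), normalises Windows backslashes to forward slashes so the eight Linux patterns from the SPL cover both operating systems, case-folds the path so a `.GitHub\Workflows` spelling is still caught, aggregates hits per `dest` and `file_path` with `firstTime`/`lastTime` like the `tstats` output, and exposes an `allow` callback that plays the role of `shai_hulud_workflow_file_creation_or_modification_filter`. Because the Data Source table lists only EventID 11 (FileCreate), the sample FileDelete event (EventID 23) is deliberately ignored.

```python
import fnmatch
import xml.etree.ElementTree as ET

# The workflow paths from the detection's IN (...) list, written once with
# forward slashes. Windows paths are normalised to forward slashes before
# matching, so the eight "*\\.github\\workflows\\..." variants in the SPL
# collapse into this single list.
WORKFLOW_PATTERNS = [
    "*/.github/workflows/discussion.yaml",
    "*/.github/workflows/discussion.yml",
    "*/.github/workflows/formatter_*.yaml",
    "*/.github/workflows/formatter_*.yml",
    "*/.github/workflows/shai-hulud-workflow.yaml",
    "*/.github/workflows/shai-hulud-workflow.yml",
    "*/.github/workflows/shai-hulud.yaml",
    "*/.github/workflows/shai-hulud.yml",
]

SYSMON_FILE_CREATE = 11  # Sysmon EventID 11: FileCreate, the data source on this page


def make_event(event_id, computer, utc_time, image, target, user):
    """Build a Sysmon-style XML event. Constructed sample data, not real telemetry."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f"<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
        "<EventData>"
        f'<Data Name="UtcTime">{utc_time}</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetFilename">{target}</Data>'
        f'<Data Name="User">{user}</Data>'
        "</EventData></Event>"
    )


# Constructed events: two workflow drops on a Linux runner, one on a Windows
# runner with a mixed-case path, one benign CI workflow, and one FileDelete
# (EventID 23) that the EventID 11 data source does not cover.
SAMPLE_EVENTS = [
    make_event(11, "runner-01", "2025-11-24 10:15:02.123", "/usr/bin/node",
               "/home/runner/work/app/app/.github/workflows/discussion.yaml", "runner"),
    make_event(11, "runner-01", "2025-11-24 10:16:40.500", "/usr/bin/node",
               "/home/runner/work/app/app/.github/workflows/discussion.yaml", "runner"),
    make_event(11, "WIN-RUNNER", "2025-11-24 10:20:11.004", r"C:\Program Files\nodejs\node.exe",
               r"C:\actions-runner\_work\app\app\.GitHub\workflows\formatter_3f2a.yml",
               r"WIN-RUNNER\runner"),
    make_event(11, "dev-laptop", "2025-11-24 11:02:59.000", "/usr/bin/vim",
               "/home/alice/proj/.github/workflows/ci.yml", "alice"),
    make_event(23, "runner-01", "2025-11-24 12:00:00.000", "/usr/bin/rm",
               "/home/runner/work/app/app/.github/workflows/shai-hulud-workflow.yml", "runner"),
]


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon XML event into a dict of EventID, Computer and EventData fields."""
    fields = {}
    for elem in ET.fromstring(xml_text).iter():
        local = elem.tag.rsplit("}", 1)[-1]  # strip the xmlns prefix from the tag name
        if local == "EventID":
            fields["EventID"] = int(elem.text)
        elif local == "Computer":
            fields["Computer"] = elem.text
        elif local == "Data" and "Name" in elem.attrib:
            fields[elem.attrib["Name"]] = elem.text or ""
    return fields


def matches_shai_hulud_workflow(path):
    """True if the path matches one of the detection's workflow patterns on either OS."""
    normalised = path.replace("\\", "/").lower()  # single separator, case-folded
    return any(fnmatch.fnmatchcase(normalised, pat) for pat in WORKFLOW_PATTERNS)


def run_detection(xml_events, allow=lambda hit: False):
    """Aggregate matching FileCreate events per (dest, file_path), like the tstats search.

    `allow` plays the role of the empty *_filter macro: return True to suppress a hit.
    """
    hits = {}
    for xml_text in xml_events:
        ev = parse_sysmon_event(xml_text)
        if ev.get("EventID") != SYSMON_FILE_CREATE:
            continue
        path = ev.get("TargetFilename", "")
        if not matches_shai_hulud_workflow(path):
            continue
        hit = hits.setdefault((ev["Computer"], path), {
            "dest": ev["Computer"], "file_path": path, "count": 0,
            "firstTime": ev["UtcTime"], "lastTime": ev["UtcTime"],
            "users": set(), "images": set(),
        })
        hit["count"] += 1
        hit["firstTime"] = min(hit["firstTime"], ev["UtcTime"])  # "YYYY-MM-DD HH:MM:SS" sorts chronologically
        hit["lastTime"] = max(hit["lastTime"], ev["UtcTime"])
        hit["users"].add(ev.get("User", ""))
        hit["images"].add(ev.get("Image", ""))
    return [h for h in hits.values() if not allow(h)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"Shai-Hulud malicious workflow file detected on endpoint {hit['dest']} "
              f"at {hit['file_path']} ({hit['count']} event(s), users={sorted(hit['users'])})")
```

Run stand-alone, it reports the two runner hosts and skips both the benign `ci.yml` and the delete event. Passing `allow=lambda h: h["dest"] == "WIN-RUNNER"` suppresses the Windows hit, which is the same effect as putting a `NOT dest="WIN-RUNNER"` clause into the filter macro once a repository owner has confirmed a result is expected.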
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain filesystem events, specifically file creation and deletion events. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Filesystem node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Very low. Legitimate usage of a file with this exact name is unlikely; validate with repository owners.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Shai-Hulud malicious workflow file detected on endpoint $dest$ at $file_path$. Immediate investigation required.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 30 | file_path |
References
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | Syslog:Linux-Sysmon/Operational | sysmon:linux |
| Integration | ✅ Passing | Dataset | Syslog:Linux-Sysmon/Operational | sysmon:linux |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1