Shai-Hulud Workflow File Creation or Modification

Author
Michael Haag, Splunk
Source
upstream

Detects creation or modification of malicious GitHub Actions workflow files associated with Shai-Hulud worm variants on Linux or Windows endpoints. The paths covered are the original shai-hulud-workflow.yml (and shai-hulud.yml), the 2.0 backdoor discussion.yaml (which enables command injection via GitHub Discussions on self-hosted runners named SHA1HULUD), and the secrets exfiltration workflow matching the formatter_*.yml pattern, each in both .yml and .yaml spellings and in both forward-slash and backslash path forms. These files are used to exfiltrate credentials and propagate across repositories. The rule keys only on Filesystem.file_path under a .github/workflows directory, so it fires regardless of which process wrote the file; a legitimate repository that happens to ship a workflow named discussion.yml or formatter_<something>.yml will also match and should be tuned out via the filter macro.

MITRE ATT&CK coverage

Tactic               | Techniques
Initial Access       | T1195 Supply Chain Compromise
Persistence          | T1554 Compromise Host Software Binary, T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
Privilege Escalation | T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
Defense Evasion      | T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking

Event coverage

Provider | Event ID | Title
Sysmon   | 11       | FileCreate

Stages and Predicates

Stage 1: tstats

tstats WHERE Filesystem.file_path IN ("*/.github/workflows/discussion.yaml", "*/.github/workflows/discussion.yml", "*/.github/workflows/formatter_*.yaml", "*/.github/workflows/formatter_*.yml", "*/.github/workflows/shai-hulud-workflow.yaml", "*/.github/workflows/shai-hulud-workflow.yml", "*/.github/workflows/shai-hulud.yaml", "*/.github/workflows/shai-hulud.yml", "*\\.github\\workflows\\discussion.yaml", "*\\.github\\workflows\\discussion.yml", "*\\.github\\workflows\\formatter_*.yaml", "*\\.github\\workflows\\formatter_*.yml", "*\\.github\\workflows\\shai-hulud-workflow.yaml", "*\\.github\\workflows\\shai-hulud-workflow.yml", "*\\.github\\workflows\\shai-hulud.yaml", "*\\.github\\workflows\\shai-hulud.yml") BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. This rule has a single indicator: a wildcard IN match on Filesystem.file_path against the sixteen path patterns below (four workflow names, two extensions, two path-separator styles).

Field                | Kind | Values
Filesystem.file_path | in   | (see list)
  • "*/.github/workflows/discussion.yaml"
  • "*/.github/workflows/discussion.yml"
  • "*/.github/workflows/formatter_*.yaml"
  • "*/.github/workflows/formatter_*.yml"
  • "*/.github/workflows/shai-hulud-workflow.yaml"
  • "*/.github/workflows/shai-hulud-workflow.yml"
  • "*/.github/workflows/shai-hulud.yaml"
  • "*/.github/workflows/shai-hulud.yml"
  • "*\\.github\\workflows\\discussion.yaml"
  • "*\\.github\\workflows\\discussion.yml"
  • "*\\.github\\workflows\\formatter_*.yaml"
  • "*\\.github\\workflows\\formatter_*.yml"
  • "*\\.github\\workflows\\shai-hulud-workflow.yaml"
  • "*\\.github\\workflows\\shai-hulud-workflow.yml"
  • "*\\.github\\workflows\\shai-hulud.yaml"
  • "*\\.github\\workflows\\shai-hulud.yml"
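The following Python is an added reference matcher for the Stage 1 file_path predicate and the Indicators table above; it is not part of the Splunk rule or of Splunk's own code. It rebuilds the sixteen wildcard patterns from the rule, translates Splunk's `*` (any run of characters, including path separators) into a regex, and runs the predicate over a handful of constructed file-create events whose field names mirror the rule's BY clause. The hostnames, users and process IDs in the sample events are invented. Matching here is case-sensitive, exactly as the literal patterns are written; confirm how your own Splunk deployment treats case in a tstats WHERE clause before relying on either behaviour.

```python
"""Reference implementation of the Stage 1 file_path predicate from the
Shai-Hulud workflow-file rule, run over constructed file-create events.
Added example, not code from the Splunk rule itself."""
import re
from typing import Iterable, Optional

# Rebuild the rule's sixteen patterns: four workflow names x two extensions
# x two path-separator styles ("/" for Linux, "\" for Windows).
WORKFLOW_NAMES = ("discussion", "formatter_*", "shai-hulud-workflow", "shai-hulud")
PATTERNS = tuple(
    f"*{sep}.github{sep}workflows{sep}{name}.{ext}"
    for sep in ("/", "\\")
    for name in WORKFLOW_NAMES
    for ext in ("yaml", "yml")
)


def _wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Splunk wildcard pattern to an anchored regex.

    Splunk's '*' matches any run of characters, including path separators,
    so it becomes '.*'; every other character is a literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


COMPILED = [(p, _wildcard_to_regex(p)) for p in PATTERNS]


def matching_pattern(file_path: str) -> Optional[str]:
    """Return the first rule pattern that matches file_path, or None.

    Case-sensitive: the patterns are matched exactly as written."""
    for raw, rx in COMPILED:
        if rx.match(file_path):
            return raw
    return None


def run_detection(events: Iterable[dict]) -> list:
    """Apply the predicate to events and return the fields an analyst needs.

    The returned keys mirror a subset of the rule's tstats BY clause."""
    hits = []
    for ev in events:
        pat = matching_pattern(ev["file_path"])
        if pat is None:
            continue
        hits.append({
            "dest": ev["dest"],
            "user": ev["user"],
            "process_id": ev["process_id"],
            "file_path": ev["file_path"],
            "matched_pattern": pat,
        })
    return hits


# Constructed sample events (invented hosts, users and PIDs).
SAMPLE_EVENTS = [
    # Linux runner: Shai-Hulud 2.0 backdoor workflow written into a checkout.
    {"dest": "build-01.corp.example", "user": "ci", "process_id": 4417,
     "action": "created", "vendor_product": "Sysmon for Linux",
     "file_path": "/home/ci/src/acme-app/.github/workflows/discussion.yaml"},
    # Windows runner: secrets-exfiltration workflow with a random suffix.
    {"dest": "WIN-RUNNER-07", "user": "CORP\\svc-build", "process_id": 9120,
     "action": "created", "vendor_product": "Sysmon",
     "file_path": "C:\\Users\\svc-build\\src\\acme-app\\.github\\workflows\\formatter_a1b2c3.yml"},
    # Benign workflow in the same directory: must not fire.
    {"dest": "build-01.corp.example", "user": "ci", "process_id": 4417,
     "action": "created", "vendor_product": "Sysmon for Linux",
     "file_path": "/home/ci/src/acme-app/.github/workflows/ci.yml"},
    # Same malicious filename outside .github/workflows: the rule does not
    # cover it, so a staged copy elsewhere on disk is not seen by this search.
    {"dest": "build-01.corp.example", "user": "ci", "process_id": 4417,
     "action": "created", "vendor_product": "Sysmon for Linux",
     "file_path": "/home/ci/src/acme-app/archive/shai-hulud-workflow.yml"},
    # Relative path as some sensors log it: "*/" needs a separator before
    # .github, so this also does not match. Normalise paths before indexing.
    {"dest": "build-02.corp.example", "user": "ci", "process_id": 5150,
     "action": "created", "vendor_product": "Sysmon for Linux",
     "file_path": ".github/workflows/discussion.yaml"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit)
```

Only the first two sample events produce hits. The last two are the cases worth knowing about when tuning: the rule is anchored on a `.github/workflows` directory with at least one separator before it, so a malicious file staged elsewhere, or a file path logged relative to the repository root, is outside its coverage.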