← Library
splApache-2.0from splunk/security_content

Shai-Hulud 2 Exfiltration Artifact Files

Detects creation of exfiltration artifact files associated with Shai-Hulud 2.0 npm supply chain malware. The malware creates cloud.json, contents.json, environment.json, truffleSecrets.json, and actionsSecrets.json files containing harvested credentials from AWS, Azure, GCP, GitHub secrets, and environment variables. These files are staged before being pushed to attacker-controlled repositories.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/shai_hulud_2_exfiltration_artifact_files.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime

from datamodel=Endpoint.Filesystem where

Filesystem.file_name IN (
  "cloud.json",
  "contents.json",
  "environment.json",
  "truffleSecrets.json",
  "actionsSecrets.json"
)

by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
   Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user
   Filesystem.vendor_product

| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `shai_hulud_2_exfiltration_artifact_files_filter`