LoFP / legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.

Techniques

Sample rules

Script Interpreter Spawning Credential Scanner - Linux

Description

Detects a script interpreter process (such as Node.js or Bun) spawning a known credential scanning tool (e.g., trufflehog or gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the “Shai-Hulud: The Second Coming” campaign.

Detection logic

condition: all of selection_*
selection_child:
- Image|endswith:
  - /trufflehog
  - /gitleaks
- CommandLine|contains:
  - trufflehog
  - gitleaks
selection_parent:
  ParentImage|endswith:
  - /node
  - /bun

Script Interpreter Spawning Credential Scanner - Windows

Description

Detects a script interpreter process (such as Node.js or Bun) spawning a known credential scanning tool (e.g., trufflehog or gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the “Shai-Hulud: The Second Coming” campaign.

Detection logic

condition: all of selection_*
selection_child:
- Image|endswith:
  - trufflehog.exe
  - gitleaks.exe
- CommandLine|contains:
  - trufflehog
  - gitleaks
selection_parent:
  ParentImage|endswith:
  - \node.exe
  - \bun.exe
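To see how the two rules above behave, and why the CI/CD false positive at the top of the page fires, here is an added example (not part of the LoFP page or the Sigma rules themselves) that reproduces the rule logic in Python and runs it over constructed process-creation events; the Sysmon-style field names and the sample events are assumptions.

```python
# Added example: hand-written evaluation of the Linux and Windows Sigma rules
# above over constructed process-creation events. Field names (Image,
# CommandLine, ParentImage) follow Sysmon conventions; the events are made up.

LINUX_RULE = {
    "child_image_endswith": ("/trufflehog", "/gitleaks"),
    "child_cmdline_contains": ("trufflehog", "gitleaks"),
    "parent_image_endswith": ("/node", "/bun"),
}
WINDOWS_RULE = {
    "child_image_endswith": ("trufflehog.exe", "gitleaks.exe"),
    "child_cmdline_contains": ("trufflehog", "gitleaks"),
    "parent_image_endswith": ("\\node.exe", "\\bun.exe"),
}

def _endswith_any(value, suffixes):
    # Sigma string modifiers match case-insensitively by default.
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def _contains_any(value, needles):
    return any(n.lower() in value.lower() for n in needles)

def matches(event, rule):
    """selection_child is a list of maps, so its two items are OR-ed;
    selection_parent is one map; 'all of selection_*' AND-s the two."""
    child = (_endswith_any(event.get("Image", ""), rule["child_image_endswith"])
             or _contains_any(event.get("CommandLine", ""), rule["child_cmdline_contains"]))
    parent = _endswith_any(event.get("ParentImage", ""), rule["parent_image_endswith"])
    return child and parent

def evaluate(events):
    """Names of the events that fire either rule."""
    return [e["name"] for e in events if matches(e, LINUX_RULE) or matches(e, WINDOWS_RULE)]

SAMPLE_EVENTS = [
    # Constructed: a pre-commit hook driving gitleaks from a Node script. This is
    # exactly the legitimate activity the LoFP entry describes, and it fires.
    {"name": "ci_pre_commit_hook", "Image": "/usr/local/bin/gitleaks",
     "CommandLine": "gitleaks detect --source . --no-banner", "ParentImage": "/usr/bin/node"},
    # Constructed: same tool launched from a shell, not a script interpreter: no match.
    {"name": "dev_shell_scan", "Image": "/usr/local/bin/gitleaks",
     "CommandLine": "gitleaks detect", "ParentImage": "/bin/bash"},
    # Constructed: npm script on Windows goes through cmd.exe, so Image does not end
    # with the tool name but the CommandLine branch of selection_child still matches.
    {"name": "win_cmd_wrapper", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c trufflehog.exe git file://C:/repo",
     "ParentImage": "C:\\Program Files\\nodejs\\node.exe"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['ci_pre_commit_hook', 'win_cmd_wrapper']
```

The first hit is the documented false positive: the rule cannot distinguish a pipeline's scanner run from a malicious one by process lineage alone, so tuning has to come from context such as the CI runner or repository being scanned.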