Techniques
Sample rules
Shai-Hulud Workflow File Creation or Modification
- source: splunk
- techniques:
  - T1574.006
  - T1554
  - T1195
Description
Detects creation or deletion of malicious GitHub Actions workflow files associated with Shai-Hulud worm variants on Linux or Windows endpoints. This includes the original shai-hulud-workflow.yml, the 2.0 backdoor discussion.yaml (enables command injection via GitHub Discussions on self-hosted runners named SHA1HULUD), and the secrets exfiltration workflow formatter_*.yml pattern. These files are used to exfiltrate credentials and propagate across repositories.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Filesystem where
Filesystem.file_path IN (
"*/.github/workflows/discussion.yaml",
"*/.github/workflows/discussion.yml",
"*/.github/workflows/formatter_*.yaml",
"*/.github/workflows/formatter_*.yml",
"*/.github/workflows/shai-hulud-workflow.yaml",
"*/.github/workflows/shai-hulud-workflow.yml",
"*/.github/workflows/shai-hulud.yaml",
"*/.github/workflows/shai-hulud.yml",
"*\\.github\\workflows\\discussion.yaml",
"*\\.github\\workflows\\discussion.yml",
"*\\.github\\workflows\\formatter_*.yaml",
"*\\.github\\workflows\\formatter_*.yml",
"*\\.github\\workflows\\shai-hulud-workflow.yaml",
"*\\.github\\workflows\\shai-hulud-workflow.yml",
"*\\.github\\workflows\\shai-hulud.yaml",
"*\\.github\\workflows\\shai-hulud.yml"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user
Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `shai_hulud_workflow_file_creation_or_modification_filter`
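As an added illustration (not part of the Splunk rule or the Security Content project), the wildcard matching and `count/min/max` grouping of the search above re-implemented in Python over constructed Filesystem events, showing which paths the `IN (...)` list does and does not catch. Hosts, timestamps and paths are constructed sample data; case handling is an assumption, not Splunk's exact semantics.

```python
import fnmatch

# File names from the rule; Linux and Windows prefixes are added below. The SPL
# writes "\\" inside double quotes, which is one literal backslash, as here.
NAMES = ["discussion.yaml", "discussion.yml", "formatter_*.yaml", "formatter_*.yml",
         "shai-hulud-workflow.yaml", "shai-hulud-workflow.yml",
         "shai-hulud.yaml", "shai-hulud.yml"]
PATTERNS = (["*/.github/workflows/" + n for n in NAMES]
            + ["*\\.github\\workflows\\" + n for n in NAMES])


def matches_rule(file_path: str) -> bool:
    """True when file_path matches any wildcard in the rule's IN(...) list.
    fnmatchcase keeps '\\' literal and lets '*' span separators, like the SPL
    wildcard; case-sensitive matching is an assumption of this example."""
    return any(fnmatch.fnmatchcase(file_path, p) for p in PATTERNS)


def summarise(events):
    """Mimic the tstats clause: count, min(_time), max(_time) per
    (action, dest, file_path) group, keeping only matching events."""
    groups = {}
    for t, action, dest, path in events:
        if not matches_rule(path):
            continue
        g = groups.setdefault((action, dest, path),
                              {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return groups


# Constructed events: (_time, action, dest, file_path).
SAMPLE_EVENTS = [
    (100, "created", "build01", "/home/ci/repo/.github/workflows/shai-hulud-workflow.yml"),
    (160, "created", "build01", "/home/ci/repo/.github/workflows/shai-hulud-workflow.yml"),
    (200, "created", "WIN-CI01", r"C:\actions\repo\.github\workflows\formatter_a1b2.yml"),
    (210, "created", "build02", "/srv/repo/.github/workflows/formatter.yml"),  # no "formatter_" prefix
    (220, "created", "build02", "/srv/repo/.github/workflows/discussion.yaml"),
    (230, "created", "build02", "/srv/repo/docs/discussion.yaml"),  # not under .github/workflows
]

if __name__ == "__main__":
    for key, g in summarise(SAMPLE_EVENTS).items():
        print(key, g)
```

Expect three groups: the Linux shai-hulud path with count 2 (firstTime 100, lastTime 160), the Windows `formatter_a1b2.yml` hit, and the Linux `discussion.yaml` hit; the two decoy paths are excluded.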