[New/Tuning] NPM Shai-Hulud coverage (#5368)
* [New/Tuning] NPM Shai-Hulud coverage https://socket.dev/blog/shai-hulud-strikes-again-v2 * Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml * Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml * Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml * Update credential_access_trufflehog_execution.toml * Update credential_access_trufflehog_execution.toml * Update credential_access_trufflehog_execution.toml * Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/cross-platform/execution_register_github_actions_runner.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/cross-platform/execution_via_github_actions_runner.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Create initial_access_github_register_self_hosted_runner.toml * Update initial_access_github_register_self_hosted_runner.toml * Update initial_access_github_register_self_hosted_runner.toml * Update initial_access_github_register_self_hosted_runner.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
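--- /dev/null
+++ b/initial_access_github_register_self_hosted_runner.toml
@@ -0,0 +1,92 @@
+[metadata]
+creation_date = "2025/11/28"
+integration = ["github"]
+maturity = "production"
+updated_date = "2025/11/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 5 days. Adversaries
+may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
+"""
+false_positives = [
+"Authorized self-hosted GitHub actions runner.",
+]
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "New GitHub Self Hosted Action Runner"
+note = """## Triage and analysis
+
+### Investigating New GitHub Self Hosted Action Runner
+
+Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.
+
+### Possible investigation steps
+
+- Validate the user is authoried to perform this change
+- Review the purpose of the self-hosted action runner and what actions will be executed.
+- Verify if there is any adjascent sensitive file access or collection.
+- Correlate with other alerts and investiguate if this activity is related to a supply chain attack.
+
+### False positive analysis
+
+- Authorized github self-hosted actions runner.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
+- Terminate any suspicious child processes that were initiated by the Github actions runner.
+- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
+- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
+- Implement application whitelisting to prevent unauthorized execution.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+references = [
+"https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+"https://socket.dev/blog/shai-hulud-strikes-again-v2",
+]
+risk_score = 47
+rule_id = "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1"
+severity = "medium"
+tags = [
+"Domain: Cloud",
+"Use Case: Threat Detection",
+"Tactic: Initial Access",
+"Data Source: Github",
+"Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and event.action:"enterprise.register_self_hosted_runner"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.name", "github.actor_ip"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-5d"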
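Review bot: The `event.action:"enterprise.register_self_hosted_runner"` term in `query` only matches enterprise-scope registrations, while GitHub's audit log records repository- and organization-scope registrations as `repo.register_self_hosted_runner` and `org.register_self_hosted_runner`, so a runner attached to a single repository would not be matched. Widening it to `event.action:("enterprise.register_self_hosted_runner" or "org.register_self_hosted_runner" or "repo.register_self_hosted_runner")` closes that gap without changing the rest of the filter. Separately, `value = ["user.name", "github.actor_ip"]` makes the new-terms key the combination of user and source IP, so a known user registering from a new address also alerts; the description's "first time seen user.name" should state the combination, and the `false_positives` entry should mention known users on new addresses. The investigation guide also has three typos worth fixing: "authoried", "adjascent" and "investiguate".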