npm Supply Chain Compromise & Lifecycle Hook Abuse Detection (#3806)

MHaggis · josehelps · nasbench · web-flow · commit 442e815dad0f · 2025-11-25T14:56:20.000-08:00
* extra content

* 5 more extras

* Hunt 1

* story+extras

* Create linux_shai_hulud_2_exfiltration_artifacts.yml

* Create linux_shai_hulud_workflow_file_modification.yml

* Create linux_suspicious_github_workflow_file_modification.yml

* Create windows_github_workflow_file_creation_hunt.yml

* more

* last 3

* final pass

* Bump versions to resolve merge conflicts with develop branch

* Fix deprecated status for curl/wget bash execution detections

* Add npm Supply Chain Compromise story to file_download_or_read_to_pipe_execution (replacement for deprecated curl/wget bash detections)

* Fix version numbers to match previous build requirements

* Add all required Filesystem fields to windows_suspicious_github_workflow_file_modification search

* Update detections/endpoint/windows_curl_download_to_suspicious_path.yml

Co-authored-by: Nasreddine Bencherchali &lt;nasreddineb@splunk.com&gt;

* small fixes

* apply updates

* more updates

* Update shai_hulud_2_exfiltration_artifact_files.yml

* Fix Windows path escaping - use single backslash in YAML block scalar

---------

Co-authored-by: Jose Enrique Hernandez &lt;josehelps@gmail.com&gt;
Co-authored-by: Nasreddine Bencherchali &lt;nasreddineb@splunk.com&gt;
diff --git a/detections/cloud/github_enterprise_delete_branch_ruleset.yml b/detections/cloud/github_enterprise_delete_branch_ruleset.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Delete Branch Ruleset
 id: 6169ea23-3719-439f-957a-0ea5174b70e2
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2025-10-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -47,6 +47,7 @@ rba:
 tags:
   analytic_story:
   - GitHub Malicious Activity
+  - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
diff --git a/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml b/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable Audit Log Event Stream
 id: 7bc111cc-7f1b-4be7-99fa-50cf8d2e7564
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2025-10-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -47,6 +47,7 @@ rba:
 tags:
   analytic_story:
   - GitHub Malicious Activity
+  - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
   - T1562.008
diff --git a/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml b/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Modify Audit Log Event Stream
 id: 99abf2e1-863c-4ec6-82f8-714391590a4c
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2025-10-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -47,6 +47,7 @@ rba:
 tags:
   analytic_story:
   - GitHub Malicious Activity
+  - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
   - T1562.008
diff --git a/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml b/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Pause Audit Log Event Stream
 id: 21083dcb-276d-4ef9-8f7e-2113ca5e8094
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2025-10-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -47,6 +47,7 @@ rba:
 tags:
   analytic_story:
   - GitHub Malicious Activity
+  - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
   - T1562.008
diff --git a/detections/cloud/github_enterprise_register_self_hosted_runner.yml b/detections/cloud/github_enterprise_register_self_hosted_runner.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Register Self Hosted Runner
 id: b27685a2-8826-4123-ab78-2d9d0d419ed0
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2025-11-25'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -23,6 +23,7 @@ search: '`github_enterprise` action=enterprise.register_self_hosted_runner
 how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
 known_false_positives: unknown
 references:
+- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
 - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
 - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
 drilldown_searches:
@@ -46,6 +47,7 @@ rba:
 tags:
   analytic_story:
   - GitHub Malicious Activity
+  - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
   - T1562.001
diff --git a/detections/cloud/github_enterprise_repository_archived.yml b/detections/cloud/github_enterprise_repository_archived.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Repository Archived
 id: 8367cb99-bae1-4748-ae3b-0927bb381424
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2025-10-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -48,6 +48,7 @@ rba:
 tags:
   analytic_story:
   - GitHub Malicious Activity
+  - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
   - T1485
diff --git a/detections/cloud/github_enterprise_repository_deleted.yml b/detections/cloud/github_enterprise_repository_deleted.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Repository Deleted
 id: f709e736-3e6c-492f-b865-bc7696cc24a7
-version: 2
-date: '2025-05-02'
+version: 3
+date: '2025-10-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -45,6 +45,7 @@ rba:
 tags:
   analytic_story:
   - GitHub Malicious Activity
+  - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
   - T1485
diff --git a/detections/cloud/github_organizations_delete_branch_ruleset.yml b/detections/cloud/github_organizations_delete_branch_ruleset.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Delete Branch Ruleset
 id: 8e454f64-4bd6-45e6-8a94-1b482593d721
-version: 3
-date: '2025-06-24'
+version: 4
+date: '2025-10-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -48,6 +48,7 @@ rba:
 tags:
   analytic_story:
     - GitHub Malicious Activity
+    - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
     - T1562.001
diff --git a/detections/cloud/github_organizations_repository_archived.yml b/detections/cloud/github_organizations_repository_archived.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Repository Archived
 id: 4f568a0e-896f-4d94-a2f7-fa6d82ab1f77
-version: 3
-date: '2025-06-24'
+version: 4
+date: '2025-10-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -49,6 +49,7 @@ rba:
 tags:
   analytic_story:
     - GitHub Malicious Activity
+    - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
     - T1485
diff --git a/detections/cloud/github_organizations_repository_deleted.yml b/detections/cloud/github_organizations_repository_deleted.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Repository Deleted
 id: 9ff4ca95-fdae-4eea-9ffa-6d8e1c202a71
-version: 3
-date: '2025-06-24'
+version: 4
+date: '2025-10-27'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
@@ -49,6 +49,7 @@ rba:
 tags:
   analytic_story:
     - GitHub Malicious Activity
+    - NPM Supply Chain Compromise
   asset_type: GitHub
   mitre_attack_id:
     - T1485
diff --git a/detections/endpoint/file_download_or_read_to_pipe_execution.yml b/detections/endpoint/file_download_or_read_to_pipe_execution.yml
@@ -1,7 +1,7 @@
 name: File Download or Read to Pipe Execution
 id: 26f86252-1549-45e1-a212-eb26840e86bc
-version: 1
-date: '2025-10-16'
+version: 2
+date: '2025-11-25'
 author: Michael Haag, Nasreddine Bencherchali, Splunk, DipsyTipsy
 status: production
 type: TTP
@@ -127,6 +127,7 @@ tags:
     - Ingress Tool Transfer
     - Linux Living Off The Land
     - Log4Shell CVE-2021-44228
+    - NPM Supply Chain Compromise
   asset_type: Endpoint
   cve:
     - CVE-2021-44228
diff --git a/detections/endpoint/github_workflow_file_creation_or_modification.yml b/detections/endpoint/github_workflow_file_creation_or_modification.yml
@@ -0,0 +1,76 @@
+name: GitHub Workflow File Creation or Modification
+id: 2a9f3a2e-2c07-4c5f-9e42-8f8f0b6b6a12
+version: 1
+date: '2025-11-25'
+author: Michael Haag, Splunk
+status: production
+type: Hunting
+description: |
+  The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints.
+  This hunting query tracks all workflow file activity under .github/workflows directories to help defenders establish baselines of legitimate CI/CD workflow creation patterns, identify unusual or unauthorized changes, and detect anomalies that may indicate supply chain compromise.
+  GitHub Actions workflows execute with privileged access to secrets and deployment credentials, making them high-value targets for attackers.
+  By monitoring workflow file modifications over time, defenders can identify suspicious patterns such as unexpected workflow creation on developer workstations, modifications outside normal change windows, or activity in repositories that don't typically contain workflows.
+  This data is essential for detecting supply chain attacks like Shai-Hulud that inject malicious workflows across multiple repositories.
+data_source:
+- Sysmon for Linux EventID 11
+- Sysmon EventID 11
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+
+  from datamodel=Endpoint.Filesystem where
+
+  Filesystem.file_path IN (
+    "*/.github/workflows/*.yaml",
+    "*/.github/workflows/*.yml",
+    "*\\.github\\workflows\\*.yaml",
+    "*\\.github\\workflows\\*.yml"
+  )
+
+  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
+     Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user
+     Filesystem.vendor_product
+
+  | `drop_dm_object_name(Filesystem)`
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `github_workflow_file_creation_or_modification_filter`
+how_to_implement: |
+  The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain filesystem events, specifically file creation
+  events. These logs must be processed using the appropriate Splunk Technology Add-ons
+  that are specific to the EDR product. The logs must also be mapped to the `Filesystem`
+  node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM)
+  to normalize the field names and speed up the data modeling process.
+known_false_positives: |
+  Legitimate engineering activity regularly creates workflow YAMLs. Suppress by repository path allowlisting, CI hosts, change windows, or approval timeframes.
+references:
+  - https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem
+  - https://securelist.com/shai-hulud-worm-infects-500-npm-packages-in-a-supply-chain-attack/117547/
+  - https://github.com/SigmaHQ/sigma/pull/5658/files
+  - https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax
+tags:
+  analytic_story:
+    - NPM Supply Chain Compromise
+  asset_type: Endpoint
+  mitre_attack_id:
+    - T1574.006
+    - T1554
+    - T1195
+  product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test - Linux
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/npm/workflow_yml_sysmon.log
+    source: Syslog:Linux-Sysmon/Operational
+    sourcetype: sysmon:linux
+- name: True Positive Test - Windows
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1195.001/npm/windows_workflow_sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml
@@ -1,7 +1,7 @@
 name: Linux Curl Upload File
 id: c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-10-27'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -74,6 +74,7 @@ tags:
   - Linux Living Off The Land
   - Data Exfiltration
   - Ingress Tool Transfer
+  - NPM Supply Chain Compromise
   asset_type: Endpoint
   mitre_attack_id:
   - T1105
diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
@@ -1,7 +1,7 @@
 name: Linux Ingress Tool Transfer Hunting
 id: 52fd468b-cb6d-48f5-b16a-92f1c9bb10cf
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-10-27'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -45,6 +45,7 @@ tags:
   - Ingress Tool Transfer
   - Linux Living Off The Land
   - XorDDos
+  - NPM Supply Chain Compromise
   asset_type: Endpoint
   mitre_attack_id:
   - T1105
diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
@@ -1,7 +1,7 @@
 name: Linux Ingress Tool Transfer with Curl
 id: 8c1de57d-abc1-4b41-a727-a7a8fc5e0857
-version: 8
-date: '2025-05-02'
+version: 9
+date: '2025-10-27'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
@@ -71,6 +71,7 @@ tags:
   - Ingress Tool Transfer
   - Linux Living Off The Land
   - XorDDos
+  - NPM Supply Chain Compromise
   asset_type: Endpoint
   mitre_attack_id:
   - T1105
diff --git a/detections/endpoint/shai_hulud_2_exfiltration_artifact_files.yml b/detections/endpoint/shai_hulud_2_exfiltration_artifact_files.yml
diff --git a/detections/endpoint/shai_hulud_workflow_file_creation_or_modification.yml b/detections/endpoint/shai_hulud_workflow_file_creation_or_modification.yml
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml
diff --git a/stories/npm_supply_chain_compromise.yml b/stories/npm_supply_chain_compromise.yml
