From 075d25cc748d42d9f0e10d6705fdafa5d9adfbc4 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 26 Nov 2025 16:32:29 +0000
Subject: [PATCH 01/16] [New/Tuning] NPM Shai-Hulud coverage https://socket.dev/blog/shai-hulud-strikes-again-v2
---
 ...rol_curl_wget_spawn_via_nodejs_parent.toml | 38 +++--
 ...cution_register_github_actions_runner.toml | 126 +++++++++++++++++
 .../execution_via_github_actions_runner.toml | 130 ++++++++++++++++++
 3 files changed, 286 insertions(+), 8 deletions(-)
 rename rules/{linux => cross-platform}/command_and_control_curl_wget_spawn_via_nodejs_parent.toml (86%)
 create mode 100644 rules/cross-platform/execution_register_github_actions_runner.toml
 create mode 100644 rules/cross-platform/execution_via_github_actions_runner.toml
diff --git a/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
similarity index 86%
rename from rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
rename to rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
index b89451ba4c4..2911d14a212 100644
--- a/rules/linux/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint", "crowdstrike"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/10/17"
+updated_date = "2025/11/26"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,19 @@ command and control behavior. Adversaries may use Node.js to download additional
 the system.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Curl or Wget Spawned via Node.js"
@@ -77,22 +89,32 @@ severity = "low"
 tags = [
 "Domain: Endpoint",
 "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
 "Use Case: Threat Detection",
 "Tactic: Command and Control",
- "Data Source: Elastic Defend",
 "Resources: Investigation Guide",
 "Data Source: Crowdstrike",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Data Source: Auditd Manager",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node" and (
+process where event.type == "start" and
+ event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
+ process.parent.name in ("node", "bun", "node.exe", "bun.exe") and (
 (
- process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
- process.args == "-c" and process.command_line like~ ("*curl*", "*wget*")
+ process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "cmd.exe", "bash.exe", "powershell.exe") and
+ process.command_line like~ ("*curl*http*", "*wget*http*")
 ) or (
- process.name in ("curl", "wget")
+ process.name in ("curl", "wget", "curl.exe", "wget.exe")
 )
 )
 '''
diff --git a/rules/cross-platform/execution_register_github_actions_runner.toml b/rules/cross-platform/execution_register_github_actions_runner.toml
new file mode 100644
index 00000000000..be6ccd274c4
--- /dev/null
+++ b/rules/cross-platform/execution_register_github_actions_runner.toml
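Review bot: The shell branch now requires the scheme to appear in the command line (`process.command_line like~ ("*curl*http*", "*wget*http*")`) and drops the `-c` constraint, so a shell-wrapped download that omits the scheme or uses a non-HTTP one is no longer covered by that branch, while the direct `curl`/`wget` branch still catches everything. If narrowing to http(s) is the intended false-positive trade-off it is worth one sentence in the description, otherwise `"*curl*"`/`"*wget*"` keeps the previous coverage. Separately, the parent list now includes `bun` and `bun.exe` while `name = "Curl or Wget Spawned via Node.js"` and the description still speak only of Node.js; mentioning Bun in the description would keep them in sync.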
@@ -0,0 +1,126 @@
+[metadata]
+creation_date = "2025/11/26"
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
+maturity = "production"
+updated_date = "2025/11/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary.
+When a machine is registered to a remote repository, its owner gains the ability to execute arbitrary workflow commands on that host.
+Unexpected or unauthorized runner registration may indicate adversarial activity aimed at establishing remote code execution
+via malicious GitHub workflows.
+"""
+false_positives = [
+ "Authorized github repository with no malicious workflow actions.",
+]
+from = "now-9m"
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Remote GitHub Actions Runner Registration"
+note = """## Triage and analysis
+
+### Investigating Remote GitHub Actions Runner Registration
+
+Unexpected or unauthorized Github actions runner registration may indicate adversarial activity aimed at establishing remote code execution via malicious GitHub workflows.
+
+### Possible investigation steps
+
+- Review the remote repository details and reputation.
+- Examine the remote repository for any suspicious workflows run commands in the `.github/workflows` folder.
+- Examine the execution context like process tree, associated network and file activities.
+- Verify if there is adjascent any sensitive file access or collection.
+- Correlate with other alerts and investiguate if this activity is related to a supply chain attack.
+
+### False positive analysis
+
+- Authorized configuration changes.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
+- Terminate any suspicious child processes that were initiated by the registered Github actions runner.
+- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
+- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
+- Implement application whitelisting to prevent unauthorized execution.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+references = [
+ "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+ "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+]
+risk_score = 47
+rule_id = "57e118c1-19eb-4c20-93a6-8a6c30a5b48b"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Data Source: Auditd Manager",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+ process.name in ("Runner.Listener", "Runner.Listener.exe") and
+ process.args == "configure" and process.args == "--url" and process.args == "--token"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/cross-platform/execution_via_github_actions_runner.toml b/rules/cross-platform/execution_via_github_actions_runner.toml
new file mode 100644
index 00000000000..a0d1fc344c5
--- /dev/null
+++ b/rules/cross-platform/execution_via_github_actions_runner.toml
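Review bot: The investigation guide asks the analyst to review the remote repository but never says where that value comes from; since the query keys on `--url` and `--token`, add a step such as `- The repository or organization the host was registered to is the argument following --url in process.args; the --token argument is a short-lived registration token, not a long-lived credential.` Noting the expected parent (normally the runner's `config.sh`/`config.cmd` wrapper, as far as I know) as a second step would also help triage, since the query matches `Runner.Listener` regardless of what launched it. `adjascent` and `investiguate` in the steps are typos.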
@@ -0,0 +1,130 @@
+[metadata]
+creation_date = "2025/11/26"
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
+maturity = "production"
+updated_date = "2025/11/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects potentially dangerous commands spawned by the GitHub Actions Runner.Worker process on self-hosted runner
+machines. Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute
+arbitrary commands on the runner host. This behavior may indicate malicious or unexpected workflow activity, including
+code execution, file manipulation, or network exfiltration initiated through a compromised repository or unauthorized
+workflow.
+"""
+false_positives = [
+ "Authorized GitHub actions runner with no malicious workflow actions.",
+]
+from = "now-9m"
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+]
+language = "eql"
+license = "Elastic License v2"
+name = "Execution via GitHub Actions Runner"
+note = """## Triage and analysis
+
+### Investigating Execution via GitHub Actions Runner
+
+Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.
+
+### Possible investigation steps
+
+- Review the execution details like process.command_line and if it's expected or not.
+- Examine associated network and file activities and if there is any ingress tool transfer activity.
+- Verify if there is adjascent any sensitive file access or collection.
+- Correlate with other alerts and investiguate if this activity is related to a supply chain attack.
+
+### False positive analysis
+
+- Authorized github workflow actions.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
+- Terminate any suspicious child processes that were initiated by the Github actions runner.
+- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
+- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
+- Implement application whitelisting to prevent unauthorized execution.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+references = [
+ "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+ "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+]
+risk_score = 47
+rule_id = "a640ef5b-e1da-4b17-8391-468fdbd1b517"
+severity = "medium"
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Initial Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Data Source: Auditd Manager",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and
+ process.parent.name in ("Runner.Worker", "Runner.Worker.exe") and
+ (
+ process.name like ("curl", "curl.exe", "wget", "wget.exe", "powershell.exe", "cmd.exe", "pwsh.exe", "certutil.exe", "rundll32.exe", "bash", "sh", "zsh", "tar", "rm",
+ "sed", "osascript", "chmod", "nohup", "setsid", "dash", "ash", 
"tcsh", "csh", "ksh", "fish", "python*", "perl*", "ruby*", "lua*", "php*", "node", "node.exe") or
+ process.executable : ("/tmp/*", "/private/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/*", "/var/run/*", "?:\\Users\\*")
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
From 4def7ab43a176afe4e254ba97074c8040a22c497 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 26 Nov 2025 17:36:07 +0000
Subject: [PATCH 02/16] Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
---
 ...and_and_control_curl_wget_spawn_via_nodejs_parent.toml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
index 2911d14a212..58757c25731 100644
--- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
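Review bot: `process.name like ("curl", ..., "powershell.exe", "cmd.exe", ...)` uses the case-sensitive `like`, so a Windows data source that reports `PowerShell.exe` or `CMD.EXE` slips past the first branch; the curl rule in this same series uses `like~` on the same data sources, and `like~` (or `:`) here would make the two consistent. Separately, `node`/`node.exe`, `bash` and `sh` as children of `Runner.Worker` are the normal mechanics of every JavaScript action and every `run:` step, so I would expect this rule to fire on essentially every job a self-hosted runner executes; if that volume is intended, the `false_positives` entry should say so explicitly, otherwise consider keeping only the download/LOLBin names in the first branch and relying on the `process.executable` path branch for the interpreters. `adjascent` and `investiguate` in the guide are typos.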
@@ -58,7 +58,7 @@ This rule flags Node.js launching curl or wget, directly or via a shell, a commo
 - Rebuild and redeploy the workload from a known-good image, remove the malicious child_process code path from the Node.js application, restore validated configs/data, rotate any keys or tokens used by that service, and verify no further curl/wget spawns occur post-recovery.
 - Harden by removing curl/wget from runtime images where not required, enforcing egress allowlists for the service, constraining execution with AppArmor/SELinux/seccomp and least-privilege service accounts, and adding CI/CD checks to block package.json postinstall scripts or code that shells out to downloaders.
 """
-risk_score = 21
+risk_score = 47
 rule_id = "d9af2479-ad13-4471-a312-f586517f1243"
 setup = """## Setup
 
@@ -85,7 +85,7 @@ For more details on Elastic Agent configuration settings, refer to the [helper g
 - To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 """
-severity = "low"
+severity = "medium"
 tags = [
 "Domain: Endpoint",
 "OS: Linux",
@@ -102,6 +102,7 @@ tags = [
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Data Source: Auditd Manager",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -116,7 +117,8 @@ process where event.type == "start" and
 (
 process.name in ("curl", "wget", "curl.exe", "wget.exe")
 )
-)
+) and
+ not process.command_line like ("*127.0.0.1*", "*localhost*")
 '''
 
 [[rule.threat]]
From 3decbd4cf620be56ec2f9563ae708558785caf0a Mon Sep 17 00:00:00 2001
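Review bot: The new exclusion `not process.command_line like ("*127.0.0.1*", "*localhost*")` is an unanchored substring match over the whole command line, so any download whose arguments merely contain those strings elsewhere is suppressed along with the local health checks it is meant to cover, and because `like` is case-sensitive it is also inconsistent with the `like~` used a few lines above in the same query. Anchoring the carve-out to the URL position, for example `not process.command_line like~ ("*://127.0.0.1*", "*://localhost*")` (adding a scheme-less form such as `"* localhost:*"` if those invocations are common), keeps it narrower than a bare substring; at minimum the trade-off deserves a `false_positives` entry.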
From: Samirbous
Date: Wed, 26 Nov 2025 17:37:28 +0000
Subject: [PATCH 03/16] Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
---
 ...command_and_control_curl_wget_spawn_via_nodejs_parent.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
index 58757c25731..b05b411430f 100644
--- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
@@ -96,13 +96,13 @@ tags = [
 "Resources: Investigation Guide",
 "Data Source: Crowdstrike",
 "Data Source: Elastic Defend",
+ "Data Source: Elastic Endgame",
 "Data Source: Windows Security Event Logs",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
 "Data Source: Auditd Manager",
- "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
@@ -118,7 +118,7 @@ process where event.type == "start" and
 process.name in ("curl", "wget", "curl.exe", "wget.exe")
 )
 ) and
- not process.command_line like ("*127.0.0.1*", "*localhost*")
+ not process.command_line like ("*127.0.0.1*", "*localhost*")
 '''
 
 [[rule.threat]]
From af51eb8a43edb3c9da507e1f0b462d6f838cf9ee Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 26 Nov 2025 17:51:11 +0000
Subject: [PATCH 04/16] Update command_and_control_curl_wget_spawn_via_nodejs_parent.toml
---
 .../command_and_control_curl_wget_spawn_via_nodejs_parent.toml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
index b05b411430f..f4962187342 100644
--- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
@@ -94,7 +94,6 @@ tags = [
 "Use Case: Threat Detection",
 "Tactic: Command and Control",
 "Resources: Investigation Guide",
- "Data Source: Crowdstrike",
 "Data Source: Elastic Defend",
 "Data Source: Elastic Endgame",
 "Data Source: Windows Security Event Logs",
From 84b00b5212ce6bab2dca4b030e3ff6cc512a82e4 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 26 Nov 2025 18:03:28 +0000
Subject: [PATCH 05/16] Update credential_access_trufflehog_execution.toml
---
 ...redential_access_trufflehog_execution.toml | 35 +++++++++++++++++--
 1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/rules/cross-platform/credential_access_trufflehog_execution.toml b/rules/cross-platform/credential_access_trufflehog_execution.toml
index 1cb2f2453db..fd5601dfd1b 100644
--- a/rules/cross-platform/credential_access_trufflehog_execution.toml
+++ b/rules/cross-platform/credential_access_trufflehog_execution.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint"]
+integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
-updated_date = "2025/11/25"
+updated_date = "2025/11/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,19 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.process-*"]
+index = [
+ "endgame-*",
+ "logs-crowdstrike.fdr*",
+ "logs-endpoint.events.process-*",
+ "logs-m365_defender.event-*",
+ "logs-sentinel_one_cloud_funnel.*",
+ "logs-system.security*",
+ "logs-windows.forwarded*",
+ "logs-windows.sysmon_operational-*",
+ "winlogbeat-*",
+ "auditbeat-*",
+ "logs-auditd_manager.auditd-*"
+]
 language = "eql"
 license = "Elastic License v2"
 name = "Credential Access via TruffleHog Execution"
@@ -71,6 +83,23 @@ tags = [
 "Data Source: Elastic Defend",
 "Resources: Investigation Guide",
 ]
+tags = [
+ "Domain: Endpoint",
+ "OS: Linux",
+ "OS: Windows",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Windows Security Event Logs",
+ "Data Source: Microsoft Defender for Endpoint",
+ "Data Source: Sysmon",
+ "Data Source: SentinelOne",
+ "Data Source: Crowdstrike",
+ "Data Source: Auditd Manager",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
From 136e3856dc436d49e5d7f17ec88504296c46936d Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 26 Nov 2025 21:36:24 +0000
Subject: [PATCH 06/16] Update credential_access_trufflehog_execution.toml
---
 .../credential_access_trufflehog_execution.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cross-platform/credential_access_trufflehog_execution.toml b/rules/cross-platform/credential_access_trufflehog_execution.toml
index fd5601dfd1b..665c9fcb70b 100644
--- a/rules/cross-platform/credential_access_trufflehog_execution.toml
+++ b/rules/cross-platform/credential_access_trufflehog_execution.toml
@@ -70,9 +70,9 @@ references = [
 "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
 "https://socket.dev/blog/shai-hulud-strikes-again-v2",
 ]
-risk_score = 21
+risk_score = 47
 rule_id = "47595dea-452b-4d37-b82d-6dd691325139"
-severity = "low"
+severity = "medium"
 tags = [
 "Domain: Endpoint",
 "OS: Linux",
From 0c2422ab6c035b7a7636f72712ecda095b56b815 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 26 Nov 2025 21:47:10 +0000
Subject: [PATCH 07/16] Update credential_access_trufflehog_execution.toml
---
 .../credential_access_trufflehog_execution.toml | 10 ----------
 1 file changed, 10 deletions(-)
diff --git a/rules/cross-platform/credential_access_trufflehog_execution.toml b/rules/cross-platform/credential_access_trufflehog_execution.toml
index 665c9fcb70b..b6faa0d1aee 100644
--- a/rules/cross-platform/credential_access_trufflehog_execution.toml
+++ b/rules/cross-platform/credential_access_trufflehog_execution.toml
@@ -73,16 +73,6 @@ references = [
 risk_score = 47
 rule_id = "47595dea-452b-4d37-b82d-6dd691325139"
 severity = "medium"
-tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "OS: Windows",
- "OS: macOS",
- "Use Case: Threat Detection",
- "Tactic: Credential Access",
- "Data Source: Elastic Defend",
- "Resources: Investigation Guide",
-]
 tags = [
 "Domain: Endpoint",
 "OS: Linux",
From dce060c5719abb01d0b430d8b455f893d0faeda3 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Nov 2025 09:50:28 +0000
Subject: [PATCH 08/16] Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../command_and_control_curl_wget_spawn_via_nodejs_parent.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
index f4962187342..f65fcd6d6f8 100644
--- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2025/09/18"
-integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
+integration = ["endpoint", "windows", "system", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
 maturity = "production"
 updated_date = "2025/11/26"
 
From 20e438d762c11db38adb662fd66238261296d4ac Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Nov 2025 09:50:36 +0000
Subject: [PATCH 09/16] Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../command_and_control_curl_wget_spawn_via_nodejs_parent.toml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
index f65fcd6d6f8..495d6b048c8 100644
--- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
@@ -16,7 +16,6 @@ index = [
 "endgame-*",
 "logs-crowdstrike.fdr*",
 "logs-endpoint.events.process-*",
- "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-system.security*",
 "logs-windows.forwarded*",
From 6e1e91867b788256ec6e36054620a207741d7fe0 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Nov 2025 09:50:45 +0000
Subject: [PATCH 10/16] Update rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../command_and_control_curl_wget_spawn_via_nodejs_parent.toml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
index 495d6b048c8..f1dc2e1662f 100644
--- a/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
+++ b/rules/cross-platform/command_and_control_curl_wget_spawn_via_nodejs_parent.toml
@@ -96,7 +96,6 @@ tags = [
 "Data Source: Elastic Defend",
 "Data Source: Elastic Endgame",
 "Data Source: Windows Security Event Logs",
- "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
From 91f09bece0e6394548996af8b651d194b0d80493 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Nov 2025 09:51:28 +0000
Subject: [PATCH 11/16] Update rules/cross-platform/execution_register_github_actions_runner.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../execution_register_github_actions_runner.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/execution_register_github_actions_runner.toml b/rules/cross-platform/execution_register_github_actions_runner.toml
index be6ccd274c4..bd5c534de51 100644
--- a/rules/cross-platform/execution_register_github_actions_runner.toml
+++ b/rules/cross-platform/execution_register_github_actions_runner.toml
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name in ("Runner.Listener", "Runner.Listener.exe") and
 process.args == "configure" and process.args == "--url" and process.args == "--token"
 '''
From 3fc61fadfe22b3e4bb8d2b6870b61fc0eb3793e4 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 27 Nov 2025 09:51:40 +0000
Subject: [PATCH 12/16] Update rules/cross-platform/execution_via_github_actions_runner.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 rules/cross-platform/execution_via_github_actions_runner.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cross-platform/execution_via_github_actions_runner.toml b/rules/cross-platform/execution_via_github_actions_runner.toml
index a0d1fc344c5..08782e87f48 100644
--- a/rules/cross-platform/execution_via_github_actions_runner.toml
+++ b/rules/cross-platform/execution_via_github_actions_runner.toml
@@ -87,7 +87,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where event.type == "start" and
+process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.parent.name in ("Runner.Worker", "Runner.Worker.exe") and
 (
 process.name like ("curl", "curl.exe", "wget", "wget.exe", "powershell.exe", "cmd.exe", "pwsh.exe", "certutil.exe", "rundll32.exe", "bash", "sh", "zsh", "tar", "rm",
From f06017670a717cec801f17686d0c8339efdddd40 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Fri, 28 Nov 2025 16:52:42 +0000
Subject: [PATCH 13/16] Create initial_access_github_register_self_hosted_runner.toml
---
 ...ss_github_register_self_hosted_runner.toml | 91 +++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
new file mode 100644
index 00000000000..0b951e54da4
--- /dev/null
+++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
@@ -0,0 +1,91 @@
+[metadata]
+creation_date = "2025/11/28"
+integration = ["github"]
+maturity = "production"
+updated_date = "2025/11/28"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule detects the creation of a self-hosted Github runner from a first time seen user.id in the last 7 days. Adversaries
+may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
+"""
+false_positives = [
+ "Authorized self-hosted GitHub actions runner.",
+]
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "First Time Seen GitHub Self Hosted Action Runner"
+note = """## Triage and analysis
+
+### Investigating First Time Seen GitHub Self Hosted Runner
+
+Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.
+
+### Possible investigation steps
+
+- Validate the user is authoried to perform this change
+- Review the purpose of the self-hosted action runner and what actions will be executed.
+- Verify if there is any adjascent sensitive file access or collection.
+- Correlate with other alerts and investiguate if this activity is related to a supply chain attack.
+
+### False positive analysis
+
+- Authorized github self-hosted actions runner.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
+- Terminate any suspicious child processes that were initiated by the Github actions runner.
+- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
+- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
+- Implement application whitelisting to prevent unauthorized execution.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
+references = [
+ "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+ "https://socket.dev/blog/shai-hulud-strikes-again-v2",
+]
+risk_score = 47
+rule_id = "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1"
+severity = "medium"
+tags = [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Data Source: Github",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset:"github.audit" and event.category:"configuration" and event.action:"enterprise.register_self_hosted_runner"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["user.id", "github.actor_ip"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
\ No newline at end of file
From d7aac6df263fa6274007bd0e1bf2791ddf7bf39a Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Fri, 28 Nov 2025 16:54:54 +0000
Subject: [PATCH 14/16] Update initial_access_github_register_self_hosted_runner.toml
---
 .../initial_access_github_register_self_hosted_runner.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
index 0b951e54da4..73d1057b26c 100644
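Review bot: The query matches only `event.action:"enterprise.register_self_hosted_runner"`, but GitHub's audit log records organization- and repository-scoped registrations under the separate `org.register_self_hosted_runner` and `repo.register_self_hosted_runner` actions, and a runner registered against a single compromised repository would appear there rather than at enterprise level; `event.action:("enterprise.register_self_hosted_runner" or "org.register_self_hosted_runner" or "repo.register_self_hosted_runner")` covers all three (please confirm the action names against the github integration's field reference). The Response section is copied from the endpoint rules and tells the analyst to isolate and restore a host, but an audit-log alert carries no host; the actionable steps here are removing the runner from the enterprise/org/repo runner settings and reviewing the workflows it was eligible to run. `authoried`, `adjascent` and `investiguate` are typos, and the file is committed without a trailing newline.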
--- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
+++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
@@ -7,7 +7,7 @@ updated_date = "2025/11/28"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the creation of a self-hosted Github runner from a first time seen user.id in the last 7 days. Adversaries
+This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 7 days. Adversaries
 may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
 """
 false_positives = [
@@ -85,7 +85,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 
 [rule.new_terms]
 field = "new_terms_fields"
-value = ["user.id", "github.actor_ip"]
+value = ["user.name", "github.actor_ip"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
\ No newline at end of file
From a6779f9b49660ffee884a936fa9821e254e1fa93 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Fri, 28 Nov 2025 17:02:56 +0000
Subject: [PATCH 15/16] Update initial_access_github_register_self_hosted_runner.toml
---
 .../initial_access_github_register_self_hosted_runner.toml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
index 73d1057b26c..c4c871d5e2e 100644
--- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
+++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
@@ -7,7 +7,7 @@ updated_date = "2025/11/28"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 7 days. Adversaries
+This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 5 days. Adversaries
 may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
 """
 false_positives = [
@@ -15,7 +15,7 @@ false_positives = [
 ]
 from = "now-9m"
 index = ["logs-github.audit-*"]
-language = "eql"
+language = "kuery"
 license = "Elastic License v2"
 name = "First Time Seen GitHub Self Hosted Action Runner"
 note = """## Triage and analysis
@@ -86,6 +86,7 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["user.name", "github.actor_ip"]
+
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
-value = "now-7d"
+value = "now-5d"
\ No newline at end of file
From a32358ec2e44e5b5f960440e9847f88cabdb4162 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Fri, 28 Nov 2025 17:08:24 +0000
Subject: [PATCH 16/16] Update initial_access_github_register_self_hosted_runner.toml
---
 .../initial_access_github_register_self_hosted_runner.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
index c4c871d5e2e..9a0f61d24a6 100644
--- a/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
+++ b/rules/integrations/github/initial_access_github_register_self_hosted_runner.toml
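Review bot: Shortening `history_window_start` to `now-5d` in the last hunk means a (user.name, github.actor_ip) pair whose previous runner registration is more than five days old is treated as new again, so a weekly re-registration of the same self-hosted runner by the same operator from the same address would alert every time; if the shorter window is deliberate (cheaper baseline, faster onboarding), a comment above `value = "now-5d"` saying so would stop it being "fixed" back, otherwise a window no shorter than the expected registration cadence is the safer default. The file also still ends without a trailing newline (`\ No newline at end of file` after `value = "now-5d"`); adding one keeps later diffs of the rule clean.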
@@ -17,10 +17,10 @@ from = "now-9m"
 index = ["logs-github.audit-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "First Time Seen GitHub Self Hosted Action Runner"
+name = "New GitHub Self Hosted Action Runner"
 note = """## Triage and analysis
-### Investigating First Time Seen GitHub Self Hosted Runner
+### Investigating New GitHub Self Hosted Action Runner
 Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.
