Hunter-Case-06 - Shai-Hulud Worm NPM Package Supply Chain
- Shai-Hulud: The novel self-replicating worm infecting hundreds of NPM packages
1.) Information
Hunter Blue's day starts every day with researching the cyber security news for new threat hunting tasks to execute on customer data lakes.
-> Interesting report from sysdig: https://www.sysdig.com/blog/shai-hulud-the-novel-self-replicating-worm-infecting-hundreds-of-npm-packages
>>>>>>Once executed, this novel worm — dubbed Shai-Hulud — steals credentials, exfiltrates them, and attempts to find additional NPM packages in which to copy itself. The malicious code also attempts to leak data on GitHub by making private repositories public.<<<<<<
Investigate the initial entry and execution first, then search the logs for these IoCs / IoAs to find the right artifacts for threat hunting.
1.1) Information Links and Research
Compromised npm packages and versions (many more packages are affected)
The following packages were confirmed to include malicious code on September 8, 2025. Only the versions listed below are known to be compromised.
Color & Styling Utilities
[email protected] – Style and color terminal output (≈300M weekly downloads).
[email protected] – Template literal support for chalk (≈3.9M weekly).
[email protected] – ANSI escape codes for colors and styles (≈371M weekly).
[email protected] – Detect terminal color support (≈287M weekly).
[email protected] – Convert between RGB, HSL, HEX (≈193M weekly).
[email protected] – Parse CSS color strings (≈27M weekly).
[email protected] – CSS color name to RGB mappings (≈191M weekly).
[email protected] – General color conversion/manipulation.
ANSI / Terminal String Handling
[email protected] – Regex to match ANSI escape codes (≈243M weekly).
[email protected] – Remove ANSI codes from strings (≈261M weekly).
[email protected] – Slice strings safely with ANSI sequences (≈59M weekly).
[email protected] – Wrap text with ANSI sequences preserved (≈197M weekly).
[email protected] – Detect ANSI codes in strings (≈12M weekly).
General Utilities
[email protected] – Normalize arguments into arrays (≈26M weekly).
[email protected] – Check if a value is array-like (≈73M weekly).
[email protected] – Normalize Windows path backslashes (≈0.26M weekly).
[email protected] – Create error objects with custom properties.
Debugging & Logging
[email protected] – Namespace-based logging utility (≈357M weekly).
[email protected] – Detect terminal hyperlink support (≈19M weekly).
Experimental / Miscellaneous
[email protected] – Prototype Web Components for testing.
@duckdb/[email protected], @duckdb/[email protected], [email protected], @duckdb/[email protected] – Database components.
[email protected], prebid-universal-creative, prebid@latest – Ad tech libraries.
Attacker-Controlled Cryptocurrency Wallets
Ethereum (ETH)
0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976 (primary)
0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024
0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B
Bitcoin (BTC)
1H13VnQJKtT4HjD5ZFKaaiZEetMbG7nDHx
bc1qms4f8ys8c4z47h0q29nnmyekc9r74u5ypqw6wm
Solana
5VVyuV5K6c2gMq1zVeQUFAmo8shPZH28MJCVzccrsZG6
Function Selectors Targeted (Ethereum)
0x095ea7b3 – approve()
0xa9059cbb – transfer()
0x23b872dd – transferFrom()
0xd505accf – permit()
Malware Code Characteristics
Hooks into fetch(), XMLHttpRequest, and window.ethereum.request.
Environment checks for browser objects (typeof window !== 'undefined').
Levenshtein algorithm for wallet address substitution.
Hidden control object: window.stealthProxyControl.
Phishing Infrastructure
Domain: npmjs[.]help
IP: 185.7.81.108
Email: support[at]npmjs[dot]help
Malicious CDN: static-mw-host.b-cdn[.]net, img-data-backup.b-cdn[.]net
Remote host: websocket-api2.publicvm[.]com
Example phishing URL: https://www.npmjs[.]help/settings/qix/tfa/manageTfa?action=setup-totp
2.) Indicators of Compromise
SHA256: 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 - malicious bundle.js listed in the report (source: Unit 42)
URL (webhook): https://webhook[.]site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7 - C2 / exfil endpoint used by the malware; use webhook.site (dot replaced) when searching (source: Unit 42)
GitHub repo name: Shai-Hulud - the malware creates a public repo named Shai-Hulud to publish exfiltrated secrets (source: Unit 42)
Tool abuse indicator: trufflehog - legitimate tool abused by the actors for secrets discovery; hunt for its usage (source: Unit 42)
Tool: trufflehog execution
Defender XDR Hunting
Other SOC customer case where Defender had already flagged the malicious npm packages
2.1) Executions from Threat Actor - Steps
- The worm executes during the post-install phase of the compromised NPM packages, running a large bundle.js script.
- The code targets Linux and macOS machines, performing multiple operations in parallel to spread itself in the NPM package registry and to steal sensitive information such as credentials.
- Shai-Hulud conducts local system discovery, searching the machine for sensitive details, including GitHub and NPM credentials as well as credentials for AWS and GCP.
- To spread itself and compromise other ecosystems, the worm uses the GitHub user and their credentials (ghp_* and gho_* tokens), iterating over the repositories belonging to that user.
- It gains persistence in those repositories and steals their associated secrets via a malicious GitHub Action that is invoked on a "push" event.
- To receive the credentials, the site https://webhook[.]site is used.
- The trufflehog binary is downloaded and used to search the filesystem for other sensitive credentials.
- Shai-Hulud also contains code that looks for AWS and GCP credentials, searching both the local filesystem and any Instance Metadata Service (IMDS) endpoints.
- The malicious JavaScript checks again whether the GitHub user is authenticated. If so, it creates a new GitHub repository named "Shai-Hulud", where the previously found credentials are uploaded in a base64-encoded JSON file.
2.2) Indicators of Compromise - Executions
#IOCs
ProcessCommandLine
sh -c "node bundle.js"
InitiatingProcessCommandLine
node /Users/<USERNAME>/.nvm/versions/node/v20.14.0/bin/npm install
Trufflehog execution-rights modification (chmod +x) - trufflehog is a tool to search for API keys, credentials and tokens:
chmod +x /Users/<USERNAME>/Workspaces/ivf/platform/frontend/apps/client-ivf/node_modules/@nativescript-community/ui-pulltorefresh/trufflehog
Trufflehog extraction
ProcessCommandLine
tar -xzf /Users/<USERNAME>/Workspaces/ivf/platform/frontend/apps/client-ivf/node_modules/@nativescript-community/ui-pulltorefresh/trufflehog_3.90.6_darwin_arm64.tar.gz -C /Users/<USERNAME>/Workspaces/ivf/platform/frontend/apps/client-ivf/node_modules/@nativescript-community/ui-pulltorefresh trufflehog
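As an added example (not part of the original case notes), the three execution IoCs above turned into process-telemetry detection rules in Python and run over constructed sample events; events 0-2 reproduce the command lines quoted in this section (with the <USERNAME> placeholder kept), the remaining events are benign or ambiguous look-alikes, and the rule names and severities are labels chosen here:

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    file_name: str        # DeviceProcessEvents.FileName
    cmdline: str          # ProcessCommandLine
    parent_cmdline: str   # InitiatingProcessCommandLine

def _has_all(text, *needles):
    """Case-insensitive counterpart of KQL has_all over a command line."""
    t = text.lower()
    return all(n.lower() in t for n in needles)

# trufflehog release archives are named trufflehog_<ver>_<os>_<arch>.tar.gz
TRUFFLEHOG_TARBALL = re.compile(r"trufflehog_[\w.]+_(linux|darwin)_\w+\.tar\.gz", re.I)

# Ordered most specific first; the first matching rule decides the verdict.
# Rule names and severities are this example's own labels.
RULES = [
    ("npm_lifecycle_bundle_js", "high",            # bundle.js spawned by an npm install
     lambda e: _has_all(e.cmdline, "sh -c", "node", "bundle.js")
               and _has_all(e.parent_cmdline, "npm", "install")),
    ("bundle_js_via_sh", "medium",                 # same child, parent is not npm
     lambda e: _has_all(e.cmdline, "sh -c", "node", "bundle.js")),
    ("trufflehog_chmod_in_node_modules", "high",   # binary made executable inside a package dir
     lambda e: e.file_name == "chmod"
               and _has_all(e.cmdline, "+x", "trufflehog", "node_modules")),
    ("trufflehog_chmod", "low",                    # could be an admin's manual install
     lambda e: e.file_name == "chmod" and _has_all(e.cmdline, "+x", "trufflehog")),
    ("trufflehog_unpack_in_node_modules", "high",  # release tarball extracted into node_modules
     lambda e: e.file_name == "tar" and "node_modules" in e.cmdline
               and TRUFFLEHOG_TARBALL.search(e.cmdline) is not None),
]

def classify(event):
    """Return (rule_name, severity) for the first rule the event matches, else None."""
    for name, severity, predicate in RULES:
        if predicate(event):
            return name, severity
    return None

def hunt(events):
    """Run the rules over a sequence of events; returns [(index, rule_name, severity)]."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict is not None:
            hits.append((i, *verdict))
    return hits

_PKG = ("/Users/<USERNAME>/Workspaces/ivf/platform/frontend/apps/client-ivf/"
        "node_modules/@nativescript-community/ui-pulltorefresh")

# Constructed sample telemetry: events 0-2 mirror the IoCs above, 3-6 are look-alikes.
SAMPLE_EVENTS = [
    ProcEvent("sh", 'sh -c "node bundle.js"',
              "node /Users/<USERNAME>/.nvm/versions/node/v20.14.0/bin/npm install"),
    ProcEvent("chmod", f"chmod +x {_PKG}/trufflehog", 'sh -c "node bundle.js"'),
    ProcEvent("tar", f"tar -xzf {_PKG}/trufflehog_3.90.6_darwin_arm64.tar.gz -C {_PKG} trufflehog",
              'sh -c "node bundle.js"'),
    ProcEvent("chmod", "chmod +x /usr/local/bin/trufflehog", "-bash"),   # manual admin install
    ProcEvent("sh", 'sh -c "node build.js"', "npm run build"),            # ordinary build script
    ProcEvent("node", "node bundle.js", "-zsh"),                          # no sh -c wrapper
    ProcEvent("sh", 'sh -c "node bundle.js"', "-bash"),                   # bundle.js, unknown parent
]

if __name__ == "__main__":
    for idx, rule, sev in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {SAMPLE_EVENTS[idx].cmdline}")
```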
Other Cases
Filepath
/home/devops-agent-1/.npm/_cacache/content-v2/sha512/34/b8/00d4fe26f80010b9a7ad0ca97cf7d8709cf41df1c1745e37c85ffcdd3206bf92079a9d1167d0c3f6fc76ccc4f60d7897242a207fd4ce032e96f55d259cbc
npm (and the underlying cacache) stores downloaded package content in a content-addressable cache under ~/.npm/_cacache/content-v2/sha512/<first2>/<next2>/<fullhash>.
The path encodes a sha512-derived key (the 34/b8/... prefix is just sharding of the hash).
The file itself typically contains the compressed package tarball (or a data blob) as fetched from the registry (registry.npmjs.org, github, or mirrors).
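An added example, not from the original notes and not npm's own code, of working with the cacache layout just described: it extracts the sha512 digest encoded in a content path (the path quoted above is used as input), converts it to the integrity form found in package-lock.json so the cached blob can be tied back to a package entry, and re-hashes a cache entry to check that it still matches its own digest. The cache directory used by demo() is a constructed fixture.

```python
import base64
import hashlib
import os
import re
import tempfile

# Content-addressed layout described above (npm's cacache):
#   ~/.npm/_cacache/content-v2/<algo>/<first2>/<next2>/<remaining hex of the digest>
CACHE_PATH_RE = re.compile(
    r"_cacache/content-v2/(?P<algo>sha512|sha256|sha1)/"
    r"(?P<a>[0-9a-f]{2})/(?P<b>[0-9a-f]{2})/(?P<rest>[0-9a-f]+)/?$"
)
DIGEST_HEX_LEN = {"sha512": 128, "sha256": 64, "sha1": 40}

# Path quoted in the "Other Cases" IoC above.
PAGE_CACHE_PATH = (
    "/home/devops-agent-1/.npm/_cacache/content-v2/sha512/34/b8/"
    "00d4fe26f80010b9a7ad0ca97cf7d8709cf41df1c1745e37c85ffcdd3206bf92079a9d1167d0c3f6fc76ccc4f60d7897242a207fd4ce032e96f55d259cbc"
)

def parse_cache_path(path):
    """Return (algo, full hex digest) encoded in a cacache content path, or None."""
    m = CACHE_PATH_RE.search(path.replace("\\", "/"))
    if m is None:
        return None
    hexdigest = m["a"] + m["b"] + m["rest"]       # undo the two-level sharding
    if len(hexdigest) != DIGEST_HEX_LEN[m["algo"]]:
        return None
    return m["algo"], hexdigest

def integrity_string(algo, hexdigest):
    """SRI form used by package-lock.json 'integrity' fields: '<algo>-' + base64(raw digest).
    Searching a lockfile for this string tells you which package the cached blob belongs to."""
    return f"{algo}-" + base64.b64encode(bytes.fromhex(hexdigest)).decode("ascii")

def verify_cache_entry(path):
    """Re-hash the blob on disk and compare with the digest its own path claims.
    Returns (matches, expected_hex, actual_hex); a mismatch means the entry was
    altered after npm wrote it."""
    parsed = parse_cache_path(path)
    if parsed is None:
        raise ValueError(f"not a cacache content path: {path}")
    algo, expected = parsed
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    actual = h.hexdigest()
    return actual == expected, expected, actual

def store_like_cacache(root, blob):
    """Write a blob under the cacache layout (constructed fixture, not npm itself)."""
    hexdigest = hashlib.sha512(blob).hexdigest()
    d = os.path.join(root, "_cacache", "content-v2", "sha512", hexdigest[:2], hexdigest[2:4])
    os.makedirs(d, exist_ok=True)
    p = os.path.join(d, hexdigest[4:])
    with open(p, "wb") as fh:
        fh.write(blob)
    return p

def demo():
    """Round trip on a constructed cache: a clean entry verifies, a tampered one does not."""
    with tempfile.TemporaryDirectory() as root:
        p = store_like_cacache(root, b"constructed tarball bytes")
        clean = verify_cache_entry(p)[0]
        with open(p, "ab") as fh:
            fh.write(b"injected")                 # simulate post-download modification
        tampered = verify_cache_entry(p)[0]
    return clean, tampered

if __name__ == "__main__":
    algo, digest = parse_cache_path(PAGE_CACHE_PATH)
    print(algo, digest)
    print(integrity_string(algo, digest))
    print(demo())
```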
3.) Initial Access
The worm executes during the post-install phase of the compromised NPM packages, running a large bundle.js script.
4.) Finding through Threat Hunting
We hunted through the data lake logs of the whole infrastructure and, yes, you guessed it right: we found a malicious execution not related to legitimate admin tasks, which was also confirmed by the system owner (a macOS user). So we saved the "life" of this company.

5.) Mitigation
Strengthen Supply Chain Controls
Pin dependencies to verified versions and use 'npm ci' instead of 'npm install' to enforce lockfile consistency. While this strengthens supply chain integrity, it adds complexity for developers (slower iteration, lockfile conflicts, harder testing of new versions). Whether to enforce strict reproducibility should be decided based on each team's risk appetite and operational needs.
Conduct security awareness training for developers to identify phishing and credential harvesting attempts. Include this case-study to demonstrate the risk.
Integrate automated dependency scanning tools (e.g., Snyk, Semgrep, Mend.io, Socket.dev) into CI/CD pipelines to flag malicious or anomalous packages early.
Mirror critical open-source packages in private registries and vet updates before internal distribution.
Rebuild and Redeploy
Recompile and redeploy all applications that previously included compromised dependencies to remove malicious code from runtime environments.
For web applications, publish clean client-side builds immediately to eliminate malware exposure for new sessions.
Remove and Replace Malicious Packages
Uninstall compromised versions immediately and upgrade to patched releases (e.g., [email protected] or later).
If a patch is not out yet, roll back to the last known good version before the incident (e.g., downgrade [email protected] to 6.0.0) and lock your dependency there.
Perform a clean reinstall:
Delete the node_modules directory.
Clear the npm cache.
Regenerate lockfiles to ensure all code is sourced from trusted versions.
Host and user
Reset all passwords
Clear the NPM cache
Remove NPM node_modules
Generate a new package-lock.json
Rotate all tokens
Restage the host
Secure Secrets and Tokens
Assume that secrets may have been exfiltrated from 'build' or 'runtime' environments where compromised packages were present.
Rotate all private keys, API tokens, and credentials used in affected CI/CD pipelines and applications.
Audit Dependencies
Inventory all applications, services, and build pipelines for use of affected package versions.
Use lockfiles (package-lock.json, yarn.lock) or a Software Composition Analysis (SCA) tool to pinpoint instances of vulnerable packages.
Use a read-only dependency scanner to identify compromised package versions listed in this advisory. For example, the Open Tools Vulnerable Packages Scanner supports npm, yarn, pnpm, and bun lockfiles, generates a JSON report, and can be integrated into CI pipelines to fail builds when a match is detected.
Begin with a scan only or dry run mode. Once confirmed, replace affected packages, regenerate lockfiles, and redeploy updated applications.
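An added example (not the scanner referenced above, nor any project's own code) of the read-only lockfile scan this section describes: it walks a package-lock.json of lockfileVersion 1, 2 or 3, matches every name/version pair against the 19 compromised versions listed in the HUNT01 query further down, and returns a CI exit code; the two sample lockfiles are constructed.

```python
import json
import sys

# Compromised name/version pairs, taken from the HUNT01 query on this page.
COMPROMISED = {
    ("backslash", "0.2.1"), ("chalk-template", "1.1.1"), ("supports-hyperlinks", "4.1.1"),
    ("has-ansi", "6.0.1"), ("simple-swizzle", "0.2.3"), ("color-string", "2.1.1"),
    ("error-ex", "1.3.3"), ("color-name", "2.0.1"), ("is-arrayish", "0.3.3"),
    ("slice-ansi", "7.1.1"), ("color-convert", "3.1.1"), ("wrap-ansi", "9.0.1"),
    ("ansi-regex", "6.2.1"), ("supports-color", "10.2.1"), ("strip-ansi", "7.1.1"),
    ("chalk", "5.6.1"), ("debug", "4.4.2"), ("ansi-styles", "6.2.2"),
    ("proto-tinker-wc", "0.1.87"),
}

def _name_from_path(path):
    """'node_modules/foo/node_modules/@scope/bar' -> '@scope/bar'."""
    return path.rsplit("node_modules/", 1)[-1]

def iter_locked_packages(lock):
    """Yield (name, version, location) for every dependency in a parsed package-lock.json.
    lockfileVersion 2 and 3 keep a flat 'packages' map keyed by install path;
    lockfileVersion 1 nests a 'dependencies' tree instead."""
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if path == "":                      # root project entry, not a dependency
                continue
            yield _name_from_path(path), meta.get("version"), path
        return

    def walk(deps, prefix):
        for name, meta in (deps or {}).items():
            loc = f"{prefix}node_modules/{name}"
            yield name, meta.get("version"), loc
            yield from walk(meta.get("dependencies"), loc + "/")

    yield from walk(lock.get("dependencies"), "")

def scan_lockfile(lock_text):
    """Read-only scan: sorted (name, version, location) hits against COMPROMISED."""
    lock = json.loads(lock_text)
    return sorted((n, v, loc) for n, v, loc in iter_locked_packages(lock)
                  if (n, v) in COMPROMISED)

def ci_exit_code(lock_text):
    """1 when any compromised version is pinned (fail the build), else 0."""
    return 1 if scan_lockfile(lock_text) else 0

# Constructed sample lockfiles (no real project). The nested ansi-regex shows that a hit
# can sit below another dependency, where a top-level dependency list would not show it.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"chalk": "^5.6.0", "debug": "^4.4.0"}},
        "node_modules/chalk": {"version": "5.6.1"},
        "node_modules/debug": {"version": "4.4.1"},
        "node_modules/string-width": {"version": "7.2.0"},
        "node_modules/string-width/node_modules/ansi-regex": {"version": "6.2.1"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "chalk": {"version": "5.6.1"},
        "string-width": {"version": "7.2.0",
                         "dependencies": {"strip-ansi": {"version": "7.1.1"}}},
    },
})

if __name__ == "__main__":
    # Usage: python scan.py package-lock.json [...]; exits non-zero on any hit.
    worst = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        for hit in scan_lockfile(text):
            print(path, *hit)
        worst = max(worst, ci_exit_code(text))
    sys.exit(worst)
```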
6.) Detection and Hunting
6.1) Sigma Rules
###will follow
6.2) Linux Commandline Hunting
###
/bin/bash -c -l 'source /home/tux/.user/shell-snapshots/snapshot-bash-snapshot.sh && eval 'echo "========================================" && echo "🔒 VOLLSTÄNDIGER SICHERHEITSBERICHT 🔒" && echo "========================================" && echo "" && echo "✅ SYSTEM VOLLSTÄNDIG SICHER!" && echo "" && echo "ALLE 19 KOMPROMITTIERTEN PAKETE ÜBERPRÜFT:" && echo "" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "✅ [email protected] - NICHT GEFUNDEN" && echo "" && echo "🛡️ SCHUTZSTATUS: VOLLSTÄNDIG GESCHÜTZT" && echo "🔍 MALWARE SCAN: SAUBER" && echo "📦 SICHERE VERSIONEN: INSTALLIERT" && echo "" && echo "========================================"' \< /dev/null && pwd -P >| /tmp/output'
6.3) Hunting Queries Microsoft Defender XDR
###HUNT01 - VER1-Compromised Packages
CommonSecurityLog
| where DestinationHostName == "registry.npmjs.org"
// | where RequestURL has_any ("backslash","chalk-template","supports-hyperlinks","has-ansi","simple-swizzle","color-string","error-ex","color-name","is-arrayish","slice-ansi","color-convert","wrap-ansi","ansi-regex","supports-color","strip-ansi","chalk","debug","ansi-styles", "proto-tinker-wc")
| where RequestURL has_all ("backslash", "0.2.1") or
RequestURL has_all ("chalk-template", "1.1.1") or
RequestURL has_all ("supports-hyperlinks", "4.1.1") or
RequestURL has_all ("has-ansi", "6.0.1") or
RequestURL has_all ("simple-swizzle", "0.2.3") or
RequestURL has_all ("color-string", "2.1.1") or
RequestURL has_all ("error-ex", "1.3.3") or
RequestURL has_all ("color-name", "2.0.1") or
RequestURL has_all ("is-arrayish", "0.3.3") or
RequestURL has_all ("slice-ansi", "7.1.1") or
RequestURL has_all ("color-convert", "3.1.1") or
RequestURL has_all ("wrap-ansi", "9.0.1") or
RequestURL has_all ("ansi-regex", "6.2.1") or
RequestURL has_all ("supports-color", "10.2.1") or
RequestURL has_all ("strip-ansi", "7.1.1") or
RequestURL has_all ("chalk", "5.6.1") or
RequestURL has_all ("debug", "4.4.2") or
RequestURL has_all ("ansi-styles", "6.2.2") or
RequestURL has_all ("proto-tinker-wc", "0.1.87")
| project-reorder TimeGenerated, SourceUserName, RequestURL
###HUNT02 - VER2-Compromised Packages
THANKS TIMO SARKAR ;)
// Hunt for recently compromised npm packages: https://www.ox.security/blog/npm-packages-compromised/ & https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
DeviceProcessEvents
| where ProcessCommandLine has_any (
"@ahmedhfarag/[email protected]",
"@ahmedhfarag/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nexe/[email protected]",
"@nexe/[email protected]",
"@nexe/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@thangved/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@tnf-dev/[email protected]",
"@tnf-dev/[email protected]",
"@tnf-dev/[email protected]",
"@tnf-dev/[email protected]",
"@tnf-dev/[email protected]",
"@ui-ux-gang/[email protected]",
"@yoobic/[email protected]",
"@yoobic/[email protected]",
"@yoobic/[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]"
)
###HUNT03 - MAL-Domain01-Hunting
// Description: This query checks domain and DNS query events, network events, URL info in mails and URL click events for requests to suspicious domains.
let domainList = dynamic(["webhook.site"]);
union
(
IdentityQueryEvents
| where QueryTarget has_any(domainList)
| project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
DeviceNetworkEvents
| where RemoteUrl has_any(domainList) or LocalIP has_any(domainList) or RemoteIP has_any(domainList)
| project Timestamp,DeviceName, InitiatingProcessAccountName ,Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents", InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessParentFileName
),
(
DeviceNetworkInfo
| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
| mv-expand DnsAddresses, ConnectedNetworks
| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
| project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
EmailUrlInfo
| where UrlDomain has_any(domainList)
| project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
UrlClickEvents
| where Url has_any(domainList)
| project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
###CIM-HUNT04 - C2 communication
//Find devices that may have communicated with
let domainList = dynamic(["webhook.site"]);
union
(
DnsEvents
| where Name has_any(domainList)
//or Name matches regex @"^.*\.devtunnels\.ms$"
| project TimeGenerated, Domain = Name, SourceTable = "DnsEvents"
),
(
IdentityQueryEvents
| where QueryTarget has_any(domainList)
//or QueryType matches regex @"^.*\.devtunnels\.ms$"
| project Timestamp, Domain = QueryTarget, SourceTable = "IdentityQueryEvents"
),
(
DeviceNetworkEvents
| where RemoteUrl has_any(domainList)
//or RemoteUrl matches regex @"^.*\.devtunnels\.ms$"
| project Timestamp, Domain = RemoteUrl, SourceTable = "DeviceNetworkEvents"
),
(
DeviceNetworkInfo
| extend DnsAddresses = parse_json(DnsAddresses), ConnectedNetworks = parse_json(ConnectedNetworks)
| mv-expand DnsAddresses, ConnectedNetworks
| where DnsAddresses has_any(domainList) or ConnectedNetworks.Name has_any(domainList)
//or DnsAddresses matches regex @"^.*\.devtunnels\.ms$" or ConnectedNetworks.Name matches regex @"^.*\.devtunnels\.ms$"
| project Timestamp, Domain = coalesce(DnsAddresses, ConnectedNetworks.Name), SourceTable = "DeviceNetworkInfo"
),
(
VMConnection
| extend RemoteDnsQuestions = parse_json(RemoteDnsQuestions), RemoteDnsCanonicalNames = parse_json(RemoteDnsCanonicalNames)
| mv-expand RemoteDnsQuestions, RemoteDnsCanonicalNames
| where RemoteDnsQuestions has_any(domainList) or RemoteDnsCanonicalNames has_any(domainList)
//or RemoteDnsQuestions matches regex @"^.*\.devtunnels\.ms$" or RemoteDnsCanonicalNames matches regex @"^.*\.devtunnels\.ms$"
| project TimeGenerated, Domain = coalesce(RemoteDnsQuestions, RemoteDnsCanonicalNames), SourceTable = "VMConnection"
),
(
W3CIISLog
| where csHost has_any(domainList) or csReferer has_any(domainList)
//or csHost matches regex @"^.*\.devtunnels\.ms$" or csReferer matches regex @"^.*\.devtunnels\.ms$"
| project TimeGenerated, Domain = coalesce(csHost, csReferer), SourceTable = "W3CIISLog"
),
(
EmailUrlInfo
| where UrlDomain has_any(domainList)
//or UrlDomain matches regex @"^.*\.devtunnels\.ms$"
| project Timestamp, Domain = UrlDomain, SourceTable = "EmailUrlInfo"
),
(
UrlClickEvents
| where Url has_any(domainList)
//or Url matches regex @"^.*\.devtunnels\.ms$"
| project Timestamp, Domain = Url, SourceTable = "UrlClickEvents"
)
| extend EventTime = coalesce(TimeGenerated, Timestamp)
| order by EventTime desc
###CIM-HUNT05 - Files with known malicious hashes (file events)
DeviceFileEvents
| where Timestamp > ago(30d)
| where SHA256 in (
"46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09",
"b74caeaa75e077c99f7d44f46daaf9796a3be43ecf24f2a1fd381844669da777",
"dc67467a39b70d1cd4c1f7f7a459b35058163592f4a9e8fb4dffcbba98ef210c",
"4b2399646573bb737c4969563303d8ee2e9ddbd1b271f1ca9e35ea78062538db"
)
| project Timestamp, DeviceName, InitiatingProcessAccountName, action_file_name=FileName, FolderPath, SHA256
| order by Timestamp desc
###CIM-HUNT06 - Detect downloads or network requests to the webhook.site IOC
// Any webhook.site traffic deserves a look; the flag marks the specific endpoint reported in use by the threat actor
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has "webhook.site"
| extend KnownShaiHuludEndpoint = RemoteUrl has "bb8ca5f6-4175-45d2-b042-fc9ebb8170b7"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, KnownShaiHuludEndpoint
| order by Timestamp desc
###CIM-HUNT07 - Detection of the malicious workflow filename (shai-hulud-workflow.yml)
DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName =~ "shai-hulud-workflow.yml"   // =~ is case-insensitive, == is not
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, FolderPath, InitiatingProcessCommandLine
| order by Timestamp desc
###CIM-HUNT08 - Hunt for trufflehog use (process telemetry)
// Legitimate secrets-scanning tool abused by the worm for credential discovery; expect false positives where it is used on purpose
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has "trufflehog" or FileName has "trufflehog"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
###CIM-HUNT09 - Hunt for the Shai-Hulud execution chain (chmod +x trufflehog, node bundle.js via sh -c)
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has_all ("chmod", "+x", "trufflehog")
    or ProcessCommandLine has_all ("node", "bundle.js", "sh -c")
| project Timestamp, DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
| order by Timestamp desc
6.4) Hunting Queries Palo Alto Cortex XDR
###HUNT01 - Description: Reports indicate only Linux and macOS hosts are targeted because of an os.platform() check; confirm agent coverage on those platforms before hunting
dataset = endpoints
| filter endpoint_status in (ENUM.CONNECTED, ENUM.DISCONNECTED)
| comp count() by platform
###HUNT02 - Description: Check for connections to any webhook.site domain in raw NGFW URL logs. Optional filter for the specific URI observed in use by the threat actor.
dataset = panw_ngfw_url_raw
| filter lowercase(url_domain) contains "webhook.site"
| alter susp_uri = if(uri contains "bb8ca5f6-4175-45d2-b042-fc9ebb8170b7", true, false)
// Optional filter:
// | filter susp_uri = true
| fields url_domain, uri, susp_uri, *
###HUNT03 - Description: Check for connections to any webhook.site domain in XDR telemetry (network story events). Optional filter for the specific URI observed in use by the threat actor.
dataset = xdr_data
| filter event_type = ENUM.STORY
| filter lowercase(dst_action_external_hostname) contains "webhook.site" or lowercase(dns_query_name) contains "webhook.site"
//| alter susp_uri = if(uri contains "bb8ca5f6-4175-45d2-b042-fc9ebb8170b7", true, false)
//| fields agent_hostname, dst_action_external_hostname, dns_query_name, action_external_hostname, action_network_dns_domains
###HUNT04 - Description: Detect the malicious workflow YAML file
dataset = xdr_data
| filter event_type = ENUM.FILE and action_file_name = "shai-hulud-workflow.yml" and agent_os_type in (ENUM.AGENT_OS_MAC, ENUM.AGENT_OS_LINUX)
| fields agent_hostname, actor_effective_username, action_file_name, action_file_path, actor_process_image_name, actor_process_command_line
###HUNT05 - Description: Detect Trufflehog usage. Legitimate tool abused by the threat actor for secrets discovery; false positives are expected where it is used legitimately.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and lowercase(action_process_image_command_line) contains "trufflehog"
| fields agent_hostname, actor_effective_username, actor_process_command_line, action_process_image_command_line
###HUNT06 - Description: Detect the malicious bundle.js file (by hash first, then by name on the targeted platforms)
config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.FILE and action_file_sha256 = "46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09"
| fields agent_hostname, action_file_name, action_file_path, event_type, event_sub_type, actor_process_image_name, actor_process_command_line
// Second query: any bundle.js written on macOS/Linux hosts. Broader and noisy (bundlers emit this name), so pivot on the writing process and path.
dataset = xdr_data
| filter event_type = ENUM.FILE and action_file_name = "bundle.js" and agent_os_type in (ENUM.AGENT_OS_MAC, ENUM.AGENT_OS_LINUX)
| fields agent_hostname, actor_effective_username, action_file_name, action_file_path, actor_process_image_name, actor_process_command_line
###HUNT07 - VER2-Compromised Packages
// Hunt for recently compromised npm packages: https://www.ox.security/blog/npm-packages-compromised/ & https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again
// Caveat: `in` is an exact match and the list holds npm "name@version" strings. Neither an on-disk path
// (node_modules/<scope>/<name>/package.json) nor a full command line (npm install <name@version>) equals such a
// string, so either variant only fires where the raw name@version value is the whole field. For substring matching
// use `contains` per entry or a regex alternation (~=); for an installed tree, compare package.json name and version offline.
dataset = xdr_data
//| filter event_type = ENUM.PROCESS and lowercase(action_process_image_command_line) in
| filter event_type = ENUM.FILE and lowercase(action_file_path) in
(
"@ahmedhfarag/[email protected]",
"@ahmedhfarag/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@art-ws/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@crowdstrike/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@ctrl/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@hestjs/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nativescript-community/[email protected]",
"@nexe/[email protected]",
"@nexe/[email protected]",
"@nexe/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@nstudio/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@operato/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@teselagen/[email protected]",
"@thangved/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@things-factory/[email protected]",
"@tnf-dev/[email protected]",
"@tnf-dev/[email protected]",
"@tnf-dev/[email protected]",
"@tnf-dev/[email protected]",
"@tnf-dev/[email protected]",
"@ui-ux-gang/[email protected]",
"@yoobic/[email protected]",
"@yoobic/[email protected]",
"@yoobic/[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]",
"[email protected]"
)
6.5) Hunting Queries Tanium EDR
###HUNT06 - Description: Detect execution of trufflehog and of bundle.js (Trace Executed Processes); numbering follows the Cortex XDR section above
// Note: the two epoch-millisecond values (start|end) are the time window the sensor was run with; adjust them to the hunting period
Get Trace Executed Processes[unlimited,1758288047852|1758291646852,0,0,99,0,"","",".*(trufflehog).*","","",""] from all machines
Get Trace Executed Processes[unlimited,1758288047852|1758291646852,0,0,99,0,"","",".*(bundle\.js).*","","",""] from all machines
Get Trace Executed Processes[unlimited,1758288047852|1758291646852,0,0,99,0,"","",".*(bundle\.js|trufflehog|tinycolor|node_modules|chmod|sh -c).*","","",""] from all machines
###HUNT03 - MAL-Domain01-Hunting - Webhook Site
// Description: Check Trace DNS queries for lookups of webhook.site (the Tanium counterpart of the multi-table domain hunt in the Defender/Sentinel section; only DNS telemetry is covered here)
Get Trace DNS Queries[unlimited,1758287446087|1758291045087,1,0,100,0,"","",".*(webhook\.site).*","",""] from all machines
7.) Conclusion and Learning for a Hunter Blue
The NPM incident shows that supply chain attacks are increasing in frequency. It is more important than ever to monitor third-party packages for malicious activity. Since malicious code can be hidden in many different ways, runtime threat detection is critical to catching these attacks.
During hunting or initial triage it is definitely necessary to check how the malware was staged.
-> This case showcases how fruitful Compromise Assessment Hunting and Timeline Analysis can be; they should be used in such cases -> they are essential.