Skip to content

Commit 1f0f39c

Browse files
AegrahAegrah
authored
Merge branch 'main' into web-server-post-creation-fetch
2 parents 9ff1164 + 7a884eb commit 1f0f39c

File tree

1 file changed

+40
-24
lines changed

1 file changed

+40
-24
lines changed

rules/linux/persistence_nodejs_pre_or_post_install_script_execution.toml renamed to rules/cross-platform/execution_nodejs_pre_or_post_install_script_execution.toml

Lines changed: 40 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
[metadata]
22
creation_date = "2025/09/18"
3-
integration = ["endpoint", "crowdstrike"]
3+
integration = ["endpoint", "crowdstrike", "sentinel_one_cloud_funnel"]
44
maturity = "production"
5-
updated_date = "2025/10/17"
5+
updated_date = "2025/12/03"
66

77
[rule]
88
author = ["Elastic"]
@@ -13,11 +13,15 @@ this technique to execute arbitrary commands on the system and establish persist
1313
was observed in the wild as part of the Shai-Hulud worm.
1414
"""
1515
from = "now-9m"
16-
index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*"]
16+
index = ["logs-endpoint.events.process*", "logs-crowdstrike.fdr*", "logs-sentinel_one_cloud_funnel.*"]
1717
language = "eql"
1818
license = "Elastic License v2"
1919
name = "Node.js Pre or Post-Install Script Execution"
20-
references = ["https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise"]
20+
references = [
21+
"https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
22+
"https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
23+
"https://www.elastic.co/blog/shai-hulud-worm-2-0-updated-response",
24+
]
2125
risk_score = 47
2226
rule_id = "0871a5d8-6b5f-4a12-a568-fd7bc05bd8db"
2327
setup = """## Setup
@@ -49,42 +53,26 @@ severity = "medium"
4953
tags = [
5054
"Domain: Endpoint",
5155
"OS: Linux",
56+
"OS: macOS",
5257
"Use Case: Threat Detection",
5358
"Tactic: Persistence",
5459
"Tactic: Execution",
5560
"Tactic: Defense Evasion",
5661
"Data Source: Elastic Defend",
5762
"Resources: Investigation Guide",
5863
"Data Source: Crowdstrike",
64+
"Data Source: SentinelOne",
5965
]
6066
type = "eql"
6167
query = '''
6268
sequence by host.id with maxspan=10s
63-
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.name == "node" and process.args == "install"] by process.entity_id
64-
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "ProcessRollup2") and process.parent.name == "node"] by process.parent.entity_id
69+
[process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and process.name == "node" and process.args == "install"] by process.entity_id
70+
[process where host.os.type in ("linux", "macos") and event.type == "start" and event.action in ("exec", "ProcessRollup2", "start") and process.parent.name == "node"] by process.parent.entity_id
6571
'''
6672

6773
[[rule.threat]]
6874
framework = "MITRE ATT&CK"
6975

70-
[[rule.threat.technique]]
71-
id = "T1543"
72-
name = "Create or Modify System Process"
73-
reference = "https://attack.mitre.org/techniques/T1543/"
74-
75-
[[rule.threat.technique]]
76-
id = "T1574"
77-
name = "Hijack Execution Flow"
78-
reference = "https://attack.mitre.org/techniques/T1574/"
79-
80-
[rule.threat.tactic]
81-
id = "TA0003"
82-
name = "Persistence"
83-
reference = "https://attack.mitre.org/tactics/TA0003/"
84-
85-
[[rule.threat]]
86-
framework = "MITRE ATT&CK"
87-
8876
[[rule.threat.technique]]
8977
id = "T1059"
9078
name = "Command and Scripting Interpreter"
@@ -95,6 +83,16 @@ id = "T1059.004"
9583
name = "Unix Shell"
9684
reference = "https://attack.mitre.org/techniques/T1059/004/"
9785

86+
[[rule.threat.technique]]
87+
id = "T1204"
88+
name = "User Execution"
89+
reference = "https://attack.mitre.org/techniques/T1204/"
90+
91+
[[rule.threat.technique.subtechnique]]
92+
id = "T1204.005"
93+
name = "Malicious Library"
94+
reference = "https://attack.mitre.org/techniques/T1204/005/"
95+
9896
[rule.threat.tactic]
9997
id = "TA0002"
10098
name = "Execution"
@@ -103,6 +101,24 @@ reference = "https://attack.mitre.org/tactics/TA0002/"
103101
[[rule.threat]]
104102
framework = "MITRE ATT&CK"
105103

104+
[[rule.threat.technique]]
105+
id = "T1543"
106+
name = "Create or Modify System Process"
107+
reference = "https://attack.mitre.org/techniques/T1543/"
108+
109+
[[rule.threat.technique]]
110+
id = "T1574"
111+
name = "Hijack Execution Flow"
112+
reference = "https://attack.mitre.org/techniques/T1574/"
113+
114+
[rule.threat.tactic]
115+
id = "TA0003"
116+
name = "Persistence"
117+
reference = "https://attack.mitre.org/tactics/TA0003/"
118+
119+
[[rule.threat]]
120+
framework = "MITRE ATT&CK"
121+
106122
[rule.threat.tactic]
107123
id = "TA0005"
108124
name = "Defense Evasion"

0 commit comments

Comments
 (0)