
Palo Alto Cortex XDR

763 rules · Sigma detections in Palo Alto Cortex XDR syntax
The same Sigma detection corpus, machine-rendered into Palo Alto Cortex XDR query syntax and ready to paste. Switch platforms above for identical coverage in another language, or choose Sigma (generic) for the portable YAML.
Download all 1,524 rules (.zip, 675 KB): every Palo Alto Cortex XDR query in this view, packaged to deploy.
Filter by technique (pick techniques from the ATT&CK matrix); rules per tactic:
Reconnaissance: 4
Resource Development: 5
Initial Access: 7
Execution: 25
Persistence: 31
Privilege Escalation: 17
Stealth: 63
Defense Impairment: 16
Credential Access: 26
Discovery: 24
Lateral Movement: 10
Collection: 11
Command and Control: 18
Exfiltration: 7
Impact: 10
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape: status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate is derived from rule shape, not from a measured alert rate, so use it to decide what to tune first before you deploy.
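The Adapt and Validate steps above, worked as an added example (not this page's, SigmaHQ's or pySigma's code): a minimal matcher that maps Sigma field names to Cortex XDR field names and runs the page's "SNAKE Malware WerFault Persistence File Creation" rule over constructed events, so you can see the `selection and not 1 of filter_main_*` logic fire and stay quiet before deploying. The field mapping, the helper names and the sample events are assumptions, not telemetry from any product.

```python
"""Check that a Sigma rule fires on Cortex XDR-shaped events before trusting it.
Added example (not code from this page, SigmaHQ or pySigma): the detection block is
the page's "SNAKE Malware WerFault Persistence File Creation" rule transcribed into
Python dicts (no YAML library needed); field mapping and sample events are constructed."""
import re

# Assumption: Sigma -> Cortex XDR field names, as the page's rendered file_event query uses them.
FILE_EVENT_FIELD_MAP = {
    "TargetFilename": "action_file_name",
    "Image": "actor_process_image_path",
}

# Detection block of the WerFault rule, as given on the page.
WERFAULT_DETECTION = {
    "selection": {
        "TargetFilename|startswith": "C:\\Windows\\WinSxS\\",
        "TargetFilename|endswith": "\\WerFault.exe",
    },
    "filter_main_system_location": {
        "Image|startswith": ["C:\\Windows\\System32\\",
                             "C:\\Windows\\SysWOW64\\",
                             "C:\\Windows\\WinSxS\\"],
    },
    "condition": "selection and not 1 of filter_main_*",
}


def _value_matches(actual, pattern, modifier):
    """Sigma string matching; case-insensitive like the rendered queries
    (config case_sensitive = false). Plain values may use '*' wildcards."""
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    return re.fullmatch(".*".join(map(re.escape, p.split("*"))), a) is not None


def _selection_matches(selection, event, field_map):
    """Dict: AND over keys. List of dicts: OR. Values list: OR, or AND with '|all'."""
    if isinstance(selection, list):
        return any(_selection_matches(s, event, field_map) for s in selection)
    for key, values in selection.items():
        field, *mods = key.split("|")
        actual = event.get(field_map.get(field, field))
        if actual is None:
            return False
        values = values if isinstance(values, list) else [values]
        modifier = next((m for m in mods if m != "all"), "")
        hits = [_value_matches(actual, v, modifier) for v in values]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True


def _term_holds(term, results):
    """One condition term: [not] (<selection> | all of <pat*> | 1 of <pat*>)."""
    negate = term.startswith("not ")
    term = term[4:] if negate else term
    if " of " in term:
        quantifier, pattern = term.split(" of ", 1)
        regex = re.escape(pattern).replace(r"\*", ".*")
        hits = [v for name, v in results.items() if re.fullmatch(regex, name)]
        if not hits:
            raise ValueError(f"no selection matches {pattern!r}")
        value = all(hits) if quantifier == "all" else any(hits)
    else:
        value = results[term]
    return value != negate  # != is XOR for booleans


def rule_fires(detection, event, field_map):
    """Evaluate the condition as 'or' of 'and' of terms ('and' binds tighter).
    Parentheses are not supported; none of this page's conditions use them."""
    results = {name: _selection_matches(sel, event, field_map)
               for name, sel in detection.items() if name != "condition"}
    condition = " ".join(detection["condition"].split())
    return any(all(_term_holds(t, results) for t in clause.split(" and "))
               for clause in condition.split(" or "))

# Constructed file-creation events in Cortex XDR field names (not real telemetry).
SAMPLE_EVENTS = {
    "user_process_drops_werfault_into_winsxs": {
        "action_file_name": "C:\\Windows\\WinSxS\\constructed_component\\WerFault.exe",
        "actor_process_image_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
    "trustedinstaller_writes_werfault_into_winsxs": {
        "action_file_name": "C:\\Windows\\WinSxS\\constructed_component\\WerFault.exe",
        "actor_process_image_path": "C:\\Windows\\System32\\TrustedInstaller.exe"},
    "werfault_written_outside_winsxs": {
        "action_file_name": "C:\\Windows\\Temp\\WerFault.exe",
        "actor_process_image_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
}

def validate_werfault_rule():
    """Run the rule over every sample event; only the first should fire."""
    return {name: rule_fires(WERFAULT_DETECTION, ev, FILE_EVENT_FIELD_MAP)
            for name, ev in SAMPLE_EVENTS.items()}
```

Swap in your own field map and a handful of events captured from the Atomic Red Team test for the technique; if the rule stays quiet on the atomic and fires on the benign servicing-stack event, the mapping, not the rule, is what needs work.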

Detection rules

50 shown of 763
Level: high · Quality: Moderate · Alert volume: Medium FP
Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Status: test · Author: Bartlomiej Czyz, Relativity · ATT&CK mapping: sub-technique · ID: 5bb68627-3198-40ca-b458-49f973db8752
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("rundll32.exe", "rundll32")))
Sigma YAML:
title: Rundll32 Execution Without Parameters
id: 5bb68627-3198-40ca-b458-49f973db8752
status: test
description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
author: Bartlomiej Czyz, Relativity
date: 2021-01-31
modified: 2023-02-28
tags:
    - attack.lateral-movement
    - attack.t1021.002
    - attack.t1570
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - 'rundll32.exe'
            - 'rundll32'
    condition: selection
falsepositives:
    - False positives may occur if a user called rundll32 from CLI with no options
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Running Chrome VPN Extensions via the Registry 2 VPN Extension
Running Chrome VPN Extensions via the Registry install 2 vpn extension
Status: test · Author: frack113 · ATT&CK mapping: technique · ID: b64a026b-8deb-4c1d-92fd-98893209dff1
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "Software\Wow6432Node\Google\Chrome\Extensions" and 
 action_registry_key_name contains "update_url") and 
 (action_registry_key_name in ("*fdcgdnkidjaadafnichfpabhfomcebme*", "*fcfhplploccackoneaefokcmbjfbkenj*", "*bihmplhobchoageeokmgbdihknkjbknd*", "*gkojfkhlekighikafcpjkiklfbnlmeio*", "*jajilbjjinjmgcibalaakngmkilboobh*", "*gjknjjomckknofjidppipffbpoekiipm*", "*nabbmpekekjknlbkgpodfndbodhijjem*", "*kpiecbcckbofpmkkkdibbllpinceiihk*", "*nlbejmccbhkncgokjcmghpfloaajcffj*", "*omghfjlpggmjjaagoclmmobgdodcjboh*", "*bibjcjfmgapbfoljiojpipaooddpkpai*", "*mpcaainmfjjigeicjnlkdfajbioopjko*", "*jljopmgdobloagejpohpldgkiellmfnc*", "*lochiccbgeohimldjooaakjllnafhaid*", "*nhnfcgpcbfclhfafjlooihdfghaeinfc*", "*ookhnhpkphagefgdiemllfajmkdkcaim*", "*namfblliamklmeodpcelkokjbffgmeoo*", "*nbcojefnccbanplpoffopkoepjmhgdgh*", "*majdfhpaihoncoakbjgbdhglocklcgno*", "*lnfdmdhmfbimhhpaeocncdlhiodoblbd*", "*eppiocemhmnlbhjplcgkofciiegomcon*", "*cocfojppfigjeefejbpfmedgjbpchcng*", "*foiopecknacmiihiocgdjgbjokkpkohc*", "*hhdobjgopfphlmjbmnpglhfcgppchgje*", "*jgbaghohigdbgbolncodkdlpenhcmcge*", "*inligpkjkhbpifecbdjhmdpcfhnlelja*", "*higioemojdadgdbhbbbkfbebbdlfjbip*", "*hipncndjamdcmphkgngojegjblibadbe*", "*iolonopooapdagdemdoaihahlfkncfgg*", "*nhfjkakglbnnpkpldhjmpmmfefifedcj*", "*jpgljfpmoofbmlieejglhonfofmahini*", "*fgddmllnllkalaagkghckoinaemmogpe*", "*ejkaocphofnobjdedneohbbiilggdlbi*", "*keodbianoliadkoelloecbhllnpiocoi*", "*hoapmlpnmpaehilehggglehfdlnoegck*", "*poeojclicodamonabcabmapamjkkmnnk*", "*dfkdflfgjdajbhocmfjolpjbebdkcjog*", "*kcdahmgmaagjhocpipbodaokikjkampi*", "*klnkiajpmpkkkgpgbogmcgfjhdoljacg*", "*lneaocagcijjdpkcabeanfpdbmapcjjg*", "*pgfpignfckbloagkfnamnolkeaecfgfh*", "*jplnlifepflhkbkgonidnobkakhmpnmh*", "*jliodmnojccaloajphkingdnpljdhdok*", "*hnmpcagpplmpfojmgmnngilcnanddlhb*", "*ffbkglfijbcbgblgflchnbphjdllaogb*", "*kcndmbbelllkmioekdagahekgimemejo*", "*jdgilggpfmjpbodmhndmhojklgfdlhob*", "*bihhflimonbpcfagfadcnbbdngpopnjb*", "*ppajinakbfocjfnijggfndbdmjggcmde*", "*oofgbpoabipfcfjapgnbbjjaenockbdp*", "*bhnhkdgoefpmekcgnccpnhjfdgicfebm*", 
"*knmmpciebaoojcpjjoeonlcjacjopcpf*", "*dhadilbmmjiooceioladdphemaliiobo*", "*jedieiamjmoflcknjdjhpieklepfglin*", "*mhngpdlhojliikfknhfaglpnddniijfh*", "*omdakjcmkglenbhjadbccaookpfjihpa*", "*npgimkapccfidfkfoklhpkgmhgfejhbj*", "*akeehkgglkmpapdnanoochpfmeghfdln*", "*gbmdmipapolaohpinhblmcnpmmlgfgje*", "*aigmfoeogfnljhnofglledbhhfegannp*", "*cgojmfochfikphincbhokimmmjenhhgk*", "*ficajfeojakddincjafebjmfiefcmanc*", "*ifnaibldjfdmaipaddffmgcmekjhiloa*", "*jbnmpdkcfkochpanomnkhnafobppmccn*", "*apcfdffemoinopelidncddjbhkiblecc*", "*mjolnodfokkkaichkcjipfgblbfgojpa*", "*oifjbnnafapeiknapihcmpeodaeblbkn*", "*plpmggfglncceinmilojdkiijhmajkjh*", "*mjnbclmflcpookeapghfhapeffmpodij*", "*bblcccknbdbplgmdjnnikffefhdlobhp*", "*aojlhgbkmkahabcmcpifbolnoichfeep*", "*lcmammnjlbmlbcaniggmlejfjpjagiia*", "*knajdeaocbpmfghhmijicidfcmdgbdpm*", "*bdlcnpceagnkjnjlbbbcepohejbheilk*", "*edknjdjielmpdlnllkdmaghlbpnmjmgb*", "*eidnihaadmmancegllknfbliaijfmkgo*", "*ckiahbcmlmkpfiijecbpflfahoimklke*", "*macdlemfnignjhclfcfichcdhiomgjjb*", "*chioafkonnhbpajpengbalkececleldf*", "*amnoibeflfphhplmckdbiajkjaoomgnj*", "*llbhddikeonkpbhpncnhialfbpnilcnc*", "*pcienlhnoficegnepejpfiklggkioccm*", "*iocnglnmfkgfedpcemdflhkchokkfeii*", "*igahhbkcppaollcjeaaoapkijbnphfhb*", "*njpmifchgidinihmijhcfpbdmglecdlb*", "*ggackgngljinccllcmbgnpgpllcjepgc*", "*kchocjcihdgkoplngjemhpplmmloanja*", "*bnijmipndnicefcdbhgcjoognndbgkep*", "*lklekjodgannjcccdlbicoamibgbdnmi*", "*dbdbnchagbkhknegmhgikkleoogjcfge*", "*egblhcjfjmbjajhjhpmnlekffgaemgfh*", "*ehbhfpfdkmhcpaehaooegfdflljcnfec*", "*bkkgdjpomdnfemhhkalfkogckjdkcjkg*", "*almalgbpmcfpdaopimbdchdliminoign*", "*akkbkhnikoeojlhiiomohpdnkhbkhieh*", "*gbfgfbopcfokdpkdigfmoeaajfmpkbnh*", "*bniikohfmajhdcffljgfeiklcbgffppl*", "*lejgfmmlngaigdmmikblappdafcmkndb*", "*ffhhkmlgedgcliajaedapkdfigdobcif*", "*gcknhkkoolaabfmlnjonogaaifnjlfnp*", "*pooljnboifbodgifngpppfklhifechoe*", "*fjoaledfpmneenckfbpdfhkmimnjocfa*", "*aakchaleigkohafkfjfjbblobjifikek*", 
"*dpplabbmogkhghncfbfdeeokoefdjegm*", "*padekgcemlokbadohgkifijomclgjgif*", "*bfidboloedlamgdmenmlbipfnccokknp*"))))
Sigma YAML:
title: Running Chrome VPN Extensions via the Registry 2 VPN Extension
id: b64a026b-8deb-4c1d-92fd-98893209dff1
status: test
description: Running Chrome VPN Extensions via the Registry install 2 vpn extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1133/T1133.md#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension
author: frack113
date: 2021-12-28
modified: 2023-08-17
tags:
    - attack.initial-access
    - attack.persistence
    - attack.t1133
logsource:
    category: registry_set
    product: windows
detection:
    chrome_ext:
        TargetObject|contains: 'Software\Wow6432Node\Google\Chrome\Extensions'
        TargetObject|endswith: 'update_url'
    chrome_vpn:
        TargetObject|contains:
            - fdcgdnkidjaadafnichfpabhfomcebme # ZenMate VPN
            - fcfhplploccackoneaefokcmbjfbkenj # 1clickVPN
            - bihmplhobchoageeokmgbdihknkjbknd # Touch VPN
            - gkojfkhlekighikafcpjkiklfbnlmeio # Hola Free VPN
            - jajilbjjinjmgcibalaakngmkilboobh # Astar VPN
            - gjknjjomckknofjidppipffbpoekiipm # VPN Free
            - nabbmpekekjknlbkgpodfndbodhijjem # Earth VPN
            - kpiecbcckbofpmkkkdibbllpinceiihk # DotVPN
            - nlbejmccbhkncgokjcmghpfloaajcffj # Hotspot Shield Free VPN
            - omghfjlpggmjjaagoclmmobgdodcjboh # Browsec VPN
            - bibjcjfmgapbfoljiojpipaooddpkpai # VPN-free.pro
            - mpcaainmfjjigeicjnlkdfajbioopjko # VPN Unlimited Free
            - jljopmgdobloagejpohpldgkiellmfnc # PP VPN
            - lochiccbgeohimldjooaakjllnafhaid # IP Unblock
            - nhnfcgpcbfclhfafjlooihdfghaeinfc # Surf VPN
            - ookhnhpkphagefgdiemllfajmkdkcaim # iNinja VPN
            - namfblliamklmeodpcelkokjbffgmeoo # Daily VPN
            - nbcojefnccbanplpoffopkoepjmhgdgh # Hoxx VPN Proxy
            - majdfhpaihoncoakbjgbdhglocklcgno # Free VPN
            - lnfdmdhmfbimhhpaeocncdlhiodoblbd # VPN PROXY MASTER
            - eppiocemhmnlbhjplcgkofciiegomcon # Urban Free VPN
            - cocfojppfigjeefejbpfmedgjbpchcng # SaferVPN Proxy
            - foiopecknacmiihiocgdjgbjokkpkohc # VPN Professional
            - hhdobjgopfphlmjbmnpglhfcgppchgje # AdGuard VPN
            - jgbaghohigdbgbolncodkdlpenhcmcge # Free VPN
            - inligpkjkhbpifecbdjhmdpcfhnlelja # Free One Touch VPN
            - higioemojdadgdbhbbbkfbebbdlfjbip # Unlimited VPN & Proxy by ibVPN
            - hipncndjamdcmphkgngojegjblibadbe # RusVPN
            - iolonopooapdagdemdoaihahlfkncfgg # Azino VPN
            - nhfjkakglbnnpkpldhjmpmmfefifedcj # Pron VPN
            - jpgljfpmoofbmlieejglhonfofmahini # Free Residential VPN
            - fgddmllnllkalaagkghckoinaemmogpe # ExpressVPN
            - ejkaocphofnobjdedneohbbiilggdlbi # Hotspot Shield Elite VPN Proxy
            - keodbianoliadkoelloecbhllnpiocoi # Hide My IP VPN
            - hoapmlpnmpaehilehggglehfdlnoegck # Tunnello VPN
            - poeojclicodamonabcabmapamjkkmnnk # HMA VPN Proxy Unblocker
            - dfkdflfgjdajbhocmfjolpjbebdkcjog # Free Avira Phantom VPN
            - kcdahmgmaagjhocpipbodaokikjkampi # Hola VPN
            - klnkiajpmpkkkgpgbogmcgfjhdoljacg # Free VPN for Chrome
            - lneaocagcijjdpkcabeanfpdbmapcjjg # Hub VPN
            - pgfpignfckbloagkfnamnolkeaecfgfh # Free Proxy VPN
            - jplnlifepflhkbkgonidnobkakhmpnmh # Private Internet Access
            - jliodmnojccaloajphkingdnpljdhdok # Turbo VPN for PC
            - hnmpcagpplmpfojmgmnngilcnanddlhb # Windscribe
            - ffbkglfijbcbgblgflchnbphjdllaogb # CyberGhost VPN
            - kcndmbbelllkmioekdagahekgimemejo # VPN.AC
            - jdgilggpfmjpbodmhndmhojklgfdlhob # Browser VPN
            - bihhflimonbpcfagfadcnbbdngpopnjb # DEEPRISM VPN
            - ppajinakbfocjfnijggfndbdmjggcmde # My Browser Vpn
            - oofgbpoabipfcfjapgnbbjjaenockbdp # SetupVPN
            - bhnhkdgoefpmekcgnccpnhjfdgicfebm # Wachee VPN
            - knmmpciebaoojcpjjoeonlcjacjopcpf # Thunder Proxy
            - dhadilbmmjiooceioladdphemaliiobo # Free Proxy VPN
            - jedieiamjmoflcknjdjhpieklepfglin # FastestVPN Proxy
            - mhngpdlhojliikfknhfaglpnddniijfh # WorkingVPN
            - omdakjcmkglenbhjadbccaookpfjihpa # TunnelBear VPN
            - npgimkapccfidfkfoklhpkgmhgfejhbj # BelkaVPN
            - akeehkgglkmpapdnanoochpfmeghfdln # VPN Master
            - gbmdmipapolaohpinhblmcnpmmlgfgje # Unblock Websites
            - aigmfoeogfnljhnofglledbhhfegannp # Lethean Proxy VPN
            - cgojmfochfikphincbhokimmmjenhhgk # Whoer VPN
            - ficajfeojakddincjafebjmfiefcmanc # Best VPN USA
            - ifnaibldjfdmaipaddffmgcmekjhiloa # FREE VPN DEWELOPMENT
            - jbnmpdkcfkochpanomnkhnafobppmccn # apkfold free vpn
            - apcfdffemoinopelidncddjbhkiblecc # Soul VPN
            - mjolnodfokkkaichkcjipfgblbfgojpa # DotVPN
            - oifjbnnafapeiknapihcmpeodaeblbkn # rderzh VPN Proxy
            - plpmggfglncceinmilojdkiijhmajkjh # Red Panda VPN
            - mjnbclmflcpookeapghfhapeffmpodij # Ultrareach VPN
            - bblcccknbdbplgmdjnnikffefhdlobhp # FastStunnel VPN
            - aojlhgbkmkahabcmcpifbolnoichfeep # VirtualShield VPN
            - lcmammnjlbmlbcaniggmlejfjpjagiia # Adblock Office VPN Proxy Server
            - knajdeaocbpmfghhmijicidfcmdgbdpm # Guru VPN & Proxy
            - bdlcnpceagnkjnjlbbbcepohejbheilk # Malus VPN
            - edknjdjielmpdlnllkdmaghlbpnmjmgb # Muscle VPN
            - eidnihaadmmancegllknfbliaijfmkgo # Push VPN
            - ckiahbcmlmkpfiijecbpflfahoimklke # Gom VPN
            - macdlemfnignjhclfcfichcdhiomgjjb # Free Fast VPN
            - chioafkonnhbpajpengbalkececleldf # BullVPN
            - amnoibeflfphhplmckdbiajkjaoomgnj # HideAll VPN
            - llbhddikeonkpbhpncnhialfbpnilcnc # ProxyFlow
            - pcienlhnoficegnepejpfiklggkioccm # Cloud VPN
            - iocnglnmfkgfedpcemdflhkchokkfeii # sVPN
            - igahhbkcppaollcjeaaoapkijbnphfhb # Social VPN
            - njpmifchgidinihmijhcfpbdmglecdlb # Trellonet Trellonet
            - ggackgngljinccllcmbgnpgpllcjepgc # WindmillVPN
            - kchocjcihdgkoplngjemhpplmmloanja # IPBurger Proxy & VPN
            - bnijmipndnicefcdbhgcjoognndbgkep # Veee
            - lklekjodgannjcccdlbicoamibgbdnmi # Anonymous Proxy Vpn Browser
            - dbdbnchagbkhknegmhgikkleoogjcfge # Hideman VPN
            - egblhcjfjmbjajhjhpmnlekffgaemgfh # Fornex VPN
            - ehbhfpfdkmhcpaehaooegfdflljcnfec # WeVPN
            - bkkgdjpomdnfemhhkalfkogckjdkcjkg # VPNMatic
            - almalgbpmcfpdaopimbdchdliminoign # Urban Shield
            - akkbkhnikoeojlhiiomohpdnkhbkhieh # Prime VPN
            - gbfgfbopcfokdpkdigfmoeaajfmpkbnh # westwind
            - bniikohfmajhdcffljgfeiklcbgffppl # Upnet
            - lejgfmmlngaigdmmikblappdafcmkndb # uVPN
            - ffhhkmlgedgcliajaedapkdfigdobcif # Nucleus VPN
            - gcknhkkoolaabfmlnjonogaaifnjlfnp # FoxyProxy Standard
            - pooljnboifbodgifngpppfklhifechoe # GeoProxy
            - fjoaledfpmneenckfbpdfhkmimnjocfa # NordVPN
            - aakchaleigkohafkfjfjbblobjifikek # ProxFlow
            - dpplabbmogkhghncfbfdeeokoefdjegm # Proxy SwitchySharp
            - padekgcemlokbadohgkifijomclgjgif # Proxy SwitchyOmega
            - bfidboloedlamgdmenmlbipfnccokknp # PureVPN
    condition: all of chrome_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: High FP
SNAKE Malware Covert Store Registry Key
Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · ID: d0fa35db-0e92-400e-aa16-d32ae2521618
Cortex XDR query:
config case_sensitive = false | preset=xdr_registry | filter event_type = ENUM.REGISTRY and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name contains "SECURITY\Policy\Secrets\n")
Sigma YAML:
title: SNAKE Malware Covert Store Registry Key
id: d0fa35db-0e92-400e-aa16-d32ae2521618
status: test
description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-11
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: 'SECURITY\Policy\Secrets\n'
    condition: selection
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
SNAKE Malware WerFault Persistence File Creation
Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · ID: 64827580-e4c3-4c64-97eb-c72325d45399
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "C:\Windows\WinSxS\" and 
 action_file_name contains "\WerFault.exe") and 
 (not 
 (actor_process_image_path in ("C:\Windows\System32\*", "C:\Windows\SysWOW64\*", "C:\Windows\WinSxS\*")))))
Sigma YAML:
title: SNAKE Malware WerFault Persistence File Creation
id: 64827580-e4c3-4c64-97eb-c72325d45399
status: test
description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
modified: 2023-05-18
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\WinSxS\'
        TargetFilename|endswith: '\WerFault.exe'
    filter_main_system_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
SOURGUM Actor Behaviours
Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
Status: test · Author: MSTIC, FPT.EagleEye · ATT&CK mapping: sub-technique · ID: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*windows\system32\Physmem.sys*", "*Windows\system32\ime\SHARED\WimBootConfigurations.ini*", "*Windows\system32\ime\IMEJP\WimBootConfigurations.ini*", "*Windows\system32\ime\IMETC\WimBootConfigurations.ini*")) or 
 (((action_process_image_path in ("*windows\system32\filepath2*", "*windows\system32\ime*")) and 
 action_process_image_command_line contains "reg add") and 
 (action_process_image_command_line in ("*HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32*", "*HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32*")))))
Sigma YAML:
title: SOURGUM Actor Behaviours
id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
status: test
description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
references:
    - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
    - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
author: MSTIC, FPT.EagleEye
date: 2021-06-15
modified: 2022-10-09
tags:
    - attack.t1546
    - attack.t1546.015
    - attack.persistence
    - attack.privilege-escalation
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|contains:
            - 'windows\system32\Physmem.sys'
            - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini'
    registry_image:
        Image|contains:
            - 'windows\system32\filepath2'
            - 'windows\system32\ime'
        CommandLine|contains: 'reg add'
    registry_key:
        CommandLine|contains:
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32'
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32'
    condition: selection or all of registry_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
SQLite Chromium Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
Status: test · Author: TropChaud · ATT&CK mapping: sub-technique · ID: 24c77512-782b-448a-8950-eddb0785fc71
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_signature_product = "SQLite" or 
 (action_process_image_path in ("*\sqlite.exe", "*\sqlite3.exe"))) and 
 (action_process_image_command_line in ("*\User Data\*", "*\Opera Software\*", "*\ChromiumViewer\*")) and 
 (action_process_image_command_line in ("*Login Data*", "*Cookies*", "*Web Data*", "*History*", "*Bookmarks*"))))
Sigma YAML:
title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_chromium:
        CommandLine|contains:
            - '\User Data\' # Most common folder for user profile data among Chromium browsers
            - '\Opera Software\' # Opera
            - '\ChromiumViewer\' # Sleipnir (Fenrir)
    selection_data:
        CommandLine|contains:
            - 'Login Data' # Passwords
            - 'Cookies'
            - 'Web Data' # Credit cards, autofill data
            - 'History'
            - 'Bookmarks'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: High FP
SQLite Firefox Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
Status: test · Author: frack113 · ATT&CK mapping: technique · ID: 4833155a-4053-4c9c-a997-777fcea0baa7
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_signature_product = "SQLite" or 
 (action_process_image_path in ("*\sqlite.exe", "*\sqlite3.exe"))) and 
 (action_process_image_command_line in ("*cookies.sqlite*", "*places.sqlite*"))))
Sigma YAML:
title: SQLite Firefox Profile Data DB Access
id: 4833155a-4053-4c9c-a997-777fcea0baa7
status: test
description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: frack113
date: 2022-04-08
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_firefox:
        CommandLine|contains:
            - 'cookies.sqlite'
            - 'places.sqlite' # Bookmarks, history
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Strong · Alert volume: Medium FP
Schtasks Creation Or Modification With SYSTEM Privileges
Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · ID: 89ca78fd-b37c-4310-b3d3-81a023f83936
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_path contains "\schtasks.exe" and 
 (action_process_image_command_line in ("* /change *", "* /create *"))) and 
 action_process_image_command_line contains "/ru " and 
 (action_process_image_command_line in ("*NT AUT*", "* SYSTEM *"))) and 
 (not 
 ((action_process_image_path contains "\schtasks.exe" and 
 (action_process_image_command_line contains "/TN TVInstallRestore" and 
 action_process_image_command_line contains "\TeamViewer_.exe")) or 
 (action_process_image_command_line contains "Subscription Heartbeat" and 
 action_process_image_command_line contains "\HeartbeatConfig.xml" and 
 action_process_image_command_line contains "\Microsoft Shared\OFFICE") or 
 (action_process_image_command_line in ("*/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR *", "*:\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe*", "*/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART\" /RL HIGHEST*"))))))
Sigma YAML:
title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
    - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_root:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - ' /change '
            - ' /create '
    selection_run:
        CommandLine|contains: '/ru '
    selection_user:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks, hence it gets its own value with surrounding spaces
    filter_optional_teamviewer:
        # FP from test set in SIGMA
        # Cannot use ParentImage on all OSes for 4688 events
        # ParentImage|contains|all:
        #     - '\AppData\Local\Temp\'
        #     - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/TN TVInstallRestore'
            - '\TeamViewer_.exe'
    filter_optional_office:
        CommandLine|contains|all:
            # https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
            - 'Subscription Heartbeat'
            - '\HeartbeatConfig.xml'
            - '\Microsoft Shared\OFFICE'
    filter_optional_avira:
        CommandLine|contains:
            - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
            - ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
            - '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: High FP
ScreenConnect - SlashAndGrab Exploitation Indicators
Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported by Team Huntress
Status: test · Author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · ID: 05164d17-8e11-4d7d-973e-9e4962436b87
Cortex XDR query:
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_file_name contains "C:\Windows\Temp\ScreenConnect\" and 
 action_file_name contains "\LB3.exe") or 
 (action_file_name in ("*C:\mpyutd.msi*", "*C:\perflogs\RunSchedulerTaskOnce.ps1*", "*C:\ProgramData\1.msi*", "*C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi*", "*C:\ProgramData\update.dat*", "*C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe*", "*C:\Windows\Help\Help\SentinelAgentCore.dll*", "*C:\Windows\Help\Help\SentinelUI.exe*", "*C:\Windows\spsrv.exe*", "*C:\Windows\Temp\svchost.exe*"))))
Sigma YAML:
title: ScreenConnect - SlashAndGrab Exploitation Indicators
id: 05164d17-8e11-4d7d-973e-9e4962436b87
status: test
description: |
    Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported by Team Huntress
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains|all:
              - 'C:\Windows\Temp\ScreenConnect\'
              - '\LB3.exe'
        - TargetFilename|contains:
              - 'C:\mpyutd.msi'
              - 'C:\perflogs\RunSchedulerTaskOnce.ps1'
              - 'C:\ProgramData\1.msi'
              - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi'
              - 'C:\ProgramData\update.dat'
              - 'C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe'
              - 'C:\Windows\Help\Help\SentinelAgentCore.dll'
              - 'C:\Windows\Help\Help\SentinelUI.exe'
              - 'C:\Windows\spsrv.exe'
              - 'C:\Windows\Temp\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Level: high · Quality: Moderate · Alert volume: Medium FP
Script Event Consumer Spawning Process
Detects a suspicious child process of Script Event Consumer (scrcons.exe).
Status: test · Author: Sittikorn S · ATT&CK mapping: technique · ID: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
Cortex XDR query:
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\scrcons.exe" and 
 (action_process_image_path in ("*\svchost.exe", "*\dllhost.exe", "*\powershell.exe", "*\pwsh.exe", "*\wscript.exe", "*\cscript.exe", "*\schtasks.exe", "*\regsvr32.exe", "*\mshta.exe", "*\rundll32.exe", "*\msiexec.exe", "*\msbuild.exe"))))
view Sigma YAML
title: Script Event Consumer Spawning Process
id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
status: test
description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
references:
    - https://redcanary.com/blog/child-processes/
    - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
author: Sittikorn S
date: 2021-06-21
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\scrcons.exe'
        Image|endswith:
            - '\svchost.exe'
            - '\dllhost.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\msbuild.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate High FP
Script Interpreter Spawning Credential Scanner - Linux
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id f0025a69-e1b7-4dda-a53c-db21fa2d4071
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((actor_process_image_path in ("*/node", "*/bun")) and 
 ((action_process_image_path in ("*/trufflehog", "*/gitleaks")) or 
 (action_process_image_command_line in ("*trufflehog*", "*gitleaks*")))))
view Sigma YAML
title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
    - id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.execution
    - attack.collection
    - attack.t1005
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more script interpreters as needed
            - '/node'
            - '/bun'
    selection_child:
        - Image|endswith:
              - '/trufflehog'
              - '/gitleaks'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
high Moderate High FP
Script Interpreter Spawning Credential Scanner - Windows
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path in ("*\node.exe", "*\bun.exe")) and 
 ((action_process_image_path in ("*trufflehog.exe", "*gitleaks.exe")) or 
 (action_process_image_command_line in ("*trufflehog*", "*gitleaks*")))))
view Sigma YAML
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.collection
    - attack.execution
    - attack.t1005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more script interpreters as needed
            - '\node.exe'
            - '\bun.exe'
    selection_child:
        - Image|endswith:
              - 'trufflehog.exe'
              - 'gitleaks.exe'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
high Strong Medium FP
Sdiagnhost Calling Suspicious Child Process
Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
status test author Nextron Systems, @Kostastsale ATT&CK technique id f3d39c45-de1a-4486-a687-ab126124f744
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "\sdiagnhost.exe" and 
 (action_process_image_path in ("*\powershell.exe", "*\pwsh.exe", "*\cmd.exe", "*\mshta.exe", "*\cscript.exe", "*\wscript.exe", "*\taskkill.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\calc.exe"))) and 
 (not 
 ((action_process_image_path contains "\cmd.exe" and 
 action_process_image_command_line contains "bits") or 
 (action_process_image_path contains "\powershell.exe" and 
 (action_process_image_command_line in ("*-noprofile -", "*-noprofile")))))))
view Sigma YAML
title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems, @Kostastsale
date: 2022-06-01
modified: 2024-08-23
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sdiagnhost.exe'
        Image|endswith:
            # Add more suspicious LOLBins
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\taskkill.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            # - '\csc.exe'   # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
            - '\calc.exe'  # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    filter_main_cmd_bits:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'bits'
    filter_main_powershell_noprofile:
        Image|endswith: '\powershell.exe'
        CommandLine|endswith:
            - '-noprofile -'
            - '-noprofile'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Security Event Logging Disabled via MiniNt Registry Key - Registry Set
Detects the addition of the 'MiniNt' key to the registry. After a reboot, the Windows Event Log service stops writing events. Windows Event Log is the service that collects and stores event logs from the operating system and applications, and it is an important component of Windows security and auditing. An adversary may want to disable this service to stop the logging of security events that could otherwise be used to detect their activity.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 8839e550-52d7-4958-9f2f-e13c1e736838
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_registry_key_name = "HKLM\System\CurrentControlSet\Control\MiniNt\(Default)")
view Sigma YAML
title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
id: 8839e550-52d7-4958-9f2f-e13c1e736838
related:
    - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
      type: similar
status: experimental
description: |
    Detects the addition of the 'MiniNt' key to the registry. After a reboot, the Windows Event Log service stops writing events.
    Windows Event Log is the service that collects and stores event logs from the operating system and applications, and it is an important component of Windows security and auditing.
    An adversary may want to disable this service to stop the logging of security events that could otherwise be used to detect their activity.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
    condition: selection
falsepositives:
    - Highly Unlikely
level: high
high Strong Medium FP
Security Service Disabled Via Reg.EXE
Detects execution of "reg.exe" to disable security services such as Windows Defender.
status test author Florian Roth (Nextron Systems), John Lambert (idea), elhoim ATT&CK technique id 5e95028c-5229-4214-afae-d653d573d0ec
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_command_line contains "reg" and 
 action_process_image_command_line contains "add") and 
 ((action_process_image_command_line contains "d 4" and 
 action_process_image_command_line contains "v Start") and 
 (action_process_image_command_line in ("*\AppIDSvc*", "*\MsMpSvc*", "*\NisSrv*", "*\SecurityHealthService*", "*\Sense*", "*\UsoSvc*", "*\WdBoot*", "*\WdFilter*", "*\WdNisDrv*", "*\WdNisSvc*", "*\WinDefend*", "*\wscsvc*", "*\wuauserv*")))))
view Sigma YAML
title: Security Service Disabled Via Reg.EXE
id: 5e95028c-5229-4214-afae-d653d573d0ec
status: test
description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
references:
    - https://twitter.com/JohnLaTwC/status/1415295021041979392
    - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
    - https://vms.drweb.fr/virus/?i=24144899
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
date: 2021-07-14
modified: 2023-06-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_add:
        CommandLine|contains|all:
            - 'reg'
            - 'add'
    selection_cli_reg_start:
        CommandLine|contains|all:
            - 'd 4'
            - 'v Start'
        CommandLine|contains:
            - '\AppIDSvc'
            - '\MsMpSvc'
            - '\NisSrv'
            - '\SecurityHealthService'
            - '\Sense'
            - '\UsoSvc'
            - '\WdBoot'
            - '\WdFilter'
            - '\WdNisDrv'
            - '\WdNisSvc'
            - '\WinDefend'
            - '\wscsvc'
            - '\wuauserv'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high Moderate High FP
Sensitive File Access Via Volume Shadow Copy Backup
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
status test author Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) ATT&CK technique id f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" and 
 (action_process_image_command_line in ("*\NTDS.dit*", "*\SYSTEM*", "*\SECURITY*"))))
view Sigma YAML
title: Sensitive File Access Via Volume Shadow Copy Backup
id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
status: test
description: |
    Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2024-01-18
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        # copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1
        # There is an additional "\" to escape the special "?"
        CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
    selection_2:
        CommandLine|contains:
            - '\\NTDS.dit'
            - '\\SYSTEM'
            - '\\SECURITY'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high Moderate High FP
Serpent Backdoor Payload Execution Via Scheduled Task
Detects a post-exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands the backdoor ran created a temporary scheduled task using an unusual method: it creates a fictitious Windows event and a trigger bound to it, so that once the event is created the payload executes.
status test author @kostastsale ATT&CK sub-technique id d5eb7432-fda4-4bba-a37f-ffa74d9ed639
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path in ("*\cmd.exe", "*\powershell.exe")) and 
 (action_process_image_command_line contains "[System/EventID=" and 
 action_process_image_command_line contains "/create" and 
 action_process_image_command_line contains "/delete" and 
 action_process_image_command_line contains "/ec" and 
 action_process_image_command_line contains "/so" and 
 action_process_image_command_line contains "/tn run")))
view Sigma YAML
title: Serpent Backdoor Payload Execution Via Scheduled Task
id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639
status: test
description: |
    Detects a post-exploitation execution technique of the Serpent backdoor.
    According to Proofpoint, one of the commands the backdoor ran created a temporary scheduled task using an unusual method.
    It creates a fictitious Windows event and a trigger bound to it, so that once the event is created the payload executes.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
author: '@kostastsale'
date: 2022-03-21
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.006
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - '[System/EventID='
            - '/create'
            - '/delete'
            - '/ec'
            - '/so'
            - '/tn run'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Strong Medium FP
Service Binary in Suspicious Folder
Detects the creation of a service whose service binary is located in a suspicious directory
status test author Florian Roth (Nextron Systems), frack113 ATT&CK technique id a07f0359-4c90-4dc4-a681-8ffea40b4f47
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_registry_key_name contains "HKLM\System\CurrentControlSet\Services\" and 
 action_registry_key_name contains "\Start" and 
 (actor_process_image_path in ("*\Users\Public\*", "*\Perflogs\*", "*\ADMIN$\*", "*\Temp\*")) and 
 ((action_registry_value_name in ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")) or 
 (action_registry_data in ("DWORD (0x00000000)", "DWORD (0x00000001)", "DWORD (0x00000002)")))) or 
 (action_registry_key_name contains "HKLM\System\CurrentControlSet\Services\" and 
 action_registry_key_name contains "\ImagePath" and 
 ((action_registry_value_name in ("*\Users\Public\*", "*\Perflogs\*", "*\ADMIN$\*", "*\Temp\*")) or 
 (action_registry_data in ("*\Users\Public\*", "*\Perflogs\*", "*\ADMIN$\*", "*\Temp\*"))))) and 
 (not 
 ((actor_process_image_path contains "\Common Files\" and 
 actor_process_image_path contains "\Temp\") or 
 (action_registry_key_name contains "\CurrentControlSet\Services\MBAMInstallerService\ImagePath" and 
 (action_registry_value_name contains "\AppData\Local\Temp\MBAMInstallerService.exe\"" or 
 action_registry_data contains "\AppData\Local\Temp\MBAMInstallerService.exe\"") and 
 actor_process_image_path = "C:\Windows\system32\services.exe")))))
view Sigma YAML
title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
    - id: c0abc838-36b0-47c9-b3b3-a90c39455382
      type: obsolete
status: test
description: Detects the creation of a service whose service binary is located in a suspicious directory
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022-05-02
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_service_start:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\Start'
        Image|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
        Details:
            - 'DWORD (0x00000000)'  # boot
            - 'DWORD (0x00000001)'  # System
            - 'DWORD (0x00000002)'  # Automatic
            # 3 - Manual , 4 - Disabled
    selection_service_imagepath:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
    filter_optional_avast:
        Image|contains|all: # Filter FP with Avast software
            - '\Common Files\'
            - '\Temp\'
    filter_optional_mbamservice:
        TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
        Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
        Image: 'C:\Windows\system32\services.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Shai-Hulud 2.0 Malicious NPM Package Installation
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id bae7c70b-8569-44e9-accf-b30073da8a5d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_process_image_path contains "\node.exe" and 
 (action_process_image_command_line in ("*install*", "* i *"))) and 
 (action_process_image_command_line in ("*[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@afetcan/[email protected]*", "*@afetcan/[email protected]*", "*@alaan/[email protected]*", "*@alexadark/[email protected]*", "*@alexadark/[email protected]*", "*@alexadark/[email protected]*", "*@alexadark/[email protected]*", "*@alexcolls/[email protected]*", "*@alexcolls/[email protected]*", "*@alexcolls/[email protected]*", "*@alexcolls/[email protected]*", "*@antstackio/[email protected]*", "*@antstackio/[email protected]*", "*@antstackio/[email protected]*", "*@antstackio/[email protected]*", "*@antstackio/[email protected]*", "*@aryanhussain/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email 
protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@bdkinc/[email protected]*", "*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", 
"*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", "*@caretive/[email protected]*", "*@chtijs/[email protected]*", "*@clausehq/[email protected]*", "*@clausehq/[email protected]*", "*@clausehq/[email protected]*", "*@clausehq/[email protected]*", "*@clausehq/[email protected]*", "*@cllbk/[email protected]*", "*@commute/[email protected]*", "*@commute/[email protected]*", "*@commute/[email protected]*", "*@dev-blinq/[email protected]*", "*@dev-blinq/[email protected]*", "*@dev-blinq/[email protected]*", "*@dev-blinq/[email protected]*", "*@dev-blinq/[email protected]*", "*@elsedev/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email 
protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@faq-component/[email protected]*", "*@faq-component/[email protected]*", "*@fishingbooker/[email protected]*", "*@fishingbooker/[email protected]*", "*@fishingbooker/[email protected]*", "*@fishingbooker/[email protected]*", "*@fishingbooker/[email protected]*", "*@hapheus/[email protected]*", "*@hover-design/[email protected]*", "*@hover-design/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@hyperlook/[email protected]*", "*@ifelsedeveloper/[email protected]*", "*@ifelsedeveloper/[email protected]*", "*@ifings/[email protected]*", "*@ifings/[email protected]*", "*@jayeshsadhwani/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@livecms/[email protected]*", "*@livecms/[email protected]*", "*@lokeswari-satyanarayanan/[email protected]*", "*@louisle2/[email protected]*", 
"*@louisle2/[email protected]*", "*@lpdjs/[email protected]*", "*@lui-ui/[email protected]*", "*@lui-ui/[email protected]*", "*@lui-ui/[email protected]*", "*@markvivanco/[email protected]*", "*@markvivanco/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@micado-digital/[email protected]*", "*@mizzle-dev/[email protected]*", "*@mparpaillon/[email protected]*", "*@mparpaillon/[email protected]*", "*@mparpaillon/[email protected]*", "*@ntnx/[email protected]*", "*@ntnx/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", 
"*@orbitgtbelgium/[email protected]*", "*@orbitgtbelgium/[email protected]*", "*@orbitgtbelgium/[email protected]*", "*@orbitgtbelgium/[email protected]*", "*@osmanekrem/[email protected]*", "*@osmanekrem/[email protected]*", "*@pergel/[email protected]*", "*@pergel/[email protected]*", "*@pergel/[email protected]*", "*@pergel/[email protected]*", "*@pergel/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email 
protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@pradhumngautam/[email protected]*", "*@productdevbook/[email protected]*", "*@productdevbook/[email protected]*", "*@productdevbook/[email protected]*", "*@productdevbook/[email 
protected]*", "*@productdevbook/[email protected]*", "*@pruthvi21/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@relyt/[email protected]*", "*@relyt/[email protected]*", "*@relyt/[email protected]*", "*@sameepsi/[email protected]*", "*@sameepsi/[email protected]*", "*@seezo/[email protected]*", "*@seung-ju/[email protected]*", "*@seung-ju/[email protected]*", "*@seung-ju/[email protected]*", "*@seung-ju/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@sme-ui/[email protected]*", "*@strapbuild/[email protected]*", "*@strapbuild/[email protected]*", "*@strapbuild/[email protected]*", "*@strapbuild/[email protected]*", "*@suraj_h/[email protected]*", "*@thedelta/[email protected]*", "*@tiaanduplessis/[email protected]*", "*@tiaanduplessis/[email protected]*", "*@tiaanduplessis/[email protected]*", "*@tiaanduplessis/[email protected]*", "*@trackstar/[email protected]*", "*@trackstar/[email protected]*", "*@trackstar/[email protected]*", "*@trackstar/[email protected]*", "*@trackstar/[email protected]*", "*@trefox/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", 
"*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trpc-rate-limiter/[email protected]*", "*@trpc-rate-limiter/[email protected]*", "*@varsityvibe/[email protected]*", "*@varsityvibe/[email protected]*", "*@varsityvibe/[email protected]*", "*@varsityvibe/[email protected]*", "*@varsityvibe/[email protected]*", "*@viapip/[email protected]*", "*@vishadtyagi/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", 
"*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email 
protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@vucod/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email 
protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", 
"*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email 
protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", 
"*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email 
protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*"))))
view Sigma YAML
title: Shai-Hulud 2.0 Malicious NPM Package Installation
id: bae7c70b-8569-44e9-accf-b30073da8a5d
related:
    - id: 514f533b-f56e-421d-80b0-f7706a3e9d23
      type: similar
status: experimental
description: |
    Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
references:
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://github.com/wiz-sec-public/wiz-research-iocs/blob/a836ce8aacf12d6d2f6afc3c44b391dc4c08f46e/reports/shai-hulud-2-packages.csv
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-28
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1195.002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\node.exe'
        CommandLine|contains:
            - 'install'
            - ' i '
    # List of known malicious packages and versions from the Shai-Hulud 2.0 campaign
    selection_packages:
        CommandLine|contains:
            - '[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@afetcan/[email protected]'
            - '@afetcan/[email protected]'
            - '@alaan/[email protected]'
            - '@alexadark/[email protected]'
            - '@alexadark/[email protected]'
            - '@alexadark/[email protected]'
            - '@alexadark/[email protected]'
            - '@alexcolls/[email protected]'
            - '@alexcolls/[email protected]'
            - '@alexcolls/[email protected]'
            - '@alexcolls/[email protected]'
            - '@antstackio/[email protected]'
            - '@antstackio/[email protected]'
            - '@antstackio/[email protected]'
            - '@antstackio/[email protected]'
            - '@antstackio/[email protected]'
            - '@aryanhussain/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@bdkinc/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@caretive/[email protected]'
            - '@chtijs/[email protected]'
            - '@clausehq/[email protected]'
            - '@clausehq/[email protected]'
            - '@clausehq/[email protected]'
            - '@clausehq/[email protected]'
            - '@clausehq/[email protected]'
            - '@cllbk/[email protected]'
            - '@commute/[email protected]'
            - '@commute/[email protected]'
            - '@commute/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@elsedev/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@faq-component/[email protected]'
            - '@faq-component/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@hapheus/[email protected]'
            - '@hover-design/[email protected]'
            - '@hover-design/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@hyperlook/[email protected]'
            - '@ifelsedeveloper/[email protected]'
            - '@ifelsedeveloper/[email protected]'
            - '@ifings/[email protected]'
            - '@ifings/[email protected]'
            - '@jayeshsadhwani/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@livecms/[email protected]'
            - '@livecms/[email protected]'
            - '@lokeswari-satyanarayanan/[email protected]'
            - '@louisle2/[email protected]'
            - '@louisle2/[email protected]'
            - '@lpdjs/[email protected]'
            - '@lui-ui/[email protected]'
            - '@lui-ui/[email protected]'
            - '@lui-ui/[email protected]'
            - '@markvivanco/[email protected]'
            - '@markvivanco/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@micado-digital/[email protected]'
            - '@mizzle-dev/[email protected]'
            - '@mparpaillon/[email protected]'
            - '@mparpaillon/[email protected]'
            - '@mparpaillon/[email protected]'
            - '@ntnx/[email protected]'
            - '@ntnx/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@orbitgtbelgium/[email protected]'
            - '@orbitgtbelgium/[email protected]'
            - '@orbitgtbelgium/[email protected]'
            - '@orbitgtbelgium/[email protected]'
            - '@osmanekrem/[email protected]'
            - '@osmanekrem/[email protected]'
            - '@pergel/[email protected]'
            - '@pergel/[email protected]'
            - '@pergel/[email protected]'
            - '@pergel/[email protected]'
            - '@pergel/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@pradhumngautam/[email protected]'
            - '@productdevbook/[email protected]'
            - '@productdevbook/[email protected]'
            - '@productdevbook/[email protected]'
            - '@productdevbook/[email protected]'
            - '@productdevbook/[email protected]'
            - '@pruthvi21/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@relyt/[email protected]'
            - '@relyt/[email protected]'
            - '@relyt/[email protected]'
            - '@sameepsi/[email protected]'
            - '@sameepsi/[email protected]'
            - '@seezo/[email protected]'
            - '@seung-ju/[email protected]'
            - '@seung-ju/[email protected]'
            - '@seung-ju/[email protected]'
            - '@seung-ju/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@sme-ui/[email protected]'
            - '@strapbuild/[email protected]'
            - '@strapbuild/[email protected]'
            - '@strapbuild/[email protected]'
            - '@strapbuild/[email protected]'
            - '@suraj_h/[email protected]'
            - '@thedelta/[email protected]'
            - '@tiaanduplessis/[email protected]'
            - '@tiaanduplessis/[email protected]'
            - '@tiaanduplessis/[email protected]'
            - '@tiaanduplessis/[email protected]'
            - '@trackstar/[email protected]'
            - '@trackstar/[email protected]'
            - '@trackstar/[email protected]'
            - '@trackstar/[email protected]'
            - '@trackstar/[email protected]'
            - '@trefox/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trpc-rate-limiter/[email protected]'
            - '@trpc-rate-limiter/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@viapip/[email protected]'
            - '@vishadtyagi/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@vucod/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_malicious_npm_package_installation/info.yml
high Moderate Medium FP
Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK sub-technique · id: 514f533b-f56e-421d-80b0-f7706a3e9d23
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path contains "\node" and 
 (action_process_image_command_line in ("*install*", "* i *"))) and 
 (action_process_image_command_line in ("*[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@accordproject/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@actbase/[email protected]*", "*@afetcan/[email protected]*", "*@afetcan/[email protected]*", "*@alaan/[email protected]*", "*@alexadark/[email protected]*", "*@alexadark/[email protected]*", "*@alexadark/[email protected]*", "*@alexadark/[email protected]*", "*@alexcolls/[email protected]*", "*@alexcolls/[email protected]*", "*@alexcolls/[email protected]*", "*@alexcolls/[email protected]*", "*@antstackio/[email protected]*", "*@antstackio/[email protected]*", "*@antstackio/[email protected]*", "*@antstackio/[email protected]*", "*@antstackio/[email protected]*", "*@aryanhussain/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email 
protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@asyncapi/[email protected]*", "*@bdkinc/[email protected]*", "*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", 
"*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", "*@browserbasehq/[email protected]*", "*@caretive/[email protected]*", "*@chtijs/[email protected]*", "*@clausehq/[email protected]*", "*@clausehq/[email protected]*", "*@clausehq/[email protected]*", "*@clausehq/[email protected]*", "*@clausehq/[email protected]*", "*@cllbk/[email protected]*", "*@commute/[email protected]*", "*@commute/[email protected]*", "*@commute/[email protected]*", "*@dev-blinq/[email protected]*", "*@dev-blinq/[email protected]*", "*@dev-blinq/[email protected]*", "*@dev-blinq/[email protected]*", "*@dev-blinq/[email protected]*", "*@elsedev/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email 
protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@ensdomains/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@everreal/[email protected]*", "*@faq-component/[email protected]*", "*@faq-component/[email protected]*", "*@fishingbooker/[email protected]*", "*@fishingbooker/[email protected]*", "*@fishingbooker/[email protected]*", "*@fishingbooker/[email protected]*", "*@fishingbooker/[email protected]*", "*@hapheus/[email protected]*", "*@hover-design/[email protected]*", "*@hover-design/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@huntersofbook/[email protected]*", "*@hyperlook/[email protected]*", "*@ifelsedeveloper/[email protected]*", "*@ifelsedeveloper/[email protected]*", "*@ifings/[email protected]*", "*@ifings/[email protected]*", "*@jayeshsadhwani/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@kvytech/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@lessondesk/[email protected]*", "*@livecms/[email protected]*", "*@livecms/[email protected]*", "*@lokeswari-satyanarayanan/[email protected]*", "*@louisle2/[email protected]*", 
"*@louisle2/[email protected]*", "*@lpdjs/[email protected]*", "*@lui-ui/[email protected]*", "*@lui-ui/[email protected]*", "*@lui-ui/[email protected]*", "*@markvivanco/[email protected]*", "*@markvivanco/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@mcp-use/[email protected]*", "*@micado-digital/[email protected]*", "*@mizzle-dev/[email protected]*", "*@mparpaillon/[email protected]*", "*@mparpaillon/[email protected]*", "*@mparpaillon/[email protected]*", "*@ntnx/[email protected]*", "*@ntnx/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", "*@oku-ui/[email protected]*", 
"*@orbitgtbelgium/[email protected]*", "*@orbitgtbelgium/[email protected]*", "*@orbitgtbelgium/[email protected]*", "*@orbitgtbelgium/[email protected]*", "*@osmanekrem/[email protected]*", "*@osmanekrem/[email protected]*", "*@pergel/[email protected]*", "*@pergel/[email protected]*", "*@pergel/[email protected]*", "*@pergel/[email protected]*", "*@pergel/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email 
protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@posthog/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@postman/[email protected]*", "*@pradhumngautam/[email protected]*", "*@productdevbook/[email protected]*", "*@productdevbook/[email protected]*", "*@productdevbook/[email protected]*", "*@productdevbook/[email 
protected]*", "*@productdevbook/[email protected]*", "*@pruthvi21/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@quick-start-soft/[email protected]*", "*@relyt/[email protected]*", "*@relyt/[email protected]*", "*@relyt/[email protected]*", "*@sameepsi/[email protected]*", "*@sameepsi/[email protected]*", "*@seezo/[email protected]*", "*@seung-ju/[email protected]*", "*@seung-ju/[email protected]*", "*@seung-ju/[email protected]*", "*@seung-ju/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@silgi/[email protected]*", "*@sme-ui/[email protected]*", "*@strapbuild/[email protected]*", "*@strapbuild/[email protected]*", "*@strapbuild/[email protected]*", "*@strapbuild/[email protected]*", "*@suraj_h/[email protected]*", "*@thedelta/[email protected]*", "*@tiaanduplessis/[email protected]*", "*@tiaanduplessis/[email protected]*", "*@tiaanduplessis/[email protected]*", "*@tiaanduplessis/[email protected]*", "*@trackstar/[email protected]*", "*@trackstar/[email protected]*", "*@trackstar/[email protected]*", "*@trackstar/[email protected]*", "*@trackstar/[email protected]*", "*@trefox/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", 
"*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trigo/[email protected]*", "*@trpc-rate-limiter/[email protected]*", "*@trpc-rate-limiter/[email protected]*", "*@varsityvibe/[email protected]*", "*@varsityvibe/[email protected]*", "*@varsityvibe/[email protected]*", "*@varsityvibe/[email protected]*", "*@varsityvibe/[email protected]*", "*@viapip/[email protected]*", "*@vishadtyagi/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", 
"*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email 
protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@voiceflow/[email protected]*", "*@vucod/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*@zapier/[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email 
protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", 
"*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email 
protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", 
"*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email 
protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*", "*[email protected]*"))))
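The rule rendered above (its Sigma source follows) keys on two things in a Linux process-creation event: the image is node, and the command line carries an npm install verb together with a known-bad `package@version` string. The script below is an added example, not code from this page or from the Sigma project, that evaluates that logic over a few constructed events and adds the check the rule itself cannot make: an install driven by package.json or a lockfile (`npm ci`, a bare `npm install`) never puts a version on the command line, so the same IOC list is also matched against a package-lock.json. The package names and versions in the IOC set are placeholders; the real list is the Wiz CSV the rule references.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed placeholder IOCs in the rule's package@version form. The real
# Shai-Hulud 2.0 list is the Wiz CSV the rule references; these are not in it.
MALICIOUS_PACKAGES = frozenset({
    "@example-scope/widget@4.2.1",
    "@example-scope/widget@4.2.2",
    "example-cli@9.9.9",
})

# selection_img: an npm install verb on the command line of a node process.
INSTALL_TOKENS = ("install", " i ")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Linux process_creation event (Sigma Image / CommandLine)."""
    image: str
    command_line: str


def matches_rule(ev: ProcessEvent) -> Optional[List[str]]:
    """Apply both selections; return the matched IOCs or None."""
    if not ev.image.endswith("/node"):          # Image|endswith: '/node'
        return None
    if not any(tok in ev.command_line for tok in INSTALL_TOKENS):
        return None
    # selection_packages: CommandLine|contains any known-bad package@version
    hits = sorted(p for p in MALICIOUS_PACKAGES if p in ev.command_line)
    return hits or None


def detect(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Index of every event the rule would alert on, with its IOC hits."""
    out: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = matches_rule(ev)
        if hits:
            out[i] = hits
    return out


def scan_lockfile(lock_text: str) -> List[str]:
    """Match the same IOCs against a package-lock.json (lockfileVersion 2/3).

    Keys in "packages" are install paths such as node_modules/@scope/name or
    node_modules/a/node_modules/b; the package name is everything after the
    last node_modules/. Version-1 lockfiles use a nested "dependencies" tree
    and are not handled here.
    """
    lock = json.loads(lock_text)
    found = set()
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project entry
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        spec = f"{name}@{meta.get('version', '')}"
        if spec in MALICIOUS_PACKAGES:
            found.add(spec)
    return sorted(found)


# Constructed sample events (not real telemetry).
EVENTS = [
    ProcessEvent("/usr/bin/node", "node /usr/bin/npm install @example-scope/widget@4.2.1"),
    ProcessEvent("/usr/bin/node", "node /usr/bin/npm i example-cli@9.9.9 --save-dev"),
    ProcessEvent("/usr/bin/node", "node /usr/bin/npm install @example-scope/widget@4.2.0"),
    ProcessEvent("/usr/bin/node", "node /usr/bin/npm ci"),
    ProcessEvent("/usr/bin/bash", "bash -c 'npm install example-cli@9.9.9'"),
]

# Constructed package-lock.json: the bad versions are pinned here, but the
# plain `npm ci` in event 3 never shows them on the command line.
SAMPLE_LOCKFILE = json.dumps({
    "name": "victim-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "victim-app", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@example-scope/widget": {"version": "4.2.2"},
        "node_modules/foo/node_modules/example-cli": {"version": "9.9.9"},
    },
})

if __name__ == "__main__":
    for idx, hits in detect(EVENTS).items():
        print(f"event {idx}: rule fires on {hits}")
    print("lockfile IOCs:", scan_lockfile(SAMPLE_LOCKFILE))
```

Events 0 and 1 fire; event 2 is a clean version of the same package; event 3 is the lockfile-driven install the command-line rule is blind to, which is why the lockfile scan finds two pinned IOCs it missed; event 4 is the parent shell, which never matches because the rule fires on the child node process. Note that `'install'` is a substring match (it also hits `npm uninstall`) and `' i '` hits any node command line with a bare `i` argument, so the IOC selection does the real filtering and the install verb only narrows volume.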
Sigma YAML
title: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
id: 514f533b-f56e-421d-80b0-f7706a3e9d23
related:
    - id: bae7c70b-8569-44e9-accf-b30073da8a5d
      type: similar
status: experimental
description: |
    Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
references:
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://github.com/wiz-sec-public/wiz-research-iocs/blob/a836ce8aacf12d6d2f6afc3c44b391dc4c08f46e/reports/shai-hulud-2-packages.csv
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-28
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1195.002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/node'   # Linux path separator; npm itself runs as a node process
        CommandLine|contains:
            - 'install'
            - ' i '
    # List of known malicious packages and versions from the Shai-Hulud 2.0 campaign
    selection_packages:
        CommandLine|contains:
            - '[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@accordproject/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@actbase/[email protected]'
            - '@afetcan/[email protected]'
            - '@afetcan/[email protected]'
            - '@alaan/[email protected]'
            - '@alexadark/[email protected]'
            - '@alexadark/[email protected]'
            - '@alexadark/[email protected]'
            - '@alexadark/[email protected]'
            - '@alexcolls/[email protected]'
            - '@alexcolls/[email protected]'
            - '@alexcolls/[email protected]'
            - '@alexcolls/[email protected]'
            - '@antstackio/[email protected]'
            - '@antstackio/[email protected]'
            - '@antstackio/[email protected]'
            - '@antstackio/[email protected]'
            - '@antstackio/[email protected]'
            - '@aryanhussain/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@asyncapi/[email protected]'
            - '@bdkinc/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@browserbasehq/[email protected]'
            - '@caretive/[email protected]'
            - '@chtijs/[email protected]'
            - '@clausehq/[email protected]'
            - '@clausehq/[email protected]'
            - '@clausehq/[email protected]'
            - '@clausehq/[email protected]'
            - '@clausehq/[email protected]'
            - '@cllbk/[email protected]'
            - '@commute/[email protected]'
            - '@commute/[email protected]'
            - '@commute/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@dev-blinq/[email protected]'
            - '@elsedev/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@ensdomains/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@everreal/[email protected]'
            - '@faq-component/[email protected]'
            - '@faq-component/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@fishingbooker/[email protected]'
            - '@hapheus/[email protected]'
            - '@hover-design/[email protected]'
            - '@hover-design/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@huntersofbook/[email protected]'
            - '@hyperlook/[email protected]'
            - '@ifelsedeveloper/[email protected]'
            - '@ifelsedeveloper/[email protected]'
            - '@ifings/[email protected]'
            - '@ifings/[email protected]'
            - '@jayeshsadhwani/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@kvytech/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@lessondesk/[email protected]'
            - '@livecms/[email protected]'
            - '@livecms/[email protected]'
            - '@lokeswari-satyanarayanan/[email protected]'
            - '@louisle2/[email protected]'
            - '@louisle2/[email protected]'
            - '@lpdjs/[email protected]'
            - '@lui-ui/[email protected]'
            - '@lui-ui/[email protected]'
            - '@lui-ui/[email protected]'
            - '@markvivanco/[email protected]'
            - '@markvivanco/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@mcp-use/[email protected]'
            - '@micado-digital/[email protected]'
            - '@mizzle-dev/[email protected]'
            - '@mparpaillon/[email protected]'
            - '@mparpaillon/[email protected]'
            - '@mparpaillon/[email protected]'
            - '@ntnx/[email protected]'
            - '@ntnx/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@oku-ui/[email protected]'
            - '@orbitgtbelgium/[email protected]'
            - '@orbitgtbelgium/[email protected]'
            - '@orbitgtbelgium/[email protected]'
            - '@orbitgtbelgium/[email protected]'
            - '@osmanekrem/[email protected]'
            - '@osmanekrem/[email protected]'
            - '@pergel/[email protected]'
            - '@pergel/[email protected]'
            - '@pergel/[email protected]'
            - '@pergel/[email protected]'
            - '@pergel/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@posthog/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@postman/[email protected]'
            - '@pradhumngautam/[email protected]'
            - '@productdevbook/[email protected]'
            - '@productdevbook/[email protected]'
            - '@productdevbook/[email protected]'
            - '@productdevbook/[email protected]'
            - '@productdevbook/[email protected]'
            - '@pruthvi21/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@quick-start-soft/[email protected]'
            - '@relyt/[email protected]'
            - '@relyt/[email protected]'
            - '@relyt/[email protected]'
            - '@sameepsi/[email protected]'
            - '@sameepsi/[email protected]'
            - '@seezo/[email protected]'
            - '@seung-ju/[email protected]'
            - '@seung-ju/[email protected]'
            - '@seung-ju/[email protected]'
            - '@seung-ju/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@silgi/[email protected]'
            - '@sme-ui/[email protected]'
            - '@strapbuild/[email protected]'
            - '@strapbuild/[email protected]'
            - '@strapbuild/[email protected]'
            - '@strapbuild/[email protected]'
            - '@suraj_h/[email protected]'
            - '@thedelta/[email protected]'
            - '@tiaanduplessis/[email protected]'
            - '@tiaanduplessis/[email protected]'
            - '@tiaanduplessis/[email protected]'
            - '@tiaanduplessis/[email protected]'
            - '@trackstar/[email protected]'
            - '@trackstar/[email protected]'
            - '@trackstar/[email protected]'
            - '@trackstar/[email protected]'
            - '@trackstar/[email protected]'
            - '@trefox/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trigo/[email protected]'
            - '@trpc-rate-limiter/[email protected]'
            - '@trpc-rate-limiter/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@varsityvibe/[email protected]'
            - '@viapip/[email protected]'
            - '@vishadtyagi/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@voiceflow/[email protected]'
            - '@vucod/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '@zapier/[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
            - '[email protected]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Shai-Hulud Malicious Bun Execution
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack. The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 5299fadf-f228-4526-8274-251db1960be9
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\node.exe" and 
 (action_process_image_path contains "\bun.exe" and 
 (action_process_image_command_line in ("*bun_environment.js*", "*https://github.com/actions/runner/releases/download/v2.330.0*")))))
view Sigma YAML
title: Shai-Hulud Malicious Bun Execution
id: 5299fadf-f228-4526-8274-251db1960be9
related:
    - id: eb827bbd-670a-4d58-8446-c464d8ac2323
      type: similar
status: experimental
description: |
    Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
    The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
references:
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/setup_bun.js
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.t1195.002
    - attack.t1203
    - attack.execution
    - attack.initial-access
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
    selection_child_bun_script:
        Image|endswith: '\bun.exe'
        CommandLine|contains:
            - 'bun_environment.js'
            - 'https://github.com/actions/runner/releases/download/v2.330.0'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate but uncommon use of files named `bun_environment.js` could trigger this rule.
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_malicious_node_bun_execution/info.yml
high Strong Medium FP
Shai-Hulud Malicious Bun Execution - Linux
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack. The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id eb827bbd-670a-4d58-8446-c464d8ac2323
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (actor_process_image_path contains "/node" and 
 ((action_process_image_path contains "/bun" and 
 (action_process_image_command_line in ("*bun_environment.js*", "*https://github.com/actions/runner/releases/download/v2.330.0*"))) or 
 (action_process_image_command_line contains "curl " and 
 action_process_image_command_line contains "-fsSL" and 
 action_process_image_command_line contains "https://bun.sh/install" and 
 action_process_image_command_line contains "bash") or 
 (action_process_image_command_line contains "bash -c \"source " and 
 action_process_image_command_line contains "&& echo"))))
view Sigma YAML
title: Shai-Hulud Malicious Bun Execution - Linux
id: eb827bbd-670a-4d58-8446-c464d8ac2323
related:
    - id: 5299fadf-f228-4526-8274-251db1960be9
      type: similar
status: experimental
description: |
    Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
    The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
references:
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/setup_bun.js
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.t1195.002
    - attack.t1203
    - attack.execution
    - attack.initial-access
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/node'
    selection_child_bun:
        Image|endswith: '/bun'
        CommandLine|contains:
            - 'bun_environment.js'
            - 'https://github.com/actions/runner/releases/download/v2.330.0'
    selection_child_setup_curl:
        CommandLine|contains|all:
            - 'curl '
            - '-fsSL'
            - 'https://bun.sh/install'
            - 'bash'
    selection_child_path_reload:
        CommandLine|contains|all:
            - 'bash -c "source '
            - '&& echo'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate but uncommon use of files named `bun_environment.js` could trigger this rule.
level: high
high Moderate High FP
Shai-Hulud Malicious GitHub Workflow Creation
Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK sub-technique id 0aba5685-6db6-486f-88ef-29a99c545cfd
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_file_name in ("*.github/workflows/shai-hulud-workflow.yaml", "*.github/workflows/shai-hulud-workflow.yml", "*.github/workflows/shai-hulud.yaml", "*.github/workflows/shai-hulud.yml")))
view Sigma YAML
title: Shai-Hulud Malicious GitHub Workflow Creation
id: 0aba5685-6db6-486f-88ef-29a99c545cfd
status: experimental
description: Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
references:
    - https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.credential-access
    - attack.t1552.001
    - attack.collection
    - attack.t1119
    - detection.emerging-threats
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '.github/workflows/shai-hulud-workflow.yaml'
            - '.github/workflows/shai-hulud-workflow.yml'
            - '.github/workflows/shai-hulud.yaml'
            - '.github/workflows/shai-hulud.yml'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Moderate High FP
Shai-Hulud Malware Indicators - Linux
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id 11bb9b26-4179-4a06-afcb-1ec31fce1627
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_command_line in ("*Shai-Hulud*", "*SHA1HULUD*")))
view Sigma YAML
title: Shai-Hulud Malware Indicators - Linux
id: 11bb9b26-4179-4a06-afcb-1ec31fce1627
related:
    - id: 540703fb-a874-4385-a9d6-7cd1bfab268c
      type: similar
    - id: 8f2a9c3b-7e5d-4f1a-9b8e-2c4d6a8f9e1b
      type: similar
status: experimental
description: |
    Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
references:
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains:
            - 'Shai-Hulud'
            - 'SHA1HULUD'
    condition: selection
falsepositives:
    - Legitimate software containing similar strings
level: high
high Moderate High FP
Shai-Hulud Malware Indicators - Windows
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id 540703fb-a874-4385-a9d6-7cd1bfab268c
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line in ("*Shai-Hulud*", "*SHA1HULUD*")))
view Sigma YAML
title: Shai-Hulud Malware Indicators - Windows
id: 540703fb-a874-4385-a9d6-7cd1bfab268c
related:
    - id: 11bb9b26-4179-4a06-afcb-1ec31fce1627
      type: similar
    - id: 8f2a9c3b-7e5d-4f1a-9b8e-2c4d6a8f9e1b
      type: similar
status: experimental
description: |
    Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
references:
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Shai-Hulud'
            - 'SHA1HULUD'
    condition: selection
falsepositives:
    - Legitimate software containing similar strings
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_indicator/info.yml
high Moderate High FP
Shai-Hulud NPM Package Malicious Exfiltration via Curl
Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id efd2eb09-b72e-4a61-8dc7-b1382a1e8983
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/curl" and 
 (action_process_image_command_line contains "curl" and 
 action_process_image_command_line contains "-d" and 
 action_process_image_command_line contains "webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7")))
view Sigma YAML
title: Shai-Hulud NPM Package Malicious Exfiltration via Curl
id: efd2eb09-b72e-4a61-8dc7-b1382a1e8983
status: experimental
description: Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
references:
    - https://www.getsafety.com/blog-posts/shai-hulud-npm-attack
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
tags:
    - attack.exfiltration
    - attack.t1041
    - attack.collection
    - attack.t1005
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/curl'
        CommandLine|contains|all:
            - 'curl'
            - '-d'
            - 'webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7'
    condition: selection
falsepositives:
    - Unlikely
level: high
high Strong Medium FP
Shell Execution GCC - Linux
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status test author Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) ATT&CK technique id 9b5de532-a757-4d70-946c-1f3e44f48b4d
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (((action_process_image_path in ("*/c89", "*/c99", "*/gcc")) and 
 action_process_image_command_line contains "-wrapper") and 
 (action_process_image_command_line in ("*/bin/bash,-s*", "*/bin/dash,-s*", "*/bin/fish,-s*", "*/bin/sh,-s*", "*/bin/zsh,-s*"))))
view Sigma YAML
title: Shell Execution GCC - Linux
id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
status: test
description: |
    Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/gcc/#shell
    - https://gtfobins.github.io/gtfobins/c89/#shell
    - https://gtfobins.github.io/gtfobins/c99/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/c89'
            - '/c99'
            - '/gcc'
        CommandLine|contains: '-wrapper'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash,-s'
            - '/bin/dash,-s'
            - '/bin/fish,-s'
            - '/bin/sh,-s'
            - '/bin/zsh,-s'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Shell Execution Of Process Located In Tmp Directory
Detects execution of shells from a parent process located in a temporary (/tmp) directory
status test author Joseliyo Sanchez, @Joseliyo_Jstnk ATT&CK tactic-only id 2fade0b6-7423-4835-9d4f-335b39b83867
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (actor_process_image_path contains "/tmp/" and 
 (action_process_image_path in ("*/bash", "*/csh", "*/dash", "*/fish", "*/ksh", "*/sh", "*/zsh"))))
view Sigma YAML
title: Shell Execution Of Process Located In Tmp Directory
id: 2fade0b6-7423-4835-9d4f-335b39b83867
status: test
description: Detects execution of shells from a parent process located in a temporary (/tmp) directory
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.execution
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        ParentImage|startswith: '/tmp/'
        Image|endswith:
            - '/bash'
            - '/csh'
            - '/dash'
            - '/fish'
            - '/ksh'
            - '/sh'
            - '/zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Shell Execution via Find - Linux
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
status test author Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) ATT&CK technique id 6adfbf8f-52be-4444-9bac-81b539624146
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path contains "/find" and 
 (action_process_image_command_line contains " . " and 
 action_process_image_command_line contains "-exec")) and 
 (action_process_image_command_line in ("*/bin/bash*", "*/bin/dash*", "*/bin/fish*", "*/bin/sh*", "*/bin/zsh*"))))
view Sigma YAML
title: Shell Execution via Find - Linux
id: 6adfbf8f-52be-4444-9bac-81b539624146
status: test
description: |
    Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or an exploitation attempt.
references:
    - https://gtfobins.github.io/gtfobins/find/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/find'
        CommandLine|contains|all:
            - ' . '
            - '-exec'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Shell Execution via Flock - Linux
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: test · author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) · ATT&CK: technique · id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path contains "/flock" and 
 action_process_image_command_line contains " -u ") and 
 (action_process_image_command_line in ("*/bin/bash*", "*/bin/dash*", "*/bin/fish*", "*/bin/sh*", "*/bin/zsh*"))))
view Sigma YAML
title: Shell Execution via Flock - Linux
id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
status: test
description: |
    Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/flock/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/flock'
        CommandLine|contains: ' -u '
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Shell Execution via Git - Linux
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: test · author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) · ATT&CK: technique · id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (actor_process_image_path contains "/git" and 
 (actor_process_command_line contains " -p " and 
 actor_process_command_line contains "help") and 
 (action_process_image_command_line in ("*bash 0<&1*", "*dash 0<&1*", "*sh 0<&1*"))))
view Sigma YAML
title: Shell Execution via Git - Linux
id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
status: test
description: |
    Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/git/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/git'
        ParentCommandLine|contains|all:
            - ' -p '
            - 'help'
        CommandLine|contains:
            - 'bash 0<&1'
            - 'dash 0<&1'
            - 'sh 0<&1'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Shell Execution via Nice - Linux
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: test · author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) · ATT&CK: technique · id: 093d68c7-762a-42f4-9f46-95e79142571a
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/nice" and 
 (action_process_image_command_line in ("*/bin/bash", "*/bin/dash", "*/bin/fish", "*/bin/sh", "*/bin/zsh"))))
view Sigma YAML
title: Shell Execution via Nice - Linux
id: 093d68c7-762a-42f4-9f46-95e79142571a
status: test
description: |
    Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/nice/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/nice'
        CommandLine|endswith:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Shell Execution via Rsync - Linux
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: experimental · author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth · ATT&CK: technique · id: e2326866-609f-4015-aea9-7ec634e8aa04
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (((action_process_image_path in ("*/rsync", "*/rsyncd")) and 
 action_process_image_command_line contains " -e ") and 
 (action_process_image_command_line in ("*/ash *", "*/bash *", "*/dash *", "*/csh *", "*/sh *", "*/zsh *", "*/tcsh *", "*/ksh *", "*'ash *", "*'bash *", "*'dash *", "*'csh *", "*'sh *", "*'zsh *", "*'tcsh *", "*'ksh *"))))
view Sigma YAML
title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
description: |
    Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/rsync/#shell
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.), Florian Roth
date: 2024-09-02
modified: 2025-01-18
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith:
            - '/rsync'
            - '/rsyncd'
        CommandLine|contains: ' -e '
    selection_cli:
        CommandLine|contains:
            - '/ash '
            - '/bash '
            - '/dash '
            - '/csh '
            - '/sh '
            - '/zsh '
            - '/tcsh '
            - '/ksh '
            - "'ash "
            - "'bash "
            - "'dash "
            - "'csh "
            - "'sh "
            - "'zsh "
            - "'tcsh "
            - "'ksh "
    condition: all of selection_*
falsepositives:
    - Legitimate cases in which "rsync" is used to execute a shell
level: high
level: high · quality: Moderate · alert volume: Medium FP
Shell Invocation Via Ssh - Linux
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
status: test · author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) · ATT&CK: technique · id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 ((action_process_image_path contains "/ssh" and 
 (action_process_image_command_line in ("*ProxyCommand=;*", "*permitlocalcommand=yes*", "*localhost*"))) and 
 (action_process_image_command_line in ("*/bin/bash*", "*/bin/dash*", "*/bin/fish*", "*/bin/sh*", "*/bin/zsh*", "*sh 0<&2 1>&2*", "*sh 1>&2 0<&2*"))))
view Sigma YAML
title: Shell Invocation Via Ssh - Linux
id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
status: test
description: |
    Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
    - https://gtfobins.github.io/gtfobins/ssh/
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-08-29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/ssh'
        CommandLine|contains:
            - 'ProxyCommand=;'
            - 'permitlocalcommand=yes'
            - 'localhost'
    selection_cli:
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
            - 'sh 0<&2 1>&2'
            - 'sh 1>&2 0<&2'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
status: test · author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.) · ATT&CK: sub-technique · id: bed978f8-7f3a-432b-82c5-9286a9b3031a
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 (action_process_image_path contains "/env" and 
 (action_process_image_command_line in ("*/bin/bash*", "*/bin/dash*", "*/bin/fish*", "*/bin/sh*", "*/bin/zsh*"))))
view Sigma YAML
title: Shell Invocation via Env Command - Linux
id: bed978f8-7f3a-432b-82c5-9286a9b3031a
status: test
description: |
    Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
references:
    - https://gtfobins.github.io/gtfobins/env/#shell
    - https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
modified: 2026-01-08
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/env'
        CommandLine|contains:
            - '/bin/bash'
            - '/bin/dash'
            - '/bin/fish'
            - '/bin/sh'
            - '/bin/zsh'
    condition: selection
falsepositives:
    - Github operations such as ghe-backup
level: high
level: high · quality: Strong · alert volume: Medium FP
ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
status: stable · author: Florian Roth (Nextron Systems) · ATT&CK: technique · id: b0524451-19af-4efa-a46f-562a977f792e
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_command_line contains "rundll32" and 
 action_process_image_command_line contains "apphelp.dll") and 
 (action_process_image_command_line in ("*ShimFlushCache*", "*#250*"))) or 
 ((action_process_image_command_line contains "rundll32" and 
 action_process_image_command_line contains "kernel32.dll") and 
 (action_process_image_command_line in ("*BaseFlushAppcompatCache*", "*#46*")))))
view Sigma YAML
title: ShimCache Flush
id: b0524451-19af-4efa-a46f-562a977f792e
status: stable
description: Detects actions that clear the local ShimCache and remove forensic evidence
references:
    - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
author: Florian Roth (Nextron Systems)
date: 2021-02-01
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection1a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'apphelp.dll'
    selection1b:
        CommandLine|contains:
            - 'ShimFlushCache'
            - '#250'
    selection2a:
        CommandLine|contains|all:
            - 'rundll32'
            - 'kernel32.dll'
    selection2b:
        CommandLine|contains:
            - 'BaseFlushAppcompatCache'
            - '#46'
    condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Small Sieve Malware CommandLine Indicator
Detects a specific command line argument passed to a binary, as seen used by the Small Sieve malware.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: 21117127-21c8-437a-ae03-4b51e5a8a088
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 action_process_image_command_line contains ".exe Platypus")
view Sigma YAML
title: Small Sieve Malware CommandLine Indicator
id: 21117127-21c8-437a-ae03-4b51e5a8a088
status: test
description: Detects a specific command line argument passed to a binary, as seen used by the Small Sieve malware.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|endswith: '.exe Platypus'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
Small Sieve Malware File Indicator Creation
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
status: test · author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems) · ATT&CK: sub-technique · id: 39466c42-c189-476a-989f-8cdb135c163a
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((((action_file_name contains ":\Users\" and 
 action_file_name contains "\AppData\") and 
 (action_file_name in ("*\Roaming\*", "*\Local\*"))) and 
 action_file_name contains "Microsift") or 
 action_file_name contains "\AppData\Local\MicrosoftWindowsOutlookDataPlus.txt"))
view Sigma YAML
title: Small Sieve Malware File Indicator Creation
id: 39466c42-c189-476a-989f-8cdb135c163a
status: test
description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2023-05-19
tags:
    - attack.stealth
    - attack.t1036.005
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection_typo_path:
        TargetFilename|contains|all:
            - ':\Users\'
            - '\AppData\'
        TargetFilename|contains:
            - '\Roaming\'
            - '\Local\'
    selection_typo_keyword:
        TargetFilename|contains: 'Microsift'
    selection_ioc:
        TargetFilename|endswith: '\AppData\Local\MicrosoftWindowsOutlookDataPlus.txt'
    condition: all of selection_typo_* or selection_ioc
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: High FP
Small Sieve Malware Registry Persistence
Detects a registry value with a specific intentional typo and strings seen used by the Small Sieve malware
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: tactic-only · id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "\Microsoft\Windows\CurrentVersion\Run\" and 
 (action_registry_key_name contains "Microsift" or 
 (action_registry_value_name contains ".exe Platypus" or 
 action_registry_data contains ".exe Platypus"))))
view Sigma YAML
title: Small Sieve Malware Registry Persistence
id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
status: test
description: Detects a registry value with a specific intentional typo and strings seen used by the Small Sieve malware
references:
    - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-19
modified: 2023-08-17
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_set
    product: windows
detection:
    selection_path:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Run\'
    selection_value:
        - TargetObject|contains: 'Microsift'
        - Details|contains: '.exe Platypus'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
level: high · quality: Strong · alert volume: Medium FP
Sofacy Trojan Loader Activity
Detects Trojan loader activity as used by APT28
status: test · author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community · ATT&CK: sub-technique · id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((action_process_image_path contains "\rundll32.exe" and 
 (action_process_image_command_line in ("*%LOCALAPPDATA%*", "*\AppData\Local\*"))) and 
 (action_process_image_command_line contains ".dat\"," or 
 (action_process_image_command_line in ("*.dll #1", "*.dll\" #1", "*.dll\",#1")))) and 
 (not 
 action_process_image_command_line contains "\AppData\Local\Temp\")))
view Sigma YAML
title: Sofacy Trojan Loader Activity
id: ba778144-5e3d-40cf-8af9-e28fb1df1e20
status: test
description: Detects Trojan loader activity as used by APT28
references:
    - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/
    - https://www.hybrid-analysis.com/sample/ff808d0a12676bfac88fd26f955154f8884f2bb7c534b9936510fd6296c543e8?environmentId=110
    - https://twitter.com/ClearskySec/status/960924755355369472
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2018-03-01
modified: 2023-05-31
tags:
    - attack.execution
    - attack.stealth
    - attack.g0007
    - attack.t1059.003
    - attack.t1218.011
    - car.2013-10-002
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - '%LOCALAPPDATA%'
            - '\AppData\Local\'
    selection_extensions:
        - CommandLine|contains: '.dat",'
        - CommandLine|endswith:
              - '.dll #1'
              - '.dll" #1'
              - '.dll",#1'
    filter_main_exclude_temp:
        CommandLine|contains: '\AppData\Local\Temp\'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Sudo Privilege Escalation CVE-2019-14287
Detects users trying to exploit the sudo vulnerability reported in CVE-2019-14287
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: f74107df-b6c6-4e80-bf00-4170b658162b
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_LINUX and 
 action_process_image_command_line contains " -u#")
view Sigma YAML
title: Sudo Privilege Escalation CVE-2019-14287
id: f74107df-b6c6-4e80-bf00-4170b658162b
status: test
description: Detects users trying to exploit the sudo vulnerability reported in CVE-2019-14287
references:
    - https://www.openwall.com/lists/oss-security/2019/10/14/1
    - https://access.redhat.com/security/cve/cve-2019-14287
    - https://twitter.com/matthieugarin/status/1183970598210412546
author: Florian Roth (Nextron Systems)
date: 2019-10-15
modified: 2022-10-05
tags:
    - attack.privilege-escalation
    - attack.t1068
    - attack.t1548.003
    - cve.2019-14287
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains: ' -u#'
    condition: selection
falsepositives:
    - Unlikely
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious ASPX File Drop by Exchange
Detects a suspicious file type dropped by an Exchange component in IIS into a suspicious folder
status: test · author: Florian Roth (Nextron Systems), MSTI (query, idea) · ATT&CK: sub-technique · id: bd1212e5-78da-431e-95fa-c58e3237a8e6
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "\w3wp.exe" and 
 actor_process_command_line contains "MSExchange" and 
 (action_file_name in ("*FrontEnd\HttpProxy\*", "*\inetpub\wwwroot\aspnet_client\*"))) and 
 (action_file_name in ("*.aspx", "*.asp", "*.ashx"))))
view Sigma YAML
title: Suspicious ASPX File Drop by Exchange
id: bd1212e5-78da-431e-95fa-c58e3237a8e6
related:
    - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
      type: similar
status: test
description: Detects a suspicious file type dropped by an Exchange component in IIS into a suspicious folder
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems), MSTI (query, idea)
date: 2022-10-01
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
        TargetFilename|contains:
            - 'FrontEnd\HttpProxy\'           # from GTSC and MSTI reports
            - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Suspicious Application Allowed Through Exploit Guard
Detects applications being added to the "allowed applications" list of Exploit Guard in order to bypass Controlled Folder Access settings
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: technique · id: 42205c73-75c8-4a63-9db1-e3782e06fda0
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter (event_type = ENUM.REGISTRY and 
 event_sub_type = ENUM.REGISTRY_SET_VALUE) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_registry_key_name contains "SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications" and 
 (action_registry_key_name in ("*\Users\Public\*", "*\AppData\Local\Temp\*", "*\Desktop\*", "*\PerfLogs\*", "*\Windows\Temp\*"))))
view Sigma YAML
title: Suspicious Application Allowed Through Exploit Guard
id: 42205c73-75c8-4a63-9db1-e3782e06fda0
status: test
description: Detects applications being added to the "allowed applications" list of Exploit Guard in order to bypass Controlled Folder Access settings
references:
    - https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-08-17
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications'
    selection_paths:
        TargetObject|contains:
            # Add more paths you don't allow in your org
            - '\Users\Public\'
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\PerfLogs\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious ArcSOC.exe Child Process
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.
status: experimental · author: Micah Babinski · ATT&CK: technique · id: 8e95e73e-ba02-4a87-b4d7-0929b8053038
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((actor_process_image_path contains "\ArcSOC.exe" and 
 (action_process_image_path in ("*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell.exe", "*\pwsh.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\wmic.exe", "*\wscript.exe"))) and 
 (not 
 (action_process_image_path contains "\cmd.exe" and 
 action_process_image_command_line = "cmd.exe /c \"ver\""))))
view Sigma YAML
title: Suspicious ArcSOC.exe Child Process
id: 8e95e73e-ba02-4a87-b4d7-0929b8053038
status: experimental
description: |
    Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe.
    ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS
    Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding
    service endpoint and remotely execute code from the ArcSOC.exe process.
references:
    - https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
    - https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - attack.t1203
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ArcSOC.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    filter_main_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine: 'cmd.exe /c "ver"'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Binaries and Scripts in Public Folder
Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
status: experimental · author: The DFIR Report · ATT&CK: technique · id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_file_name contains ":\Users\Public\" and 
 (action_file_name in ("*.bat", "*.dll", "*.exe", "*.hta", "*.js", "*.ps1", "*.vbe", "*.vbs"))))
view Sigma YAML
title: Suspicious Binaries and Scripts in Public Folder
id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
status: experimental
description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
references:
    - https://intel.thedfirreport.com/events/view/30032 # Private Report
    - https://intel.thedfirreport.com/eventReports/view/70 # Private Report
    - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
author: 'The DFIR Report'
date: 2025-01-23
tags:
    - attack.execution
    - attack.t1204
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains: ':\Users\Public\'
        TargetFilename|endswith:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    condition: selection
falsepositives:
    - Administrators deploying legitimate binaries to public folders.
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_public_folder_extension/info.yml
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Binary In User Directory Spawned From Office Application
Detects an executable in a user's directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
status: test · author: Jason Lynch · ATT&CK: sub-technique · id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("*\WINWORD.EXE", "*\EXCEL.EXE", "*\POWERPNT.exe", "*\MSPUB.exe", "*\VISIO.exe", "*\MSACCESS.exe", "*\EQNEDT32.exe")) and 
 action_process_image_path contains "C:\users\" and 
 action_process_image_path contains ".exe") and 
 (not 
 action_process_image_path contains "\Teams.exe")))
view Sigma YAML
title: Suspicious Binary In User Directory Spawned From Office Application
id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
status: test
description: Detects an executable in the user's directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
references:
    - https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
    - https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
author: Jason Lynch
date: 2019-04-02
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1204.002
    - attack.g0046
    - car.2013-05-002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.exe'
            - '\EQNEDT32.exe'
            # - '\OUTLOOK.EXE' too many FPs
        Image|startswith: 'C:\users\'
        Image|endswith: '.exe'
    filter:
        Image|endswith: '\Teams.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK sub-technique · id: 2d367498-5112-4ae5-a06a-96e7bc33a211
cortex_xdr query
config case_sensitive = false | preset=xdr_file | filter event_type = ENUM.FILE and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (((actor_process_image_path in ("*\AnyDesk.exe", "*\AnyDeskMSI.exe")) and 
 (action_file_name in ("*.dll", "*.exe"))) and 
 (not 
 action_file_name contains "\gcapi.dll")))
view Sigma YAML
title: Suspicious Binary Writes Via AnyDesk
id: 2d367498-5112-4ae5-a06a-96e7bc33a211
status: test
description: |
    Detects AnyDesk writing binary files to disk other than "gcapi.dll".
    According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
    which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
references:
    - https://redcanary.com/blog/misbehaving-rats/
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\AnyDesk.exe'
            - '\AnyDeskMSI.exe'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_dlls:
        TargetFilename|endswith: '\gcapi.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious BitLocker Access Agent Update Utility Execution
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
status: experimental · author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK sub-technique · id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (actor_process_image_path contains "\baaupdate.exe" and 
 (action_process_image_path in ("*\bitsadmin.exe", "*\cmd.exe", "*\cscript.exe", "*\mshta.exe", "*\powershell_ise.exe", "*\powershell.exe", "*\regsvr32.exe", "*\rundll32.exe", "*\schtasks.exe", "*\wmic.exe", "*\wscript.exe"))))
view Sigma YAML
title: Suspicious BitLocker Access Agent Update Utility Execution
id: 9f38c1db-e2ae-40bf-81d0-5b68f73fb512
related:
    - id: 6e8fe0a8-ba0b-4a93-8f9e-82657e7a5984 # BaaUpdate.exe Suspicious DLL Load
      type: similar
status: experimental
description: |
    Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes.
    Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
references:
    - https://github.com/rtecCyberSec/BitlockMove
author: andrewdanis, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-18
tags:
    - attack.stealth
    - attack.t1218
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\baaupdate.exe'
        Image|endswith:
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell_ise.exe'
            - '\powershell.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Calculator Usage
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
status: test · author: Florian Roth (Nextron Systems) · ATT&CK technique · id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
cortex_xdr query
config case_sensitive = false | preset=xdr_process | filter (event_type = ENUM.PROCESS and 
 event_sub_type = ENUM.PROCESS_START) and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 (action_process_image_command_line contains "\calc.exe " or 
 (action_process_image_path contains "\calc.exe" and 
 (not 
 (action_process_image_path in ("*:\Windows\System32\*", "*:\Windows\SysWOW64\*", "*:\Windows\WinSxS\*"))))))
view Sigma YAML
title: Suspicious Calculator Usage
id: 737e618a-a410-49b5-bec3-9e55ff7fbc15
status: test
description: |
    Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
references:
    - https://twitter.com/ItsReallyNick/status/1094080242686312448
author: Florian Roth (Nextron Systems)
date: 2019-02-09
modified: 2023-11-09
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains: '\calc.exe '
    selection_2:
        Image|endswith: '\calc.exe'
    filter_main_known_locations:
        Image|contains:
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\WinSxS\'
    condition: selection_1 or ( selection_2 and not filter_main_known_locations )
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious Camera and Microphone Access
Detects processes accessing the camera and microphone from a suspicious folder
status: test · author: Den Iuzvyk · ATT&CK technique · id: 62120148-6b7a-42be-8b91-271c04e281a3
cortex_xdr query
config case_sensitive = false | preset=xdr_registry | filter event_type = ENUM.REGISTRY and 
 (agent_os_type = ENUM.AGENT_OS_WINDOWS and 
 ((action_registry_key_name contains "\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\" and 
 action_registry_key_name contains "\NonPackaged") and 
 (action_registry_key_name in ("*microphone*", "*webcam*")) and 
 (action_registry_key_name in ("*:#Windows#Temp#*", "*:#$Recycle.bin#*", "*:#Temp#*", "*:#Users#Public#*", "*:#Users#Default#*", "*:#Users#Desktop#*"))))
view Sigma YAML
title: Suspicious Camera and Microphone Access
id: 62120148-6b7a-42be-8b91-271c04e281a3
status: test
description: Detects processes accessing the camera and microphone from a suspicious folder
references:
    - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
author: Den Iuzvyk
date: 2020-06-07
modified: 2022-10-09
tags:
    - attack.collection
    - attack.t1125
    - attack.t1123
logsource:
    category: registry_event
    product: windows
detection:
    selection_1:
        TargetObject|contains|all:
            - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
            - '\NonPackaged'
    selection_2:
        TargetObject|contains:
            - microphone
            - webcam
    selection_3:
        TargetObject|contains:
            - ':#Windows#Temp#'
            - ':#$Recycle.bin#'
            - ':#Temp#'
            - ':#Users#Public#'
            - ':#Users#Default#'
            - ':#Users#Desktop#'
    condition: all of selection_*
falsepositives:
    - Unlikely, there could be conferencing software running from a Temp folder accessing the devices
level: high
Showing 501-550 of 763