Shai-Hulud Malware Indicators - Windows

Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.

Sigma rule

title: Shai-Hulud Malware Indicators - Windows
id: 540703fb-a874-4385-a9d6-7cd1bfab268c
related:
    - id: 11bb9b26-4179-4a06-afcb-1ec31fce1627
      type: similar
    - id: 8f2a9c3b-7e5d-4f1a-9b8e-2c4d6a8f9e1b
      type: similar
status: experimental
description: |
        Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
references:
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Shai-Hulud'
            - 'SHA1HULUD'
    condition: selection
falsepositives:
    - Legitimate software containing similar strings
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_indicator/info.yml
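To see what this rule's `selection` actually fires on, the following added example (not part of the Sigma project or this rule's regression data) re-implements the `CommandLine|contains` check in plain Python and runs it over a handful of constructed process-creation events. Sigma string modifiers such as `contains` match case-insensitively by default, so the lower-case spellings in the sample events are hits; the notepad event illustrates the false-positive class the rule itself lists (legitimate software whose command line merely carries the string), and the last two events show the two ways an event misses. The event field names (`Image`, `CommandLine`) follow the Windows process_creation log source the rule targets; all command lines are made up for the demonstration.

```python
"""Re-implementation of the rule's CommandLine|contains selection for testing.

Added example, not code from the Sigma project. Event records below are
constructed and do not come from real telemetry.
"""

# The two strings from the rule's `CommandLine|contains` selection.
COMMANDLINE_PATTERNS = ["Shai-Hulud", "SHA1HULUD"]

# Constructed Windows process_creation events (field names as in the rule's
# log source). Comments state the expected outcome under the rule.
SAMPLE_EVENTS = [
    # Hit: string present with the rule's own casing.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo Shai-Hulud"},
    # Hit: lower-case variant; Sigma `contains` is case-insensitive by default.
    {"Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": 'node -e "console.log(process.env.sha1hulud)"'},
    # Hit, but benign: a text editor opening a file whose name carries the
    # string. This is the "legitimate software containing similar strings"
    # false positive the rule documents.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Notes\shai-hulud-dune-reading-list.txt"},
    # Miss: unrelated command line.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    # Miss: event carries no CommandLine field at all.
    {"Image": r"C:\Windows\System32\conhost.exe"},
]


def sigma_contains(value, patterns):
    """Sigma `contains` semantics: any pattern is a case-insensitive substring
    of the field value. A missing or non-string field never matches."""
    if not isinstance(value, str):
        return False
    haystack = value.lower()
    return any(p.lower() in haystack for p in patterns)


def matches_rule(event):
    """The rule's condition is just `selection`, so one field check decides."""
    return sigma_contains(event.get("CommandLine"), COMMANDLINE_PATTERNS)


def evaluate(events):
    """Return (event index, Image, matched pattern) for every event that fires."""
    hits = []
    for idx, event in enumerate(events):
        if matches_rule(event):
            lowered = event["CommandLine"].lower()
            matched = next(p for p in COMMANDLINE_PATTERNS if p.lower() in lowered)
            hits.append((idx, event.get("Image"), matched))
    return hits


if __name__ == "__main__":
    for idx, image, pattern in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event[{idx}] {image}: CommandLine contains {pattern!r}")
```

Running it prints three alerts, the third being the benign notepad launch; in practice that is the event an analyst would tune out with an `Image`-based filter or by checking the parent process, rather than by weakening the string match itself.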
