Script Interpreter Spawning Credential Scanner - Windows

Hunt Hypothesis

Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets,

Detection Rule

Sigma (Original)

title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.collection
    - attack.execution
    - attack.t1005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
           # Add more script interpreters as needed
            - '\node.exe'
            - '\bun.exe'
    selection_child:
        - Image|endswith:
              - 'trufflehog.exe'
              - 'gitleaks.exe'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml

KQL (Azure Sentinel)

imProcessCreate
| where ((ParentProcessName endswith "\\node.exe" or ParentProcessName endswith "\\bun.exe") or (ActingProcessName endswith "\\node.exe" or ActingProcessName endswith "\\bun.exe")) and ((TargetProcessName endswith "trufflehog.exe" or TargetProcessName endswith "gitleaks.exe") or (TargetProcessCommandLine contains "trufflehog" or TargetProcessCommandLine contains "gitleaks"))

Required Data Sources

False Positive Guidance

• **Scenario: Developer using Node.js to run Trufflehog

MITRE ATT&CK Context

• Tactic: Credential Access
• Tactic: Collection
• Tactic: Execution
• Technique: T1552 — T1552
• Technique: T1005 — T1005
• Technique: T1059.007 — T1059.007

References

• https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
• https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
• https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
• https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
• SigmaHQ Rule