
Codecov Breach - Bash Uploader

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook includes the following tasks:

  • Search for the Security Notice email sent from Codecov.
  • Collect indicators to be used in your threat hunting process.
  • Query network logs to detect related activity.
  • Search for the use of the Codecov bash uploader in GitHub repositories.
  • Query Panorama to search for logs with related anti-spyware signatures:
    • Data Exfiltration Traffic Detection
    • Malicious Modified Shell Script Detection
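The hunting steps above (searching repositories for uses of the bash uploader and checking network logs for the known indicator) can be exercised outside XSOAR as well. The following Python script is an added example, not part of the playbook or the pack; it uses the playbook's KnownRelatedIOCs default (104.248.94.23), mirrors its CustomIOCs input, and runs over a constructed CI config and constructed key=value firewall log lines.

```python
import re

# Known related indicator from the playbook's KnownRelatedIOCs default.
KNOWN_RELATED_IOCS = {"104.248.94.23"}

# CI configs typically fetched the bash uploader from this path.
UPLOADER_RE = re.compile(r"codecov\.io/bash")
# key=value pairs in the constructed network log format used below.
LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def build_ioc_set(custom_iocs=()):
    """Merge the known IOC with custom ones (the playbook's CustomIOCs input)."""
    return KNOWN_RELATED_IOCS | {ioc.strip() for ioc in custom_iocs if ioc.strip()}


def find_uploader_usage(ci_config_text):
    """Return (line_number, line) for every CI step that invokes the bash uploader."""
    return [
        (num, line.strip())
        for num, line in enumerate(ci_config_text.splitlines(), start=1)
        if UPLOADER_RE.search(line)
    ]


def find_ioc_hits(log_lines, iocs):
    """Return one dict per log line whose src or dst field is a hunted indicator."""
    hits = []
    for line in log_lines:
        fields = dict(LOG_FIELD_RE.findall(line))
        for field in ("src", "dst"):
            if fields.get(field) in iocs:
                hits.append({"line": line, "field": field, "indicator": fields[field]})
    return hits


# Constructed sample CI config and firewall log lines (not real data).
SAMPLE_CI_CONFIG = """\
name: ci
jobs:
  test:
    steps:
      - run: pytest
      - run: bash <(curl -s https://codecov.io/bash)
"""
SAMPLE_NETWORK_LOGS = [
    "2021-04-01T12:00:00Z src=10.0.1.7 dst=203.0.113.10 dport=443",
    "2021-04-01T12:00:05Z src=10.0.1.7 dst=104.248.94.23 dport=443",
    "2021-04-01T12:00:09Z src=10.0.1.9 dst=198.51.100.53 dport=53",
]

if __name__ == "__main__":
    for num, line in find_uploader_usage(SAMPLE_CI_CONFIG):
        print(f"uploader used at line {num}: {line}")
    for hit in find_ioc_hits(SAMPLE_NETWORK_LOGS, build_ioc_set()):
        print(f"IOC {hit['indicator']} seen as {hit['field']}: {hit['line']}")
```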

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

More information: Codecov Security Notice

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Splunk Indicator Hunting
  • QRadar Indicator Hunting V2
  • Palo Alto Networks - Hunting And Threat Detection

Commands

  • extractIndicators
  • ews-search-mailbox

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| KnownRelatedIOCs | Known related IOCs to the Codecov Bash Uploader breach to hunt. | 104.248.94.23 | Optional |
| CustomIOCs | Add your own custom Codecov Bash Uploader breach IOCs to hunt. | | Optional |
| EWSSearchQuery | The EWS query to find the Codecov security notice email. | From:security@codecov.io AND Subject:Bash Uploader Security Notice AND Received:three months | Optional |
| EWSSearchQuery_Limit | The limit of results to return from the search. | 50 | Optional |

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

[Image: Codecov - Bash Uploader Unauthorized Access]