Codecov Breach - Bash Uploader
Rapid Breach Response Pack.#This Playbook is part of the
Supported Cortex XSOAR versions: 5.5.0 and later.
This playbook includes the following tasks:
- Search for the Security Notice email sent from Codecov.
- Collect indicators to be used in your threat hunting process.
- Query network logs to detect related activity.
- Search for the use of Codecov bash uploader in GitHub repositories
- Query Panorama to search for logs with related anti-spyware signatures
- Data Exfiltration Traffic Detection
- Malicious Modified Shell Script Detection
Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
More information: Codecov Security Notice
This playbook uses the following sub-playbooks, integrations, and scripts.
- Splunk Indicator Hunting
- QRadar Indicator Hunting V2
- Palo Alto Networks - Hunting And Threat Detection
|KnownRelatedIOCs||Known related IOCs to the Codecov Bash Uploader breach to hunt.||126.96.36.199||Optional|
|CustomIOCs||Add your own custom Codecov Bash Uploader breach IOCs to hunt.||Optional|
|EWSSearchQuery||The EWS query to find the Codecov security notice email||From:firstname.lastname@example.org AND Subject:Bash Uploader Security Notice AND Received:three months||Optional|
|EWSSearchQuery_Limit||The limit of results to return from the search||50||Optional|
There are no outputs for this playbook.