Codecov Breach - Bash Uploader
This playbook includes the following tasks: - Search for the Security Notice email sent from Codecov. - Collect indicators to be used in your threat hunting process. - Query network logs to detect related activity. - Search for the use of Codecov bash uploader in GitHub repositories - Query Panorama to search for logs with related anti-spyware signatures - Data Exfiltration Traffic Detection - Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: [Codecov Security Notice](https://about.codecov.io/security-update/)
Rapid Breach Response · 25 tasks · 6 inputs · 0 outputs
Inputs
KnownRelatedIOCs— Known related IOCs to the Codecov Bash Uploader breach to hunt.CustomIOCs— Add your own custom Codecov Bash Uploader breach IOCs to hunt.EWSSearchQuery— The EWS query to find the Codecov security notice emailEWSSearchQuery_Limit— The limit of results to return from the searchGithub_Code_Search_query— Github query to search for Codecov bash uploader use.InternalRange— A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).
Commands used
GitHub-search-code
ews-search-mailbox
extractIndicators