Codecov Breach - Bash Uploader

This playbook includes the following tasks: - Search for the Security Notice email sent from Codecov. - Collect indicators to be used in your threat hunting process. - Query network logs to detect related activity. - Search for the use of Codecov bash uploader in GitHub repositories - Query Panorama to search for logs with related anti-spyware signatures - Data Exfiltration Traffic Detection - Malicious Modified Shell Script Detection Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. More information: [Codecov Security Notice](https://about.codecov.io/security-update/)

Rapid Breach Response · 25 tasks · 6 inputs · 0 outputs

Inputs

  • KnownRelatedIOCs — Known related IOCs to the Codecov Bash Uploader breach to hunt.
  • CustomIOCs — Add your own custom Codecov Bash Uploader breach IOCs to hunt.
  • EWSSearchQuery — The EWS query to find the Codecov security notice email
  • EWSSearchQuery_Limit — The limit of results to return from the search
  • Github_Code_Search_query — Github query to search for Codecov bash uploader use.
  • InternalRange — A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).

Commands used

GitHub-search-code ews-search-mailbox extractIndicators

Flowchart

yes yes Yes Yes yes Start Start Extract IOCs Extract IOCs Hunt IOCs Hunt IOCs Is EWS enabled? Is EWS enabled? Check if compromised Check if compromised Codecov security notice email check Codecov security notice e... Search for Codecov security notice email - ews-search-mailbox Search for Codecov securi... ews-search-mailbox Found Codecov security notice emails? Found Codecov security no... Check for affected Bash Uploader possible impact Check for affected Bash U... Palo Alto Networks - Hunting And Threat Detection - Palo Alto Networks - Hunting And Threat Detection Palo Alto Networks - Hunt... Palo Alto Networks - Hunting ... QRadar Indicator Hunting V2 - QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 Splunk Indicator Hunting - Splunk Indicator Hunting Splunk Indicator Hunting Splunk Indicator Hunting SIEM Hunting SIEM Hunting Hunt Network Logs Hunt Network Logs Extract indicators from known and custom inputs - extractIndicators Extract indicators from k... extractIndicators Remediation Steps Remediation Steps Re-roll affected users Re-roll affected users Check env command in your CI pipeline Check env command in your... Used local stored version of a Bash Uploader? Used local stored version... Check using version Check using version Done Done Panorama search thread-ids in threat logs - Panorama Query Logs Panorama search thread-id... Panorama Query Logs Scope affected repositories Scope affected repositories Search Codecov in Git repository - GitHub-search-code Search Codecov in Git rep... GitHub-search-code Is GitHub integration enabled? Is GitHub integration ena...