https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/up-to-date-detections-for-teampcp-malware-used-in-trivy-and/m-p/1250823#M9215 <P>Hi, we're currently using the data collected via XDR and other sensors to hunt for IOCs of the recently observed attacks against aquasecurity Trivy Github actions, as well as Checkmarx KICS. This, obviously, focuses mainly on network-based IOCs like C2 domain and IPs, as well as file hashes and version strings in filenames.<BR />However, the attackers could easily change their malicious scripts to have a new hash, or point it to another domain and IP for C2. I'm thus evaluating what other options we'd have to scan for suspicious behaviour, particularly the way the malicious script scans for credentials and exfiltrates the collected information.<BR />How can we get more information if PaloAlto is already working on such (BIOC) detection rules, and when they will be available?</P> Tue, 24 Mar 2026 09:51:51 GMT MarekKreul 2026-03-24T09:51:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/up-to-date-detections-for-teampcp-malware-used-in-trivy-and/m-p/1250823#M9215 <P>Hi, we're currently using the data collected via XDR and other sensors to hunt for IOCs of the recently observed attacks against aquasecurity Trivy Github actions, as well as Checkmarx KICS. This, obviously, focuses mainly on network-based IOCs like C2 domain and IPs, as well as file hashes and version strings in filenames.<BR />However, the attackers could easily change their malicious scripts to have a new hash, or point it to another domain and IP for C2. I'm thus evaluating what other options we'd have to scan for suspicious behaviour, particularly the way the malicious script scans for credentials and exfiltrates the collected information.<BR />How can we get more information if PaloAlto is already working on such (BIOC) detection rules, and when they will be available?</P> Tue, 24 Mar 2026 09:51:51 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/up-to-date-detections-for-teampcp-malware-used-in-trivy-and/m-p/1250823#M9215 MarekKreul 2026-03-24T09:51:51Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/up-to-date-detections-for-teampcp-malware-used-in-trivy-and/m-p/1250832#M9216 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1450776839">@MarekKreul</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P><SPAN>Palo Alto Networks has actively researched and implemented behavioral detection rules for the supply chain attacks targeting CI/CD pipelines, such as&nbsp;</SPAN><STRONG>Aqua Security Trivy</STRONG><SPAN>&nbsp;and&nbsp;</SPAN><STRONG>Checkmarx KICS</STRONG><SPAN>. These attacks are primarily associated with the&nbsp;</SPAN><STRONG>Shai Hulud</STRONG><SPAN>&nbsp;(or Arrakis) campaign, which utilizes malicious scripts to scan for credentials and perform exfiltration on GitHub Actions runners.</SPAN></P> <P>&nbsp;</P> <P data-end="212" data-start="62"><STRONG data-end="109" data-start="62">1. Available Detection and Prevention Rules</STRONG><BR data-end="112" data-start="109" />Palo Alto Networks provides several rules to detect and block behaviors associated with this threat:</P> <UL data-end="855" data-start="214"> <LI data-end="648" data-start="214" data-section-id="1er04rk"><STRONG data-end="248" data-start="216">Malicious Credential Access:</STRONG> The rule <CODE data-end="281" data-start="258">ioc.linux.shaihulud.2</CODE> is designed to detect activity associated with malicious credential-access tools on Linux systems, specifically targeting GitHub Action runners (e.g., processes running under the <CODE data-end="469" data-start="461">github</CODE> user or within <CODE data-end="522" data-start="485">/usr/local/actions-runner/runsvc.sh</CODE>). This rule aligns with MITRE ATT&amp;CK techniques T1552 (Unsecured Credentials) and T1555 (Credentials from Password Stores).</LI> <LI data-end="855" data-start="650" data-section-id="tk7i21"><STRONG data-end="680" data-start="652">Enhanced Blocking Rules:</STRONG> While the initial rules were released in "report" mode to ensure stability, improved detection rules aimed at blocking this attack were shipped in Content Update (CU) 2060.</LI> </UL> <P data-end="1052" data-start="862">&nbsp;</P> <P data-end="1052" data-start="862"><STRONG data-end="942" data-start="862">2. Monitoring for Suspicious Behavior (Credential Scanning and Exfiltration)</STRONG><BR data-end="945" data-start="942" />Beyond static IOCs, you can leverage the following Cortex XDR features to hunt for the behaviors described:</P> <UL data-end="1814" data-start="1054"> <LI data-end="1332" data-start="1054" data-section-id="mttdx8"><STRONG data-end="1104" data-start="1056">Behavioral Indicators of Compromise (BIOCs):</STRONG> You can create custom BIOC rules under the Credential Access and Exfiltration categories to monitor for suspicious patterns, such as unusual file reads in credential directories or large data uploads to external IP addresses.</LI> <LI data-end="1585" data-start="1334" data-section-id="15bezxz"><STRONG data-end="1390" data-start="1336">Cortex Query Language (XQL) and Correlation Rules:</STRONG> Use XQL to craft specific threat hunting queries for relationship-based events. These queries can be saved as Correlation Rules for continuous, near-real-time monitoring of CI/CD environments.</LI> <LI data-end="1814" data-start="1587" data-section-id="1ftnhxs"><STRONG data-end="1618" data-start="1589">Analytics BIOCs (ABIOCs):</STRONG> If enabled, the Analytics engine can detect deviations from baseline behavior, such as a GitHub runner process initiating a network connection or script execution it has never performed before.</LI> </UL> <P data-end="1857" data-start="1821"><STRONG data-end="1855" data-start="1821">===================================</STRONG></P> <P data-end="1857" data-start="1821"><STRONG data-end="1855" data-start="1821">How to Get More Information</STRONG></P> <UL data-end="2418" data-start="1859"> <LI data-end="2072" data-start="1859" data-section-id="11j0r68"><STRONG data-end="1885" data-start="1861">Check Release Notes:</STRONG> Monitor the Cortex XDR Analytics Content Release Notes for the latest updates on global BIOC and Analytics rules. Palo Alto Networks typically releases new content roughly once a week.</LI> <LI data-end="2255" data-start="2074" data-section-id="9cwt5c"><STRONG data-end="2097" data-start="2076">Direct Inquiries:</STRONG> For specific information on emerging threats or to request detection status, you can contact the research team directly at <A class="decorated-link cursor-pointer" rel="noopener" data-end="2252" data-start="2221" target="_blank">detections@paloaltonetworks.com</A>.</LI> <LI data-end="2418" data-start="2257" data-section-id="ahlpc4"><STRONG data-end="2280" data-start="2259">Unit 42 Research:</STRONG> Refer to Unit 42's technical briefs for deep dives into specific campaigns like Shai Hulud to understand the exact TTPs being targeted.</LI> </UL> <P>If you feel this has answered your query, please let us know by clicking like and <STRONG>"Mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> Tue, 24 Mar 2026 14:46:05 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/up-to-date-detections-for-teampcp-malware-used-in-trivy-and/m-p/1250832#M9216 susekar 2026-03-24T14:46:05Z