This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Up-to-date detections for TeamPCP malware used in Trivy and Checkmarx compromises available?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Up-to-date detections for TeamPCP malware used in Trivy and Checkmarx compromises available?

Go to solution
MarekKreul
L1 Bithead

‎03-24-2026 02:51 AM

Hi, we're currently using the data collected via XDR and other sensors to hunt for IOCs of the recently observed attacks against aquasecurity Trivy Github actions, as well as Checkmarx KICS. This, obviously, focuses mainly on network-based IOCs like C2 domain and IPs, as well as file hashes and version strings in filenames.
However, the attackers could easily change their malicious scripts to have a new hash, or point it to another domain and IP for C2. I'm thus evaluating what other options we'd have to scan for suspicious behaviour, particularly the way the malicious script scans for credentials and exfiltrates the collected information.
How can we get more information if PaloAlto is already working on such (BIOC) detection rules, and when they will be available?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
susekar
L5 Sessionator

‎03-24-2026 07:46 AM

Hello @MarekKreul ,

 

Greetings for the day.

 

Palo Alto Networks has actively researched and implemented behavioral detection rules for the supply chain attacks targeting CI/CD pipelines, such as Aqua Security Trivy and Checkmarx KICS. These attacks are primarily associated with the Shai Hulud (or Arrakis) campaign, which utilizes malicious scripts to scan for credentials and perform exfiltration on GitHub Actions runners.

 

1. Available Detection and Prevention Rules
Palo Alto Networks provides several rules to detect and block behaviors associated with this threat:

  • Malicious Credential Access: The rule ioc.linux.shaihulud.2 is designed to detect activity associated with malicious credential-access tools on Linux systems, specifically targeting GitHub Action runners (e.g., processes running under the github user or within /usr/local/actions-runner/runsvc.sh). This rule aligns with MITRE ATT&CK techniques T1552 (Unsecured Credentials) and T1555 (Credentials from Password Stores).
  • Enhanced Blocking Rules: While the initial rules were released in "report" mode to ensure stability, improved detection rules aimed at blocking this attack were shipped in Content Update (CU) 2060.

 

2. Monitoring for Suspicious Behavior (Credential Scanning and Exfiltration)
Beyond static IOCs, you can leverage the following Cortex XDR features to hunt for the behaviors described:

  • Behavioral Indicators of Compromise (BIOCs): You can create custom BIOC rules under the Credential Access and Exfiltration categories to monitor for suspicious patterns, such as unusual file reads in credential directories or large data uploads to external IP addresses.
  • Cortex Query Language (XQL) and Correlation Rules: Use XQL to craft specific threat hunting queries for relationship-based events. These queries can be saved as Correlation Rules for continuous, near-real-time monitoring of CI/CD environments.
  • Analytics BIOCs (ABIOCs): If enabled, the Analytics engine can detect deviations from baseline behavior, such as a GitHub runner process initiating a network connection or script execution it has never performed before.

===================================

How to Get More Information

  • Check Release Notes: Monitor the Cortex XDR Analytics Content Release Notes for the latest updates on global BIOC and Analytics rules. Palo Alto Networks typically releases new content roughly once a week.
  • Direct Inquiries: For specific information on emerging threats or to request detection status, you can contact the research team directly at detections@paloaltonetworks.com.
  • Unit 42 Research: Refer to Unit 42's technical briefs for deep dives into specific campaigns like Shai Hulud to understand the exact TTPs being targeted.

If you feel this has answered your query, please let us know by clicking like and "Mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

 

View solution in original post

1 REPLY 1

Go to solution
susekar
L5 Sessionator

‎03-24-2026 07:46 AM

Hello @MarekKreul ,

 

Greetings for the day.

 

Palo Alto Networks has actively researched and implemented behavioral detection rules for the supply chain attacks targeting CI/CD pipelines, such as Aqua Security Trivy and Checkmarx KICS. These attacks are primarily associated with the Shai Hulud (or Arrakis) campaign, which utilizes malicious scripts to scan for credentials and perform exfiltration on GitHub Actions runners.

 

1. Available Detection and Prevention Rules
Palo Alto Networks provides several rules to detect and block behaviors associated with this threat:

  • Malicious Credential Access: The rule ioc.linux.shaihulud.2 is designed to detect activity associated with malicious credential-access tools on Linux systems, specifically targeting GitHub Action runners (e.g., processes running under the github user or within /usr/local/actions-runner/runsvc.sh). This rule aligns with MITRE ATT&CK techniques T1552 (Unsecured Credentials) and T1555 (Credentials from Password Stores).
  • Enhanced Blocking Rules: While the initial rules were released in "report" mode to ensure stability, improved detection rules aimed at blocking this attack were shipped in Content Update (CU) 2060.

 

2. Monitoring for Suspicious Behavior (Credential Scanning and Exfiltration)
Beyond static IOCs, you can leverage the following Cortex XDR features to hunt for the behaviors described:

  • Behavioral Indicators of Compromise (BIOCs): You can create custom BIOC rules under the Credential Access and Exfiltration categories to monitor for suspicious patterns, such as unusual file reads in credential directories or large data uploads to external IP addresses.
  • Cortex Query Language (XQL) and Correlation Rules: Use XQL to craft specific threat hunting queries for relationship-based events. These queries can be saved as Correlation Rules for continuous, near-real-time monitoring of CI/CD environments.
  • Analytics BIOCs (ABIOCs): If enabled, the Analytics engine can detect deviations from baseline behavior, such as a GitHub runner process initiating a network connection or script execution it has never performed before.

===================================

How to Get More Information

  • Check Release Notes: Monitor the Cortex XDR Analytics Content Release Notes for the latest updates on global BIOC and Analytics rules. Palo Alto Networks typically releases new content roughly once a week.
  • Direct Inquiries: For specific information on emerging threats or to request detection status, you can contact the research team directly at detections@paloaltonetworks.com.
  • Unit 42 Research: Refer to Unit 42's technical briefs for deep dives into specific campaigns like Shai Hulud to understand the exact TTPs being targeted.

If you feel this has answered your query, please let us know by clicking like and "Mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar

 

  • 1 accepted solution
  • 1449 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks