Which SIEM platforms have a T1677 detection rule?

df00tech provides T1677 (Poisoned Pipeline Execution) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Poisoned Pipeline Execution (T1677)?

Detecting Poisoned Pipeline Execution requires the following data sources: Microsoft Sentinel, Azure DevOps Auditing, GitHub Advanced Security.

What severity and confidence is the T1677 detection?

The T1677 detection is rated high severity with medium confidence.

What are common false positives for T1677?

Common false positives for T1677 include: Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets; Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation; Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries.

T1677: Poisoned Pipeline Execution — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let CIConfigFiles = dynamic([".github/workflows", ".gitlab-ci.yml", "Jenkinsfile", ".circleci/config", "azure-pipelines.yml", "bitbucket-pipelines.yml", ".travis.yml", "cloudbuild.yaml"]);
let SuspiciousTerms = dynamic(["curl ", "wget ", "base64 -d", "base64 --decode", "printenv", "env |", "| base64", "exfil", "ngrok", "burpcollab", "interactsh", "webhook.site", "requestbin", "pipedream", "SECRET", "TOKEN", "API_KEY", "AWS_", "GITHUB_TOKEN", "CI_JOB_TOKEN"]);
union isfuzzy=true
(
    AzureDevOpsAuditing
    | where TimeGenerated > ago(24h)
    | where OperationName in (
        "Git.Push",
        "Git.RefUpdateBatch",
        "Pipeline.PipelineModified",
        "Build.DefinitionModified",
        "Build.DefinitionCreated"
    )
    | extend DataStr = tostring(Data)
    | where DataStr has_any (CIConfigFiles) or DataStr has_any (SuspiciousTerms)
    | extend
        Actor = ActorUPN,
        Platform = "AzureDevOps",
        OperationType = OperationName,
        SourceIP = IpAddress,
        ProjectContext = ProjectName
    | project TimeGenerated, Actor, Platform, OperationType, SourceIP, ProjectContext, DataStr
),
(
    GitHubAuditLog
    | where TimeGenerated > ago(24h)
    | where Action in (
        "workflows.created",
        "workflows.updated",
        "git.push",
        "protected_branch.update_allow_force_pushes",
        "repo.create"
    )
    | extend DataStr = tostring(Data)
    | where DataStr has_any (CIConfigFiles) or DataStr has_any (SuspiciousTerms)
    | extend
        Actor = Actor,
        Platform = "GitHub",
        OperationType = Action,
        SourceIP = coalesce(IPAddress, "Unknown"),
        ProjectContext = tostring(Data.repo)
    | project TimeGenerated, Actor, Platform, OperationType, SourceIP, ProjectContext, DataStr
)
| extend RiskScore = case(
    DataStr has_any ("base64 -d", "base64 --decode", "interactsh", "ngrok", "webhook.site", "burpcollab"), 95,
    DataStr has_any ("printenv", "env |", "AWS_SECRET", "GITHUB_TOKEN", "CI_JOB_TOKEN"), 85,
    DataStr has_any ("curl ", "wget ", "| base64", "SECRET", "API_KEY"), 70,
    50
)
| where RiskScore >= 70
| sort by RiskScore desc, TimeGenerated desc

Detects suspicious modifications to CI/CD configuration files in Azure DevOps and GitHub environments. Queries AzureDevOpsAuditing and GitHubAuditLog tables for push or pipeline definition change events that reference known CI configuration file paths combined with suspicious command patterns indicating credential exfiltration (curl/wget with env vars, base64 decoding, exfiltration infrastructure hostnames). Risk-scores results based on observed command patterns to prioritize highest-confidence pipeline poisoning attempts.

high severity medium confidence

Data Sources

Microsoft Sentinel Azure DevOps Auditing GitHub Advanced Security

Required Tables

AzureDevOpsAuditing GitHubAuditLog

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries
Developers experimenting with pipeline debugging steps that temporarily echo environment context — common during onboarding
Automated dependency update bots (Renovate, Dependabot) modifying workflow files or build scripts as part of their normal operation

Splunk

spl

index=* (sourcetype="github:audit" OR sourcetype="github_webhook" OR sourcetype="gitlab:audit" OR sourcetype="azure:devops:audit")
| eval ci_config_modified=if(
    match(coalesce(repository_file, file, head_commit.modified{}, ""),
    "(\.github/workflows|\.gitlab-ci\.yml|Jenkinsfile|\.circleci/config|azure-pipelines\.yml|bitbucket-pipelines\.yml|\.travis\.yml|cloudbuild\.yaml)"),
    1, 0)
| eval suspicious_content=if(
    match(coalesce(commit_message, diff, payload, script, command, ""),
    "(curl |wget |base64 -d|base64 --decode|printenv|env \\||\\| base64|ngrok|interactsh|webhook\.site|requestbin|GITHUB_TOKEN|CI_JOB_TOKEN|AWS_SECRET|API_KEY)"),
    1, 0)
| where ci_config_modified=1 OR suspicious_content=1
| eval risk_score=case(
    match(coalesce(diff, script, command, payload, ""), "(base64 -d|base64 --decode|interactsh|ngrok|webhook\.site|burpcollaborator)"), 95,
    match(coalesce(diff, script, command, payload, ""), "(printenv|GITHUB_TOKEN|CI_JOB_TOKEN|AWS_SECRET_ACCESS_KEY)"), 85,
    match(coalesce(diff, script, command, payload, ""), "(curl |wget |\\| base64|API_KEY|SECRET)"), 70,
    50
)
| where risk_score >= 70
| eval actor=coalesce(actor, user, pusher.name, triggering_actor.login)
| eval source_ip=coalesce(actor_location.ip, ip, client_ip)
| eval repo=coalesce(repo, repository.full_name, project_path)
| eval event_action=coalesce(action, event_type, operation)
| table _time, actor, source_ip, repo, event_action, risk_score, ci_config_modified, suspicious_content
| sort - risk_score, - _time

Detects CI/CD pipeline poisoning via audit and webhook events from GitHub, GitLab, and Azure DevOps. Identifies modification of known CI configuration files and suspicious command patterns consistent with credential exfiltration, encoded payload delivery, or use of out-of-band data collection infrastructure (ngrok, interactsh, webhook.site). Risk-scores each event to surface highest-priority pipeline tampering attempts first.

high severity medium confidence

Data Sources

GitHub Audit Logs (Splunk Add-on for GitHub) GitLab Audit Events Azure DevOps Audit Logs

Required Sourcetypes

github:audit github_webhook gitlab:audit azure:devops:audit

False Positives

Authorized pipeline modifications by DevOps engineers — cross-reference with approved change management system records
Legitimate use of curl/wget in build steps for downloading compile-time dependencies from approved artifact registries (Maven, PyPI, npm)
Security tooling bots (Renovate, Dependabot, Snyk) that programmatically update workflow files and reference external URLs
Developers using base64 encoding for legitimate non-secret data transformation within build scripts
Onboarding automation scripts that dump environment details for troubleshooting — should be gated behind a CICD_DEBUG flag

Elastic Security (EQL)

eql

file where event.type in ("creation", "change") and (
  file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*") and
  file.extension in ("exe", "dll", "bat", "ps1", "vbs", "hta", "js")
) and not process.code_signature.trusted == true

Elastic EQL detection for Poisoned Pipeline Execution (T1677). Identifies poisoned pipeline execution activity by correlating endpoint telemetry patterns consistent with known adversary techniques.

high severity medium confidence

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.file-*

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    sourceip AS SourceIP,
    "CommandLine" AS CommandLine,
    CASE
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        WHEN "CommandLine" ILIKE '%-enc%' THEN 80
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

IBM QRadar AQL detection for Poisoned Pipeline Execution (T1677). Queries QRadar event pipeline for indicators consistent with poisoned pipeline execution adversary techniques using MITRE ATT&CK-aligned event categorization.

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

Sumo Logic CSE

sql

_sourceCategory=windows/* OR _sourceCategory=endpoint/*
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where process_cmdline matches /(-enc|-bypass|-hidden)/i
| if(process_cmdline matches /-enc/i, 80, 60) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, risk_score
| sort - risk_score

Sumo Logic detection for Poisoned Pipeline Execution (T1677). Identifies adversary poisoned pipeline execution behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/* OR _sourceCategory=endpoint/*

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

Google Chronicle / SecOps

yaral

rule detection_t1677 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Poisoned Pipeline Execution - T1677"
    severity = "HIGH"
    mitre_attack = "T1677"
    reference = "https://attack.mitre.org/techniques/T1677/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript)\.exe$`) and
    re.regex($e.target.process.command_line, `(?i)(-enc|-bypass|invoke-expression)`)
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec)`)

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule for detecting Poisoned Pipeline Execution (T1677). Uses Chronicle UDM event model to identify poisoned pipeline execution behaviors across endpoint and cloud telemetry.

high severity medium confidence

Data Sources

EDR Platform

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
| CommandLine = /(?i)(-enc|-bypass|invoke-expression)/
| case {
    CommandLine = /(?i)-enc/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    * | DetectionType := "SuspiciousExecution"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, ProcessId])
| sort(@timestamp, order=desc, limit=100)

CrowdStrike LogScale CQL detection for Poisoned Pipeline Execution (T1677). Queries Falcon telemetry for poisoned pipeline execution behavioral indicators aligned with MITRE ATT&CK T1677.

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

Poisoned Pipeline Execution

What is T1677 Poisoned Pipeline Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1677

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

What is T1677 Poisoned Pipeline Execution?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1677

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox