T1677 Poisoned Pipeline Execution Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let CIConfigFiles = dynamic([".github/workflows", ".gitlab-ci.yml", "Jenkinsfile", ".circleci/config", "azure-pipelines.yml", "bitbucket-pipelines.yml", ".travis.yml", "cloudbuild.yaml"]);
let SuspiciousTerms = dynamic(["curl ", "wget ", "base64 -d", "base64 --decode", "printenv", "env |", "| base64", "exfil", "ngrok", "burpcollab", "interactsh", "webhook.site", "requestbin", "pipedream", "SECRET", "TOKEN", "API_KEY", "AWS_", "GITHUB_TOKEN", "CI_JOB_TOKEN"]);
union isfuzzy=true
(
    AzureDevOpsAuditing
    | where TimeGenerated > ago(24h)
    | where OperationName in (
        "Git.Push",
        "Git.RefUpdateBatch",
        "Pipeline.PipelineModified",
        "Build.DefinitionModified",
        "Build.DefinitionCreated"
    )
    | extend DataStr = tostring(Data)
    | where DataStr has_any (CIConfigFiles) or DataStr has_any (SuspiciousTerms)
    | extend
        Actor = ActorUPN,
        Platform = "AzureDevOps",
        OperationType = OperationName,
        SourceIP = IpAddress,
        ProjectContext = ProjectName
    | project TimeGenerated, Actor, Platform, OperationType, SourceIP, ProjectContext, DataStr
),
(
    GitHubAuditLog
    | where TimeGenerated > ago(24h)
    | where Action in (
        "workflows.created",
        "workflows.updated",
        "git.push",
        "protected_branch.update_allow_force_pushes",
        "repo.create"
    )
    | extend DataStr = tostring(Data)
    | where DataStr has_any (CIConfigFiles) or DataStr has_any (SuspiciousTerms)
    | extend
        Actor = Actor,
        Platform = "GitHub",
        OperationType = Action,
        SourceIP = coalesce(IPAddress, "Unknown"),
        ProjectContext = tostring(Data.repo)
    | project TimeGenerated, Actor, Platform, OperationType, SourceIP, ProjectContext, DataStr
)
| extend RiskScore = case(
    DataStr has_any ("base64 -d", "base64 --decode", "interactsh", "ngrok", "webhook.site", "burpcollab"), 95,
    DataStr has_any ("printenv", "env |", "AWS_SECRET", "GITHUB_TOKEN", "CI_JOB_TOKEN"), 85,
    DataStr has_any ("curl ", "wget ", "| base64", "SECRET", "API_KEY"), 70,
    50
)
| where RiskScore >= 70
| sort by RiskScore desc, TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Sentinel Azure DevOps Auditing GitHub Advanced Security

Required Tables

AzureDevOpsAuditing GitHubAuditLog

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries
Developers experimenting with pipeline debugging steps that temporarily echo environment context — common during onboarding
Automated dependency update bots (Renovate, Dependabot) modifying workflow files or build scripts as part of their normal operation

Splunk

spl

index=* (sourcetype="github:audit" OR sourcetype="github_webhook" OR sourcetype="gitlab:audit" OR sourcetype="azure:devops:audit")
| eval ci_config_modified=if(
    match(coalesce(repository_file, file, head_commit.modified{}, ""),
    "(\.github/workflows|\.gitlab-ci\.yml|Jenkinsfile|\.circleci/config|azure-pipelines\.yml|bitbucket-pipelines\.yml|\.travis\.yml|cloudbuild\.yaml)"),
    1, 0)
| eval suspicious_content=if(
    match(coalesce(commit_message, diff, payload, script, command, ""),
    "(curl |wget |base64 -d|base64 --decode|printenv|env \\||\\| base64|ngrok|interactsh|webhook\.site|requestbin|GITHUB_TOKEN|CI_JOB_TOKEN|AWS_SECRET|API_KEY)"),
    1, 0)
| where ci_config_modified=1 OR suspicious_content=1
| eval risk_score=case(
    match(coalesce(diff, script, command, payload, ""), "(base64 -d|base64 --decode|interactsh|ngrok|webhook\.site|burpcollaborator)"), 95,
    match(coalesce(diff, script, command, payload, ""), "(printenv|GITHUB_TOKEN|CI_JOB_TOKEN|AWS_SECRET_ACCESS_KEY)"), 85,
    match(coalesce(diff, script, command, payload, ""), "(curl |wget |\\| base64|API_KEY|SECRET)"), 70,
    50
)
| where risk_score >= 70
| eval actor=coalesce(actor, user, pusher.name, triggering_actor.login)
| eval source_ip=coalesce(actor_location.ip, ip, client_ip)
| eval repo=coalesce(repo, repository.full_name, project_path)
| eval event_action=coalesce(action, event_type, operation)
| table _time, actor, source_ip, repo, event_action, risk_score, ci_config_modified, suspicious_content
| sort - risk_score, - _time

high severity medium confidence

Data Sources

GitHub Audit Logs (Splunk Add-on for GitHub) GitLab Audit Events Azure DevOps Audit Logs

Required Sourcetypes

github:audit github_webhook gitlab:audit azure:devops:audit

False Positives

Authorized pipeline modifications by DevOps engineers — cross-reference with approved change management system records
Legitimate use of curl/wget in build steps for downloading compile-time dependencies from approved artifact registries (Maven, PyPI, npm)
Security tooling bots (Renovate, Dependabot, Snyk) that programmatically update workflow files and reference external URLs
Developers using base64 encoding for legitimate non-secret data transformation within build scripts
Onboarding automation scripts that dump environment details for troubleshooting — should be gated behind a CICD_DEBUG flag

Elastic Security (EQL)

eql

file where event.type in ("creation", "change") and (
  file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*") and
  file.extension in ("exe", "dll", "bat", "ps1", "vbs", "hta", "js")
) and not process.code_signature.trusted == true

high severity medium confidence

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.file-*

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    sourceip AS SourceIP,
    "CommandLine" AS CommandLine,
    CASE
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        WHEN "CommandLine" ILIKE '%-enc%' THEN 80
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

Sumo Logic CSE

sql

_sourceCategory=windows/* OR _sourceCategory=endpoint/*
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where process_cmdline matches /(-enc|-bypass|-hidden)/i
| if(process_cmdline matches /-enc/i, 80, 60) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/* OR _sourceCategory=endpoint/*

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

Google Chronicle / SecOps

yaral

rule detection_t1677 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Poisoned Pipeline Execution - T1677"
    severity = "HIGH"
    mitre_attack = "T1677"
    reference = "https://attack.mitre.org/techniques/T1677/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript)\.exe$`) and
    re.regex($e.target.process.command_line, `(?i)(-enc|-bypass|invoke-expression)`)
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

EDR Platform

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta)\.exe$/
| CommandLine = /(?i)(-enc|-bypass|invoke-expression)/
| case {
    CommandLine = /(?i)-enc/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    * | DetectionType := "SuspiciousExecution"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, ProcessId])
| sort(@timestamp, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2

False Positives

Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

Poisoned Pipeline Execution

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections