T1677 IBM QRadar · QRadar

Detect Poisoned Pipeline Execution in IBM QRadar

This detection identifies adversaries attempting to poison CI/CD pipelines through direct modification of CI configuration files, injection of malicious code into pipeline-referenced build artifacts, or exploitation of fork-based pull request workflows that expose pipeline secrets. Detections span three attack vectors: (1) Direct pipeline execution — changes to CI config files (e.g., .github/workflows, .gitlab-ci.yml, Jenkinsfile) containing suspicious commands such as credential exfiltration via curl/wget, base64-encoded payloads, or environment variable dumping; (2) Indirect pipeline execution — modifications to Makefiles, linters, test suites, or build scripts that are invoked by trusted CI configurations; (3) Public pipeline execution — fork-based pull requests targeting pull_request_target workflows or injecting malicious branch names that are processed as trusted inputs by pipeline steps. Detection coverage includes Azure DevOps audit logs, GitHub audit log events, and process telemetry from CI runner hosts.

MITRE ATT&CK

Tactic
Execution
Technique
T1677 Poisoned Pipeline Execution
Canonical reference
https://attack.mitre.org/techniques/T1677/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    sourceip AS SourceIP,
    "CommandLine" AS CommandLine,
    CASE
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        WHEN "CommandLine" ILIKE '%-enc%' THEN 80
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS
high severity medium confidence

IBM QRadar AQL detection for Poisoned Pipeline Execution (T1677). Queries QRadar event pipeline for indicators consistent with poisoned pipeline execution adversary techniques using MITRE ATT&CK-aligned event categorization.

Data Sources

IBM QRadar SIEMWindows Security EventsEndpoint Agent

Required Tables

events

False Positives & Tuning

  • Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
  • Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation
  • Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries
Download portable Sigma rule (.yml)

Other platforms for T1677

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Direct CI Config Poisoning - GitHub Actions Credential Exfiltration Simulation

    Expected signal: GitHubAuditLog: Action=git.push with repository_file matching .github/workflows path and DataStr containing 'curl' and 'TOKEN'. AzureDevOpsAuditing: OperationName=Git.Push with Data containing workflow file path and suspicious curl command.

  2. Test 2Indirect Pipeline Poisoning - Malicious npm postinstall Script Injection

    Expected signal: DeviceProcessEvents: InitiatingProcessFileName=npm spawning sh/bash with ProcessCommandLine containing 'printenv'. Sysmon Event ID 1: ParentImage=npm, CommandLine matching printenv/grep pattern. linux_secure or auditd: execve syscall for printenv spawned under npm process.

  3. Test 3Public Pipeline Execution - Fork PR with Malicious Branch Name Injection

    Expected signal: GitHubAuditLog: Action=pull_request.opened with pull_request.head.repo.full_name != pull_request.base.repo.full_name (fork indicator). Branch name field containing shell metacharacters triggers IsSuspiciousBranch=true in hunting query.

Last updated: 2026-03-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1677 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1195Supply Chain CompromiseT1552Unsecured CredentialsT1059.007JavaScriptT1053.007Container Orchestration JobT1204.002Malicious FileT1078Valid Accounts

Same Tactic: Execution

Popular Detections