title: Poisoned Pipeline Execution (T1677)
id: df00tech-t1677
status: experimental
description: "This detection identifies adversaries attempting to poison CI/CD pipelines through direct modification of CI configuration files, injection of malicious code into pipeline-referenced build artifacts, or exploitation of fork-based pull request workflows that expose pipeline secrets. Detections span three attack vectors: (1) Direct pipeline execution — changes to CI config files (e.g., .github/workflows, .gitlab-ci.yml, Jenkinsfile) containing suspicious commands such as credential exfiltration via curl/wget, base64-encoded payloads, or environment variable dumping; (2) Indirect pipeline execution — modifications to Makefiles, linters, test suites, or build scripts that are invoked by trusted CI configurations; (3) Public pipeline execution — fork-based pull requests targeting pull_request_target workflows or injecting malicious branch names that are processed as trusted inputs by pipeline steps. Detection coverage includes Azure DevOps audit logs, GitHub audit log events, and process telemetry from CI runner hosts."
references:
  - https://attack.mitre.org/techniques/T1677/
  - https://df00tech.com/detections/T1677
author: df00tech
date: 2026/03/20
tags:
  - attack.t1677
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate DevOps engineers updating pipeline definitions to add new build steps or integrations — validate against change management tickets
  - "Authorized security scanning tools (Snyk, Dependabot, GitHub Advanced Security) modifying workflow files during automated PR creation"
  - Infrastructure-as-code pipelines that legitimately use curl/wget to download build dependencies or SDKs from trusted artifact registries
  - Developers experimenting with pipeline debugging steps that temporarily echo environment context — common during onboarding
  - "Automated dependency update bots (Renovate, Dependabot) modifying workflow files or build scripts as part of their normal operation"
level: high