From 176b9047fbd7cb4a545e1aae34b07a2159804193 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 9 Dec 2025 10:54:40 -0500 Subject: [PATCH 1/6] [New Rule] GitHub Actions Workflow Injection Blocked Fixes #5431 --- ...ub_actions_workflow_injection_blocked.toml | 120 ++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml diff --git a/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml b/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml new file mode 100644 index 00000000000..52b6b55f390 --- /dev/null +++ b/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml 
@@ -0,0 +1,120 @@ +[metadata] +creation_date = "2025/12/05" +integration = ["github"] +maturity = "production" +updated_date = "2025/12/05" + +[rule] +author = ["Elastic"] +description = """ +Detects when a GitHub Actions workflow attempts to create or modify workflow files in a protected branch but is blocked +due to insufficient permissions. This behavior is indicative of a supply chain attack where a malicious package or +compromised CI/CD pipeline attempts to inject persistent backdoor workflows into a repository. The Shai Hulud 2.0 attack +demonstrated this technique by using npm preinstall hooks to push malicious workflow files that enable command injection +or secrets exfiltration. +""" +false_positives = [ + """ + Legitimate CI/CD automation that requires workflow file modifications may trigger this alert if not properly + configured with the necessary permissions. Review the workflow configuration and ensure the GITHUB_TOKEN or PAT has + the required 'workflows' permission if the modification is intentional. + """, +] +from = "now-9m" +interval = "8m" +language = "esql" +license = "Elastic License v2" +name = "GitHub Actions Workflow Injection Blocked" +note = """## Triage and analysis + +### Investigating GitHub Actions Workflow Injection Blocked + +This rule detects attempts to push workflow files to a GitHub repository from within a GitHub Actions workflow that are blocked by GitHub's security controls. This is a key indicator of supply chain attacks where malicious code attempts to establish persistence by injecting backdoor workflows. + +### Possible investigation steps + +- Review the `github.repo` field to identify which repository was targeted. +- Examine the `github.actor` to determine if the action was triggered by a bot (`github-actions[bot]`) or a user account (PAT-based). +- Check recent workflow runs in the repository for suspicious activity, especially in jobs that run `npm install` or other package manager commands. 
+- Review the repository's dependencies for recently added or updated packages that may contain malicious preinstall/postinstall hooks. +- Examine the `github.reasons.message` field for details on which workflow file was being created or modified. +- Search for other repositories in the organization that may have the same malicious dependency. +- Review GitHub audit logs for successful workflow file modifications that may have occurred before protections were enabled. + +### False positive analysis + +- Legitimate automation tools that manage workflow files may trigger this alert. Verify if the repository uses tools like Dependabot, Renovate, or custom automation that modifies workflows. +- CI/CD pipelines that intentionally update workflow files should use a PAT with the 'workflows' scope and be documented. + +### Response and remediation + +- If this is a confirmed attack attempt, immediately audit all dependencies in the affected repository. +- Remove any suspicious packages and regenerate lock files. +- Rotate any secrets that may have been exposed during the CI run. +- Review and revoke any PATs that may have been compromised. +- Enable branch protection rules requiring pull request reviews for workflow file changes. +- Consider implementing CODEOWNERS for `.github/workflows/` directory. +- Search for indicators of compromise such as unexpected workflow files (e.g., `discussion_*.yaml`, `formatter_*.yml`). 
+""" +references = ["https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack"] +risk_score = 47 +rule_id = "e8b37f18-4804-4819-8602-4aba1169c9f4" +severity = "medium" +tags = [ + "Domain: Cloud", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Tactic: Execution", + "Data Source: Github", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +from logs-github.audit-* metadata _id, _index, _version +| where + data_stream.dataset == "github.audit" and + event.action == "protected_branch.rejected_ref_update" and + github.category == "protected_branch" and + github.reasons.code == "workflow_updates" and + match(github.reasons.message::STRING, "refusing to allow a GitHub App to create or update workflow") +| keep * +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1195" +name = "Supply Chain Compromise" +reference = "https://attack.mitre.org/techniques/T1195/" +[[rule.threat.technique.subtechnique]] +id = "T1195.002" +name = "Compromise Software Supply Chain" +reference = "https://attack.mitre.org/techniques/T1195/002/" + + +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + From db23c2e3b43ab9890d0c9c600304feb897aee7c2 Mon Sep 17 00:00:00 2001 
From: terrancedejesus Date: Tue, 9 Dec 2025 11:34:49 -0500 Subject: [PATCH 2/6] adjusts MITRE ATT&CK mappings --- ...thub_actions_workflow_injection_blocked.toml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml b/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml index 52b6b55f390..0f2bbcf356d 100644 --- a/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml +++ b/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml @@ -63,6 +63,7 @@ severity = "medium" tags = [ "Domain: Cloud", "Use Case: Threat Detection", + "Tractic: Initial Access", "Tactic: Persistence", "Tactic: Execution", "Data Source: Github", @@ -95,16 +96,11 @@ name = "Compromise Software Supply Chain" reference = "https://attack.mitre.org/techniques/T1195/002/" -[[rule.threat.technique]] -id = "T1546" -name = "Event Triggered Execution" -reference = "https://attack.mitre.org/techniques/T1546/" - [rule.threat.tactic] -id = "TA0003" -name = "Persistence" -reference = "https://attack.mitre.org/tactics/TA0003/" +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -112,6 +108,11 @@ id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique]] +id = "T1546" +name = "Event Triggered Execution" +reference = "https://attack.mitre.org/techniques/T1546/" + [rule.threat.tactic] id = "TA0002" From 654a3078583923c0c8400370cdc95b5a77013567 Mon Sep 17 00:00:00 2001 
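Review bot: The added tag `"Tractic: Initial Access"` is misspelled and will not be recognised as a tactic tag; it should read `"Tactic: Initial Access"`. The second hunk in this patch swaps the first threat entry's tactic from Persistence to Initial Access, but `"Tactic: Persistence"` is left in the tags list with no corresponding `[rule.threat]` entry, so tags and threat mappings now disagree; even if the repository's tag/tactic consistency checks do not flag this, either remove the tag or re-add a Persistence mapping deliberately. The later "fixed MITRE mappings" commit in this series may already cover this, but its rule-file hunk is not visible here.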
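Review bot: T1546 Event Triggered Execution is moved under the Execution (TA0002) threat entry in the third hunk, but in ATT&CK that technique belongs to the Persistence and Privilege Escalation tactics, not Execution; the original placement under Persistence was the correct one. If a Persistence mapping for the backdoor-workflow behaviour is still wanted, keep a separate `[[rule.threat]]` with `id = "TA0003"` holding T1546 rather than attaching it to Execution. This may be what the later "fixed MITRE mappings" commit addresses; that hunk is not visible in this excerpt.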
From: terrancedejesus Date: Tue, 9 Dec 2025 11:49:15 -0500 Subject: [PATCH 3/6] adjusting file name --- ...initial_access_github_actions_workflow_injection_blocked.toml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/integrations/github/{persistence_github_actions_workflow_injection_blocked.toml => initial_access_github_actions_workflow_injection_blocked.toml} (100%) diff --git a/rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml b/rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml similarity index 100% rename from rules/integrations/github/persistence_github_actions_workflow_injection_blocked.toml rename to rules/integrations/github/initial_access_github_actions_workflow_injection_blocked.toml From 27e583c1019ea57a2776a9988101cd1850004a57 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 9 Dec 2025 15:16:21 -0500 Subject: [PATCH 4/6] updating GitHub integration schema; fixed MITRE mappings --- .../etc/integration-manifests.json.gz | Bin 24534 -> 24534 bytes .../etc/integration-schemas.json.gz | Bin 7511532 -> 7511532 bytes pyproject.toml | 2 +- ...ub_actions_workflow_injection_blocked.toml | 16 +++++++++++----- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index d2591e1661125732fe5d8678955ebaa63a605644..d391bf784f40721babfcf65caafe2765a21c75ec 100644 GIT binary patch delta 18 Zcmcb%pYhs$Mt1pb4i5W9i;e8(;{io72Fw5e delta 18 acmcb%pYhs$Mt1pb4vtxS%{H>1j|Tur4F_QW 
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 0e20cf3d1ab8a6d1404212bf38c15570b8608335..1de37bb92e6693980acd25115ae9d99133e48c33 100644 GIT binary patch delta 362 zcmWN_wN(QE06@V90e*0I3GS}J-7UDgyKF%5D`sE}DmGvbI);Gan*06w4*dQj^d1aG z-okH4ltfEFVkB1L5;JXN}u%0fDFoz49kd&%9xDH zgiOkmOv{YS%ACy0f-K6CEK5XIWL4H=T{dJ>wq#p&WLNfNUk>C@j^tQQdFfij4gp#b_I`ywFNWW!%SQQ?1-yaxio z@6a0(A(0X#(GnxE@}B{TlXyvxL`jllNs&}ZlXS_DOv#dL$&p;ilYA+VLMf7BDUnhs zlX9t$N~w}+sgYW#lX_{8Mro2}2}+B!N}IGxhjdCvx};lrq*wZ+Uj}4QhGbYqWK_mv zTqa~vres=XWLD;6UKV6gmSkC0WL4H=T{dJ>wq#p&WLNfNUk>C@j^tQQ Date: Wed, 10 Dec 2025 10:17:14 -0500 Subject: [PATCH 5/6] revert manifests / schemas to main --- .../etc/integration-manifests.json.gz | Bin 24534 -> 24534 bytes .../etc/integration-schemas.json.gz | Bin 7511532 -> 7511532 bytes pyproject.toml | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index d391bf784f40721babfcf65caafe2765a21c75ec..d2591e1661125732fe5d8678955ebaa63a605644 100644 GIT binary patch delta 18 acmcb%pYhs$Mt1pb4vtxS%{H>1j|Tur4F_QW delta 18 Zcmcb%pYhs$Mt1pb4i5W9i;e8(;{io72Fw5e 
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 1de37bb92e6693980acd25115ae9d99133e48c33..0e20cf3d1ab8a6d1404212bf38c15570b8608335 100644 GIT binary patch delta 362 zcmWN_wNV5B006;3?{Rl`=h4UA-QC@_1A>dFfij4gp#b_I`ywFNWW!%SQQ?1-yaxio z@6a0(A(0X#(GnxE@}B{TlXyvxL`jllNs&}ZlXS_DOv#dL$&p;ilYA+VLMf7BDUnhs zlX9t$N~w}+sgYW#lX_{8Mro2}2}+B!N}IGxhjdCvx};lrq*wZ+Uj}4QhGbYqWK_mv zTqa~vres=XWLD;6UKV6gmSkC0WL4H=T{dJ>wq#p&WLNfNUk>C@j^tQQ5;JXN}u%0fDFoz49kd&%9xDH zgiOkmOv{YS%ACy0f-K6CEK5XIWL4H=T{dJ>wq#p&WLNfNUk>C@j^tQQ Date: Wed, 10 Dec 2025 10:20:33 -0500 Subject: [PATCH 6/6] added dynamic github fields to non-ecs file --- detection_rules/etc/non-ecs-schema.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index eae5d6174a8..432d575a0a4 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -150,6 +150,10 @@ "kibana.alert.rule.type": "keyword", "kibana.alert.rule.threat.tactic.name": "keyword" }, + "logs-github.audit-*": { + "github.reasons.code": "keyword", + "github.reasons.message": "text" + }, "logs-google_workspace*": { "gsuite.admin": "keyword", "gsuite.admin.new_value": "keyword",