diff --git a/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
new file mode 100644
index 00000000000..d7ccc3da7c4
--- /dev/null
+++ b/rules/integrations/github/initial_access_github_actions_bot_first_push_to_repo.toml
@@ -0,0 +1,120 @@
+[metadata]
+creation_date = "2025/12/09"
+integration = ["github"]
+maturity = "production"
+updated_date = "2025/12/09"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects when the github-actions[bot] pushes code to a repository where it has not performed this behavior before in a certain time window. This may
+indicate a supply chain attack where malicious code running in a CI workflow attempts to modify repository contents,
+such as injecting backdoor workflow files. The Shai-Hulud 2.0 attack used npm preinstall hooks to push malicious
+workflow files from within GitHub Actions runners.
+"""
+false_positives = [
+ """
+ Legitimate CI/CD automation that commits and pushes changes (e.g., auto-formatting, changelog updates, version
+ bumps, Dependabot auto-merge) will trigger this alert on first use in a repository. Review the repository's
+ workflow configurations to determine if bot pushes are expected.
+ """,
+]
+from = "now-9m"
+index = ["logs-github.audit-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "GitHub Actions Bot Pushed to Repository for First Time"
+note = """## Triage and analysis
+
+### Investigating GitHub Actions Bot Pushed to Repository for First Time
+
+This rule detects when the GitHub Actions bot pushes to a repository where it hasn't pushed before. While this can be
+legitimate automation, it may also indicate a supply chain attack where malicious code executes during CI and attempts
+to modify repository contents.
+
+### Possible investigation steps
+
+- Review the `github.repo` field to identify the affected repository.
+- Check recent workflow runs in the repository to identify which workflow triggered the push.
+- Examine the repository's commit history to see what files were modified by the bot push.
+- Look for newly added or modified files in `.github/workflows/` directory.
+- Review the repository's dependencies for recently added or updated packages with preinstall/postinstall hooks.
+- Check if the repository has legitimate automation that would explain bot pushes (Dependabot, Renovate, release automation).
+- Correlate with `protected_branch.rejected_ref_update` events to see if workflow injection was blocked.
+- Search for other repositories in the organization with similar suspicious activity.
+
+### False positive analysis
+
+- Repositories with auto-commit workflows (formatting, changelog generation, version bumps) will trigger on first run.
+- Dependabot or Renovate auto-merge configurations cause legitimate bot pushes.
+- GitHub Pages deployment workflows may push to gh-pages branches.
+- Release automation that updates version files or generates artifacts.
+
+### Response and remediation
+
+- If the push is unexpected, immediately review the commit contents for malicious files.
+- Check for suspicious workflow files (e.g., `discussion_*.yaml`, `formatter_*.yml`).
+- Audit all dependencies in the affected repository for malicious packages.
+- Rotate any secrets that may have been exposed during the workflow run.
+- Enable branch protection rules to require PR reviews for all changes.
+- Consider restricting GITHUB_TOKEN permissions in workflow files using `permissions:` key.
+"""
+references = [
+ "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
+ "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
+]
+risk_score = 21
+rule_id = "03245b25-3849-4052-ab48-72de65a82c35"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Use Case: Threat Detection",
+ "Tactic: Initial Access",
+ "Tactic: Persistence",
+ "Data Source: Github",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "github.audit" and
+ event.action: "git.push" and
+ user.name: "github-actions[bot]"
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1195"
+name = "Supply Chain Compromise"
+reference = "https://attack.mitre.org/techniques/T1195/"
+[[rule.threat.technique.subtechnique]]
+id = "T1195.002"
+name = "Compromise Software Supply Chain"
+reference = "https://attack.mitre.org/techniques/T1195/002/"
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["github.org_id","github.repo"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"
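Review bot: The `tags` array carries `"Tactic: Persistence"` while the two `[[rule.threat]]` blocks map Initial Access (TA0001) and Execution (TA0002), so the tags and the ATT&CK mapping disagree; the repository's rule validation most likely expects every `Tactic:` tag to be backed by a matching threat entry and vice versa. The Execution mapping is also a loose fit for a `git.push` audit event, which is a repository write rather than an interpreter invocation, so the cleaner fix is to drop the T1059/TA0002 block and back the Persistence tag with a Persistence tactic entry, or, if Execution is kept, change the tag to `"Tactic: Execution"` and remove `"Tactic: Persistence"`. Two caveats belong in `note`: with `history_window_start` at `now-7d` the rule fires on the first bot push in seven days rather than the first ever, so infrequent release automation will re-alert, and `git.push` events may only reach `logs-github.audit-*` when Git event logging is enabled for the organization's audit log stream, so confirm the integration actually delivers them before relying on this rule.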