Techniques
Sample rules
GitHub Workflow File Creation or Modification
- source: splunk
- technicques:
- T1574.006
- T1554
- T1195
Description
The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization’s Linux or Windows endpoints. This hunting query tracks all workflow file activity under .github/workflows directories to help defenders establish baselines of legitimate CI/CD workflow creation patterns, identify unusual or unauthorized changes, and detect anomalies that may indicate supply chain compromise. GitHub Actions workflows execute with privileged access to secrets and deployment credentials, making them high-value targets for attackers. By monitoring workflow file modifications over time, defenders can identify suspicious patterns such as unexpected workflow creation on developer workstations, modifications outside normal change windows, or activity in repositories that don’t typically contain workflows. This data is essential for detecting supply chain attacks like Shai-Hulud that inject malicious workflows across multiple repositories.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Filesystem where
Filesystem.file_path IN (
"*/.github/workflows/*.yaml",
"*/.github/workflows/*.yml",
"*\\.github\\workflows\\*.yaml",
"*\\.github\\workflows\\*.yml"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user
Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_workflow_file_creation_or_modification_filter`