DET0533 Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows

Item	Value
ID	DET0533
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1677 (Poisoned Pipeline Execution)

Analytics

SaaS

AN1473

Detects anomalous CI/CD workflow execution originating from forked repositories, with pull request (PR) metadata or commit messages containing suspicious patterns (e.g., encoded payloads), coupled with the use of insecure pipeline triggers like pull_request_target or excessive API usage of CI/CD secrets. Correlation with unusual artifact generation or secret exfiltration via encoded or external network destination URLs confirms suspicious behavior.

Log Sources

Data Component	Name	Channel
Cloud Service Modification (DC0069)	saas:github	Workflow triggered via pull_request_target from forked repo
Cloud Service Metadata (DC0070)	saas:github	CI/CD secret accessed or exported
Cloud Storage Access (DC0025)	saas:github	Artifact generated includes base64/encoded exfil payload or URL
File Metadata (DC0059)	saas:RepoEvents	New file added or modified in PR targeting CI/CD or build config (e.g., `gitlab-ci.yml`, `build.gradle`, `pom.xml`, `.github/workflows/*.yml`)
Command Execution (DC0064)	saas:PRMetadata	Commit message or branch name contains encoded strings or payload indicators

Mutable Elements

Field	Description
TimeWindow	Time delta between PR creation and workflow execution to flag rapid attempts
UserContext	Forked or external user accounts triggering workflows; may differ across orgs
TriggerTypeAllowlist	CI trigger types (e.g., `pull_request_target`) that should or shouldn’t be used for forks
ArtifactEntropyThreshold	Entropy threshold for detecting encoded payloads in artifacts
SecretAccessRateThreshold	Rate of secret access in a single workflow run that might indicate abuse