GitHub Actions Workflow Modification Blocked

Detects when a GitHub Actions workflow attempts to create or modify workflow files in a protected branch but is blocked due to insufficient permissions. This behavior is indicative of a supply chain attack where a malicious package or compromised CI/CD pipeline attempts to inject persistent backdoor workflows into a repository.

Elastic rule

[metadata]
creation_date = "2025/12/05"
integration = ["github"]
maturity = "production"
updated_date = "2025/12/05"

[rule]
author = ["Elastic"]
description = """
Detects when a GitHub Actions workflow attempts to create or modify workflow files in a protected branch but is blocked
due to insufficient permissions. This behavior is indicative of a supply chain attack where a malicious package or
compromised CI/CD pipeline attempts to inject persistent backdoor workflows into a repository.
"""
false_positives = [
    """
    Legitimate CI/CD automation that requires workflow file modifications may trigger this alert if not properly
    configured with the necessary permissions. Review the workflow configuration and ensure the GITHUB_TOKEN or PAT has
    the required 'workflows' permission if the modification is intentional.
    """,
]
from = "now-9m"
interval = "8m"
language = "esql"
license = "Elastic License v2"
name = "GitHub Actions Workflow Modification Blocked"
note = """## Triage and analysis

### Investigating GitHub Actions Workflow Modification Blocked

This rule detects attempts to push workflow files to a GitHub repository from within a GitHub Actions workflow that are blocked by GitHub's security controls. This is a key indicator of supply chain attacks where malicious code attempts to establish persistence by injecting backdoor workflows.

### Possible investigation steps

- Review the `github.repo` field to identify which repository was targeted.
- Examine the `github.actor_id` to determine if the action was triggered by a bot (`github-actions[bot]`) or a user account (PAT-based).
- Check recent workflow runs in the repository for suspicious activity, especially in jobs that run `npm install` or other package manager commands.
- Review the repository's dependencies for recently added or updated packages that may contain malicious preinstall/postinstall hooks.
- Examine the `github.reasons.message` field for details on which workflow file was being created or modified.
- Search for other repositories in the organization that may have the same malicious dependency.
- Review GitHub audit logs for successful workflow file modifications that may have occurred before protections were enabled.

### False positive analysis

- Legitimate automation tools that manage workflow files may trigger this alert. Verify if the repository uses tools like Dependabot, Renovate, or custom automation that modifies workflows.
- CI/CD pipelines that intentionally update workflow files should use a PAT with the 'workflows' scope and be documented.

### Response and remediation

- If this is a confirmed attack attempt, immediately audit all dependencies in the affected repository.
- Remove any suspicious packages and regenerate lock files.
- Rotate any secrets that may have been exposed during the CI run.
- Review and revoke any PATs that may have been compromised.
- Enable branch protection rules requiring pull request reviews for workflow file changes.
- Consider implementing CODEOWNERS for `.github/workflows/` directory.
- Search for indicators of compromise such as unexpected workflow files (e.g., `discussion_*.yaml`, `formatter_*.yml`).
"""
references = ["https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack"]
risk_score = 47
rule_id = "e8b37f18-4804-4819-8602-4aba1169c9f4"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Persistence",
    "Tactic: Execution",
    "Data Source: Github",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-github.audit-* metadata _id, _index, _version
| where
    data_stream.dataset == "github.audit" and
    event.action == "protected_branch.rejected_ref_update" and
    github.category == "protected_branch" and
    github.reasons.code == "workflow_updates" and
    match(github.reasons.message::STRING, "refusing to allow a GitHub App to create or update workflow")
| keep *
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
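To make the rule's ES|QL WHERE clause and the first triage steps concrete, here is an added Python re-implementation run over a handful of constructed GitHub audit events. It is example code written for this page, not part of the Elastic rule or the github integration. The flattened dotted-key event layout, the handling of `github.reasons` as either one object or a list, and the repos, actors and workflow file names are all assumptions; the messages follow the wording of GitHub's push rejection, and a case-insensitive phrase check stands in for ES|QL's full-text `match()`.

```python
"""Offline stand-in for the rule's WHERE clause plus the triage fields it points at."""
import re
from typing import Any

# Constructed sample audit events (not real data) in the dotted-key shape the rule queries.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # 1: workflow write from the Actions bot, blocked -> should alert
        "data_stream.dataset": "github.audit",
        "event.action": "protected_branch.rejected_ref_update",
        "github.category": "protected_branch",
        "github.repo": "example-org/web-app",
        "github.actor_id": "github-actions[bot]",
        "github.reasons": [{
            "code": "workflow_updates",
            "message": "refusing to allow a GitHub App to create or update workflow "
                       "`.github/workflows/discussion_123.yaml` without `workflows` permission",
        }],
    },
    {   # 2: same event type, rejected for a different (constructed) reason -> no alert
        "data_stream.dataset": "github.audit",
        "event.action": "protected_branch.rejected_ref_update",
        "github.category": "protected_branch",
        "github.repo": "example-org/web-app",
        "github.actor_id": "jdoe",
        "github.reasons": {"code": "example_other_reason", "message": "constructed non-workflow rejection"},
    },
    {   # 3: blocked workflow write from a user account (PAT-based) -> should alert
        "data_stream.dataset": "github.audit",
        "event.action": "protected_branch.rejected_ref_update",
        "github.category": "protected_branch",
        "github.repo": "example-org/api",
        "github.actor_id": "jdoe",
        "github.reasons": {
            "code": "workflow_updates",
            "message": "Refusing to allow a GitHub App to create or update workflow "
                       "`.github/workflows/formatter_7.yml` without `workflows` permission",
        },
    },
    {   # 4: unrelated audit event -> no alert
        "data_stream.dataset": "github.audit",
        "event.action": "repo.create",
        "github.category": "repo",
        "github.repo": "example-org/new-repo",
        "github.actor_id": "jdoe",
    },
]

# Phrase the rule matches on, lower-cased for the case-insensitive check below.
PHRASE = "refusing to allow a github app to create or update workflow"
# GitHub quotes the rejected workflow path in backticks; pull it out for triage.
WORKFLOW_PATH_RE = re.compile(r"`(\.github/workflows/[^`]+)`")


def _reasons(event: dict[str, Any]) -> list[dict[str, Any]]:
    """Normalise github.reasons to a list: assumed to be one object or several."""
    reasons = event.get("github.reasons")
    if reasons is None:
        return []
    return reasons if isinstance(reasons, list) else [reasons]


def matches_rule(event: dict[str, Any]) -> bool:
    """Python equivalent of the rule's WHERE clause (phrase check instead of match())."""
    if event.get("data_stream.dataset") != "github.audit":
        return False
    if event.get("event.action") != "protected_branch.rejected_ref_update":
        return False
    if event.get("github.category") != "protected_branch":
        return False
    return any(
        r.get("code") == "workflow_updates" and PHRASE in str(r.get("message", "")).lower()
        for r in _reasons(event)
    )


def extract_workflow_path(message: str):
    """Return the backtick-quoted workflow path from the rejection message, or None."""
    m = WORKFLOW_PATH_RE.search(message)
    return m.group(1) if m else None


def actor_kind(actor_id: str) -> str:
    """Triage step: bot identity vs. user account (PAT-based), by the [bot] suffix."""
    return "bot" if actor_id.endswith("[bot]") else "user (PAT-based)"


def triage(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Apply the rule and collect the fields the investigation guide asks for."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        paths = [extract_workflow_path(str(r.get("message", ""))) for r in _reasons(ev)]
        findings.append({
            "repo": ev.get("github.repo"),
            "actor": ev.get("github.actor_id"),
            "actor_kind": actor_kind(str(ev.get("github.actor_id", ""))),
            "workflow_path": next((p for p in paths if p), None),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Events 1 and 3 are the only hits: the second rejection has a different reason code, and the fourth is not a protected-branch event at all. The extracted `workflow_path` is what you compare against the unexpected-file indicators in the remediation section, and `actor_kind` separates the bot-token case from a PAT-backed user account, which changes which credential to rotate.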
