Detection rules › Splunk
GitHub Workflow File Creation or Modification
The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints. This hunting query tracks all workflow file activity under .github/workflows directories to help defenders establish baselines of legitimate CI/CD workflow creation patterns, identify unusual or unauthorized changes, and detect anomalies that may indicate supply chain compromise. GitHub Actions workflows execute with privileged access to secrets and deployment credentials, making them high-value targets for attackers. By monitoring workflow file modifications over time, defenders can identify suspicious patterns such as unexpected workflow creation on developer workstations, modifications outside normal change windows, or activity in repositories that don't typically contain workflows. This data is essential for detecting supply chain attacks like Shai-Hulud that inject malicious workflows across multiple repositories.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1195 Supply Chain Compromise |
| Persistence | T1554 Compromise Host Software Binary, T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking |
| Privilege Escalation | T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking |
| Defense Evasion | T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: tstats
tstats WHERE Filesystem.file_path IN ("*/.github/workflows/*.yaml", "*/.github/workflows/*.yml", "*\\.github\\workflows\\*.yaml", "*\\.github\\workflows\\*.yml") BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product
Stage 2: search
search
Stage 3: search
search
Stage 4: search
search
Stage 5: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Filesystem.file_path | in |
|