Detection of New GitHub Actions Secrets Creation
This analytic detects the creation of new GitHub Actions secrets at the organization, environment, codespaces, or repository level, potentially indicating malicious persistence or privilege escalation.
This detection identifies the creation of new secrets within GitHub Actions. Threat actors may create or modify secrets to gain unauthorized access, establish persistence, or escalate privileges within the GitHub environment. The activity is captured via GitHub's audit logs. The scope of this detection encompasses the creation of secrets at the organization, environment, Codespaces, or repository level; updates to existing secrets are recorded under separate update actions in the audit log and are not covered by this rule. Successful detection of this activity allows security teams to investigate potentially malicious additions to GitHub Actions secrets, which could lead to supply chain compromise or data exfiltration.
Attack Chain
- An attacker gains initial access to a GitHub account, potentially through compromised credentials or phishing (T1078.004).
- The attacker authenticates to the GitHub organization or repository.
- The attacker navigates to the settings for the organization, environment, codespaces, or repository.
- The attacker creates a new secret within the GitHub Actions settings, using the GitHub API or web interface.
- The secret is stored within GitHub’s infrastructure, accessible to GitHub Actions workflows.
- The attacker modifies or creates a GitHub Actions workflow that utilizes the newly created secret.
- The workflow executes, using the secret to perform privileged actions such as accessing sensitive data or deploying malicious code.
- The attacker achieves persistence or elevates their privileges within the GitHub environment, potentially compromising the entire software supply chain.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, code injection, and supply chain compromise. The impact ranges from low, in cases where the secret is used for benign purposes, to critical if the secret is used to deploy malicious code into production environments. While the number of affected organizations is unknown, the potential for widespread impact across the software supply chain makes this a critical area for monitoring.
Recommendation
- Enable GitHub audit log streaming to capture the events necessary for this detection (see the rule's logsource definition).
- Deploy the Sigma rule "Github New Secret Created" to your SIEM and tune it for your environment.
- Investigate any alerts generated by the Sigma rule, focusing on the "actor" involved in creating the secret.
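The detection logic the recommendations describe, run over constructed GitHub audit-log stream lines, as an added example that is not part of this page or of the Sigma project's own code: it matches the four creation action names the public "Github New Secret Created" Sigma rule selects (org.create_actions_secret, environment.create_actions_secret, codespaces.create_an_org_secret, repo.create_actions_secret), derives the scope from the action prefix, and groups hits by the actor field for triage. The sample events, actor and organization names, and the subset of fields used are constructed for illustration; real streamed events carry additional fields.

```python
"""Apply the 'Github New Secret Created' selection to GitHub audit-log lines.

Added example. SAMPLE_AUDIT_LOG is constructed test data, not real audit output.
"""
import json
from collections import defaultdict

# Audit-log action names matched by the public Sigma rule, one per scope
# (organization, environment, Codespaces, repository).
SECRET_CREATE_ACTIONS = frozenset({
    "org.create_actions_secret",
    "environment.create_actions_secret",
    "codespaces.create_an_org_secret",
    "repo.create_actions_secret",
})

# Map the action-name prefix to the scope named in the advisory.
SCOPE_BY_PREFIX = {
    "org": "organization",
    "environment": "environment",
    "codespaces": "codespaces",
    "repo": "repository",
}

# Constructed newline-delimited JSON in the shape of audit log streaming output.
# Actors, org and repo names are made up. Note the update event on line 4: it is
# a secret modification and is deliberately NOT matched by this rule.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1700000000000, "action": "repo.create_actions_secret", "actor": "dev-alice", "org": "acme", "repo": "acme/webapp"}
{"@timestamp": 1700000060000, "action": "repo.create", "actor": "dev-alice", "org": "acme", "repo": "acme/webapp"}
{"@timestamp": 1700000120000, "action": "org.create_actions_secret", "actor": "contractor-x", "org": "acme"}
{"@timestamp": 1700000180000, "action": "repo.update_actions_secret", "actor": "dev-bob", "org": "acme", "repo": "acme/api"}
{"@timestamp": 1700000240000, "action": "codespaces.create_an_org_secret", "actor": "contractor-x", "org": "acme"}
{"@timestamp": 1700000300000, "action": "environment.create_actions_secret", "actor": "contractor-x", "org": "acme", "repo": "acme/deploy"}
"""


def parse_events(ndjson_text):
    """Parse newline-delimited JSON events; blank or malformed lines are skipped
    so one bad record cannot stall the whole detection."""
    events = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_secret_creation(event):
    """The Sigma selection: action is one of the four creation actions."""
    return event.get("action") in SECRET_CREATE_ACTIONS


def detect_secret_creations(ndjson_text):
    """Return one alert record per matching event, with scope and target
    resolved so an analyst can see where the secret was created."""
    alerts = []
    for ev in parse_events(ndjson_text):
        if not is_secret_creation(ev):
            continue
        prefix = ev["action"].split(".", 1)[0]
        alerts.append({
            "timestamp": ev.get("@timestamp"),
            "actor": ev.get("actor", "<unknown>"),
            "scope": SCOPE_BY_PREFIX.get(prefix, prefix),
            # Repository-scoped events carry "repo"; org-level ones only "org".
            "target": ev.get("repo") or ev.get("org") or "<unknown>",
            "action": ev["action"],
        })
    return alerts


def summarize_by_actor(alerts):
    """Group alerts by actor, the field the recommendation says to focus on.
    One actor creating secrets across several scopes is worth a closer look."""
    by_actor = defaultdict(list)
    for alert in alerts:
        by_actor[alert["actor"]].append(alert)
    return dict(by_actor)


def main():
    alerts = detect_secret_creations(SAMPLE_AUDIT_LOG)
    for actor, hits in summarize_by_actor(alerts).items():
        print(f"{actor}: {len(hits)} secret creation(s)")
        for hit in hits:
            print(f"  {hit['action']} scope={hit['scope']} target={hit['target']}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one summary per actor; contractor-x shows up with three creations across organization, Codespaces and environment scope while dev-alice has a single repository-level one. The repo.update_actions_secret event is not matched, which is the point to keep in mind when tuning: this rule covers creation only, so secret modification needs its own rule over the corresponding update actions.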
Detection coverage (3 rules)
- GitHub Actions New Organization Secret Created (severity: low): detects when a user creates an Actions secret for the organization.
- GitHub Actions New Repository Secret Created (severity: low): detects when a user creates an Actions secret for a repository.
- GitHub Actions New Codespaces Secret Created (severity: low): detects when a user creates an Actions secret for Codespaces.