high
advisory
AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
2 rules, 2 TTPs
Attackers are stealing AWS credentials configured as GitHub Actions secrets and using them from non-CI/CD infrastructure, indicating potential credential theft and unauthorized access to AWS resources.
AWS IAM +1
cloud
aws
github
credential-theft
initial-access
lateral-movement
low
advisory
Detection of New GitHub Actions Secrets Creation
3 rules, 3 TTPs
This analytic detects the creation of new GitHub Actions secrets at the organization, environment, codespaces, or repository level, potentially indicating malicious persistence or privilege escalation.
GitHub Actions
github
persistence
privilege-escalation
initial-access
low
advisory
GitHub Self-Hosted Runner Configuration Changes Detected
3 rules, 8 TTPs
Changes to self-hosted runner configurations in GitHub environments can indicate potential impact, discovery, collection, persistence, privilege escalation, initial access, or stealth activity.
GitHub Actions
github
self-hosted-runner
audit-log
devops
supply-chain