Back to Intelligence

Living Off the Pipeline: Detecting Poisoned Pipeline Execution in CI/CD Environments

SA
Security Arsenal Team
May 16, 2026
6 min read

Introduction

The concept of "Living off the Land" (LotL) has plagued defenders for years, as adversaries bypass detection by abusing native system binaries. Now, this tactic has evolved into "Living off the Pipeline" (LotP), where attackers weaponize the very tools we trust to build and deploy software. By subverting Continuous Integration/Continuous Deployment (CI/CD) orchestrators like Jenkins, GitHub Actions, and GitLab CI, threat actors can execute malicious code, exfiltrate secrets, and move laterally—all while appearing as legitimate build traffic.

This is not theoretical. SentinelOne’s recent analysis highlights how adversaries are leveraging Poisoned Pipeline Execution (PPE) to manipulate build scripts and configuration files. Defenders can no longer treat build servers as benign environments; they are now the primary battlefield for software supply chain warfare.

Technical Analysis

Affected Platforms:

  • Jenkins: Java-based automation server, often running as a high-privileged service.
  • GitHub Actions / GitLab CI: Cloud-based and self-hosted runners executing YAML-defined workflows.
  • Build Agents: Linux and Windows containers or bare-metal machines performing the compilation.

The Attack Vector: Poisoned Pipeline Execution (PPE) Unlike traditional malware that relies on dropping binaries, LotP focuses on altering the definition files that control the build process:

  1. CI Configuration Injection: Adversaries compromise a developer's git credentials and submit a malicious pull request (PR) or commit directly to a repository. This modification injects commands into Jenkinsfile, .github/workflows/*.yml, or .gitlab-ci.yml.
  2. Script Abuse: The malicious instructions leverage pre-installed tools on the build agent—bash, python, curl, or git—to download payloads or exfiltrate environment variables (e.g., AWS_SECRET_ACCESS_KEY, GITHUB_TOKEN).
  3. Execution: The CI controller triggers the build based on the event (push/PR). The build agent executes the attacker's script under the guise of a legitimate job.

Exploitation Status:

  • Active: Confirmed in the wild targeting software vendors and development environments.
  • Technique: Abuse of trusted features, not necessarily a software vulnerability (CVE). However, misconfigurations (CWE-732) enable the subversion.

Detection & Response

Detecting LotP requires shifting monitoring from endpoint anomalies to behavioral context within the build pipeline. We must hunt for deviations in the "parent-child" relationships of build processes and unauthorized network connections originating from build agents.

Sigma Rules

YAML
---
title: Potential Poisoned Pipeline Execution - Jenkins Process Anomaly
id: 8a2b3c4d-5e6f-4a5b-8c6d-7e8f9a0b1c2d
status: experimental
description: Detects suspicious child processes spawned by the Jenkins service or agents, indicative of command execution via a compromised Jenkinsfile.
references:
  - https://attack.mitre.org/techniques/T1195/
  - https://www.sentinelone.com/blog/living-off-the-pipeline-defending-against-ci-cd-subversion/
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.execution
  - attack.t1059.004
  - attack.software_supply_chain
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/java'
      - '/jenkins-agent'
      - '/jenkins-slave'
  selection_child:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/python'
      - '/perl'
  selection_network:
    CommandLine|contains:
      - 'curl '
      - 'wget '
      - 'nc '
      - 'socket'
  condition: selection_parent and selection_child and selection_network
falsepositives:
  - Legitimate build scripts that download dependencies (validate allowlists)
level: high
---
title: Git Hook Execution via CI Runner
id: 9b3c4d5e-6f7a-5b6c-9d7e-0f1a2b3c4d5e
status: experimental
description: Detects execution of git hooks (e.g., post-merge, pre-push) which are often abused in CI environments to establish persistence or trigger malicious code.
references:
  - https://www.sentinelone.com/blog/living-off-the-pipeline-defending-against-ci-cd-subversion/
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.persistence
  - attack.t1546
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/git'
    CommandLine|contains:
      - 'hook'
      - '.git/hooks/'
  filter_main:
    ParentImage|endswith:
      - '/git' # Normal git ops
      - '/ssh' # Git over ssh
  condition: selection and not filter_main
falsepositives:
  - Rare manual git hook execution by developers (investigate context)
level: medium
---
title: GitHub Actions Runner Spawning Reverse Shell
id: 1c2d3e4f-7g8h-6i7j-0e1f-2g3h4i5j6k7l
status: experimental
description: Detects GitHub Actions Runner worker processes spawning network utilities commonly used for reverse shells.
references:
  - https://www.sentinelone.com/blog/living-off-the-pipeline-defending-against-ci-cd-subversion/
author: Security Arsenal
date: 2025/04/01
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|contains:
      - 'Runner.Worker'
      - 'bin/Runner.Listener'
  selection_child:
    Image|endswith:
      - '/bash'
      - '/sh'
  selection_suspicious_cli:
    CommandLine|contains:
      - '/dev/tcp/'
      - 'bash -i'
      - 'exec 5<>/'
  condition: selection_parent and selection_child and selection_suspicious_cli
falsepositives:
  - Unlikely; highly indicative of abuse
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for CI tools spawning unauthorized network connections
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in (\"java\", \"Runner.Worker\", \"gitlab-runner\", \"javaw\")
| where ProcessFileName in (\"curl\", \"wget\", \"python\", \"python3\", \"perl\", \"bash\", \"sh\", \"nc\")
| extend ProcessCmdLine = coalesce(ProcessCommandLine, \"\")
| where ProcessCmdLine matches regex @\"http[s]?://[^\s]+\" 
       or ProcessCmdLine contains \"/dev/tcp/\"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessFileName, ProcessCommandLine, AccountName
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for recently modified git hooks in common CI directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs=\"/*/.git/hooks/*\")
WHERE Mtime > now() - 24h
   AND Mode.ModeString =~ \"x\"

-- Identify running processes that look like CI agents
SELECT Pid, Name, Exe, Username, CommandLine, Ctime
FROM pslist()
WHERE Name =~ \"java\" 
   OR Name =~ \"Runner\"
   OR Exe =~ \"jenkins\"

Remediation Script (Bash)

This script scans for common hardcoded secret patterns in CI configuration files (Jenkinsfiles, YAML workflows) and verifies file permissions on git hooks.

Bash / Shell
#!/bin/bash

# Audit CI/CD Repositories for hardcoded secrets and risky hooks
echo \"[*] Starting CI/CD Security Audit...\"

# Define directories to scan (modify based on your environment)
SCAN_DIRS=(\"/var/jenkins_home\" \"/home/gitlab-runner/builds\" \"/opt/actions-runner\")

# 1. Check for exposed secrets in YAML/Jenkinsfiles
echo \"[*] Scanning for hardcoded secrets in CI definitions...\"
KEYWORDS=(\"password\" \"secret\" \"api_key\" \"private_key\" \"aws_access\" \"token\")

for dir in \"${SCAN_DIRS[@]}\"; do
    if [ -d \"$dir\" ]; then
        echo \"    Scanning $dir ...\"
        find \"$dir\" -type f \\( -name \"Jenkinsfile\" -o -name \"*.yml\" -o -name \"*.yaml\" \\) -exec grep -i -l -E \"(${KEYWORDS[*]})\" {} \\;
    fi
done

# 2. Audit Git Hooks for suspicious modifications
echo \"[*] Scanning for recently modified Git hooks...\"
find / -type d -name \".git\" 2>/dev/null | while read gitdir; do
    hooksdir=\"$gitdir/hooks\"
    if [ -d \"$hooksdir\" ]; then
        # Find hooks modified in the last 24 hours or are world-writable
        find \"$hooksdir\" -type f -perm -o+w -o -mtime -1
    fi
done

echo \"[*] Audit complete. Review findings manually.\"

Remediation

To defend against CI/CD subversion, organizations must implement a "Zero Trust" approach to build pipelines:

  1. Enforce Branch Protection: Require pull request reviews and status checks before merging to main branches. This prevents direct injection of malicious code.
  2. Restrict CI/CD Credentials: Use short-lived, role-based tokens (e.g., OpenID Connect in AWS/GCP) instead of long-lived static secrets stored in environment variables.
  3. Allowlist Workflows: Many CI platforms (like GitHub Actions) allow you to restrict which actions can run. Prevent the use of unverified, third-party actions.
  4. Infrastructure Isolation: Run build agents in ephemeral, isolated containers (e.g., using Kubernetes or Firecracker microVMs). Agents should be destroyed immediately after the build completes.
  5. Audit Pipeline Permissions: Regularly audit who has permission to modify Jenkinsfile or workflow YAML files.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemci-cdsupply-chaindevsecops

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action