Hunting CI/CD Compromise in AWS — CodeBuild, CodePipeline, and the buildspec backdoor · HackForLab AWS Threat Hunting Part 4

Hunting CI/CD Compromise in AWS: CodeBuild, CodePipeline, and the Buildspec Backdoor

AWS THREAT HUNTING · PART 04 OF 07 · 2026

An attacker who compromises your CI/CD pipeline owns every artefact you ship from that point forward. AWS CodeBuild and CodePipeline expose four distinct compromise surfaces that most cloud SOCs do not monitor. This article ships the detection logic for all four.

The CI/CD layer of AWS has become a high-value target. The infrastructure that builds and deploys your code runs with privileged credentials, has access to source code and secrets, and produces artefacts that downstream services trust implicitly. Compromising a CI/CD pipeline is functionally equivalent to compromising every service it deploys to.

Part 4 of the AWS Threat Hunting series covers the four most-exploited CI/CD compromise patterns observed in 2025-2026 incident response: the buildspec backdoor, the runner takeover, the secrets exfiltration during build, and the artefact poisoning chain.


01 · Why this hunt matters

CI/CD attacks in AWS are increasingly viable because of three structural factors. First, build-runner IAM roles are often broadly scoped — engineering teams configure them with deployment-friendly permissions that are also exfiltration-friendly. Second, buildspec.yml files live in source control where any committer can modify them, but the resulting pipeline actions execute with the build role’s privileges. Third, secrets are routinely passed into build environments through environment variables, command-line arguments, or fetched-at-runtime patterns that all leave artefacts in build logs.


02 · Adversary tradecraft

Pattern 01 — Buildspec backdoor

The attacker submits a pull request that modifies buildspec.yml to add a malicious shell command (for example, a curl to an exfiltration destination or an AWS CLI call that enumerates secrets). If the PR is merged, or if branch-protection rules are misconfigured, the next build executes the malicious command with the build role’s privileges.

Pattern 02 — Runner takeover

The attacker exploits a vulnerability in a dependency the build downloads (a malicious npm package, a poisoned container image) to gain code execution inside the build runner. From there they have access to the build role credentials via the instance metadata service.

Pattern 03 — Secrets exfiltration during build

The build environment receives secrets through environment variables. The attacker who has any form of code execution in the build (legitimate test code, a postinstall script, a Lambda layer) reads the environment and exfiltrates the secrets through DNS queries, HTTP requests, or build-log injection.

Pattern 04 — Artefact poisoning

The build produces deployment artefacts (Docker images, Lambda packages, CloudFormation templates) that are stored in S3 or ECR. An attacker with write access to the artefact store modifies the artefact between build and deploy. The deploy stage then ships poisoned code as if it were the legitimate build output.

03 · Telemetry needed

  • CodeBuild project change events — UpdateProject, BatchPutCodeCoverages, StartBuild.
  • CodePipeline state change events — pipeline configuration updates and stage transitions.
  • CloudWatch Logs from the build environment — capture every command and output for forensic visibility.
  • S3 / ECR write events on artefact stores — captured through data events.
  • VPC Flow Logs from build runners — outbound network connections.
  • Source-control commit events — buildspec.yml modifications need to be flagged at commit time.


04 · Hunt queries

Hunt query 01 — Buildspec file modification followed by build trigger

WITH spec_changes AS (
  SELECT commit_sha, author, modified_files, commit_time
  FROM source_control_audit
  WHERE 'buildspec.yml' = ANY(modified_files)
    AND commit_time BETWEEN '2026-06-08' AND '2026-06-14'
),
builds AS (
  SELECT project_name, build_id, source_commit, started_at
  FROM codebuild_events
  WHERE started_at BETWEEN '2026-06-08' AND '2026-06-14'
)
SELECT s.author, s.commit_sha, b.project_name, b.build_id, b.started_at
FROM spec_changes s
JOIN builds b ON b.source_commit = s.commit_sha
WHERE s.author NOT IN (SELECT principal FROM trusted_pipeline_authors);

Hunt query 02 — Build runner outbound to non-baseline destination

SELECT build_id, project_name, dst_ip, dst_host, COUNT(*) AS conn_count
FROM vpc_flow_logs_with_build_attribution
WHERE ts BETWEEN '2026-06-08' AND '2026-06-14'
  AND dst_ip NOT IN (SELECT ip FROM build_baseline_destinations)
GROUP BY build_id, project_name, dst_ip, dst_host
HAVING COUNT(*) > 1;

Hunt query 03 — IAM credential enumeration from build environment

SELECT eventTime, userIdentity.arn AS principal, sourceIPAddress,
       eventName, requestParameters
FROM cloudtrail_logs
WHERE eventName IN ('GetCallerIdentity', 'ListRoles', 'GetRolePolicy',
                    'ListAttachedRolePolicies', 'ListUsers', 'ListAccessKeys')
  AND userIdentity.arn LIKE '%codebuild%'
  AND eventTime BETWEEN '2026-06-08' AND '2026-06-14'
  AND sourceIPAddress NOT IN (SELECT ip FROM build_runner_known_ips);

05 · Sigma rule

title: CodeBuild Runner Outbound to Non-Baseline Destination
id: 8d5e6f77-9a0b-4c12-ad1e-2f3a4b5c6d7e
status: experimental
description: |
  Detects a CodeBuild runner producing outbound network connections
  to destinations outside its 30-day baseline — surfaces runner takeover
  and secrets exfiltration during build.
author: HackForLab
date: 2026/06/16
references:
  - https://hackforlab.com/aws-cicd-compromise-hunt-2026/
tags:
  - attack.exfiltration
  - attack.t1041
  - attack.initial_access
  - attack.t1195.002
logsource:
  product: aws
  service: vpc_flow
detection:
  selection:
    src_eni_owner|contains: 'codebuild'
  filter_baseline:
    dst_ip|expand: '%BUILD_BASELINE_DESTINATIONS%'
  condition: selection and not filter_baseline
fields:
  - src_eni
  - dst_ip
  - dst_port
  - bytes
falsepositives:
  - Newly added approved external dependencies (update baseline)
level: high

06 · Ship as a production detection

The hardest engineering step is build-runner attribution in VPC Flow Logs. Build runners are short-lived; their ENI ownership rotates. Maintain a near-real-time table of active build-runner ENIs (sourced from EC2 events) that the Flow Log join can use. Map detections to T1195.002 (Supply Chain Compromise) and T1041 (Exfiltration Over C2 Channel).
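The time-windowed join described above, as an added example that is not part of the original article: a flow record is attributed to a build only if its start time falls inside the window in which that build held the ENI, and attributed flows are then checked against the egress baseline. The ENI table layout, build IDs and all sample records are constructed assumptions; the flow fields are a subset of the default VPC Flow Log fields.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

def epoch(iso):
    """ISO-8601 (UTC) -> Unix seconds, the unit of a flow record's `start`."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())

# Constructed sample data; the table layout and build IDs are assumptions.
ENI_WINDOWS = [  # (eni, build_id, attached, detached or None while still running)
    ("eni-0aaa", "web:b-1", epoch("2026-06-10T10:00:00"), epoch("2026-06-10T10:12:00")),
    ("eni-0aaa", "api:b-7", epoch("2026-06-10T11:00:00"), None),
]
BASELINE = [ip_network("198.51.100.0/24")]  # approved egress (documentation range)
FLOWS = [
    {"interface_id": "eni-0aaa", "dstaddr": "198.51.100.20", "dstport": 443,
     "bytes": 5200, "start": epoch("2026-06-10T10:03:00")},   # baseline traffic
    {"interface_id": "eni-0aaa", "dstaddr": "203.0.113.77", "dstport": 443,
     "bytes": 90412, "start": epoch("2026-06-10T10:05:00")},  # during web:b-1
    {"interface_id": "eni-0aaa", "dstaddr": "203.0.113.77", "dstport": 443,
     "bytes": 300, "start": epoch("2026-06-10T10:30:00")},    # outside any window
    {"interface_id": "eni-0aaa", "dstaddr": "203.0.113.9", "dstport": 53,
     "bytes": 120, "start": epoch("2026-06-10T11:02:00")},    # during api:b-7
    {"interface_id": "eni-0bbb", "dstaddr": "203.0.113.9", "dstport": 443,
     "bytes": 10, "start": epoch("2026-06-10T11:02:00")},     # not a runner ENI
]

def attribute(flow, windows=ENI_WINDOWS):
    """Return the build that held the ENI when the flow started, else None."""
    for eni, build_id, attached, detached in windows:
        if (eni == flow["interface_id"] and attached <= flow["start"]
                and (detached is None or flow["start"] < detached)):
            return build_id
    return None

def in_baseline(ip, baseline=BASELINE):
    return any(ip_address(ip) in net for net in baseline)

def hunt(flows=FLOWS):
    """Attributed runner flows whose destination is outside the baseline."""
    hits = []
    for f in flows:
        build = attribute(f)
        if build and not in_baseline(f["dstaddr"]):
            hits.append((build, f["dstaddr"], f["dstport"], f["bytes"]))
    return hits

if __name__ == "__main__":
    for hit in hunt():
        print(hit)
```

Without the window check, the 10:30 record would be attributed to whichever build last held the ENI, which is the misattribution the near-real-time table exists to prevent.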

07 · False-positive considerations

New external dependencies added to the build pipeline are the dominant FP source. Mitigate by integrating the detection with the dependency-update PR review process — new dependencies must come through a reviewed change. Allowlist additions happen by approval, not by silent suppression.

08 · Response actions

Response: immediately freeze the affected pipeline; rotate the build role’s session credentials; audit all artefacts produced by the build in the last 30 days; pull the buildspec.yml file from the affected build and review for unauthorised modifications; investigate the committer if a buildspec change is implicated.

09 · FAQ

Why isn’t this just a developer-tooling concern?

CI/CD compromise produces full cloud-environment impact through the deploy step. It is a security operations concern by every reasonable definition.

Should we block all outbound from build runners?

Yes, with a curated egress allowlist. Most builds need only a few well-defined destinations (package registries, container registries, deploy targets). Everything else is suspicious.

How do we monitor source-control commit events from inside AWS?

If your source-control system is in AWS (CodeCommit), CloudTrail captures commit events. For external systems, integrate the webhook stream with your SIEM.

What about third-party CI/CD platforms?

Same patterns apply. The buildspec backdoor, runner takeover, secrets exfil, and artefact poisoning are platform-agnostic. The detection telemetry shifts to the third-party platform’s audit log.

How often should buildspec.yml files change?

Rarely. A weekly anomaly check on buildspec.yml change frequency is a useful lightweight detection. Sudden spikes warrant review.
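One way to run the weekly change-frequency check, as an added example that is not part of the original article: commits touching buildspec.yml are bucketed per repository into Monday-based weeks, quiet weeks are zero-filled so they count towards the baseline, and the latest week is compared with the preceding ones. The commit records are constructed, and the eight-week lookback, `k` and `floor` are assumed tunables.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed sample: (repo, commit date) for commits that touched buildspec.yml.
COMMITS = [
    ("web", date(2026, 4, 28)), ("web", date(2026, 5, 26)),
    ("web", date(2026, 6, 9)), ("web", date(2026, 6, 10)),
    ("web", date(2026, 6, 11)), ("web", date(2026, 6, 12)),
    ("api", date(2026, 5, 5)), ("api", date(2026, 6, 9)),
]

def week_start(d):
    """Monday of the week containing d."""
    return d - timedelta(days=d.weekday())

def weekly_counts(commits, repo, end_week, weeks):
    """Per-week change counts, oldest first, for `weeks` weeks ending at end_week.
    Weeks with no change are zero-filled so quiet periods count in the baseline."""
    seen = Counter(week_start(d) for r, d in commits if r == repo)
    last = week_start(end_week)
    return [seen[last - timedelta(weeks=i)] for i in range(weeks - 1, -1, -1)]

def spikes(commits, end_week, weeks=8, k=3.0, floor=3):
    """Repos whose latest week has at least `floor` changes and exceeds
    mean + k * stdev of the preceding weeks. k and floor are assumed tunables."""
    flagged = []
    for repo in sorted({r for r, _ in commits}):
        *history, current = weekly_counts(commits, repo, end_week, weeks)
        if current >= floor and current > mean(history) + k * pstdev(history):
            flagged.append((repo, current, history))
    return flagged

if __name__ == "__main__":
    for repo, current, history in spikes(COMMITS, date(2026, 6, 8)):
        print(f"{repo}: {current} buildspec.yml changes this week, prior weeks {history}")
```

The `floor` keeps a repository with an all-zero history from alerting on a single routine change, since its standard deviation is zero.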
