Conversation
Adds execution from the GH runner entrypoint script to the rule scope, as well as a few binaries.
Rule: Tuning - Guidelines
These guidelines serve as a reminder set of considerations when tuning an existing rule.
- Documentation and Context
- Rule Metadata Checks
- Testing and Validation
⛔️ Test failed
DefSecSentinel left a comment:
Thanks for the responses. Looks good.
Context:
  /* Secret management */
  "vault",
  /* GitHub CLI */
  "gh"

Suggested change: replace
  "gh"
with
  "gh",
  /* AWS CLI */
  "aws",
  /* Azure CLI */
  "az",
  /* GCP CLI */
  "gcloud",
  /* Google Workspace CLI */
  "gws"
We can add cloud CLIs, but there is a chance that FPs will increase, especially if these are runners that leverage them to accomplish auth/ops.
Context:
  /* Crypto / encoding (potential exfiltration or C2 channel) */
  "openssl", "base64",
  /* Data manipulation / inspection */
  "tr", "cat",

Curious if we should add grep, sed, awk here for common credential recon.
Context:
  /* Windows scripting & LOLBins */
  "powershell.exe", "cmd.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
  /* Unix shells */
  "bash", "sh", "zsh", "dash", "ash", "tcsh", "csh", "ksh", "fish",

Suggested change: replace
  "bash", "sh", "zsh", "dash", "ash", "tcsh", "csh", "ksh", "fish",
with
  "bash", "sh", "zsh", "dash", "ash", "tcsh", "csh", "ksh", "fish", "mksh", "busybox", "pwsh",
Context:
  /* Unix shells */
  "bash", "sh", "zsh", "dash", "ash", "tcsh", "csh", "ksh", "fish",
  /* File / archive manipulation */
  "tar", "rm", "sed", "chmod",

Suggested change: replace
  "tar", "rm", "sed", "chmod",
with
  "tar", "gzip", "rm", "sed", "chmod",
Context:
  /* Process persistence helpers */
  "nohup", "setsid",
  /* Scripting runtimes */
  "python*", "perl*", "ruby*", "lua*", "php*", "node", "node.exe",

Suggested change: replace
  "python*", "perl*", "ruby*", "lua*", "php*", "node", "node.exe",
with
  "python*", "perl*", "ruby*", "lua*", "php*", "node", "nodejs", "node.exe",
Context:
  /* Discovery & reconnaissance */
  "pgrep", "grep", "find", "printenv", "env", "nmap",
  /* Crypto / encoding (potential exfiltration or C2 channel) */
  "openssl", "base64",

Suggested change: replace
  "openssl", "base64",
with
  "openssl", "base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16", "xxd",
Context:
  /* Data manipulation / inspection */
  "tr", "cat",
  /* Network relay / tunneling */
  "nc", "ncat", "netcat", "socat", "wg", "wg-quick",

Suggested change: replace
  "nc", "ncat", "netcat", "socat", "wg", "wg-quick",
with
  "nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "socat", "wg", "wg-quick",
Context:
  /* Network relay / tunneling */
  "nc", "ncat", "netcat", "socat", "wg", "wg-quick",
  /* Remote access */
  "ssh", "ssh.exe",

Suggested change: replace
  "ssh", "ssh.exe",
with
  "ssh", "ssh.exe", "ftp", "tftp", "scp", "sftp",
Context:
  /* Remote access */
  "ssh", "ssh.exe",
  /* Kubernetes / infrastructure */
  "kubectl", "helm",

Suggested change: replace
  "kubectl", "helm",
with
  "kubectl", "helm", "docker", "ctr", "crictl",
Context:
  /* GitHub CLI */
  "gh"

Suggested change: replace
  /* GitHub CLI */
  "gh"
with
  /* GitHub CLI */
  "gh",
  /* Misc. */
  "kill", "killall", "pkill", "getcap", "capsh", "chpasswd", "dd"
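The thread above is about what goes into the rule's process-name list and how each addition shifts the coverage/false-positive balance (the cloud CLI point in particular). The following is an added example, not code from the PR or from the rule's repository: a small matcher that treats the list the way the discussion does (exact names plus glob-style entries such as "python*") and runs it over constructed sample process events so the events that fire only because of the proposed additions can be reviewed as an FP candidate set. The entrypoint script name and the glob semantics are assumptions; the rule's real matching behaviour may differ.

```python
"""Added example (not the rule's own logic): evaluate a binary list like the one
under review against constructed process events and show which events fire
only because of the entries proposed in the review thread."""
from fnmatch import fnmatchcase

# Representative subset of the rule's binary list as quoted in the PR discussion.
BASE_BINARIES = [
    "bash", "sh", "zsh", "dash", "ash", "tcsh", "csh", "ksh", "fish",
    "tar", "rm", "sed", "chmod",
    "nohup", "setsid",
    "python*", "perl*", "ruby*", "lua*", "php*", "node", "node.exe",
    "pgrep", "grep", "find", "printenv", "env", "nmap",
    "openssl", "base64",
    "tr", "cat",
    "nc", "ncat", "netcat", "socat", "wg", "wg-quick",
    "ssh", "ssh.exe",
    "kubectl", "helm",
    "vault",
    "gh",
]

# Entries proposed in the review comments (cloud CLIs, extra shells, etc.).
PROPOSED_ADDITIONS = [
    "aws", "az", "gcloud", "gws",
    "mksh", "busybox", "pwsh",
    "gzip", "nodejs",
    "docker", "ctr", "crictl",
    "ftp", "tftp", "scp", "sftp",
]

# Assumed placeholder for the runner entrypoint script the rule keys on; the
# real rule's parent-process condition is not reproduced here.
RUNNER_ENTRYPOINT = "runner-entrypoint.sh"


def name_matches(process_name, patterns):
    """True if process_name matches any list entry. Entries containing '*' are
    treated as globs (assumption: 'python*' is meant to cover 'python3.12');
    all other entries must match exactly, so 'node' does not cover 'nodejs'."""
    return any(fnmatchcase(process_name, pattern) for pattern in patterns)


def evaluate(events, patterns):
    """Return the events that would fire: parent is the entrypoint script and
    the child process name is in the list."""
    return [
        event for event in events
        if event["parent"] == RUNNER_ENTRYPOINT and name_matches(event["name"], patterns)
    ]


def new_hits(events, base, additions):
    """Events that fire with the extended list but not with the base list.
    This is the set a rule tuner should review for false positives before
    accepting a broader list (the concern raised about cloud CLIs)."""
    before = {id(e) for e in evaluate(events, base)}
    return [e for e in evaluate(events, base + additions) if id(e) not in before]


# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"name": "python3.12", "parent": RUNNER_ENTRYPOINT, "note": "workflow step runs a script"},
    {"name": "aws", "parent": RUNNER_ENTRYPOINT, "note": "runner authenticating to cloud"},
    {"name": "ncat", "parent": RUNNER_ENTRYPOINT, "note": "network relay from runner"},
    {"name": "aws", "parent": "bash", "note": "not a child of the entrypoint"},
    {"name": "nodejs", "parent": RUNNER_ENTRYPOINT, "note": "Debian-style node binary name"},
]


def fired_names(events, patterns):
    """Convenience: names of the events that fire, in event order."""
    return [e["name"] for e in evaluate(events, patterns)]


if __name__ == "__main__":
    print("base list fires on:    ", fired_names(SAMPLE_EVENTS, BASE_BINARIES))
    print("extended list fires on:", fired_names(SAMPLE_EVENTS, BASE_BINARIES + PROPOSED_ADDITIONS))
    for event in new_hits(SAMPLE_EVENTS, BASE_BINARIES, PROPOSED_ADDITIONS):
        print("review for FP:", event["name"], "-", event["note"])
```

Running it shows "aws" and "nodejs" as the only events gained by the additions: "nodejs" is a coverage gain (the exact entry "node" never matched it), while "aws" from the entrypoint is exactly the benign auth/ops activity the thread flags, so a tuner would decide per environment whether that hit is acceptable or whether an exception is needed.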