Talk Intermediate 13:15 - 14:00 August 11, 2023

Yusuke Kubo

Kiyohito Yamamoto

We are investigating new attack vectors in GitHub Actions, a CI/CD service. Through an analysis of GitHub Actions behavior on Windows, our research has discovered two attack techniques:

・Malicious Custom Action: an attack technique that executes arbitrary TTPs from custom actions. We introduce two types, “Malicious JScript Composite Action” and “Malicious JavaScript Custom Action”.

・GitHub Actions C2: We will demonstrate a new C2 framework using a self-hosted runner in GitHub Actions.

In this presentation, we will provide a detailed explanation of these attack techniques, along with PoC code and demonstrations. We will also discuss real-world threats and provide insight on detection and mitigation strategies.

Yusuke Kubo

NTT Communications, TechLead & Offensive Security Researcher

Yusuke Kubo works as an Offensive Security Researcher at NTT Communications, a Japanese telecommunications company, and is also an NTT Group Certified Security Principal. He contributed to MITRE ATT&CK regarding Safe Mode Boot (T1562.009).


Kiyohito Yamamoto

NTT Communications Corporation

Kiyohito Yamamoto has 8 years of experience as a Security Engineer at NTT Communications, and is also an NTT Group Certified Security Principal. He served as a Senior Response Expert during the Tokyo Olympics and also conducted TLPT tests.