Yusuke Kubo
Kiyohito Yamamoto
We are investigating new attack vectors in a CI/CD service called GitHub Actions. Through an analysis of GitHub Actions behavior on Windows, our research has discovered two attack techniques:
・Malicious Custom Action: an attack technique that executes arbitrary TTPs from custom actions. We introduce two types, “Malicious JScript Composite Action” and “Malicious JavaScript Custom Action”.
・GitHub Actions C2: we will demonstrate a new C2 framework using a self-hosted runner in GitHub Actions.
In this presentation, we will provide a detailed explanation of these attack techniques, along with PoC code and demonstrations. We will also discuss real-world threats and provide insight into detection and mitigation strategies.
Yusuke Kubo
NTT Communications, TechLead & Offensive Security Researcher
Yusuke Kubo works as an Offensive Security Researcher at NTT Communications, a Japanese telecommunications company, and is also an NTT Group Certified Security Principal. He also contributed to MITRE ATT&CK regarding Safe Mode Boot (T1562.009).
Kiyohito Yamamoto
NTT Communications Corporation
Kiyohito Yamamoto has 8 years of experience as a Security Engineer at NTT Communications, and is also an NTT Group Certified Security Principal. He served as a Senior Response Expert during the Tokyo Olympics and also conducted TLPT tests.