1. EXECUTIVE SUMMARY
Ghost-Pipeline is a sophisticated security research framework designed to audit the trust relationship between modern CI/CD environments and Cloud Service Providers. By targeting ephemeral OpenID Connect (OIDC) identities rather than static secrets, Ghost-Pipeline demonstrates a critical shift in the attack surface of modern DevOps: identity is the new perimeter.
CORE ATTACK VECTORS
- Target: OIDC/Cloud ephemeral identities.
- The Vector: Modern runners swap a GitHub JWT for short-lived cloud credentials.
- The Gap: Traditional scanners miss temporary JWTs generated in-memory during a build.
2. DEVELOPMENT LIFECYCLE (PHASES 0-5)
| PHASE | DESCRIPTION |
|---|---|
| Phase 0: Research | Researching the AssumeRoleWithWebIdentity API and OIDC/JWT vectors. |
| Phase 1: The Weaver | A Go-based agent (static binary) that intercepts $ACTIONS_ID_TOKEN_REQUEST_TOKEN. |
| Phase 2: AES-256-GCM | Cryptographic integrity layer with a 32-byte auto-padding engine to bypass DLP scanners. |
| Phase 3: Relay/C2 | An asynchronous Python/Flask "Mailbox" relay utilizing ngrok for encrypted tunneling. |
| Phase 4: Triage Engine | Automated log-sniffing for the net/v1.0.4 signature to decrypt stolen identities in real time. |
| Phase 5: Recursive Sync | Uses Linux dd for recursive chunking (50KB segments) to bypass HTTP log truncation. |
3. MITRE ATT&CK® MAPPING
| Tactic | Technique Name | ID | Implementation |
|---|---|---|---|
| Initial Access | Supply Chain Compromise | T1195.002 | Injecting the weaver into the build process. |
| Credential Access | Steal Application Access Token | T1528 | Intercepting the GitHub OIDC JWT. |
| Defense Evasion | Obfuscated Information | T1027 | AES-256-GCM encryption in STDOUT logs. |
| C2 | Application Layer Protocol | T1071.001 | Using HTTPS webhooks via ngrok. |
| Exfiltration | Transfer Data to Cloud Account | T1537 | Moving stolen data to an attacker S3 bucket. |
4. INCIDENT RESPONSE (IR) PLAYBOOK
If the signature net/v1.0.4 is detected in CI/CD logs:
- Immediate Revocation: Use `aws iam put-role-policy` to deny all actions for the affected IAM Role.
- Session Invalidation: Terminate all active STS sessions associated with the OIDC provider.
- Audit Workflows: Search for unauthorized binary execution or modified YAML steps.
- Harden OIDC Claims: Restrict the `sub` claim in IAM Trust Policies to specific branches.
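The last step, restricting the `sub` claim, as an added defender-side check that is not part of Ghost-Pipeline: a Python audit of an IAM role trust policy that flags a missing audience condition and a `sub` condition that is absent, wildcarded, or not pinned to a branch or environment. The two policies, the account ID and the repository names are constructed for the example.

```python
import json

# Constructed sample trust policies (not from the page) for a role assumed through
# GitHub's OIDC provider: the weak one trusts every repo and branch in the org, the
# hardened one pins the audience and a single repo/branch in the sub claim.
WEAK_TRUST_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/*"}},
    }],
})
HARDENED_TRUST_POLICY = json.dumps({
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
            "token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:ref:refs/heads/main",
        }},
    }],
})

SUB_KEY = "token.actions.githubusercontent.com:sub"
AUD_KEY = "token.actions.githubusercontent.com:aud"

def audit_trust_policy(policy_json: str) -> list[str]:
    """Return findings for Allow statements reachable through AssumeRoleWithWebIdentity."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        actions = stmt.get("Action", [])
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in (actions if isinstance(actions, list) else [actions]):
            continue
        # Flatten all condition operators so we can see which claims are pinned at all.
        claims = {k: v for kv in stmt.get("Condition", {}).values() for k, v in kv.items()}
        if AUD_KEY not in claims:
            findings.append(f"stmt {i}: no audience check on {AUD_KEY}")
        sub = claims.get(SUB_KEY)
        if sub is None:
            findings.append(f"stmt {i}: no {SUB_KEY} condition; any workflow on the provider can assume the role")
            continue
        for s in sub if isinstance(sub, list) else [sub]:
            if "*" in s or "?" in s:
                findings.append(f"stmt {i}: sub pattern '{s}' is not pinned to one repo/branch")
            elif ":ref:refs/heads/" not in s and ":environment:" not in s:
                findings.append(f"stmt {i}: sub '{s}' is not pinned to a branch or environment")
    return findings
```

Run it against the output of `aws iam get-role` for each role that trusts the GitHub OIDC provider; an empty result means the audience and `sub` claims are both pinned.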
5. RULES OF ENGAGEMENT & LEGAL
- Authorization: Written permission is mandatory.
- Cleanup: Execute the `exit` command to purge relay buffers and local logs.
- Disclaimer: Ghost-Pipeline is provided "as-is" for authorized testing. The developer (Jose Maria Micoli) assumes no liability for illegal use.
THE UNCOVER
"SECURITY IS A PROCESS OF CONSTANT R&D. THE ADVERSARY IS ALWAYS BUILDING; WE MUST BUILD FASTER."