GitHub workflow run logs deleted then run deleted
Goal
Detects deletion of a workflow run's logs immediately followed by deletion of the workflow run itself, matching the evidence cleanup sequence performed by [Nord Stream][1] after secret extraction.
Strategy
This rule monitors GitHub API requests for DELETE calls to workflow run log endpoints followed by deletion of the run record within the same evaluation window. Nord Stream deletes run logs before deleting the run as part of its cleanup phase to remove evidence of the malicious workflow execution. While individual workflow run deletions can be legitimate housekeeping, the ordered sequence of log deletion then run deletion from the same identity is characteristic of automated tool behaviour.
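As an added illustration of the sequence logic described above (example code, not Datadog's rule implementation), the following Python snippet correlates GitHub API request records and flags a log deletion followed by deletion of the same run by the same identity within a window. The record tuple shape, the sample records and the 15-minute window are assumptions; the two endpoint paths are GitHub's documented "delete workflow run logs" and "delete a workflow run" routes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of API request records (timestamp, actor, method, path).
# These are not real logs; they model the paths
#   DELETE /repos/{owner}/{repo}/actions/runs/{run_id}/logs
#   DELETE /repos/{owner}/{repo}/actions/runs/{run_id}
SAMPLE_REQUESTS = [
    ("2024-05-01T10:00:00Z", "ci-bot", "DELETE", "/repos/acme/app/actions/runs/101/logs"),
    ("2024-05-01T10:00:02Z", "ci-bot", "DELETE", "/repos/acme/app/actions/runs/101"),
    ("2024-05-01T10:05:00Z", "alice",  "DELETE", "/repos/acme/app/actions/runs/202"),
    ("2024-05-01T11:00:00Z", "bob",    "DELETE", "/repos/acme/app/actions/runs/303/logs"),
    ("2024-05-01T13:00:00Z", "bob",    "DELETE", "/repos/acme/app/actions/runs/303"),
]

RUN_RE = re.compile(
    r"^/repos/(?P<repo>[^/]+/[^/]+)/actions/runs/(?P<run_id>\d+)(?P<logs>/logs)?$"
)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_cleanup_sequences(requests, window=timedelta(minutes=15)):
    """Return (actor, repo, run_id) for every run whose logs were deleted and
    whose run record was then deleted by the same actor within `window`.
    A lone run deletion (no preceding log deletion) is not reported."""
    pending = {}   # (actor, repo, run_id) -> time the logs were deleted
    hits = []
    for ts, actor, method, path in sorted(requests, key=lambda r: parse_ts(r[0])):
        if method != "DELETE":
            continue
        m = RUN_RE.match(path)
        if not m:
            continue
        key = (actor, m["repo"], m["run_id"])
        t = parse_ts(ts)
        if m["logs"]:
            pending[key] = t                       # step 1: logs deleted
        elif key in pending and t - pending.pop(key) <= window:
            hits.append(key)                       # step 2: run deleted soon after
    return hits


if __name__ == "__main__":
    for actor, repo, run_id in find_cleanup_sequences(SAMPLE_REQUESTS):
        print(f"cleanup sequence: actor={actor} repo={repo} run_id={run_id}")
```

With the default window only ci-bot's run 101 is flagged; bob's two-hour gap on run 303 falls outside it, and alice's run 202 had no preceding log deletion.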
Triage and response
- Identify which workflow runs were deleted by {{@github.actor}} and determine whether the runs were associated with a legitimate pipeline or a short-lived branch.
- Check the repository for recently deleted branches that may correspond to a Nord Stream extraction attempt.
- Review {{@github.actor}}'s recent activity for preceding secret enumeration or branch protection changes.
- Determine whether any secrets accessible to the affected repository were rotated or audited recently.