Github Self-Hosted Runner Execution
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_worker_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Worker.exe spawnclient 1288 1252
- Image|endswith: '\Runner.Worker.exe'
- OriginalFileName: 'Runner.Worker.dll'
selection_worker_cli:
CommandLine|contains: 'spawnclient'
selection_listener_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Listener.exe configure --url https://github.com/ABC/ABC --token 123123
- Image|endswith: '\Runner.Listener.exe'
- OriginalFileName: 'Runner.Listener.dll'
selection_listener_cli:
CommandLine|contains:
- 'run'
- 'configure'
condition: all of selection_worker_* or all of selection_listener_*Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
Authorized runner deployments by DevOps/Platform teams following change management
Scheduled runner updates or reconfigurations on existing build agents
Self-hosted runners that follow expected/known naming patterns
Installation via expected/known configuration management tools (reflected mostly as parent process name)
Tactics
Techniques
Sub-techniques