Execution via GitHub Actions Runner
Compromised GitHub Actions workflows allow attackers to execute arbitrary commands on self-hosted runners, leading to code execution, file manipulation, and potential data exfiltration.
Attackers can exploit self-hosted GitHub Actions runners by gaining the ability to modify or trigger workflows in a linked GitHub repository. This allows the execution of arbitrary commands on the runner host, potentially leading to malicious or unexpected workflow activity. This includes unauthorized code execution, file manipulation, and network exfiltration, all initiated through a compromised repository. The attacks observed leverage a variety of scripting languages and tools, including curl, wget, PowerShell, and others, to achieve their objectives, which necessitates comprehensive monitoring across different platforms. The incident observed aligns with supply chain compromise attack vectors.
Attack Chain
- An attacker gains control of a GitHub repository linked to a self-hosted Actions runner, potentially through compromised credentials or a vulnerable dependency.
- The attacker modifies a workflow file (.yml) in the repository to include malicious commands, such as downloading and executing a reverse shell.
- The compromised workflow is triggered, either manually or by a scheduled event, causing the GitHub Actions Runner to execute the attacker's malicious code.
- The
Runner.Workerprocess spawns a command interpreter (e.g.,powershell.exe,bash) to execute the attacker-controlled commands embedded in the workflow. - The attacker utilizes tools like
curlorwgetto download additional payloads or scripts from external sources to the runner machine. - Using
certutil.exethe attacker downloads and decodes additional payloads. - The attacker establishes persistence by adding a scheduled task or modifying registry keys using commands executed via the GitHub Actions runner.
- The attacker exfiltrates sensitive data from the runner host to an external server using tools like
curlorpowershell.
Impact
Successful exploitation allows attackers to execute arbitrary code on the self-hosted runner machine. This can lead to the compromise of sensitive data stored on the runner, such as credentials or API keys. Attackers can also use the compromised runner as a pivot point to gain access to other internal systems. Observed attacks have focused on supply chain compromises with an unknown number of victims. The impact can range from data breaches and financial loss to reputational damage.
Recommendation
- Deploy the Sigma rule "Execution via GitHub Actions Runner - Suspicious Tools" to detect the execution of common attacker tools spawned by the GitHub Actions runner (rule: Execution via GitHub Actions Runner - Suspicious Tools).
- Monitor process execution logs for child processes of
Runner.WorkerorRunner.Worker.exethat execute suspicious commands (log source: process_creation). - Implement application whitelisting to prevent unauthorized execution of binaries on the self-hosted runner machines (general hardening guidance).
- Review and audit GitHub workflow configurations for any unauthorized or suspicious modifications (GitHub audit logs).
Detection coverage 2
Execution via GitHub Actions Runner - Suspicious Tools
mediumDetects suspicious tools spawned by the GitHub Actions Runner process, indicating potential malicious activity.
Execution via GitHub Actions Runner - Suspicious Location
highDetects suspicious execution from /tmp or similar directories by a Github Actions runner.
Detection queries are available on the platform. Get full rules →