Skip to content
Threat Feed
medium advisory

Detection of Unauthorized GitHub Actions Runner Registration

The configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary can indicate malicious activity aimed at establishing remote code execution via malicious GitHub workflows.

This threat brief focuses on the malicious registration of GitHub Actions self-hosted runners. The attack involves adversaries registering a machine as a runner to a remote GitHub repository. Once registered, the attacker gains the ability to execute arbitrary workflow commands on the host. This can lead to supply chain compromise, remote code execution, and potentially lateral movement within a network. The rule detects the execution of Runner.Listener or Runner.Listener.exe with the configure, --url, and --token arguments, which are indicative of runner registration. This activity is particularly concerning as it provides a persistent remote access mechanism that bypasses traditional security controls.

Attack Chain

  1. Attacker gains initial access to a system via various methods (e.g., compromised credentials, phishing, exploiting vulnerabilities).
  2. Attacker downloads the GitHub Actions Runner software to the compromised host.
  3. Attacker executes Runner.Listener or Runner.Listener.exe with the configure argument.
  4. The attacker provides the --url argument, pointing to a malicious or attacker-controlled GitHub repository.
  5. The attacker provides the --token argument, authenticating the runner against the malicious repository.
  6. The compromised system registers as a self-hosted runner within the attacker's GitHub repository.
  7. The attacker creates or modifies workflows in the GitHub repository to execute arbitrary commands on the registered runner.
  8. The attacker triggers the malicious workflow, leading to command execution on the compromised host, potentially enabling data exfiltration, lateral movement, or the deployment of malware.

Impact

Successful exploitation allows attackers to execute arbitrary code on the registered runner machine. This can lead to data exfiltration, installation of malware, or use of the compromised system as a pivot point for further lateral movement within the network. The compromise can also lead to supply chain attacks if the runner has access to sensitive build processes or deployment pipelines. The scope of impact depends on the privileges of the account running the GitHub Actions Runner and the resources accessible from that host.

Recommendation

  • Deploy the Sigma rule "Remote GitHub Actions Runner Registration" to detect the execution of Runner.Listener with suspicious arguments (logsource: process_creation).
  • Investigate any alerts triggered by the Sigma rule "Remote GitHub Actions Runner Registration", focusing on the associated network and file activities.
  • Implement application whitelisting to prevent unauthorized execution of binaries like Runner.Listener and Runner.Listener.exe (logsource: process_creation).
  • Review GitHub repository details for any suspicious workflows or run commands, particularly in the .github/workflows folder (reference: https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise).

Detection coverage 3

Remote GitHub Actions Runner Registration

medium

Detects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary.

sigma tactics: command_and_control, execution, initial_access techniques: T1059, T1195, T1219 sources: process_creation, windows

Suspicious GitHub Actions Runner Process Arguments

high

Detects suspicious process arguments used during GitHub Actions runner registration.

sigma tactics: command_and_control, execution, initial_access techniques: T1059, T1195, T1219 sources: process_creation, windows

Linux GitHub Actions Runner Registration

medium

Detects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary on Linux.

sigma tactics: command_and_control, execution, initial_access techniques: T1059, T1195, T1219 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →