Detection of Unauthorized GitHub Actions Runner Registration
The configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary can indicate malicious activity aimed at establishing remote code execution via malicious GitHub workflows.
This threat brief focuses on the malicious registration of GitHub Actions self-hosted runners. The attack involves adversaries registering a machine as a runner to a remote GitHub repository. Once registered, the attacker gains the ability to execute arbitrary workflow commands on the host. This can lead to supply chain compromise, remote code execution, and potentially lateral movement within a network. The rule detects the execution of Runner.Listener or Runner.Listener.exe with the configure, --url, and --token arguments, which are indicative of runner registration. This activity is particularly concerning as it provides a persistent remote access mechanism that bypasses traditional security controls.
Attack Chain
- Attacker gains initial access to a system via various methods (e.g., compromised credentials, phishing, exploiting vulnerabilities).
- Attacker downloads the GitHub Actions Runner software to the compromised host.
- Attacker executes
Runner.ListenerorRunner.Listener.exewith theconfigureargument. - The attacker provides the
--urlargument, pointing to a malicious or attacker-controlled GitHub repository. - The attacker provides the
--tokenargument, authenticating the runner against the malicious repository. - The compromised system registers as a self-hosted runner within the attacker's GitHub repository.
- The attacker creates or modifies workflows in the GitHub repository to execute arbitrary commands on the registered runner.
- The attacker triggers the malicious workflow, leading to command execution on the compromised host, potentially enabling data exfiltration, lateral movement, or the deployment of malware.
Impact
Successful exploitation allows attackers to execute arbitrary code on the registered runner machine. This can lead to data exfiltration, installation of malware, or use of the compromised system as a pivot point for further lateral movement within the network. The compromise can also lead to supply chain attacks if the runner has access to sensitive build processes or deployment pipelines. The scope of impact depends on the privileges of the account running the GitHub Actions Runner and the resources accessible from that host.
Recommendation
- Deploy the Sigma rule "Remote GitHub Actions Runner Registration" to detect the execution of
Runner.Listenerwith suspicious arguments (logsource: process_creation). - Investigate any alerts triggered by the Sigma rule "Remote GitHub Actions Runner Registration", focusing on the associated network and file activities.
- Implement application whitelisting to prevent unauthorized execution of binaries like
Runner.ListenerandRunner.Listener.exe(logsource: process_creation). - Review GitHub repository details for any suspicious workflows or run commands, particularly in the
.github/workflowsfolder (reference: https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise).
Detection coverage 3
Remote GitHub Actions Runner Registration
mediumDetects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary.
Suspicious GitHub Actions Runner Process Arguments
highDetects suspicious process arguments used during GitHub Actions runner registration.
Linux GitHub Actions Runner Registration
mediumDetects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary on Linux.
Detection queries are available on the platform. Get full rules →