Threat Feed
Advisory severity: medium

GitHub Enterprise Self-Hosted Runner Registration

A self-hosted runner was created in GitHub Enterprise, which could be exploited by attackers to execute malicious code, access sensitive data, or pivot to other systems.

This alert identifies the creation of a self-hosted runner in GitHub Enterprise by monitoring GitHub Enterprise audit logs. Self-hosted runners execute workflow jobs on customer-controlled infrastructure. Attackers can abuse compromised runners to execute malicious code, access sensitive data, or pivot to other systems within the environment. While self-hosted runners are a legitimate feature, their creation should be carefully controlled as compromised runners pose significant security risks. It is crucial to investigate any unexpected runner creation events to ensure they are authorized and properly secured, especially if initiated by unfamiliar users or in unusual contexts. This activity may indicate a supply chain attack or other malicious activity.

Attack Chain

  1. An attacker gains access to a GitHub Enterprise account or obtains sufficient privileges to register a self-hosted runner.
  2. The attacker registers a new self-hosted runner within the GitHub Enterprise organization or enterprise account. This action is logged in the GitHub Enterprise audit logs.
  3. The newly registered runner is configured to execute workflow jobs within the GitHub Enterprise environment.
  4. The attacker modifies or injects malicious code into a GitHub workflow that will be executed by the compromised runner. This may involve actions such as pull requests or direct commits to the repository.
  5. The compromised runner executes the malicious workflow job, allowing the attacker to execute arbitrary code on the runner infrastructure.
  6. The attacker leverages the compromised runner to access sensitive data stored within the GitHub environment or accessible to the runner.
  7. The attacker pivots from the compromised runner to other systems within the network, potentially gaining access to additional resources and sensitive information.
  8. The attacker may exfiltrate data from the environment or maintain persistence on the compromised systems for future malicious activities.

Impact

Successful exploitation via a compromised self-hosted runner can lead to remote code execution, data exfiltration, and lateral movement within the targeted environment. A compromised runner allows attackers to execute arbitrary code, access sensitive data, and potentially pivot to other systems, resulting in significant damage and potential data breaches. The scope of the impact depends on the permissions and access levels of the compromised runner.

Recommendation

  • Enable GitHub Enterprise Audit log streaming to a SIEM like Splunk, as described in the GitHub documentation, to capture runner registration events.
  • Deploy the Sigma rule GitHub Enterprise Register Self Hosted Runner to detect unauthorized or suspicious runner creations.
  • Monitor the user_agent field in the audit logs for unusual or unexpected values associated with runner registration events.
  • Investigate any alerts generated by the Sigma rule, focusing on the actor, actor_id, and user_agent fields.
  • Implement strong access controls and multi-factor authentication for GitHub Enterprise accounts, especially those with permissions to manage runners.
  • Regularly review and audit the list of registered self-hosted runners in GitHub Enterprise to identify any unauthorized or suspicious entries.
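The triage the recommendations above describe (watch the audit log for runner registrations, then look at actor, actor_id and user_agent) can be run over streamed audit-log events as JSON lines. The following Python script is an added example, not the platform's own Sigma rules or detection queries. It keys on the register_self_hosted_runner audit actions GitHub documents at enterprise, organization and repository scope, and it treats a user agent that lacks the GitHubActionsRunner marker (an assumption about what a legitimate runner sends; tune it for your fleet) or that is missing entirely as unusual. The sample events are constructed, not real audit data, and the two rule names from this page are reused only as labels on the findings.

```python
"""Flag self-hosted runner registrations in GitHub Enterprise audit-log events.

Added example: reads streamed audit-log events as JSON lines, keeps the
runner-registration actions, and labels each with the two detections
described on this page (registration = medium, unusual user agent = low).
"""
import json
from typing import Iterator, List, Optional

# Audit-log actions emitted when a self-hosted runner is registered at
# enterprise, organization or repository scope.
RUNNER_REGISTRATION_ACTIONS = {
    "enterprise.register_self_hosted_runner",
    "org.register_self_hosted_runner",
    "repo.register_self_hosted_runner",
}

# Assumption for illustration: a legitimate runner identifies itself with
# this product token in user_agent. Adjust to what your fleet actually sends.
EXPECTED_USER_AGENT_MARKERS = ("GitHubActionsRunner",)

RULE_REGISTER = "GitHub Enterprise Register Self Hosted Runner"          # medium
RULE_UNUSUAL_UA = "GitHub Enterprise Unusual User Agent for Runner Registration"  # low

# Constructed sample of streamed audit-log events (JSON lines), not real data.
# Line 4 is deliberately malformed to show that the parser skips it.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1718000000000, "action": "org.register_self_hosted_runner", "actor": "ci-admin", "actor_id": 1001, "org": "example-org", "user_agent": "GitHubActionsRunner/2.317.0"}
{"@timestamp": 1718000060000, "action": "repo.register_self_hosted_runner", "actor": "contractor-dev", "actor_id": 2042, "org": "example-org", "repo": "example-org/payments", "user_agent": "python-requests/2.31.0"}
{"@timestamp": 1718000120000, "action": "org.remove_self_hosted_runner", "actor": "ci-admin", "actor_id": 1001, "org": "example-org", "user_agent": "GitHubActionsRunner/2.317.0"}
this line is not JSON and is skipped by the parser
{"@timestamp": 1718000180000, "action": "enterprise.register_self_hosted_runner", "actor": "svc-deploy", "actor_id": 3077, "business": "example-enterprise"}
"""


def parse_events(text: str) -> Iterator[dict]:
    """Yield one event dict per well-formed JSON line; skip blanks and garbage."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            yield event


def is_runner_registration(event: dict) -> bool:
    return event.get("action") in RUNNER_REGISTRATION_ACTIONS


def user_agent_is_unusual(user_agent: Optional[str]) -> bool:
    """Missing, empty, or lacking the expected runner marker counts as unusual."""
    if not isinstance(user_agent, str) or not user_agent.strip():
        return True
    return not any(marker in user_agent for marker in EXPECTED_USER_AGENT_MARKERS)


def triage_event(event: dict) -> Optional[dict]:
    """Return a finding for a registration event, or None for anything else."""
    if not is_runner_registration(event):
        return None
    user_agent = event.get("user_agent")
    rules = [RULE_REGISTER]
    if user_agent_is_unusual(user_agent):
        rules.append(RULE_UNUSUAL_UA)
    return {
        "timestamp": event.get("@timestamp"),
        "scope": event["action"].split(".", 1)[0],   # enterprise / org / repo
        "action": event["action"],
        "actor": event.get("actor"),
        "actor_id": event.get("actor_id"),
        # Most specific target present: repository, then organization, then enterprise.
        "target": event.get("repo") or event.get("org") or event.get("business"),
        "user_agent": user_agent,
        "rules": rules,
    }


def scan_audit_log(text: str) -> List[dict]:
    """Run triage over every event in a JSON-lines audit log export."""
    findings = []
    for event in parse_events(text):
        finding = triage_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(json.dumps(finding, indent=2))
```

Every registration produces a finding so it can be reconciled against the change record for the runner fleet; the second rule only adds weight to findings whose user_agent does not look like a runner, which is where the advisory suggests focusing first.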

Detection coverage (2 rules)

GitHub Enterprise Register Self Hosted Runner

medium

Detects when a self-hosted runner is created in GitHub Enterprise. Self-hosted runners execute workflow jobs on customer-controlled infrastructure, which could be exploited by attackers.

Type: Sigma | Tactics: resource_development | Techniques: T1588.006 | Sources: webserver, linux

GitHub Enterprise Unusual User Agent for Runner Registration

low

Detects a runner registration whose user agent is suspicious.

Type: Sigma | Tactics: resource_development | Techniques: T1588.006 | Sources: webserver, linux

Detection queries are kept inside the platform.