{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/devops/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Actions"],"_cs_severities":["low"],"_cs_tags":["github","self-hosted-runner","audit-log","devops","supply-chain"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting changes to self-hosted runner configurations within GitHub environments. Self-hosted runners are systems deployed and managed by users to execute jobs from GitHub Actions, providing flexibility and control over the execution environment. Monitoring these runners is crucial because unauthorized modifications can lead to various malicious activities, including data collection, persistence, privilege escalation, or even initial access. The rule provided detects such changes based on audit logs, requiring administrators to validate the changes through the GitHub UI for complete context. Detecting these modifications early can help prevent or mitigate potential security breaches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub organization or repository with permissions to manage self-hosted runners. This could be achieved through compromised credentials (T1078.004) or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the configuration of an existing self-hosted runner group or creates a new runner group (org.runner_group_created).\u003c/li\u003e\n\u003cli\u003eThe attacker adds or removes runners from a runner group (org.runner_group_runners_added, org.runner_group_runner_removed, org.runner_group_updated).\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker registers a new self-hosted runner within the environment (repo.register_self_hosted_runner).\u003c/li\u003e\n\u003cli\u003eThe attacker removes an existing self-hosted runner from the environment (repo.remove_self_hosted_runner, org.remove_self_hosted_runner).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised runner or runner group to execute malicious code within the GitHub Actions workflow, potentially collecting sensitive data or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised runner to establish persistence within the GitHub environment, ensuring continued access.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the compromised runner to gain initial access to other systems or networks connected to the GitHub environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised self-hosted runners can lead to a range of impacts, including data exfiltration, code injection, and privilege escalation within the targeted GitHub environment. Successful attacks could result in unauthorized access to sensitive repositories, modification of code, or deployment of malicious software. The impact can vary depending on the scope of the compromised runner and the permissions associated with it. The effects could extend beyond the GitHub environment if the compromised runner has access to other systems or networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the audit log streaming feature in GitHub to capture events related to self-hosted runner modifications, as required by the logsource definition.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Github Self Hosted Runner Changes Detected\u0026rdquo; to your SIEM and tune for your specific environment to detect suspicious configuration changes.\u003c/li\u003e\n\u003cli\u003eRegularly review the audit logs in the GitHub UI to validate any detected changes to self-hosted runners and runner groups to ensure legitimate modifications.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for managing self-hosted runners, limiting permissions to only authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:30:00Z","date_published":"2024-01-03T14:30:00Z","id":"/briefs/2024-01-github-runner-changes/","summary":"Detection of changes to self-hosted runner configurations in GitHub environments can indicate potential impact, discovery, collection, persistence, privilege escalation, initial access, or stealth activities.","title":"GitHub Self-Hosted Runner Configuration Changes Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-github-runner-changes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["github-actions","supply-chain","execution","devops"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat focuses on the exploitation of GitHub Actions runners by malicious actors. By gaining the ability to modify or trigger workflows in a linked GitHub repository, attackers can execute arbitrary commands on the runner host. The attack leverages the \u003ccode\u003eRunner.Worker\u003c/code\u003e process or shell interpreters launched via runner entrypoint scripts. Successful exploitation can lead to malicious workflow activity, including code execution, reconnaissance, credential harvesting, and network exfiltration. This presents a significant risk, particularly for organizations relying on self-hosted runners, as it allows attackers to potentially compromise the underlying infrastructure and sensitive data. The Elastic detection rule aims to identify such malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository linked to a self-hosted runner.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing workflow or creates a new one to inject malicious commands.\u003c/li\u003e\n\u003cli\u003eThe compromised workflow is triggered, initiating the \u003ccode\u003eRunner.Worker\u003c/code\u003e process on the runner host.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRunner.Worker\u003c/code\u003e process executes a shell interpreter (e.g., bash, sh, zsh) via an entrypoint script.\u003c/li\u003e\n\u003cli\u003eThe shell interpreter executes malicious commands specified in the compromised workflow, such as downloading a payload using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, establishing a reverse shell connection to an attacker-controlled server using \u003ccode\u003enc\u003c/code\u003e or \u003ccode\u003esocat\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, credential harvesting, or lateral movement within the runner host and connected network.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated from the compromised runner host to the attacker\u0026rsquo;s infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete compromise of the self-hosted runner environment. This could result in the theft of sensitive source code, credentials, and other proprietary information. The attack can also be used as a stepping stone for further attacks on the organization\u0026rsquo;s internal network and infrastructure. Affected sectors include software development, DevOps, and any organization using GitHub Actions with self-hosted runners.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eExecution via GitHub Actions Runner\u003c/code\u003e to your SIEM to detect suspicious commands executed by the GitHub Actions Runner.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for commands like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003enc\u003c/code\u003e, \u003ccode\u003esocat\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e, and \u003ccode\u003essh\u003c/code\u003e spawned by \u003ccode\u003eRunner.Worker\u003c/code\u003e or shell interpreters with \u003ccode\u003eentrypoint.sh\u003c/code\u003e in their command line (see Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for GitHub repositories and workflows to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub Actions workflows for suspicious or unexpected commands.\u003c/li\u003e\n\u003cli\u003eIsolate self-hosted runners in a segmented network to limit the impact of a potential compromise.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to provide detailed process execution information for effective detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-github-actions-runner-execution/","summary":"Adversaries compromising GitHub Actions workflows can execute arbitrary commands on runner hosts, leading to code execution, reconnaissance, credential harvesting, or network exfiltration.","title":"Execution via GitHub Actions Runner","url":"https://feed.craftedsignal.io/briefs/2024-01-github-actions-runner-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Devops","version":"https://jsonfeed.org/version/1.1"}