{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/self_hosted_runner/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["github.com"],"_cs_severities":["medium"],"_cs_tags":["github","supply_chain","self_hosted_runner"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis alert identifies the creation of a self-hosted runner in GitHub Enterprise by monitoring GitHub Enterprise audit logs. Self-hosted runners execute workflow jobs on customer-controlled infrastructure. Attackers can abuse compromised runners to execute malicious code, access sensitive data, or pivot to other systems within the environment. While self-hosted runners are a legitimate feature, their creation should be carefully controlled as compromised runners pose significant security risks. It is crucial to investigate any unexpected runner creation events to ensure they are authorized and properly secured, especially if initiated by unfamiliar users or in unusual contexts. This activity may indicate a supply chain attack or other malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a GitHub Enterprise account or obtains sufficient privileges to register a self-hosted runner.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a new self-hosted runner within the GitHub Enterprise organization or enterprise account. This action is logged in the GitHub Enterprise audit logs.\u003c/li\u003e\n\u003cli\u003eThe newly registered runner is configured to execute workflow jobs within the GitHub Enterprise environment.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or injects malicious code into a GitHub workflow that will be executed by the compromised runner. This may involve actions such as pull requests or direct commits to the repository.\u003c/li\u003e\n\u003cli\u003eThe compromised runner executes the malicious workflow job, allowing the attacker to execute arbitrary code on the runner infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised runner to access sensitive data stored within the GitHub environment or accessible to the runner.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots from the compromised runner to other systems within the network, potentially gaining access to additional resources and sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate data from the environment or maintain persistence on the compromised systems for future malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via a compromised self-hosted runner can lead to remote code execution, data exfiltration, and lateral movement within the targeted environment. A compromised runner allows attackers to execute arbitrary code, access sensitive data, and potentially pivot to other systems, resulting in significant damage and potential data breaches. The scope of the impact depends on the permissions and access levels of the compromised runner.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub Enterprise Audit log streaming to a SIEM like Splunk, as described in the GitHub documentation, to capture runner registration events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Enterprise Register Self Hosted Runner\u003c/code\u003e to detect unauthorized or suspicious runner creations.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003euser_agent\u003c/code\u003e field in the audit logs for unusual or unexpected values associated with runner registration events.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003eactor_id\u003c/code\u003e, and \u003ccode\u003euser_agent\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and multi-factor authentication for GitHub Enterprise accounts, especially those with permissions to manage runners.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit the list of registered self-hosted runners in GitHub Enterprise to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-github-enterprise-runner/","summary":"A self-hosted runner was created in GitHub Enterprise, which could be exploited by attackers to execute malicious code, access sensitive data, or pivot to other systems.","title":"GitHub Enterprise Self-Hosted Runner Registration","url":"https://feed.craftedsignal.io/briefs/2024-01-github-enterprise-runner/"}],"language":"en","title":"CraftedSignal Threat Feed — Self_hosted_runner","version":"https://jsonfeed.org/version/1.1"}