Execution via GitHub Actions Runner
- source: elastic
- techniques:
- T1059
- T1195
- T1218
Description
This rule detects potentially dangerous commands spawned by the GitHub Actions Runner.Worker process, or by shell interpreters launched via a runner entrypoint script, on self-hosted runner machines. Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host. This behavior may indicate malicious or unexpected workflow activity, including code execution, reconnaissance, credential harvesting, or network exfiltration initiated through a compromised repository or an unauthorized workflow.
Detection logic
/* Process-start events where the parent is the Runner.Worker process (or a shell started from a
   runner entrypoint script) AND the child is either a listed utility or runs from a temp /
   user-writable path. Both halves must hold; the rule does not fire on the parent alone.
   NOTE(review): several listed binaries (bash, sh, node, python*, docker, gh) are routine in
   legitimate workflows, so this is expected to need per-runner / per-repository tuning. */
/* event.action values as emitted by different process-event sources; `in` is case-sensitive */
process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
(
/* Direct child of the GitHub Actions Runner.Worker process */
process.parent.name in ("Runner.Worker", "Runner.Worker.exe") or
/* Child of a shell interpreter launched via a runner entrypoint script
(e.g. /home/runner/runners/<ver>/run/entrypoint.sh or similar paths) */
(
process.parent.name in ("sh", "bash", "zsh") and
/* `like` is case-sensitive wildcard matching. NOTE(review): the pattern ends at "entrypoint.sh"
   with no trailing wildcard, so a parent command line carrying arguments after the script name
   would not match — confirm whether that is intended. */
process.parent.command_line like "*runner*entrypoint.sh"
)
) and
(
/* `:` is case-insensitive wildcard matching, so "python*" also covers e.g. Python3 */
process.name : (
/* Network / download utilities */
"curl", "curl.exe", "wget", "wget.exe",
/* Windows scripting & LOLBins */
"powershell.exe", "cmd.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
/* Unix shells */
"bash", "sh", "zsh", "dash", "ash", "tcsh", "csh", "ksh", "fish", "mksh", "busybox", "pwsh",
/* File / archive manipulation */
"tar", "gzip", "rm", "sed", "chmod",
/* macOS-specific */
"osascript",
/* Process persistence helpers */
"nohup", "setsid",
/* Scripting runtimes */
"python*", "perl*", "ruby*", "lua*", "php*", "node", "nodejs", "node.exe",
/* Discovery & reconnaissance */
"pgrep", "grep", "find", "printenv", "env", "nmap",
/* Crypto / encoding (potential exfiltration or C2 channel) */
"openssl", "base64", "basez", "base64plain", "base64url", "base64mime", "base64pem", "basenc", "base32", "base16", "xxd",
/* Data manipulation / inspection */
"tr", "cat",
/* Network relay / tunneling */
"nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "socat", "wg", "wg-quick",
/* Remote access */
"ssh", "ssh.exe", "ftp", "tftp", "scp", "sftp",
/* Kubernetes / infrastructure */
"kubectl", "helm", "docker", "ctr", "crictl",
/* Secret management */
"vault",
/* GitHub CLI */
"gh",
/* AWS CLI */
"aws",
/* Azure CLI */
"az",
/* GCP CLI */
"gcloud",
/* Google Workspace CLI */
"gws"
) or
/* Catch-all for executables in temp, shared-memory and runtime directories, or anywhere under a
   Windows user profile. NOTE(review): the "?:\\Users\\*" pattern is very wide — if a runner's work
   directory lives under a user profile this branch will match every step; tune to the runner layout. */
process.executable : ("/tmp/*", "/private/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/*", "/var/run/*", "?:\\Users\\*")
)