Remote GitHub Actions Runner Registration
- source: elastic
- techniques:
  - T1059
  - T1195
Description
This rule detects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary. Once a host is registered as a runner for a remote repository, anyone who can commit workflow definitions to that repository (its owner, and in many setups its collaborators) can execute arbitrary commands on that host. Registration is normally a one-off provisioning step, so an unexpected or unauthorized runner registration may indicate adversarial activity aimed at establishing remote code execution via malicious GitHub workflows.
Detection logic
process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in ("Runner.Listener", "Runner.Listener.exe") and
process.args == "configure" and process.args == "--url" and process.args == "--token"
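The three `process.args` clauses above rely on EQL array semantics: comparing an array field with `==` is true when any element matches, so AND-ing three such clauses means all three tokens must appear somewhere in the argument list, in any order. The following Python re-implements the rule as a plain predicate and runs it over a handful of constructed ECS-style process events (not real telemetry). It is an added example, not Elastic's code, and the sample paths, repository URL and token values are placeholders.

```python
"""Re-implementation of the EQL rule above as a plain Python predicate,
evaluated over constructed sample process events (not captured telemetry)."""

START_ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2",
                 "executed", "process_started"}
RUNNER_NAMES = {"Runner.Listener", "Runner.Listener.exe"}
REQUIRED_ARGS = {"configure", "--url", "--token"}
TECHNIQUES = ("T1059", "T1195")


def matches_runner_registration(event: dict) -> bool:
    """Return True when the event satisfies every clause of the rule.

    EQL evaluates `process.args == "x"` against an array field as "any
    element equals x", so the three AND-ed clauses require all three tokens
    to be present, in any order. A set-subset check reproduces that.
    """
    if event.get("event.type") != "start":
        return False
    if event.get("event.action") not in START_ACTIONS:
        return False
    if event.get("process.name") not in RUNNER_NAMES:
        return False
    args = set(event.get("process.args") or [])
    return REQUIRED_ARGS.issubset(args)


def run_rule(events):
    """Return (event id, mapped techniques) for each matching event."""
    return [(e["id"], TECHNIQUES) for e in events
            if matches_runner_registration(e)]


# Constructed sample events with ECS-style flat keys; values are placeholders.
SAMPLE_EVENTS = [
    {   # self-hosted runner being registered on Linux: should alert
        "id": "evt-1", "event.type": "start", "event.action": "exec",
        "process.name": "Runner.Listener",
        "process.args": ["/opt/actions-runner/bin/Runner.Listener", "configure",
                         "--url", "https://github.com/example-org/example-repo",
                         "--token", "PLACEHOLDER_TOKEN", "--unattended"],
    },
    {   # same on Windows, with a different argument order: should alert
        "id": "evt-2", "event.type": "start", "event.action": "ProcessRollup2",
        "process.name": "Runner.Listener.exe",
        "process.args": ["C:\\actions-runner\\bin\\Runner.Listener.exe",
                         "configure", "--token", "PLACEHOLDER_TOKEN", "--url",
                         "https://github.com/example-org/example-repo"],
    },
    {   # an already-registered runner starting its normal job loop: benign
        "id": "evt-3", "event.type": "start", "event.action": "exec",
        "process.name": "Runner.Listener",
        "process.args": ["/opt/actions-runner/bin/Runner.Listener", "run"],
    },
    {   # token present but no "configure"/"--url": one clause missing, no alert
        "id": "evt-4", "event.type": "start", "event.action": "exec",
        "process.name": "Runner.Listener",
        "process.args": ["Runner.Listener", "remove", "--token", "PLACEHOLDER_TOKEN"],
    },
    {   # process-end record for a registration: wrong event.type, no alert
        "id": "evt-5", "event.type": "end", "event.action": "end",
        "process.name": "Runner.Listener",
        "process.args": ["Runner.Listener", "configure", "--url", "u", "--token", "t"],
    },
]

if __name__ == "__main__":
    for event_id, techniques in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {event_id}: Remote GitHub Actions Runner Registration {techniques}")
```

Only evt-1 and evt-2 fire. The negative cases are worth keeping in a rule's own test set: a runner that starts its job loop or is unregistered shares the binary name but not all three tokens, and an `end` event for the same command line must not double-alert.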