LoFP / installation via expected/known configuration management tools (reflected mostly as parent process name)

Techniques

Sample rules

Github Self-Hosted Runner Execution

Description

Detects process creation of the GitHub Actions self-hosted runner binaries (Runner.Listener and Runner.Worker) executing workflows on local infrastructure, which an attacker can abuse for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments: after stealing credentials it installs runners on compromised systems to maintain access, leveraging the runner's access to secrets and internal networks. Legitimate runner deployments performed by an expected configuration management tool produce the same process creations; the parent process name is the main attribute that separates them from attacker-installed runners.

Detection logic

condition: all of selection_worker_* or all of selection_listener_*
selection_listener_cli:
  CommandLine|contains:
  - run
  - configure
selection_listener_img:
- Image|endswith: \Runner.Listener.exe
- OriginalFileName: Runner.Listener.dll
selection_worker_cli:
  CommandLine|contains: spawnclient
selection_worker_img:
- Image|endswith: \Runner.Worker.exe
- OriginalFileName: Runner.Worker.dll
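The selections above, evaluated over constructed process-creation events, together with the parent-process tuning this page's false positive calls for. This is an added example, not part of the LoFP page or the Sigma rule; the sample events, the cfgmgmt-agent path and the allowlist are constructed assumptions, and Sigma's case-insensitive `contains`/`endswith` semantics are reproduced by lower-casing both sides.

```python
"""Evaluate the listener/worker selections against sample events and suppress
the false positive (runner installed by a known configuration management tool,
visible as ParentImage). Added example; events and allowlist are constructed."""

# Field names follow the Sigma process_creation logsource. Values are constructed.
SAMPLE_EVENTS = [
    {   # Runner.Listener started interactively from PowerShell
        "Image": r"C:\actions-runner\bin\Runner.Listener.exe",
        "OriginalFileName": "Runner.Listener.dll",
        "CommandLine": r"C:\actions-runner\bin\Runner.Listener.exe run",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # Runner.Worker spawned by the listener to execute a job
        "Image": r"C:\actions-runner\bin\Runner.Worker.exe",
        "OriginalFileName": "Runner.Worker.dll",
        "CommandLine": r"C:\actions-runner\bin\Runner.Worker.exe spawnclient 1234 5678",
        "ParentImage": r"C:\actions-runner\bin\Runner.Listener.exe",
    },
    {   # Listener configured by a config-management agent: the false positive.
        # "cfgmgmt-agent" is a hypothetical tool name.
        "Image": r"C:\actions-runner\bin\Runner.Listener.exe",
        "OriginalFileName": "Runner.Listener.dll",
        "CommandLine": r"C:\actions-runner\bin\Runner.Listener.exe configure --unattended",
        "ParentImage": r"C:\Program Files\cfgmgmt-agent\agent.exe",
    },
    {   # Unrelated process; must not match
        "Image": r"C:\Windows\System32\svchost.exe",
        "OriginalFileName": "svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
]

# Hypothetical allowlist of parent images belonging to expected configuration
# management tools (lower-cased to match the case-insensitive comparison below).
KNOWN_CM_PARENTS = {r"c:\program files\cfgmgmt-agent\agent.exe"}


def _ci(value):
    """Sigma string modifiers are case-insensitive; normalise to lower case."""
    return (value or "").lower()


def selection_listener_cli(ev):
    # CommandLine|contains: [run, configure]  -> OR over the list
    cl = _ci(ev.get("CommandLine"))
    return any(tok in cl for tok in ("run", "configure"))


def selection_listener_img(ev):
    # list of maps -> OR: Image|endswith OR OriginalFileName equals
    return (_ci(ev.get("Image")).endswith(r"\runner.listener.exe")
            or _ci(ev.get("OriginalFileName")) == "runner.listener.dll")


def selection_worker_cli(ev):
    return "spawnclient" in _ci(ev.get("CommandLine"))


def selection_worker_img(ev):
    return (_ci(ev.get("Image")).endswith(r"\runner.worker.exe")
            or _ci(ev.get("OriginalFileName")) == "runner.worker.dll")


def rule_matches(ev):
    """condition: all of selection_worker_* or all of selection_listener_*"""
    worker = selection_worker_cli(ev) and selection_worker_img(ev)
    listener = selection_listener_cli(ev) and selection_listener_img(ev)
    return worker or listener


def should_alert(ev, allowlist=KNOWN_CM_PARENTS):
    """Rule match minus the documented false positive: a known CM-tool parent."""
    return rule_matches(ev) and _ci(ev.get("ParentImage")) not in allowlist


def run_rule(events=SAMPLE_EVENTS, allowlist=KNOWN_CM_PARENTS):
    """Return (index, raw_match, alert_after_tuning) for every event."""
    return [(i, rule_matches(ev), should_alert(ev, allowlist))
            for i, ev in enumerate(events)]


if __name__ == "__main__":
    for idx, raw, alert in run_rule():
        print(f"event {idx}: rule_matches={raw} alert_after_tuning={alert}")
```

Two things worth noticing when running this. First, the `run` token in selection_listener_cli is a substring of "Runner", so any command line that includes the executable's own path already satisfies that selection; in practice the image checks do nearly all of the filtering. Second, filtering on an exact parent-image allowlist only holds up if the configuration management agent's install path is itself controlled; an attacker who can write into that directory can inherit the exemption, so pair the allowlist with integrity monitoring of the agent binary.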