New GitHub Self Hosted Action Runner

This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 5 days. Adversaries may abuse self-hosted runners to execute workflow jobs on customer infrastructure.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2025/11/28"
integration = ["github"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 5 days. Adversaries
may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
"""
false_positives = [
    "Authorized self-hosted GitHub actions runner.",
]
from = "now-9m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "New GitHub Self Hosted Action Runner"
note = """## Triage and analysis

### Investigating New GitHub Self Hosted Action Runner

Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.

### Possible investigation steps

- Validate the user is authorized to perform this change.
- Review the purpose of the self-hosted action runner and what actions will be executed.
- Verify if there is any adjacent sensitive file access or collection.
- Correlate with other alerts and investigate if this activity is related to a supply chain attack.

### False positive analysis

- Authorized GitHub self-hosted actions runner.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
- Terminate any suspicious child processes that were initiated by the GitHub actions runner.
- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
- Implement application whitelisting to prevent unauthorized execution.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
references = [
    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
    "https://socket.dev/blog/shai-hulud-strikes-again-v2",
    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack"
]
risk_score = 47
rule_id = "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Github",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
data_stream.dataset:"github.audit" and
    event.category:"configuration" and
    event.action: (
        "repo.register_self_hosted_runner" or
        "org.register_self_hosted_runner" or
        "enterprise.register_self_hosted_runner"
    )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"

[[rule.threat.technique.subtechnique]]
id = "T1195.001"
name = "Compromise Software Dependencies and Development Tools"
reference = "https://attack.mitre.org/techniques/T1195/001/"

[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.new_terms]
field = "new_terms_fields"
value = ["user.name", "github.actor_ip"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-5d"
```
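To make the rule's logic concrete, the following added Python example (not Elastic's code) replays the KQL filter and the new_terms check over a handful of constructed github.audit events, flattened to the dotted field names the rule references. It shows that an alert fires only when the (user.name, github.actor_ip) pair has not appeared in matching events during the preceding 5-day history window, so the same user registering a runner from a new IP still alerts, while a repeat from a known pair within the window does not.

```python
from datetime import datetime, timedelta

# Constructed github.audit events (not real data), flattened to the dotted
# field names the rule references; only the fields it uses are included.
EVENTS = [
    {"@timestamp": "2026-04-01T09:00:00Z", "event.action": "repo.register_self_hosted_runner",
     "user.name": "ci-admin", "github.actor_ip": "203.0.113.10"},
    {"@timestamp": "2026-04-04T10:00:00Z", "event.action": "org.register_self_hosted_runner",
     "user.name": "ci-admin", "github.actor_ip": "203.0.113.10"},
    {"@timestamp": "2026-04-04T11:00:00Z", "event.action": "repo.register_self_hosted_runner",
     "user.name": "ci-admin", "github.actor_ip": "198.51.100.7"},
    {"@timestamp": "2026-04-09T15:00:00Z", "event.action": "repo.register_self_hosted_runner",
     "user.name": "new-contractor", "github.actor_ip": "198.51.100.7"},
    {"@timestamp": "2026-04-09T15:05:00Z", "event.action": "repo.remove_self_hosted_runner",
     "user.name": "new-contractor", "github.actor_ip": "198.51.100.7"},
]
for _ev in EVENTS:  # fields shared by every constructed event
    _ev.update({"data_stream.dataset": "github.audit", "event.category": "configuration"})

RUNNER_ACTIONS = {"repo.register_self_hosted_runner", "org.register_self_hosted_runner",
                  "enterprise.register_self_hosted_runner"}
NEW_TERMS_FIELDS = ("user.name", "github.actor_ip")   # rule.new_terms value
HISTORY_WINDOW = timedelta(days=5)                    # history_window_start = "now-5d"

def matches_query(ev):
    """Python equivalent of the rule's KQL filter."""
    return (ev.get("data_stream.dataset") == "github.audit"
            and ev.get("event.category") == "configuration"
            and ev.get("event.action") in RUNNER_ACTIONS)

def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))

def _terms(ev):
    return tuple(ev.get(f) for f in NEW_TERMS_FIELDS)

def new_term_alerts(events):
    """Replay the new_terms check event by event: a matching event alerts when its
    (user.name, github.actor_ip) pair was not seen in matching events during the
    preceding 5 days. The real rule evaluates this per scheduled run rather than
    per event, but the verdicts for this history are the same."""
    matching = sorted(filter(matches_query, events), key=_ts)
    alerts = []
    for i, ev in enumerate(matching):
        start = _ts(ev) - HISTORY_WINDOW
        seen = any(_terms(p) == _terms(ev) and _ts(p) >= start for p in matching[:i])
        if not seen:
            alerts.append(ev)
    return alerts
```

The second ci-admin registration is suppressed (same pair seen three days earlier), the third fires because the IP is new for that user, and the remove action never passes the query filter.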

Triage and analysis

Investigating New GitHub Self Hosted Action Runner

Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.

Possible investigation steps

  • Validate the user is authorized to perform this change.
  • Review the purpose of the self-hosted action runner and what actions will be executed.
  • Verify if there is any adjacent sensitive file access or collection.
  • Correlate with other alerts and investigate if this activity is related to a supply chain attack.

False positive analysis

  • Authorized GitHub self-hosted actions runner.

Response and remediation

  • Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
  • Terminate any suspicious child processes that were initiated by the GitHub actions runner.
  • Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
  • Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
  • Implement application whitelisting to prevent unauthorized execution.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.
