New GitHub Self Hosted Action Runner
This rule detects the registration of a self-hosted GitHub Actions runner by a user.name not seen in the previous 5 days. Adversaries may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
Elastic rule
```toml
[metadata]
creation_date = "2025/11/28"
integration = ["github"]
maturity = "production"
updated_date = "2025/11/28"

[rule]
author = ["Elastic"]
description = """
This rule detects the creation of a self-hosted Github runner from a first time seen user.name in the last 5 days. Adversaries
may abuse self-hosted runners to execute workflow jobs on customer infrastructure.
"""
false_positives = [
    "Authorized self-hosted GitHub actions runner.",
]
from = "now-9m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "New GitHub Self Hosted Action Runner"
note = """## Triage and analysis

### Investigating New GitHub Self Hosted Action Runner

Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host.

### Possible investigation steps

- Validate that the user is authorized to perform this change.
- Review the purpose of the self-hosted action runner and what actions will be executed.
- Verify whether there is any adjacent sensitive file access or collection.
- Correlate with other alerts and investigate whether this activity is related to a supply chain attack.

### False positive analysis

- Authorized GitHub self-hosted actions runner.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
- Terminate any suspicious child processes that were initiated by the GitHub Actions runner.
- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
- Implement application whitelisting to prevent unauthorized execution.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
references = [
    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
    "https://socket.dev/blog/shai-hulud-strikes-again-v2",
]
risk_score = 47
rule_id = "40c34c8a-b0bc-43bc-83aa-d2b76bf129e1"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Github",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset:"github.audit" and event.category:"configuration" and event.action:"enterprise.register_self_hosted_runner"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.new_terms]
field = "new_terms_fields"
value = ["user.name", "github.actor_ip"]

[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-5d"
```
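As an added illustration (not part of the Elastic rule or its repository), the Python below emulates how this new_terms rule evaluates over constructed github.audit events: the KQL filter selects runner registrations, and an alert fires only when the combined (user.name, github.actor_ip) pair, which is the rule's actual new-terms key rather than user.name alone, has not appeared in the 5-day history window before the 9-minute lookback. Field names follow the rule; the sample events and run times are constructed.

```python
from datetime import datetime, timedelta

REGISTER = "enterprise.register_self_hosted_runner"

def _ev(ts, action, user, ip):
    """Build a minimal github.audit event carrying only the fields the rule inspects."""
    return {"@timestamp": ts, "event.dataset": "github.audit",
            "event.category": "configuration", "event.action": action,
            "user.name": user, "github.actor_ip": ip}

# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    _ev("2025-11-20T09:00:00Z", REGISTER, "ci-admin", "198.51.100.10"),  # older than 5 days
    _ev("2025-11-27T10:00:00Z", REGISTER, "ci-admin", "198.51.100.10"),  # inside history window
    _ev("2025-11-28T07:58:00Z", "enterprise.remove_self_hosted_runner", "dev-eve", "203.0.113.7"),
    _ev("2025-11-28T08:00:00Z", REGISTER, "dev-eve", "203.0.113.7"),     # never-seen pair
    _ev("2025-11-28T08:01:00Z", REGISTER, "ci-admin", "198.51.100.10"),  # already-known pair
]

LOOKBACK = timedelta(minutes=9)   # from = "now-9m"
HISTORY = timedelta(days=5)       # history_window_start = "now-5d"
NEW_TERMS_FIELDS = ("user.name", "github.actor_ip")
RUN_TIME = datetime(2025, 11, 28, 8, 5)  # constructed rule execution time

def matches_query(ev):
    """Python equivalent of the rule's KQL query."""
    return (ev.get("event.dataset") == "github.audit"
            and ev.get("event.category") == "configuration"
            and ev.get("event.action") == REGISTER)

def _ts(ev):
    return datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")

def new_term_alerts(events, now):
    """Emulate one rule run at `now`: alert on matching events inside the lookback
    whose new-terms pair was not seen in the history window before the lookback."""
    run_start, hist_start = now - LOOKBACK, now - HISTORY
    hits = [e for e in events if matches_query(e) and hist_start <= _ts(e) <= now]
    term = lambda e: tuple(e.get(f) for f in NEW_TERMS_FIELDS)
    baseline = {term(e) for e in hits if _ts(e) < run_start}
    return [(e["@timestamp"],) + term(e) for e in hits
            if _ts(e) >= run_start and term(e) not in baseline]

if __name__ == "__main__":
    for alert in new_term_alerts(SAMPLE_EVENTS, RUN_TIME):
        print("ALERT new self-hosted runner registration:", alert)
```

Shifting RUN_TIME to 2025-11-27T10:05Z shows the other side of the window: ci-admin's registration then alerts, because its only prior registration (2025-11-20) is older than 5 days and no longer counts as baseline.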