Github Self Hosted Runner Changes Detected

calendar Feb 26, 2024 · attack.impact attack.discovery attack.collection attack.defense_evasion attack.persistence attack.privilege_escalation attack.initial_access attack.t1526 attack.t1213.003 attack.t1078.004  ·
Share on: linkedin copy

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Sigma rule (View on GitHub)

 1title: Github Self Hosted Runner Changes Detected
 2id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
 3status: test
 4description: |
 5    A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
 6    This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
 7    it should be validated from GitHub UI because the log entry may not provide full context.    
 8author: Muhammad Faisal (@faisalusuf)
 9date: 2023/01/27
10references:
11    - https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners#about-self-hosted-runners
12    - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#search-based-on-operation
13tags:
14    - attack.impact
15    - attack.discovery
16    - attack.collection
17    - attack.defense_evasion
18    - attack.persistence
19    - attack.privilege_escalation
20    - attack.initial_access
21    - attack.t1526
22    - attack.t1213.003
23    - attack.t1078.004
24logsource:
25    product: github
26    service: audit
27    definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
28detection:
29    selection:
30        action:
31            - 'org.remove_self_hosted_runner'
32            - 'org.runner_group_created'
33            - 'org.runner_group_removed'
34            - 'org.runner_group_runner_removed'
35            - 'org.runner_group_runners_added'
36            - 'org.runner_group_runners_updated'
37            - 'org.runner_group_updated'
38            - 'repo.register_self_hosted_runner'
39            - 'repo.remove_self_hosted_runner'
40    condition: selection
41falsepositives:
42    - Allowed self-hosted runners changes in the environment.
43    - A self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 14 days.
44    - An ephemeral self-hosted runner is automatically removed from GitHub if it has not connected to GitHub Actions for more than 1 day.
45level: low

References

Related rules

to-top