Github Self-Hosted Runner Execution

Original Source: [Sigma source]
Title: Github Self-Hosted Runner Execution
Status: test
Description: Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
References:
  - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
  - https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/
Author: Daniel Koifman (KoifSec)
Date: 2025-11-29
Modified: None
Tags:
  - attack.command-and-control
  - attack.t1102.002
  - attack.t1071
Logsource:
  category: process_creation
  product: windows
Detection:
  selection_worker_img:
    Image|endswith: '\Runner.Worker.exe'
    OriginalFileName: 'Runner.Worker.dll'
  selection_worker_cli:
    CommandLine|contains: 'spawnclient'
  selection_listener_img:
    Image|endswith: '\Runner.Listener.exe'
    OriginalFileName: 'Runner.Listener.dll'
  selection_listener_cli:
    CommandLine|contains:
      - 'run'
      - 'configure'
  condition: all of selection_worker_* or all of selection_listener_*
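To show how the four selections and the `all of selection_*` condition combine, here is an added Python evaluator (not part of the Sigma rule or of Sigma's own matching engine) run over constructed Sysmon-style process_creation events; the field names follow the rule, while the install paths and command lines are assumed sample values.

```python
from typing import Dict, List, Union

Event = Dict[str, str]
Values = Union[str, List[str]]

def field_matches(event: Event, spec: str, wanted: Values) -> bool:
    """Evaluate one 'Field|modifier: value(s)' line. Sigma string matching is
    case-insensitive, and a list of values is an OR."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field, "").lower()
    for value in (wanted if isinstance(wanted, list) else [wanted]):
        value = value.lower()
        if (modifier == "endswith" and actual.endswith(value)) or \
           (modifier == "contains" and value in actual) or \
           (modifier == "" and actual == value):
            return True
    return False

# The rule's selections, transcribed from the Detection block above.
SELECTIONS = {
    "selection_worker_img": {"Image|endswith": "\\Runner.Worker.exe",
                             "OriginalFileName": "Runner.Worker.dll"},
    "selection_worker_cli": {"CommandLine|contains": "spawnclient"},
    "selection_listener_img": {"Image|endswith": "\\Runner.Listener.exe",
                               "OriginalFileName": "Runner.Listener.dll"},
    "selection_listener_cli": {"CommandLine|contains": ["run", "configure"]},
}

def selection_matches(event: Event, name: str) -> bool:
    # Every field line inside one selection must match (AND).
    return all(field_matches(event, spec, val) for spec, val in SELECTIONS[name].items())

def rule_matches(event: Event) -> bool:
    # condition: all of selection_worker_* or all of selection_listener_*
    def all_of(prefix: str) -> bool:
        return all(selection_matches(event, n) for n in SELECTIONS if n.startswith(prefix))
    return all_of("selection_worker_") or all_of("selection_listener_")

# Constructed sample events (assumed install path; not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\actions-runner\bin\Runner.Listener.exe",
     "OriginalFileName": "Runner.Listener.dll",
     "CommandLine": r'"C:\actions-runner\bin\Runner.Listener.exe" configure --url https://github.com/example-org/example-repo'},
    {"Image": r"C:\actions-runner\bin\Runner.Worker.exe",
     "OriginalFileName": "Runner.Worker.dll",
     "CommandLine": r'"C:\actions-runner\bin\Runner.Worker.exe" spawnclient 1 2'},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c run-build.cmd"},
]

def matching_indices(events: List[Event] = SAMPLE_EVENTS) -> List[int]:
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Because `contains: 'run'` is case-insensitive, it also matches the "Runner" in the listener's own executable path when that path appears in the command line, so selection_listener_cli is satisfied by nearly every Runner.Listener.exe invocation and the OriginalFileName check carries most of the precision.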
Falsepositives:
  - Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
  - Authorized runner deployments by DevOps/Platform teams following change management
  - Scheduled runner updates or reconfigurations on existing build agents
  - Self-hosted runners that follow expected/known naming patterns
  - Installation via expected/known configuration management tools (reflected mostly as parent process name)
Level: medium