Elastic Security Detection Rules

Remote GitHub Actions Runner Registration

Last updated 9 days ago on 2025-11-26
Created 9 days ago on 2025-11-26

About

This rule detects the configuration of a GitHub Actions self-hosted runner using the Runner.Listener binary. When a machine is registered to a remote repository, its owner gains the ability to execute arbitrary workflow commands on that host. Unexpected or unauthorized runner registration may indicate adversarial activity aimed at establishing remote code execution via malicious GitHub workflows.
Tags
Domain: EndpointOS: LinuxOS: WindowsOS: macOSUse Case: Threat DetectionTactic: ExecutionTactic: Initial AccessData Source: Elastic EndgameData Source: Elastic DefendData Source: Windows Security Event LogsData Source: Microsoft Defender for EndpointData Source: SysmonData Source: SentinelOneData Source: CrowdstrikeData Source: Auditd ManagerLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

Command and Scripting Interpreter (T1059)(opens in a new tab or window)

Initial Access (TA0001)(opens in a new tab or window)

Supply Chain Compromise (T1195)(opens in a new tab or window)

False Positive Examples
Authorized github repository with no malicious workflow actions.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*logs-crowdstrike.fdr*logs-endpoint.events.process-*logs-m365_defender.event-*logs-sentinel_one_cloud_funnel.*logs-system.security*logs-windows.forwarded*logs-windows.sysmon_operational-*winlogbeat-*auditbeat-*logs-auditd_manager.auditd-*
Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

system(opens in a new tab or window)

m365_defender(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

auditd_manager(opens in a new tab or window)

Query
process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.name in ("Runner.Listener", "Runner.Listener.exe") and
 process.args == "configure" and process.args == "--url" and process.args == "--token"

Install detection rules in Elastic Security

Detect Remote GitHub Actions Runner Registration in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).