Elastic Security Detection Rules

Execution via GitHub Actions Runner

Last updated 9 days ago on 2025-11-26
Created 9 days ago on 2025-11-26

About

This rule detects potentially dangerous commands spawned by the GitHub Actions Runner.Worker process on self-hosted runner machines. Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host. This behavior may indicate malicious or unexpected workflow activity, including code execution, file manipulation, or network exfiltration initiated through a compromised repository or unauthorized workflow.
Tags
Domain: EndpointOS: LinuxOS: WindowsOS: macOSUse Case: Threat DetectionTactic: ExecutionTactic: Initial AccessData Source: Elastic EndgameData Source: Elastic DefendData Source: Windows Security Event LogsData Source: Microsoft Defender for EndpointData Source: SysmonData Source: SentinelOneData Source: CrowdstrikeData Source: Auditd ManagerLanguage: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)(opens in a new tab or window)

Command and Scripting Interpreter (T1059)(opens in a new tab or window)

Initial Access (TA0001)(opens in a new tab or window)

Supply Chain Compromise (T1195)(opens in a new tab or window)

False Positive Examples
Authorized GitHub actions runner with no malicious workflow actions.
License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*logs-crowdstrike.fdr*logs-endpoint.events.process-*logs-m365_defender.event-*logs-sentinel_one_cloud_funnel.*logs-system.security*logs-windows.forwarded*logs-windows.sysmon_operational-*winlogbeat-*auditbeat-*logs-auditd_manager.auditd-*
Related Integrations

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

system(opens in a new tab or window)

m365_defender(opens in a new tab or window)

sentinel_one_cloud_funnel(opens in a new tab or window)

crowdstrike(opens in a new tab or window)

auditd_manager(opens in a new tab or window)

Query
process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
 process.parent.name in ("Runner.Worker", "Runner.Worker.exe") and
 (
   process.name like ("curl", "curl.exe", "wget", "wget.exe", "powershell.exe", "cmd.exe", "pwsh.exe", "certutil.exe", "rundll32.exe", "bash", "sh", "zsh", "tar", "rm",
                     "sed", "osascript", "chmod", "nohup", "setsid", "dash", "ash", "tcsh", "csh", "ksh", "fish", "python*", "perl*", "ruby*", "lua*", "php*", "node", "node.exe") or
   process.executable : ("/tmp/*", "/private/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/*", "/var/run/*", "?:\\Users\\*")
 )

Install detection rules in Elastic Security

Detect Execution via GitHub Actions Runner in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).