Execution via GitHub Actions Runner

Last updated 20 days ago on 2026-04-22
Created 6 months ago on 2025-11-26

About

This rule detects potentially dangerous commands spawned by the GitHub Actions Runner.Worker process or by shell interpreters launched via a runner entrypoint script on self-hosted runner machines. Adversaries who gain the ability to modify or trigger workflows in a linked GitHub repository can execute arbitrary commands on the runner host. This behavior may indicate malicious or unexpected workflow activity, including code execution, reconnaissance, credential harvesting, or network exfiltration initiated through a compromised repository or unauthorized workflow.
Tags
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Windows Security Event Logs
Data Source: Microsoft Defender XDR
Data Source: Sysmon
Data Source: SentinelOne
Data Source: Crowdstrike
Data Source: Auditd Manager
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Execution (TA0002)

Initial Access (TA0001)

Defense Evasion (TA0005)

False Positive Examples
Authorized GitHub Actions runner with no malicious workflow actions.
License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
endgame-*
logs-crowdstrike.fdr*
logs-endpoint.events.process-*
logs-m365_defender.event-*
logs-sentinel_one_cloud_funnel.*
logs-system.security*
logs-windows.forwarded*
logs-windows.sysmon_operational-*
winlogbeat-*
auditbeat-*
logs-auditd_manager.auditd-*
Related Integrations

endpoint

windows

system

m365_defender

sentinel_one_cloud_funnel

crowdstrike

auditd_manager

Query
process where event.type == "start" and
  event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
  (
    /* Direct child of the GitHub Actions Runner.Worker process */
    process.parent.name in ("Runner.Worker", "Runner.Worker.exe") or
    /* Child of a shell interpreter launched via a runner entrypoint script
       (e.g. /home/runner/runners/<ver>/run/entrypoint.sh or similar paths) */
    (
      process.parent.name in ("sh", "bash", "zsh") and
      process.parent.command_line like "*runner*entrypoint.sh"
    )
  ) and
  (
    process.name : (
      /* Network / download utilities */
      "curl", "curl.exe", "wget", "wget.exe",
      /* Windows scripting & LOLBins */
      "powershell.exe", "cmd.exe", "pwsh.exe", "certutil.exe", "rundll32.exe",
      /* Unix shells */
      "bash", "sh", "zsh", "dash", "ash", "tcsh", "csh", "ksh", "fish", "mksh", "busybox", "pwsh",
      /* File / archive manipulation */
      "tar", "gzip", "rm", "sed", "chmod",
      /* macOS-specific */
      "osascript",
      /* Process persistence helpers */
      "nohup", "setsid",
      /* Scripting runtimes */
      "python*", "perl*", "ruby*", "lua*", "php*", "node", "nodejs", "node.exe",
      /* Discovery & reconnaissance */
      "pgrep", "grep", "find", "printenv", "env", "nmap",
      /* Crypto / encoding (potential exfiltration or C2 channel) */
      "openssl", "base64", "basez", "base64plain", "base64url", "base64mime", "base64pem",
      "basenc", "base32", "base16", "xxd",
      /* Data manipulation / inspection */
      "tr", "cat",
      /* Network relay / tunneling */
      "nc", "ncat", "netcat", "nc.traditional", "nc.openbsd", "socat", "wg", "wg-quick",
      /* Remote access */
      "ssh", "ssh.exe", "ftp", "tftp", "scp", "sftp",
      /* Kubernetes / infrastructure */
      "kubectl", "helm", "docker", "ctr", "crictl",
      /* Secret management */
      "vault",
      /* GitHub CLI */
      "gh",
      /* AWS CLI */
      "aws",
      /* Azure CLI */
      "az",
      /* GCP CLI */
      "gcloud",
      /* Google Workspace CLI */
      "gws"
    ) or
    process.executable : ("/tmp/*", "/private/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/*", "/var/run/*", "?:\\Users\\*")
  )
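The query's matching logic, restated as an added Python example (not part of the Elastic rule or its tooling) and run over constructed process events so the parent and child conditions can be checked offline. It assumes flat dicts keyed by ECS field names with scalar values; `matches_rule`, `SAMPLES` and `RESULTS` are names chosen for illustration.

```python
from fnmatch import fnmatchcase

# Values copied from the rule query above; field names follow ECS.
ACTIONS = {"exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started"}
RUNNER_PARENTS = {"Runner.Worker", "Runner.Worker.exe"}
SHELL_PARENTS = {"sh", "bash", "zsh"}
NAMES = """curl curl.exe wget wget.exe powershell.exe cmd.exe pwsh.exe certutil.exe
rundll32.exe bash sh zsh dash ash tcsh csh ksh fish mksh busybox pwsh tar gzip rm sed
chmod osascript nohup setsid python* perl* ruby* lua* php* node nodejs node.exe pgrep
grep find printenv env nmap openssl base64 basez base64plain base64url base64mime
base64pem basenc base32 base16 xxd tr cat nc ncat netcat nc.traditional nc.openbsd
socat wg wg-quick ssh ssh.exe ftp tftp scp sftp kubectl helm docker ctr crictl vault
gh aws az gcloud gws""".split()
PATHS = ["/tmp/*", "/private/tmp/*", "/var/tmp/*", "/dev/shm/*", "/run/*",
         "/var/run/*", "?:\\Users\\*"]

def _any(value, patterns):
    """EQL ':' semantics: case-insensitive wildcard match against any pattern."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def matches_rule(ev):
    """Return True if a flat process event (dict of ECS fields) satisfies the query."""
    if ev.get("event.type") != "start" or ev.get("event.action") not in ACTIONS:
        return False
    parent = ev.get("process.parent.name", "")  # 'in' and 'like' are case-sensitive
    from_runner = parent in RUNNER_PARENTS or (
        parent in SHELL_PARENTS
        and fnmatchcase(ev.get("process.parent.command_line", ""), "*runner*entrypoint.sh"))
    return from_runner and (_any(ev.get("process.name", ""), NAMES)
                            or _any(ev.get("process.executable", ""), PATHS))

# Constructed sample events (not real telemetry).
BASE = {"event.type": "start", "event.action": "exec"}
SAMPLES = {
    "worker_curl": {**BASE, "process.parent.name": "Runner.Worker", "process.name": "curl",
                    "process.executable": "/usr/bin/curl"},
    "entrypoint_tmp": {**BASE, "process.parent.name": "bash",
                       "process.parent.command_line": "bash /home/runner/run/entrypoint.sh",
                       "process.name": "build-helper", "process.executable": "/tmp/build-helper"},
    "worker_make": {**BASE, "process.parent.name": "Runner.Worker", "process.name": "make",
                    "process.executable": "/usr/bin/make"},
    "cron_curl": {**BASE, "process.parent.name": "cron", "process.name": "curl",
                  "process.executable": "/usr/bin/curl"},
}
RESULTS = {name: matches_rule(ev) for name, ev in SAMPLES.items()}
```

The `worker_make` event does not match: a child of Runner.Worker alerts only when its name is on the list or its executable sits under one of the listed paths.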

Install detection rules in Elastic Security

Detect Execution via GitHub Actions Runner in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.