Merge PR #5782 from @Koifman - Add Github Self-Hosted Runner Execution

new: Github Self-Hosted Runner Execution --------- Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
2025-12-04 01:55:53 +02:00
parent d9c93074d4
commit 0aa29891df
4 changed files with 185 additions and 0 deletions
@@ -0,0 +1,132 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-02T13:40:15.065147Z"
+        }
+      },
+      "EventRecordID": 129581,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3712,
+          "ThreadID": 5804
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "SUPPORTHUB",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-02 13:40:15.062",
+      "ProcessGuid": "39845534-EC3F-692E-AC01-000000007A00",
+      "ProcessId": 2252,
+      "Image": "C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Listener.exe",
+      "FileVersion": "2.329.0.0",
+      "Description": "Runner.Listener",
+      "Product": "Runner.Listener",
+      "Company": "Runner.Listener",
+      "OriginalFileName": "Runner.Listener.dll",
+      "CommandLine": "\"C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Listener.exe\"  configure --url https://github.com/Koifman/shaihulud --token ACJKO5TZBN2V54V7WQEQMMLJF34ZQ",
+      "CurrentDirectory": "C:\\Users\\Lab\\Downloads\\actions-runner\\",
+      "User": "SUPPORTHUB\\Lab",
+      "LogonGuid": "39845534-EA70-692E-18E8-080000000000",
+      "LogonId": "0x8e818",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=F2D98E1A81C92345E9FB4C3A8BA80DA9,SHA256=0C90A42A6BE0078726279708539FF3275A40031BCCC6D31FCF77D0A03B6F6BBB,IMPHASH=6A91EB82BFD19D2706C7D43C46F7064E",
+      "ParentProcessGuid": "39845534-EC3E-692E-AA01-000000007A00",
+      "ParentProcessId": 9300,
+      "ParentImage": "C:\\Windows\\System32\\cmd.exe",
+      "ParentCommandLine": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\Lab\\Downloads\\actions-runner\\config.cmd\" --url https://github.com/Koifman/shaihulud --token ACJKO5TZBN2V54V7WQEQMMLJF34ZQ\"",
+      "ParentUser": "SUPPORTHUB\\Lab"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2025-12-02T13:40:43.642304Z"
+        }
+      },
+      "EventRecordID": 129609,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3712,
+          "ThreadID": 5804
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "SUPPORTHUB",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2025-12-02 13:40:43.639",
+      "ProcessGuid": "39845534-EC5B-692E-B601-000000007A00",
+      "ProcessId": 6588,
+      "Image": "C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Worker.exe",
+      "FileVersion": "2.329.0.0",
+      "Description": "Runner.Worker",
+      "Product": "Runner.Worker",
+      "Company": "Runner.Worker",
+      "OriginalFileName": "Runner.Worker.dll",
+      "CommandLine": "\"C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Worker.exe\" spawnclient 2076 2088",
+      "CurrentDirectory": "C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\",
+      "User": "SUPPORTHUB\\Lab",
+      "LogonGuid": "39845534-EA70-692E-18E8-080000000000",
+      "LogonId": "0x8e818",
+      "TerminalSessionId": 1,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=B8B5BE3A38732DE389D648044B798146,SHA256=08A676AE543078E5C6163B94E17F9C38D3193A1D59E8BA94ADE43FA0BCA8312C,IMPHASH=6A91EB82BFD19D2706C7D43C46F7064E",
+      "ParentProcessGuid": "39845534-EC43-692E-AF01-000000007A00",
+      "ParentProcessId": 7392,
+      "ParentImage": "C:\\Users\\Lab\\Downloads\\actions-runner\\bin\\Runner.Listener.exe",
+      "ParentCommandLine": "\"C:\\Users\\Lab\\Downloads\\actions-runner\\\\bin\\Runner.Listener.exe\"  run",
+      "ParentUser": "SUPPORTHUB\\Lab"
+    }
+  }
+}
@@ -0,0 +1,12 @@
+id: 94e5ba8c-3bdf-4e12-9300-f7684530d301
+description: Includes two process events that will match against the linked SIGMA rule for both conditions
+date: 2025-12-02
+author: Daniel Koifman (KoifSec)
+rule_metadata:
+    - id: 5bac7a56-da88-4c27-922e-c81e113b20cb
+      title: Github Self-Hosted Runner Execution
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/5bac7a56-da88-4c27-922e-c81e113b20cb.evtx
@@ -0,0 +1,41 @@
+title: Github Self-Hosted Runner Execution
+id: 5bac7a56-da88-4c27-922e-c81e113b20cb
+status: test
+description: |
+    Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.
+    Shai-Hulud is an npm supply chain worm targeting CI/CD environments.
+    It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
+references:
+    - https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
+    - https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/
+author: Daniel Koifman (KoifSec)
+date: 2025-11-29
+tags:
+    - attack.command-and-control
+    - attack.t1102.002
+    - attack.t1071
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_worker_img:  # Example command C:\Users\Lab\actions-runner\bin\Runner.Worker.exe spawnclient 1288 1252
+        - Image|endswith: '\Runner.Worker.exe'
+        - OriginalFileName: 'Runner.Worker.dll'
+    selection_worker_cli:
+        CommandLine|contains: 'spawnclient'
+    selection_listener_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Listener.exe  configure --url https://github.com/ABC/ABC --token 123123
+        - Image|endswith: '\Runner.Listener.exe'
+        - OriginalFileName: 'Runner.Listener.dll'
+    selection_listener_cli:
+        CommandLine|contains:
+            - 'run'
+            - 'configure'
+    condition: all of selection_worker_* or all of selection_listener_*
+falsepositives:
+    - Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
+    - Authorized runner deployments by DevOps/Platform teams following change management
+    - Scheduled runner updates or reconfigurations on existing build agents
+    - Self-hosted runners that follow expected/known naming patterns
+    - Installation via expected/known configuration management tools (reflected mostly as parent process name)
+level: medium
+regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/info.yml