
Github Self-Hosted Runner Execution (5bac7a56-da88-4c27-922e-c81e113b20cb)

Detects GitHub Actions self-hosted runners executing workflows on local infrastructure, an activity that can be abused for persistence and remote code execution. Shai-Hulud is an npm supply-chain worm targeting CI/CD environments; it installs runners on compromised systems to keep access after credential theft, using the runners' reach into repository secrets and internal networks. Legitimately provisioned runners produce the same process activity, so known runner hosts should be baselined or allowlisted before alerting on matches.
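
The following is an added example, not the Sigma rule's own logic or code from this page: a small detector that applies the idea above to Sysmon/Sigma-style process_creation events (fields Image, ParentImage, CommandLine, User, Computer). It flags three stages of self-hosted runner activity, registration (config.sh/config.cmd with --url and --token), listener start (run.sh or Runner.Listener), and job steps spawned by Runner.Worker, and suppresses hosts on an allowlist of expected runners. The binary and script names are those shipped in GitHub's actions-runner package; the sample events, hostnames, repository URL and token are constructed for the demonstration.

```python
"""Added example: classify process_creation events for GitHub Actions
self-hosted runner activity. Sample events below are constructed."""

import shlex
from dataclasses import dataclass
from typing import Optional

# Binaries shipped in GitHub's actions-runner package (Linux and Windows names).
LISTENER_BINARIES = {"Runner.Listener", "Runner.Listener.exe"}
WORKER_BINARIES = {"Runner.Worker", "Runner.Worker.exe"}
REGISTRATION_SCRIPTS = {"config.sh", "config.cmd"}
START_SCRIPTS = {"run.sh", "run.cmd"}


@dataclass
class Finding:
    reason: str      # which stage of runner activity matched
    computer: str    # host the event came from
    user: str        # account the process ran as
    detail: str      # analyst-facing summary (registration token redacted)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _argv(cmdline: str) -> list:
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a hostile command line
        return cmdline.split()


def _flag_value(argv: list, flag: str) -> Optional[str]:
    """Value of '--flag value' or '--flag=value', or None if absent."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(flag + "="):
            return arg.split("=", 1)[1]
    return None


def classify_event(event: dict, allowed_hosts=frozenset()) -> Optional[Finding]:
    """Return a Finding if the event looks like runner registration, listener
    start or a workflow step, unless the host is an expected runner."""
    computer = event.get("Computer", "")
    if computer in allowed_hosts:
        return None
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    argv = _argv(event.get("CommandLine", ""))
    user = event.get("User", "")

    # 1. Registration: config.sh --url <org/repo> --token <reg token> attaches
    #    this host to a GitHub org or repository as a runner.
    if image in REGISTRATION_SCRIPTS:
        url = _flag_value(argv, "--url")
        if url and _flag_value(argv, "--token"):
            return Finding("runner_registration", computer, user,
                           f"runner registered to {url} (token redacted)")
    # 2. Listener start: the long-lived process that polls GitHub for jobs.
    if image in LISTENER_BINARIES or image in START_SCRIPTS:
        return Finding("runner_listener_start", computer, user, " ".join(argv))
    # 3. Step execution: Runner.Worker spawns each workflow step as a child.
    if parent in WORKER_BINARIES:
        return Finding("workflow_step_execution", computer, user, " ".join(argv))
    return None


def scan(events, allowed_hosts=frozenset()) -> list:
    return [f for f in (classify_event(e, allowed_hosts) for e in events) if f]


# Constructed sample events: a runner being stood up on a production web host
# by the web service account, plus a benign curl and an expected CI runner.
SAMPLE_EVENTS = [
    {"Computer": "web-prod-07", "User": "www-data",
     "Image": "/opt/actions-runner/config.sh", "ParentImage": "/usr/bin/node",
     "CommandLine": "./config.sh --url https://github.com/example-org/example-repo "
                    "--token AEXAMPLEREGTOKEN --unattended --name web-prod-07"},
    {"Computer": "web-prod-07", "User": "www-data",
     "Image": "/opt/actions-runner/bin/Runner.Listener",
     "ParentImage": "/opt/actions-runner/run.sh",
     "CommandLine": "/opt/actions-runner/bin/Runner.Listener run"},
    {"Computer": "web-prod-07", "User": "www-data", "Image": "/bin/bash",
     "ParentImage": "/opt/actions-runner/bin/Runner.Worker",
     "CommandLine": "bash -e /opt/actions-runner/_work/_temp/step.sh"},
    {"Computer": "web-prod-07", "User": "www-data", "Image": "/usr/bin/curl",
     "ParentImage": "/bin/bash", "CommandLine": "curl -s https://example.org/"},
    {"Computer": "ci-runner-01", "User": "runner",
     "Image": "/opt/actions-runner/config.sh", "ParentImage": "/bin/bash",
     "CommandLine": "./config.sh --url https://github.com/example-org --token AEXAMPLEREGTOKEN"},
]
ALLOWED_RUNNER_HOSTS = frozenset({"ci-runner-01"})

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, ALLOWED_RUNNER_HOSTS):
        print(f"{finding.reason:26} {finding.computer:12} {finding.user:10} {finding.detail}")
```

The registration finding records the --url target so an analyst can see which org or repository now has a runner on the host, while the registration token is never copied into the alert. Without the allowlist the same registration on ci-runner-01 would also fire, which is the point of baselining known runner hosts first.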

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Github Self-Hosted Runner Execution (5bac7a56-da88-4c27-922e-c81e113b20cb) | Sigma-Rules | Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) | Attack Pattern | 1
Github Self-Hosted Runner Execution (5bac7a56-da88-4c27-922e-c81e113b20cb) | Sigma-Rules | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) | Attack Pattern | Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | 2