
GitHub self hosted runner registered

ID: github_register_self_hosted_runner
Data type: GitHub
Severity: Informational
MITRE ATT&CK: TA0040:T1496

Description

AlphaSOC detected that a GitHub self-hosted runner was registered. Self-hosted runners are machines that execute GitHub Actions workflows on infrastructure controlled by the organization. Threat actors can register malicious self-hosted runners to gain persistent access to an organization's CI/CD pipeline, execute arbitrary code within the build environment, and potentially access secrets and credentials used in workflows.

Impact

Registration of unauthorized self-hosted runners could allow adversaries to intercept sensitive data from CI/CD pipelines, inject malicious code into software builds, or establish persistent access to the organization's development infrastructure.

Severity

Severity: Informational
Condition: GitHub self hosted runner registered

Investigation and Remediation

Review the GitHub audit logs to verify the legitimacy of the runner registration, checking the user who performed the action, the repository or organization where it was registered, and whether this action was authorized. If unauthorized, immediately remove the runner from the GitHub settings, revoke any associated tokens and potentially compromised credentials, audit recent workflow executions for suspicious activity, and consider implementing additional controls on runner registration permissions.
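
The audit-log review described above can be scripted for a first pass. The following is an added example, not AlphaSOC's detection logic: it assumes a JSON-lines export of the GitHub audit log with the `action`, `actor`, `org`, `repo` and `@timestamp` fields, and the `APPROVED_ACTORS` allowlist and all sample events are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Audit-log actions GitHub records when a self-hosted runner is registered.
REGISTER_ACTIONS = {
    "repo.register_self_hosted_runner",
    "org.register_self_hosted_runner",
    "enterprise.register_self_hosted_runner",
}

# Hypothetical allowlist: accounts approved to register runners.
APPROVED_ACTORS = {"ci-platform-bot"}

# Constructed sample events (JSON lines), not real audit data.
SAMPLE_LOG = """\
{"@timestamp": 1714557600000, "action": "org.register_self_hosted_runner", "actor": "ci-platform-bot", "org": "example-org"}
{"@timestamp": 1714561200000, "action": "repo.register_self_hosted_runner", "actor": "dev-jdoe", "org": "example-org", "repo": "example-org/payments"}
{"@timestamp": 1714564800000, "action": "repo.remove_self_hosted_runner", "actor": "dev-jdoe", "org": "example-org", "repo": "example-org/payments"}
not-json
"""


def triage(log_text, approved=APPROVED_ACTORS):
    """Return one finding per runner registration, marking unapproved actors."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed export lines
        if not isinstance(event, dict) or event.get("action") not in REGISTER_ACTIONS:
            continue
        actor = event.get("actor", "<unknown>")
        when = datetime.fromtimestamp(event.get("@timestamp", 0) / 1000, tz=timezone.utc)
        findings.append({
            "time": when.isoformat(),
            "actor": actor,
            # Repository if present, otherwise the organization.
            "scope": event.get("repo") or event.get("org") or "<unknown>",
            "needs_review": actor not in approved,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        status = "REVIEW" if f["needs_review"] else "ok"
        print(f"{status:6} {f['time']} {f['actor']} -> {f['scope']}")
```

Registrations marked for review still need the manual checks above: confirm with the actor whether the runner was authorized and inspect workflow runs that executed after the registration time.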