title: Github Self-Hosted Runner Execution
id: 5bac7a56-da88-4c27-922e-c81e113b20cb
status: test
description: |
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution.
Shai-Hulud is an npm supply chain worm targeting CI/CD environments.
It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
references:
- https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
- https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/
author: Daniel Koifman (KoifSec)
date: 2025-11-29
tags:
- attack.command-and-control
- attack.t1102.002
- attack.t1071
logsource:
category: process_creation
product: windows
detection:
selection_worker_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Worker.exe spawnclient 1288 1252
- Image|endswith: '\Runner.Worker.exe'
- OriginalFileName: 'Runner.Worker.dll'
selection_worker_cli:
CommandLine|contains: 'spawnclient'
selection_listener_img: # Example command C:\Users\Lab\actions-runner\bin\Runner.Listener.exe configure --url https://github.com/ABC/ABC --token 123123
- Image|endswith: '\Runner.Listener.exe'
- OriginalFileName: 'Runner.Listener.dll'
selection_listener_cli:
CommandLine|contains:
- 'run'
- 'configure'
condition: all of selection_worker_* or all of selection_listener_*
falsepositives:
- Legitimate GitHub self-hosted runner installations on designated CI/CD infrastructure
- Authorized runner deployments by DevOps/Platform teams following change management
- Scheduled runner updates or reconfigurations on existing build agents
- Self-hosted runners that follow expected/known naming patterns
- Installation via expected/known configuration management tools (reflected mostly as parent process name)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_github_self_hosted_runner/info.yml
title: Telegram API Access
id: b494b165-6634-483d-8c47-2026a6c52372
status: test
description: Detects suspicious requests to Telegram API without the usual Telegram User-Agent
references:
- https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
- https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2023-05-18
tags:
- attack.command-and-control
- attack.t1071.001
- attack.t1102.002
logsource:
category: proxy
detection:
selection:
cs-host: 'api.telegram.org' # Often used by Bots
filter:
c-useragent|contains:
# Used https://core.telegram.org/bots/samples for this list
- 'Telegram'
- 'Bot'
condition: selection and not filter
falsepositives:
- Legitimate use of Telegram bots in the company
level: medium
title: Telegram Bot API Request
id: c64c5175-5189-431b-a55e-6d9882158251
status: test
description: Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind
references:
- https://core.telegram.org/bots/faq
- https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/
- https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
- https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
author: Florian Roth (Nextron Systems)
date: 2018-06-05
modified: 2022-10-09
tags:
- attack.command-and-control
- attack.t1102.002
logsource:
category: dns
detection:
selection:
query: 'api.telegram.org' # Telegram Bot API Request https://core.telegram.org/bots/faq
condition: selection
falsepositives:
- Legitimate use of Telegram bots in the company
level: medium