CI-RUNNER-TAKEOVERPrivilege Escalation

Self-Hosted Runner Takeover

Public repos with self-hosted runners — first attacker PR runs on the runner, persists a backdoor for every subsequent job.

§ Where this technique fits

CI-RUNNER-TAKEOVER is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Self-hosted runner takeover → persistent CI compromise
A public repo with self-hosted GitHub runners accepts external PRs. First malicious PR runs on the runner; the workflow drops a runner-hook that fires before every future job.
step 2 / 6

§ What commonly comes next

01
Command and Scripting Interpreter
T1059 · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Self-hosted runner takeover → persistent CI compromise

§ What commonly comes next