Execution via GitHub Actions Runner

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious commands executed by the GitHub Actions Runner.Worker process on self-hosted runners. It focuses on threats in which an adversary modifies or triggers a workflow in a GitHub repository to obtain arbitrary command execution on the runner host. Such behavior can indicate significant risk, including unauthorized code execution, file manipulation, or network exfiltration. The rule uses EQL queries to detect process executions that match certain conditions, particularly targeting common command executables and file paths associated with suspicious activity. False positives may arise from authorized actions performed by legitimate GitHub workflows. Remediation steps include isolating affected systems, reviewing logs for unauthorized changes, and, where necessary, restoring from backups. Investigation should begin promptly to limit the risk of lateral movement or further exploitation.
Categories
  • Endpoint
  • Cloud
Data Sources
  • Process
  • Application Log
  • Network Traffic
  • File
  • Script
ATT&CK Techniques
  • T1059
  • T1195
  • T1195.002
Created: 2025-11-26