From 4248de3d0d6963d906f202df80ca7bfe174a4fe3 Mon Sep 17 00:00:00 2001
From: "Ivan.Saakov"
Date: Fri, 20 Sep 2024 14:09:12 +0300
Subject: [PATCH 01/19] github-new-rules
---
 .../github_excessive_repository_clones.yml | 28 +++++++++++++++++++
 rules/cloud/github/github_pages_public.yml | 22 +++++++++++++++
 .../github/github_repository_actions.yml | 24 ++++++++++++++++
 3 files changed, 74 insertions(+)
 create mode 100644 rules/cloud/github/github_excessive_repository_clones.yml
 create mode 100644 rules/cloud/github/github_pages_public.yml
 create mode 100644 rules/cloud/github/github_repository_actions.yml
diff --git a/rules/cloud/github/github_excessive_repository_clones.yml b/rules/cloud/github/github_excessive_repository_clones.yml
new file mode 100644
index 00000000000..7924982245a
--- /dev/null
+++ b/rules/cloud/github/github_excessive_repository_clones.yml
@@ -0,0 +1,28 @@
+title: Excessive GitHub Repository Clones by a Single User
+id: 9418984c-2e0e-4312-b1a6-7847a85e58e0
+status: test
+description: Detects when a user clones more than 10 different repositories within an hour, which may indicate potential data exfiltration or unauthorized activities.
+author: Ivan Saakov
+date: 2024-09-20
+references:
+ - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization
+tags:
+ - attack.exfiltration
+ - attack.t1020
+logsource:
+ product: github
+ service: audit
+detection:
+ selection:
+ action: 'git.clone'
+ timeframe: 1h
+ condition: selection
+ aggregation:
+ group-by: user
+ cardinality:
+ field: repo
+ op: '>='
+ value: 10
+falsepositives:
+ - Legitimate activities where a user clones multiple repositories as part of their job responsibilities
+level: high
diff --git a/rules/cloud/github/github_pages_public.yml b/rules/cloud/github/github_pages_public.yml
new file mode 100644
index 00000000000..312a67dc3c6
--- /dev/null
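Review bot: The `timeframe`, `aggregation` and `cardinality` keys inside `detection` of the new github_excessive_repository_clones.yml are not part of the Sigma detection schema, so the threshold is never evaluated and the rule would match every single `git.clone` event; the count logic belongs in a separate Sigma correlation rule (`type: value_count`, `group-by: [user]`, `timespan: 1h`, `condition: {field: repo, gte: 10}`) that references this rule by name. The description says "more than 10" repositories while `op: '>='` with `value: 10` fires at exactly ten, so one of the two should change. As far as I know `git.clone` audit events are only delivered when Git events are enabled for audit log streaming; a `logsource.definition` stating that, as the two sibling rules in this patch have, would save operators from a silently dead rule.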
+++ b/rules/cloud/github/github_pages_public.yml
@@ -0,0 +1,22 @@
+title: GitHub Repository Pages Made Public
+id: 346357dd-788a-4539-b31a-d19886d23335
+status: test
+description: Detects when GitHub Pages of a repository are made public, which may indicate potential unauthorized exposure of sensitive information or code.
+author: Ivan Saakov
+date: 2024-09-20
+references:
+ - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
+tags:
+ - attack.collection
+ - attack.t1529
+logsource:
+ product: github
+ service: audit
+ definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+detection:
+ selection:
+ action: 'repo.pages_public'
+ condition: selection
+falsepositives:
+ - Legitimate publishing of repository pages by authorized users
+level: medium
diff --git a/rules/cloud/github/github_repository_actions.yml b/rules/cloud/github/github_repository_actions.yml
new file mode 100644
index 00000000000..09e4a2b2149
--- /dev/null
+++ b/rules/cloud/github/github_repository_actions.yml
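Review bot: `attack.t1529` on the new github_pages_public.yml is System Shutdown/Reboot, which is unrelated to making GitHub Pages public; `attack.exfiltration` with `attack.t1567` (Exfiltration Over Web Service) matches the exposure risk the description names, or keep only a tactic tag. The sole `references` entry explains how to create a Pages site rather than documenting the audit log event being matched; add the audit log events reference so a reader can confirm the `repo.pages_public` action name. Minor: `definition` reads "You can enable following the documentation here", which should be `You can enable it by following the documentation here:`.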
@@ -0,0 +1,24 @@
+title: GitHub Repository Archived or Unarchived
+id: 92cff55c-27ab-466e-b6d1-88b3f1bd9c94
+status: test
+description: Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
+author: Ivan Saakov
+date: 2024-09-20
+references:
+ - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
+tags:
+ - attack.persistence
+ - attack.t1108
+logsource:
+ product: github
+ service: audit
+ definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+detection:
+ selection:
+ action:
+ - 'archived'
+ - 'unarchived'
+ condition: selection
+falsepositives:
+ - Legitimate unarchived of repositories by authorized users
+level: medium
\ No newline at end of file
From 2ee8f32baf44355f1fb6912e9075753ea6a7d6c4 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 22 Sep 2024 19:45:12 +0200
Subject: [PATCH 02/19] Delete rules/cloud/github/github_excessive_repository_clones.yml
---
 .../github_excessive_repository_clones.yml | 28 -------------------
 1 file changed, 28 deletions(-)
 delete mode 100644 rules/cloud/github/github_excessive_repository_clones.yml
diff --git a/rules/cloud/github/github_excessive_repository_clones.yml b/rules/cloud/github/github_excessive_repository_clones.yml
deleted file mode 100644
index 7924982245a..00000000000
--- a/rules/cloud/github/github_excessive_repository_clones.yml
+++ /dev/null
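Review bot: The `action` values `'archived'` and `'unarchived'` in the new github_repository_actions.yml selection do not match GitHub's audit log action names, which are namespaced as `repo.archived` and `repo.unarchived`, so the rule will not fire on real events; change the list to `- repo.archived` and `- repo.unarchived`. The same bare values are carried through every later rewrite of this selection in PATCH 09, PATCH 12 and PATCH 18. `attack.t1108` (Redundant Access) is a revoked technique and should not be introduced on a new rule, and the `references` omit the audit log events page that would let a reader verify the action names.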
@@ -1,28 +0,0 @@
-title: Excessive GitHub Repository Clones by a Single User
-id: 9418984c-2e0e-4312-b1a6-7847a85e58e0
-status: test
-description: Detects when a user clones more than 10 different repositories within an hour, which may indicate potential data exfiltration or unauthorized activities.
-author: Ivan Saakov
-date: 2024-09-20
-references:
- - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization
-tags:
- - attack.exfiltration
- - attack.t1020
-logsource:
- product: github
- service: audit
-detection:
- selection:
- action: 'git.clone'
- timeframe: 1h
- condition: selection
- aggregation:
- group-by: user
- cardinality:
- field: repo
- op: '>='
- value: 10
-falsepositives:
- - Legitimate activities where a user clones multiple repositories as part of their job responsibilities
-level: high
From 78176ee00284cb53468dc55c33b145ad1b13c4b4 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Sun, 22 Sep 2024 21:14:46 +0300
Subject: [PATCH 03/19] Update github_pages_public.yml
---
 rules/cloud/github/github_pages_public.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/github/github_pages_public.yml b/rules/cloud/github/github_pages_public.yml
index 312a67dc3c6..b3fd20e5d67 100644
--- a/rules/cloud/github/github_pages_public.yml
+++ b/rules/cloud/github/github_pages_public.yml
@@ -1,6 +1,6 @@
 title: GitHub Repository Pages Made Public
 id: 346357dd-788a-4539-b31a-d19886d23335
-status: test
+status: experimental
 description: Detects when GitHub Pages of a repository are made public, which may indicate potential unauthorized exposure of sensitive information or code.
 author: Ivan Saakov
 date: 2024-09-20
From 11e3c9a050063194ade82331287bde177e659d85 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Sun, 22 Sep 2024 21:15:01 +0300
Subject: [PATCH 04/19] Update github_repository_actions.yml
---
 rules/cloud/github/github_repository_actions.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/github/github_repository_actions.yml b/rules/cloud/github/github_repository_actions.yml
index 09e4a2b2149..0142cccc83b 100644
--- a/rules/cloud/github/github_repository_actions.yml
+++ b/rules/cloud/github/github_repository_actions.yml
@@ -1,6 +1,6 @@
 title: GitHub Repository Archived or Unarchived
 id: 92cff55c-27ab-466e-b6d1-88b3f1bd9c94
-status: test
+status: experimental
 description: Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
 author: Ivan Saakov
 date: 2024-09-20
@@ -21,4 +21,4 @@ detection:
 condition: selection
 falsepositives:
 - Legitimate unarchived of repositories by authorized users
-level: medium
\ No newline at end of file
+level: medium
From a30f4ec3f42a351c2fed8ff1d5eb344ff8c5f619 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Sun, 23 Feb 2025 18:29:20 +0200
Subject: [PATCH 05/19] Update github_repository_actions.yml
---
 rules/cloud/github/github_repository_actions.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/cloud/github/github_repository_actions.yml b/rules/cloud/github/github_repository_actions.yml
index 0142cccc83b..2218204823e 100644
--- a/rules/cloud/github/github_repository_actions.yml
+++ b/rules/cloud/github/github_repository_actions.yml
@@ -6,6 +6,7 @@ author: Ivan Saakov
 date: 2024-09-20
 references:
 - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
+ - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
 tags:
 - attack.persistence
 - attack.t1108
@@ -20,5 +21,5 @@ detection:
 - 'unarchived'
 condition: selection
 falsepositives:
- - Legitimate unarchived of repositories by authorized users
+ - Legitimate archived/unarchived of repositories by authorized users
 level: medium
From 612acdd18edd75f35b683c63d7b98b7522260cac Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Sun, 23 Feb 2025 18:29:52 +0200
Subject: [PATCH 06/19] Update github_pages_public.yml
---
 rules/cloud/github/github_pages_public.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/cloud/github/github_pages_public.yml b/rules/cloud/github/github_pages_public.yml
index b3fd20e5d67..a3d1521654c 100644
--- a/rules/cloud/github/github_pages_public.yml
+++ b/rules/cloud/github/github_pages_public.yml
@@ -6,6 +6,7 @@ author: Ivan Saakov
 date: 2024-09-20
 references:
 - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
+ - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
 tags:
 - attack.collection
 - attack.t1529
From 31e3fdcde4c8bddca45b219f2879c5022c012f71 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Sun, 23 Feb 2025 18:36:28 +0200
Subject: [PATCH 07/19] Update github_repository_actions.yml
---
 rules/cloud/github/github_repository_actions.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/github/github_repository_actions.yml b/rules/cloud/github/github_repository_actions.yml
index 2218204823e..e162147a9ec 100644
--- a/rules/cloud/github/github_repository_actions.yml
+++ b/rules/cloud/github/github_repository_actions.yml
@@ -21,5 +21,5 @@ detection:
 - 'unarchived'
 condition: selection
 falsepositives:
- - Legitimate archived/unarchived of repositories by authorized users
+ - Legitimate archived OR unarchived GitHub repositories by authorized users
 level: medium
From f1774362e961de391a89169dbe2d10a70af291ae Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Sun, 23 Feb 2025 18:46:16 +0200
Subject: [PATCH 08/19] Update github_pages_public.yml
---
 rules/cloud/github/github_pages_public.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/cloud/github/github_pages_public.yml b/rules/cloud/github/github_pages_public.yml
index a3d1521654c..73c9d1e3cfd 100644
--- a/rules/cloud/github/github_pages_public.yml
+++ b/rules/cloud/github/github_pages_public.yml
@@ -13,7 +13,9 @@ tags:
 logsource:
 product: github
 service: audit
- definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+ definition: >
+ Requirements: The audit log streaming feature must be enabled to be able to receive such logs.
+ You can allow following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
 detection:
 selection:
 action: 'repo.pages_public'
From 254dbb8739c46aaadb07796f2765588afc6b1371 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Sun, 23 Feb 2025 18:46:54 +0200
Subject: [PATCH 09/19] Update github_repository_actions.yml
---
 .../github/github_repository_actions.yml | 28 ++++++++++---------
 1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/rules/cloud/github/github_repository_actions.yml b/rules/cloud/github/github_repository_actions.yml
index e162147a9ec..eff7269e99a 100644
--- a/rules/cloud/github/github_repository_actions.yml
+++ b/rules/cloud/github/github_repository_actions.yml
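Review bot: The rewritten `definition` in PATCH 08 changes "You can enable following the documentation here" to "You can allow following the documentation here", which makes the sentence wrong rather than clearer; `You can enable it by following the documentation here:` is what is meant. `definition: >` also keeps a trailing newline in the value, whereas `>-` drops it and is the usual form for a single logical line. PATCH 09 introduces the same `>` block in github_repository_actions.yml.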
@@ -5,21 +5,23 @@ description: Detects when a GitHub repository is archived or unarchived, which m
 author: Ivan Saakov
 date: 2024-09-20
 references:
- - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
- - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
+ - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
+ - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
 tags:
- - attack.persistence
- - attack.t1108
+ - attack.persistence
+ - attack.t1108
 logsource:
- product: github
- service: audit
- definition: 'Requirements: The audit log streaming feature must be enabled to be able to receive such logs. You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming'
+ product: github
+ service: audit
+ definition: >
+ Requirements: The audit log streaming feature must be enabled to be able to receive such logs.
+ You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
 detection:
- selection:
- action:
- - 'archived'
- - 'unarchived'
- condition: selection
+ selection:
+ action:
+ - 'archived'
+ - 'unarchived'
+ condition: selection
 falsepositives:
- - Legitimate archived OR unarchived GitHub repositories by authorized users
+ - Legitimate archived OR unarchived GitHub repositories by authorized users
 level: medium
From 519904d548796f13ddf89548aea64a80c2f7809c Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Tue, 18 Mar 2025 23:10:48 +0200
Subject: [PATCH 10/19] Update github_pages_public.yml
From 94414de4c3ee1d5ca2ed40a0b5c989eec984e92e Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Tue, 18 Mar 2025 23:11:27 +0200
Subject: [PATCH 11/19] Update github_repository_actions.yml
From dd770bc0a3a0a75eac9570cba1b72be13523a1fc Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Tue, 18 Mar 2025 23:15:53 +0200
Subject: [PATCH 12/19] Update github_repository_actions.yml
---
 rules/cloud/github/github_repository_actions.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/cloud/github/github_repository_actions.yml b/rules/cloud/github/github_repository_actions.yml
index eff7269e99a..fad072aa9f6 100644
--- a/rules/cloud/github/github_repository_actions.yml
+++ b/rules/cloud/github/github_repository_actions.yml
@@ -19,9 +19,9 @@ logsource:
 detection:
 selection:
 action:
- - 'archived'
- - 'unarchived'
+ - archived
+ - unarchived
 condition: selection
 falsepositives:
- - Legitimate archived OR unarchived GitHub repositories by authorized users
+ - Legitimate archived or unarchived GitHub repositories by authorized users
 level: medium
From 91e025270e1ce5d8eb879e4cb74e564c9f68f1d0 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Tue, 18 Mar 2025 23:24:10 +0200
Subject: [PATCH 13/19] Update github_repository_actions.yml
---
 rules/cloud/github/github_repository_actions.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/cloud/github/github_repository_actions.yml b/rules/cloud/github/github_repository_actions.yml
index fad072aa9f6..9d910bb526d 100644
--- a/rules/cloud/github/github_repository_actions.yml
+++ b/rules/cloud/github/github_repository_actions.yml
@@ -15,7 +15,8 @@ logsource:
 service: audit
 definition: >
 Requirements: The audit log streaming feature must be enabled to be able to receive such logs.
- You can enable following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
+ You can enable following the documentation here:
+ https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
 detection:
 selection:
 action:
From ebc7e29f08ef3c70ab479ecc669dd14b0462dd27 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Tue, 18 Mar 2025 23:25:54 +0200
Subject: [PATCH 14/19] Update github_pages_public.yml
---
 rules/cloud/github/github_pages_public.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/cloud/github/github_pages_public.yml b/rules/cloud/github/github_pages_public.yml
index 73c9d1e3cfd..bf3c302f424 100644
--- a/rules/cloud/github/github_pages_public.yml
+++ b/rules/cloud/github/github_pages_public.yml
@@ -15,7 +15,8 @@ logsource:
 service: audit
 definition: >
 Requirements: The audit log streaming feature must be enabled to be able to receive such logs.
- You can allow following the documentation here: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
+ You can allow following the documentation here:
+ https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
 detection:
 selection:
 action: 'repo.pages_public'
From 3a6d387122695a75ce9201b94124674faed192bc Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Tue, 18 Mar 2025 23:36:09 +0200
Subject: [PATCH 15/19] Update github_pages_public.yml
---
 rules/cloud/github/github_pages_public.yml | 28 ++++++++++------------
 1 file changed, 12 insertions(+), 16 deletions(-)
diff --git a/rules/cloud/github/github_pages_public.yml b/rules/cloud/github/github_pages_public.yml
index bf3c302f424..751e3fdeac5 100644
--- a/rules/cloud/github/github_pages_public.yml
+++ b/rules/cloud/github/github_pages_public.yml
@@ -1,26 +1,22 @@
 title: GitHub Repository Pages Made Public
-id: 346357dd-788a-4539-b31a-d19886d23335
+id: 46357dd-788a-4539-b31a-d19886d23335
 status: experimental
 description: Detects when GitHub Pages of a repository are made public, which may indicate potential unauthorized exposure of sensitive information or code.
+references:
+ - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
+ - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
 author: Ivan Saakov
 date: 2024-09-20
-references:
- - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
- - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
 tags:
- - attack.collection
- - attack.t1529
+ - attack.collection
+ - attack.t1529
 logsource:
- product: github
- service: audit
- definition: >
- Requirements: The audit log streaming feature must be enabled to be able to receive such logs.
- You can allow following the documentation here:
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
+ product: github
+ service: audit
 detection:
- selection:
- action: 'repo.pages_public'
- condition: selection
+ selection:
+ action: repo.pages_public
+ condition: selection
 falsepositives:
- - Legitimate publishing of repository pages by authorized users
+ - Legitimate publishing of repository pages by authorized users
 level: medium
From 4a4f9d3f68a845ba5d61e62ac1042d18de4eeffa Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Tue, 18 Mar 2025 23:41:12 +0200
Subject: [PATCH 16/19] Update github_pages_public.yml
---
 rules/cloud/github/github_pages_public.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
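Review bot: `id` changes from `346357dd-788a-4539-b31a-d19886d23335` to `46357dd-788a-4539-b31a-d19886d23335`, which is not a valid UUID (the first group has seven hex digits) and is likely to be rejected by the repository's rule checks; a rule id should only ever change to a freshly generated UUID. The hunk also drops the `logsource.definition` block stating that audit log streaming is needed to receive this event; if that requirement still holds, keep it, otherwise operators get no hint why the rule stays silent. PATCH 18 removes the same block from github_repository_actions.yml.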
diff --git a/rules/cloud/github/github_pages_public.yml b/rules/cloud/github/github_pages_public.yml
index 751e3fdeac5..38439fd0c15 100644
--- a/rules/cloud/github/github_pages_public.yml
+++ b/rules/cloud/github/github_pages_public.yml
@@ -1,5 +1,5 @@
 title: GitHub Repository Pages Made Public
-id: 46357dd-788a-4539-b31a-d19886d23335
+id: 0c46d4f4-a2bf-4104-9597-8d653fc2bb55
 status: experimental
 description: Detects when GitHub Pages of a repository are made public, which may indicate potential unauthorized exposure of sensitive information or code.
 references:
From 5980334e73f1f85e2b3c909430c8fe118be9ffc1 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Tue, 18 Mar 2025 23:49:55 +0200
Subject: [PATCH 17/19] Update github_pages_public.yml
---
 rules/cloud/github/github_pages_public.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/cloud/github/github_pages_public.yml b/rules/cloud/github/github_pages_public.yml
index 38439fd0c15..8751526cf18 100644
--- a/rules/cloud/github/github_pages_public.yml
+++ b/rules/cloud/github/github_pages_public.yml
@@ -3,8 +3,8 @@ id: 0c46d4f4-a2bf-4104-9597-8d653fc2bb55
 status: experimental
 description: Detects when GitHub Pages of a repository are made public, which may indicate potential unauthorized exposure of sensitive information or code.
 references:
- - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
- - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
+ - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
+ - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
 author: Ivan Saakov
 date: 2024-09-20
 tags:
From 493487ae67a524ed378ae994ab6f87922b2c717d Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Tue, 18 Mar 2025 23:57:35 +0200
Subject: [PATCH 18/19] Update github_repository_actions.yml
---
 .../github/github_repository_actions.yml | 32 ++++++++----------
 1 file changed, 14 insertions(+), 18 deletions(-)
diff --git a/rules/cloud/github/github_repository_actions.yml b/rules/cloud/github/github_repository_actions.yml
index 9d910bb526d..137be47e252 100644
--- a/rules/cloud/github/github_repository_actions.yml
+++ b/rules/cloud/github/github_repository_actions.yml
@@ -1,28 +1,24 @@
 title: GitHub Repository Archived or Unarchived
-id: 92cff55c-27ab-466e-b6d1-88b3f1bd9c94
+id: dca8991c-cb16-4128-abf8-6b11e5cd156f
 status: experimental
 description: Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
+references:
+ - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
+ - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
 author: Ivan Saakov
 date: 2024-09-20
-references:
- - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
- - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
 tags:
- - attack.persistence
- - attack.t1108
+ - attack.persistence
+ - attack.t1108
 logsource:
- product: github
- service: audit
- definition: >
- Requirements: The audit log streaming feature must be enabled to be able to receive such logs.
- You can enable following the documentation here:
- https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-audit-log-streaming
+ product: github
+ service: audit
 detection:
- selection:
- action:
- - archived
- - unarchived
- condition: selection
+ selection:
+ action:
+ - archived
+ - unarchived
+ condition: selection
 falsepositives:
- - Legitimate archived or unarchived GitHub repositories by authorized users
+ - Legitimate archived or unarchived GitHub repositories by authorized users
 level: medium
From 40202f66141fa7ca7d9ab1f8addc6c3fe1edf0d4 Mon Sep 17 00:00:00 2001
From: Ivan S
Date: Wed, 19 Mar 2025 00:06:33 +0200
Subject: [PATCH 19/19] Update github_repository_actions.yml
---
 rules/cloud/github/github_repository_actions.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/cloud/github/github_repository_actions.yml b/rules/cloud/github/github_repository_actions.yml
index 137be47e252..74aa48b513f 100644
--- a/rules/cloud/github/github_repository_actions.yml
+++ b/rules/cloud/github/github_repository_actions.yml
@@ -9,7 +9,9 @@ author: Ivan Saakov
 date: 2024-09-20
 tags:
 - attack.persistence
- - attack.t1108
+ - attack.defense-evasion
+ - attack.t1098.001
+ - attack.t1078.004
 logsource:
 product: github
 service: audit
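Review bot: The new technique tags do not describe what the rule detects: `attack.t1098.001` is Account Manipulation: Additional Cloud Credentials and `attack.t1078.004` is Valid Accounts: Cloud Accounts, neither of which covers archiving or unarchiving a repository. Replacing the revoked `attack.t1108` is right, but rather than substituting unrelated sub-techniques, keep the tactic tags (`attack.persistence`, `attack.defense-evasion`) alone or choose a technique that actually covers changing repository state. Note that the `action` values matched by this rule are still the bare `archived`/`unarchived` rather than the namespaced audit log action names, so the tag mapping is moot until the selection fires at all.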