github-new-rules

rules/cloud/github/github_pages_public.yml

@@ -0,0 +1,22 @@
+title: GitHub Repository Pages Made Public
+id: 0c46d4f4-a2bf-4104-9597-8d653fc2bb55
+status: experimental
+description: Detects when GitHub Pages of a repository are made public, which may indicate potential unauthorized exposure of sensitive information or code.
+references:
+    - https://docs.github.com/en/pages/getting-started-with-github-pages/creating-a-github-pages-site
+    - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
+author: Ivan Saakov
+date: 2024-09-20
+tags:
+    - attack.collection
+    - attack.t1529
+logsource:
+    product: github
+    service: audit
+detection:
+    selection:
+        action: repo.pages_public
+    condition: selection
+falsepositives:
+    - Legitimate publishing of repository pages by authorized users
+level: medium

rules/cloud/github/github_repository_actions.yml

@@ -0,0 +1,26 @@
+title: GitHub Repository Archived or Unarchived
+id: dca8991c-cb16-4128-abf8-6b11e5cd156f
+status: experimental
+description: Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
+references:
+    - https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
+    - https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
+author: Ivan Saakov
+date: 2024-09-20
+tags:
+    - attack.persistence
+    - attack.defense-evasion
+    - attack.t1098.001
+    - attack.t1078.004
+logsource:
+    product: github
+    service: audit
+detection:
+    selection:
+        action:
+            - archived
+            - unarchived
+    condition: selection
+falsepositives:
+    - Legitimate archived or unarchived GitHub repositories by authorized users
+level: medium