Skip to content
Threat Feed
medium advisory

GitHub Repository Archived in Organization

This analytic detects the archival of a repository within a GitHub Organization, potentially indicating malicious activity such as attempts to make code inaccessible, insider threats, or account compromise.

This detection focuses on identifying instances where a repository within a GitHub Organization is archived. Archiving a repository can be a legitimate action, however, unauthorized archival of active repositories may indicate malicious activity. The activity is identified via GitHub Organizations audit logs. Attackers may archive repositories to disrupt development operations, hide evidence of malicious commits, or prepare for complete deletion of the code. This poses a threat to organizations that rely on GitHub for code management and collaboration.

Attack Chain

  1. An attacker gains unauthorized access to a GitHub organization account, potentially through compromised credentials or an insider threat.
  2. The attacker authenticates to the GitHub API using the compromised account.
  3. The attacker identifies a target repository within the organization.
  4. The attacker issues a repo.archived action via the GitHub API to archive the target repository.
  5. GitHub's audit logs record the archival event, including the actor, timestamp, and repository details.
  6. Legitimate developers and CI/CD systems lose access to the archived repository.
  7. Development workflows are disrupted, potentially delaying project timelines.
  8. The attacker may subsequently delete the archived repository, leading to permanent data loss if backups are not maintained.

Impact

Unauthorized repository archival can disrupt development workflows, leading to project delays and potential financial losses. If critical repositories are affected, the impact could be significant, especially in organizations heavily reliant on GitHub for their software development lifecycle. The loss of access to active development code will impact the productivity of software teams. If the archived repository is subsequently deleted, the company's intellectual property may be permanently lost.

Recommendation

  • Enable GitHub Organizations Audit Logs to capture repository archival events, as indicated in the "GitHub Organizations Audit Logs" data source.
  • Deploy the Sigma rule "Detect GitHub Repository Archival" to your SIEM and tune it to your environment.
  • Investigate any alerts generated by the "Detect GitHub Repository Archival" Sigma rule, focusing on unusual actor behavior or unexpected repository archival.
  • Monitor the user_agent field in the logs, as flagged by the "threat_objects" section, for any unexpected or malicious user agents.
  • Implement multi-factor authentication (MFA) for all GitHub organization accounts to mitigate the risk of unauthorized access.

Detection coverage 2

Detect GitHub Repository Archival

medium

Detects when a repository is archived in a GitHub Organization. This can be an indicator of malicious activity if the archival is unauthorized.

sigma tactics: impact techniques: T1485 sources: webserver, linux

Detect GitHub Repository Archival by User Agent

high

Detects when a repository is archived in a GitHub Organization based on a specific user agent.

sigma tactics: impact techniques: T1485 sources: webserver, linux

Detection queries are available on the platform. Get full rules →