GitHub Repository Archived in Organization
This analytic detects the archival of a repository within a GitHub Organization, potentially indicating malicious activity such as attempts to make code inaccessible, insider threats, or account compromise.
This detection focuses on identifying instances where a repository within a GitHub Organization is archived. Archiving a repository can be a legitimate action, however, unauthorized archival of active repositories may indicate malicious activity. The activity is identified via GitHub Organizations audit logs. Attackers may archive repositories to disrupt development operations, hide evidence of malicious commits, or prepare for complete deletion of the code. This poses a threat to organizations that rely on GitHub for code management and collaboration.
Attack Chain
- An attacker gains unauthorized access to a GitHub organization account, potentially through compromised credentials or an insider threat.
- The attacker authenticates to the GitHub API using the compromised account.
- The attacker identifies a target repository within the organization.
- The attacker issues a
repo.archivedaction via the GitHub API to archive the target repository. - GitHub's audit logs record the archival event, including the actor, timestamp, and repository details.
- Legitimate developers and CI/CD systems lose access to the archived repository.
- Development workflows are disrupted, potentially delaying project timelines.
- The attacker may subsequently delete the archived repository, leading to permanent data loss if backups are not maintained.
Impact
Unauthorized repository archival can disrupt development workflows, leading to project delays and potential financial losses. If critical repositories are affected, the impact could be significant, especially in organizations heavily reliant on GitHub for their software development lifecycle. The loss of access to active development code will impact the productivity of software teams. If the archived repository is subsequently deleted, the company's intellectual property may be permanently lost.
Recommendation
- Enable GitHub Organizations Audit Logs to capture repository archival events, as indicated in the "GitHub Organizations Audit Logs" data source.
- Deploy the Sigma rule "Detect GitHub Repository Archival" to your SIEM and tune it to your environment.
- Investigate any alerts generated by the "Detect GitHub Repository Archival" Sigma rule, focusing on unusual actor behavior or unexpected repository archival.
- Monitor the
user_agentfield in the logs, as flagged by the "threat_objects" section, for any unexpected or malicious user agents. - Implement multi-factor authentication (MFA) for all GitHub organization accounts to mitigate the risk of unauthorized access.
Detection coverage 2
Detect GitHub Repository Archival
mediumDetects when a repository is archived in a GitHub Organization. This can be an indicator of malicious activity if the archival is unauthorized.
Detect GitHub Repository Archival by User Agent
highDetects when a repository is archived in a GitHub Organization based on a specific user agent.
Detection queries are available on the platform. Get full rules →