Skip to content
Threat Feed
low advisory

High Number of Cloned GitHub Repos From PAT

This rule detects a high number of unique private repository clone events originating from a single Github personal access token (PAT) within a short time period, potentially indicating unauthorized access and exfiltration of sensitive code.

This detection rule identifies potentially malicious activity related to the cloning of GitHub repositories. The rule focuses on detecting a high volume of unique private repository clones originating from a single Personal Access Token (PAT) within a short timeframe. This activity can be indicative of a compromised PAT being used to exfiltrate sensitive code from an organization's private repositories. The rule specifically looks for programmatic access using OAuth access tokens or fine-grained PATs. Defenders should be aware of this activity because it can lead to intellectual property theft, exposure of secrets, and potential supply chain attacks. The rule analyzes GitHub audit logs to identify these suspicious cloning events.

Attack Chain

  1. An attacker obtains a valid GitHub Personal Access Token (PAT), either through phishing, credential stuffing, or other means.
  2. The attacker uses the compromised PAT to authenticate to the GitHub API.
  3. The attacker enumerates accessible private repositories using the GitHub API.
  4. For each repository, the attacker initiates a git clone operation via the API.
  5. The GitHub audit logs record the git.clone events, including the github.hashed_token and github.repo fields.
  6. The detection rule aggregates these events, grouping by github.hashed_token and counting the number of unique github.repo values.
  7. If the number of unique cloned repositories from a single token exceeds a predefined threshold (e.g., 10), the rule triggers an alert.
  8. The attacker exfiltrates the cloned code for malicious purposes.

Impact

A successful attack can result in the unauthorized access and exfiltration of sensitive source code, proprietary algorithms, internal documentation, and other confidential information stored in private GitHub repositories. This can lead to intellectual property theft, competitive disadvantage, exposure of vulnerabilities in proprietary software, and potential supply chain compromise. The impact is dependent on the content of the repositories that were cloned.

Recommendation

  • Deploy the Sigma rule High Number of GitHub Private Repo Clones From PAT to your SIEM and tune the threshold for github.repo to suit your environment.
  • Investigate any alerts generated by the Sigma rule High Number of GitHub Private Repo Clones From PAT by reviewing the associated audit logs and user activity.
  • Review and enforce policies regarding the creation, usage, and management of PATs within the organization as described in the "Response and remediation" section of the rule documentation.
  • Monitor for any unusual activity or further unauthorized access attempts using other PATs or credentials as described in the "Response and remediation" section of the rule documentation.

Detection coverage 2

High Number of GitHub Private Repo Clones From PAT

low

Detects a high number of unique private repo clones from a single PAT, indicating potential unauthorized access.

sigma tactics: collection, execution techniques: T1213.003, T1648 sources: webserver, linux

GitHub Private Repo Clone without Programmatic Access

low

Detects cloning of private GitHub repositories without the use of a PAT or OAuth token, which may indicate suspicious activity.

sigma tactics: collection techniques: T1213.003 sources: webserver, linux

Detection queries are available on the platform. Get full rules →