Skip to content
Threat Feed
low advisory

GitHub Activity on Private Repository from Unusual IP

Detection of activity on a private GitHub repository from an unusual IP address, potentially indicating unauthorized access or exfiltration attempts.

This detection rule identifies activity on private GitHub repositories originating from unusual IP addresses. This can signal a potential compromise, supply chain attack, or unauthorized access attempt. An adversary might leverage compromised credentials or other access vectors to interact with private repositories. The goal is often to exfiltrate sensitive code, data, or intellectual property. The rule focuses on git.push and git.clone events against private repositories. This activity is attributed to adversaries attempting to gain initial access, establish persistence, and ultimately impact the confidentiality of the data within the repository. The rule is based on unusual IP addresses, requiring a period of observation to establish a baseline of known good IPs.

Attack Chain

  1. Initial Access: The attacker gains access to a valid user account through credential compromise (e.g., phishing, password reuse).
  2. Authentication: The attacker authenticates to GitHub using the compromised credentials.
  3. Reconnaissance: The attacker enumerates available repositories and identifies private repositories containing valuable data (source code, secrets, etc.) using T1213.003.
  4. Data Collection: The attacker initiates a git clone operation to download the contents of the private repository.
  5. Command and Scripting Interpreter: The attacker might use scripting interpreters (e.g., Python, Bash) to automate the cloning process across multiple repositories.
  6. Data Exfiltration: The attacker copies the repository data to an external location under their control.
  7. Persistence: The attacker may attempt to establish persistence by creating rogue SSH keys or OAuth applications within the compromised account.
  8. Impact: The attacker uses the exfiltrated data for malicious purposes, such as selling intellectual property, incorporating code into a supply chain attack, or gaining further access to internal systems.

Impact

A successful attack of this nature can lead to the exposure of sensitive source code, proprietary algorithms, confidential data, and internal credentials. This can result in significant financial losses, reputational damage, and legal liabilities. The impact extends beyond the directly affected organization if the compromised code is integrated into a supply chain, as highlighted by the Shai Hulud attacks. Even a single compromised repository can expose critical vulnerabilities or intellectual property.

Recommendation

  • Deploy the Sigma rule Github Activity on a Private Repository from an Unusual IP to your SIEM and tune the new_terms_fields values (source.ip, github.repo) to fit your environment.
  • Investigate any alerts generated by the Sigma rule by reviewing the related GitHub audit logs and network connection logs.
  • Implement multi-factor authentication (MFA) for all GitHub accounts to mitigate credential compromise (TA0001).
  • Monitor GitHub audit logs for suspicious activity, such as unusual login locations or API usage patterns.
  • Review and harden your software supply chain security practices, as referenced in the threat intelligence report links.

Detection coverage 2

Github Activity on Private Repository from New IP

low

Detects git clone or push events on private GitHub repositories originating from a previously unseen IP address.

sigma tactics: impact, initial_access, persistence techniques: T1078.004, T1195.002 sources: webserver, linux

Github Activity on Private Repository from New Repo

low

Detects git clone or push events on private GitHub repositories that have not been seen before.

sigma tactics: impact, initial_access, persistence techniques: T1078.004, T1195.002 sources: webserver, linux

Detection queries are available on the platform. Get full rules →