{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/archival/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub"],"_cs_severities":["medium"],"_cs_tags":["github","cloud","repository","archival"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where a repository within a GitHub Organization is archived. Archiving a repository can be a legitimate action, however, unauthorized archival of active repositories may indicate malicious activity. The activity is identified via GitHub Organizations audit logs. Attackers may archive repositories to disrupt development operations, hide evidence of malicious commits, or prepare for complete deletion of the code. This poses a threat to organizations that rely on GitHub for code management and collaboration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub organization account, potentially through compromised credentials or an insider threat.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub API using the compromised account.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target repository within the organization.\u003c/li\u003e\n\u003cli\u003eThe attacker issues a \u003ccode\u003erepo.archived\u003c/code\u003e action via the GitHub API to archive the target repository.\u003c/li\u003e\n\u003cli\u003eGitHub's audit logs record the archival event, including the actor, timestamp, and repository details.\u003c/li\u003e\n\u003cli\u003eLegitimate developers and CI/CD systems lose access to the archived repository.\u003c/li\u003e\n\u003cli\u003eDevelopment workflows are disrupted, potentially delaying project timelines.\u003c/li\u003e\n\u003cli\u003eThe attacker may subsequently delete the archived repository, leading to permanent data loss if backups are not maintained.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eUnauthorized repository archival can disrupt development workflows, leading to project delays and potential financial losses. If critical repositories are affected, the impact could be significant, especially in organizations heavily reliant on GitHub for their software development lifecycle. The loss of access to active development code will impact the productivity of software teams. If the archived repository is subsequently deleted, the company's intellectual property may be permanently lost.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub Organizations Audit Logs to capture repository archival events, as indicated in the \u0026quot;GitHub Organizations Audit Logs\u0026quot; data source.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect GitHub Repository Archival\u0026quot; to your SIEM and tune it to your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026quot;Detect GitHub Repository Archival\u0026quot; Sigma rule, focusing on unusual actor behavior or unexpected repository archival.\u003c/li\u003e\n\u003cli\u003eMonitor the \u003ccode\u003euser_agent\u003c/code\u003e field in the logs, as flagged by the \u0026quot;threat_objects\u0026quot; section, for any unexpected or malicious user agents.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub organization accounts to mitigate the risk of unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-github-repo-archived/","summary":"This analytic detects the archival of a repository within a GitHub Organization, potentially indicating malicious activity such as attempts to make code inaccessible, insider threats, or account compromise.","title":"GitHub Repository Archived in Organization","url":"https://feed.craftedsignal.io/briefs/2024-01-03-github-repo-archived/"}],"language":"en","title":"CraftedSignal Threat Feed - Archival","version":"https://jsonfeed.org/version/1.1"}