<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Archival - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/archival/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/archival/feed.xml" rel="self" type="application/rss+xml"/><item><title>GitHub Repository Archived in Organization</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-github-repo-archived/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-github-repo-archived/</guid><description>This analytic detects the archival of a repository within a GitHub Organization, potentially indicating malicious activity such as attempts to make code inaccessible, insider threats, or account compromise.</description><content:encoded><![CDATA[<p>This detection focuses on identifying instances where a repository within a GitHub Organization is archived. Archiving a repository can be a legitimate action, however, unauthorized archival of active repositories may indicate malicious activity. The activity is identified via GitHub Organizations audit logs. Attackers may archive repositories to disrupt development operations, hide evidence of malicious commits, or prepare for complete deletion of the code. This poses a threat to organizations that rely on GitHub for code management and collaboration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a GitHub organization account, potentially through compromised credentials or an insider threat.</li>
<li>The attacker authenticates to the GitHub API using the compromised account.</li>
<li>The attacker identifies a target repository within the organization.</li>
<li>The attacker issues a <code>repo.archived</code> action via the GitHub API to archive the target repository.</li>
<li>GitHub's audit logs record the archival event, including the actor, timestamp, and repository details.</li>
<li>Legitimate developers and CI/CD systems lose access to the archived repository.</li>
<li>Development workflows are disrupted, potentially delaying project timelines.</li>
<li>The attacker may subsequently delete the archived repository, leading to permanent data loss if backups are not maintained.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Unauthorized repository archival can disrupt development workflows, leading to project delays and potential financial losses. If critical repositories are affected, the impact could be significant, especially in organizations heavily reliant on GitHub for their software development lifecycle. The loss of access to active development code will impact the productivity of software teams. If the archived repository is subsequently deleted, the company's intellectual property may be permanently lost.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable GitHub Organizations Audit Logs to capture repository archival events, as indicated in the &quot;GitHub Organizations Audit Logs&quot; data source.</li>
<li>Deploy the Sigma rule &quot;Detect GitHub Repository Archival&quot; to your SIEM and tune it to your environment.</li>
<li>Investigate any alerts generated by the &quot;Detect GitHub Repository Archival&quot; Sigma rule, focusing on unusual actor behavior or unexpected repository archival.</li>
<li>Monitor the <code>user_agent</code> field in the logs, as flagged by the &quot;threat_objects&quot; section, for any unexpected or malicious user agents.</li>
<li>Implement multi-factor authentication (MFA) for all GitHub organization accounts to mitigate the risk of unauthorized access.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>cloud</category><category>repository</category><category>archival</category></item></channel></rss>