{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ueba/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub"],"_cs_severities":["low"],"_cs_tags":["cloud","threat-detection","ueba","execution"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis detection rule identifies potentially malicious activity related to the cloning of GitHub repositories. The rule focuses on detecting a high volume of unique private repository clones originating from a single Personal Access Token (PAT) within a short timeframe. This activity can be indicative of a compromised PAT being used to exfiltrate sensitive code from an organization's private repositories. The rule specifically looks for programmatic access using OAuth access tokens or fine-grained PATs. Defenders should be aware of this activity because it can lead to intellectual property theft, exposure of secrets, and potential supply chain attacks. The rule analyzes GitHub audit logs to identify these suspicious cloning events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a valid GitHub Personal Access Token (PAT), either through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised PAT to authenticate to the GitHub API.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates accessible private repositories using the GitHub API.\u003c/li\u003e\n\u003cli\u003eFor each repository, the attacker initiates a \u003ccode\u003egit clone\u003c/code\u003e operation via the API.\u003c/li\u003e\n\u003cli\u003eThe GitHub audit logs record the \u003ccode\u003egit.clone\u003c/code\u003e events, including the \u003ccode\u003egithub.hashed_token\u003c/code\u003e and \u003ccode\u003egithub.repo\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eThe detection rule aggregates these events, grouping by \u003ccode\u003egithub.hashed_token\u003c/code\u003e and counting the number of unique \u003ccode\u003egithub.repo\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eIf the number of unique cloned repositories from a single token exceeds a predefined threshold (e.g., 10), the rule triggers an alert.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the cloned code for malicious purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can result in the unauthorized access and exfiltration of sensitive source code, proprietary algorithms, internal documentation, and other confidential information stored in private GitHub repositories. This can lead to intellectual property theft, competitive disadvantage, exposure of vulnerabilities in proprietary software, and potential supply chain compromise. The impact is dependent on the content of the repositories that were cloned.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eHigh Number of GitHub Private Repo Clones From PAT\u003c/code\u003e to your SIEM and tune the threshold for \u003ccode\u003egithub.repo\u003c/code\u003e to suit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eHigh Number of GitHub Private Repo Clones From PAT\u003c/code\u003e by reviewing the associated audit logs and user activity.\u003c/li\u003e\n\u003cli\u003eReview and enforce policies regarding the creation, usage, and management of PATs within the organization as described in the \u0026quot;Response and remediation\u0026quot; section of the rule documentation.\u003c/li\u003e\n\u003cli\u003eMonitor for any unusual activity or further unauthorized access attempts using other PATs or credentials as described in the \u0026quot;Response and remediation\u0026quot; section of the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-github-repo-clone/","summary":"This rule detects a high number of unique private repository clone events originating from a single Github personal access token (PAT) within a short time period, potentially indicating unauthorized access and exfiltration of sensitive code.","title":"High Number of Cloned GitHub Repos From PAT","url":"https://feed.craftedsignal.io/briefs/2024-01-github-repo-clone/"}],"language":"en","title":"CraftedSignal Threat Feed - Ueba","version":"https://jsonfeed.org/version/1.1"}