<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Ueba - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/ueba/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/ueba/feed.xml" rel="self" type="application/rss+xml"/><item><title>High Number of Cloned GitHub Repos From PAT</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-repo-clone/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-repo-clone/</guid><description>This rule detects a high number of unique private repository clone events originating from a single Github personal access token (PAT) within a short time period, potentially indicating unauthorized access and exfiltration of sensitive code.</description><content:encoded><![CDATA[<p>This detection rule identifies potentially malicious activity related to the cloning of GitHub repositories. The rule focuses on detecting a high volume of unique private repository clones originating from a single Personal Access Token (PAT) within a short timeframe. This activity can be indicative of a compromised PAT being used to exfiltrate sensitive code from an organization's private repositories. The rule specifically looks for programmatic access using OAuth access tokens or fine-grained PATs. Defenders should be aware of this activity because it can lead to intellectual property theft, exposure of secrets, and potential supply chain attacks. The rule analyzes GitHub audit logs to identify these suspicious cloning events.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains a valid GitHub Personal Access Token (PAT), either through phishing, credential stuffing, or other means.</li>
<li>The attacker uses the compromised PAT to authenticate to the GitHub API.</li>
<li>The attacker enumerates accessible private repositories using the GitHub API.</li>
<li>For each repository, the attacker initiates a <code>git clone</code> operation via the API.</li>
<li>The GitHub audit logs record the <code>git.clone</code> events, including the <code>github.hashed_token</code> and <code>github.repo</code> fields.</li>
<li>The detection rule aggregates these events, grouping by <code>github.hashed_token</code> and counting the number of unique <code>github.repo</code> values.</li>
<li>If the number of unique cloned repositories from a single token exceeds a predefined threshold (e.g., 10), the rule triggers an alert.</li>
<li>The attacker exfiltrates the cloned code for malicious purposes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can result in the unauthorized access and exfiltration of sensitive source code, proprietary algorithms, internal documentation, and other confidential information stored in private GitHub repositories. This can lead to intellectual property theft, competitive disadvantage, exposure of vulnerabilities in proprietary software, and potential supply chain compromise. The impact is dependent on the content of the repositories that were cloned.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>High Number of GitHub Private Repo Clones From PAT</code> to your SIEM and tune the threshold for <code>github.repo</code> to suit your environment.</li>
<li>Investigate any alerts generated by the Sigma rule <code>High Number of GitHub Private Repo Clones From PAT</code> by reviewing the associated audit logs and user activity.</li>
<li>Review and enforce policies regarding the creation, usage, and management of PATs within the organization as described in the &quot;Response and remediation&quot; section of the rule documentation.</li>
<li>Monitor for any unusual activity or further unauthorized access attempts using other PATs or credentials as described in the &quot;Response and remediation&quot; section of the rule documentation.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>cloud</category><category>threat-detection</category><category>ueba</category><category>execution</category></item></channel></rss>