GitHub Personal Access Token created by suspicious IP

github-telemetry

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a Personal Access Token (PAT) has been created from a suspicious IP.

Strategy

This rule monitors GitHub audit logs for when a PAT has been created from a suspicious IP. A phishing campaign reported by Github’s security team indicated that attackers may try to create a PAT once they have gained unauthorized access to an account to maintain access. Using Datadog threat intelligence the signals raised will have originated from IP addresses deemed to be suspicious.

Note: By default GitHub does not display the source IP address for events in your organization’s audit log. See this post for further information.

Triage and response

  1. Determine if the behavior is unusual for the user:
    • Is the @actor_location.country_code or @http.useragent different?
    • If IP addresses are available, is the @network.client.ip or @network.client.geoip.as.domain different than usual?
    • Speak with the user to verify if they added the PAT.
  2. If the activity is suspicious:
    • Block the user in GitHub to prevent further access.
    • Begin your organization’s incident response process and investigate.
PREVIEWING: brett.blue/embedded-collector-release