GitHub mass zip file exfiltration of repositories using an OAuth access token


Goal

Detects mass downloading of repository zip files using OAuth access tokens, which could indicate data exfiltration.

Strategy

This rule monitors GitHub audit logs for repo.download_zip events performed using OAuth access tokens. The detection focuses on tracking actors using OAuth tokens (including those created before April 2021) to download multiple distinct repositories within a short timeframe. The rule specifically filters for programmatic access using OAuth tokens while excluding bot accounts.

The strategy involves tracking the number of distinct repositories downloaded by each actor to identify potential exfiltration attempts. When an actor downloads multiple repositories in a condensed timeframe using OAuth tokens, it could represent suspicious mass data collection activity. The rule includes additional context by incorporating threat intelligence data to identify suspicious source IPs.
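The detection logic described above, written out as an added, stand-alone example (this is not Datadog's rule implementation or GitHub's code): it parses constructed GitHub audit-log events in NDJSON form, keeps only `repo.download_zip` events whose `programmatic_access_type` is an OAuth access token and whose actor is not a bot, slides a time window over each actor's downloads, and raises one alert when the count of distinct repositories inside a window reaches a threshold. The window length (15 minutes), the threshold (5 repositories), the threat-intel IP set, and the field names `actor_is_bot`, `programmatic_access_type`, `actor_ip` and `@timestamp` (epoch milliseconds) are assumptions made here; check them against your own audit-log export.

```python
"""Flag actors that mass-download repository zips with an OAuth access token.

Added example, not the rule's own code. Field names follow the GitHub audit-log
export as assumed here; adjust them to match your export format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=15)   # assumed "short timeframe"
MIN_DISTINCT_REPOS = 5           # assumed alert threshold
SUSPICIOUS_IPS = {"198.51.100.7"}  # constructed stand-in for a threat-intel feed
BASE_MS = 1_717_000_000_000        # constructed epoch-millisecond base


def _event(actor, repo, offset_s, access="OAuth access token", bot=False, ip="203.0.113.10"):
    """Build one constructed audit-log record as a JSON line."""
    return json.dumps({
        "@timestamp": BASE_MS + offset_s * 1000,
        "action": "repo.download_zip",
        "actor": actor,
        "actor_is_bot": bot,
        "repo": repo,
        "programmatic_access_type": access,
        "actor_ip": ip,
    })


# Constructed sample log: one true positive and four cases the filters must reject.
SAMPLE_LOG = "\n".join(
    # alice: 5 distinct repos in 4 minutes (plus one repeat) from a listed IP -> alert
    [_event("alice", f"acme/{r}", 60 * i, ip="198.51.100.7")
     for i, r in enumerate(["payments", "billing", "auth", "infra", "mobile", "payments"])]
    # carol: 5 distinct repos, but an hour apart -> never 5 inside one window
    + [_event("carol", f"acme/{r}", 3600 * i) for i, r in enumerate("abcde")]
    # bob: only 2 repos -> under threshold
    + [_event("bob", f"acme/{r}", 10 * i) for i, r in enumerate("xy")]
    # dependabot[bot]: many repos, but a bot account -> excluded by the rule
    + [_event("dependabot[bot]", f"acme/{r}", i, bot=True) for i, r in enumerate("abcdef")]
    # dave: many repos, but via a PAT rather than an OAuth token -> out of scope
    + [_event("dave", f"acme/{r}", i, access="Personal access token") for i, r in enumerate("abcdef")]
)


def parse_events(ndjson_text):
    """Parse an NDJSON audit-log export into dicts, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def in_scope(ev):
    """Keep OAuth-token zip downloads by non-bot actors, as the rule's filter describes."""
    return (ev.get("action") == "repo.download_zip"
            and ev.get("programmatic_access_type") == "OAuth access token"
            and not ev.get("actor_is_bot", False))


def detect(events, window=WINDOW, threshold=MIN_DISTINCT_REPOS):
    """Return one alert per actor whose distinct-repo count in any sliding window hits threshold."""
    by_actor = defaultdict(list)
    for ev in events:
        if in_scope(ev):
            ts = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
            by_actor[ev["actor"]].append((ts, ev["repo"], ev.get("actor_ip")))

    alerts = []
    for actor, items in by_actor.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = items[start:end + 1]
            repos = {repo for _, repo, _ in in_window}
            if len(repos) >= threshold:
                ips = {ip for _, _, ip in in_window}
                alerts.append({
                    "actor": actor,
                    "distinct_repos": len(repos),
                    "repos": sorted(repos),
                    "window_start": in_window[0][0].isoformat(),
                    "window_end": in_window[-1][0].isoformat(),
                    "ti_match": bool(ips & SUSPICIOUS_IPS),  # the rule's IP enrichment
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run against the constructed log, only `alice` trips the rule; `carol` shows why the window must slide rather than bucket by fixed hour, and the bot and PAT cases show the two filters the rule applies before counting. The `ti_match` flag is the hook for the threat-intelligence enrichment mentioned above and is where an analyst would expect the source-IP context to surface.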

Triage & Response

  • Verify if the repositories downloaded are sensitive or contain proprietary code.
  • Examine the OAuth token’s creation date, permissions, and associated application.
  • Review the user’s ({{@github.actor}}) access history and normal usage patterns to determine if this behavior is unusual.
  • Revoke the OAuth token used in the suspicious activity.
  • Rotate any exposed secrets that might have been in the downloaded repositories.
  • Review existing OAuth applications and their permission scopes across your organization.
  • Implement stricter OAuth token policies and consider using fine-grained tokens with limited repository access.