GitHub mass zip file exfiltration of repositories using an OAuth access token


Goal

Detects mass downloading of repository zip files using OAuth access tokens, which could indicate data exfiltration.

Strategy

This rule monitors GitHub audit logs for repo.download_zip events performed using OAuth access tokens. The detection focuses on tracking actors using OAuth tokens (including those created before April 2021) to download multiple distinct repositories within a short timeframe. The rule specifically filters for programmatic access using OAuth tokens while excluding bot accounts.

The strategy involves tracking the number of distinct repositories downloaded by each actor to identify potential exfiltration attempts. When an actor downloads multiple repositories in a condensed timeframe using OAuth tokens, it could represent suspicious mass data collection activity. The rule includes additional context by incorporating threat intelligence data to identify suspicious source IPs.
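The detection described above, written out as an added example that is not the rule's own query or any Datadog code: it filters constructed audit-log records down to `repo.download_zip` events made with an OAuth access token by a non-bot actor, then slides a time window over each actor's events and counts distinct repositories, enriching any hit with a threat-intelligence IP match. Field names (`action`, `actor`, `repo`, `created_at` in epoch milliseconds, `programmatic_access_type`, `actor_ip`, `actor_is_bot`) mirror GitHub audit-log JSON as an assumption; the ten-minute window, the threshold of five repositories, the actors, repositories, IPs and the threat-intel list are all constructed for illustration.

```python
"""Added example: sliding-window detection of mass repo.download_zip events.

Field names follow GitHub audit-log JSON as an assumption; every event,
actor, IP address and tuning value below is constructed for illustration.
"""
from collections import defaultdict

WINDOW_MS = 10 * 60 * 1000  # "short timeframe": 10 minutes (assumed tuning)
THRESHOLD = 5               # distinct repositories before alerting (assumed tuning)

# Constructed threat-intelligence list of suspicious source IPs (documentation range).
THREAT_INTEL_IPS = frozenset({"203.0.113.10"})


def _ev(actor, repo, t_ms, access="OAuth access token", ip="198.51.100.5", bot=False):
    """Build one constructed audit-log record in the assumed GitHub shape."""
    return {"action": "repo.download_zip", "actor": actor, "repo": repo,
            "created_at": t_ms, "programmatic_access_type": access,
            "actor_ip": ip, "actor_is_bot": bot}


T0 = 1_700_000_000_000  # constructed epoch-millisecond base time
SAMPLE_EVENTS = (
    # alice: six distinct repos (one of them twice) in about three minutes from a listed IP
    [_ev("alice", f"example-org/repo-{i}", T0 + i * 30_000, ip="203.0.113.10") for i in range(6)]
    + [_ev("alice", "example-org/repo-0", T0 + 200_000, ip="203.0.113.10")]
    # bob: two repos, well under the threshold
    + [_ev("bob", "example-org/docs", T0), _ev("bob", "example-org/site", T0 + 60_000)]
    # ci-bot: many repos, but a bot account, so the rule filter excludes it
    + [_ev("ci-bot[bot]", f"example-org/svc-{i}", T0 + i * 1_000, bot=True) for i in range(8)]
    # carol: many repos, but via a classic PAT rather than an OAuth token, so excluded
    + [_ev("carol", f"example-org/lib-{i}", T0 + i * 1_000,
           access="Personal access token (classic)") for i in range(6)]
    # dave: six repos spread twelve minutes apart, so never five inside one window
    + [_ev("dave", f"example-org/tool-{i}", T0 + i * 12 * 60_000) for i in range(6)]
)


def is_candidate(event):
    """Rule filter: zip downloads made with an OAuth token by a non-bot actor.
    startswith() also matches variants such as tokens created before April 2021."""
    return (event.get("action") == "repo.download_zip"
            and str(event.get("programmatic_access_type", "")).startswith("OAuth access token")
            and not event.get("actor_is_bot", False))


def detect_mass_download(events, window_ms=WINDOW_MS, threshold=THRESHOLD,
                         threat_ips=THREAT_INTEL_IPS):
    """Return one alert per actor whose distinct-repository count inside any
    window of `window_ms` reaches `threshold`. Each alert lists the repos, the
    window start and whether any source IP matched the threat-intel set."""
    by_actor = defaultdict(list)
    for ev in sorted(filter(is_candidate, events), key=lambda e: e["created_at"]):
        by_actor[ev["actor"]].append(ev)

    alerts = {}
    for actor, evs in by_actor.items():
        best = None
        for i, start in enumerate(evs):
            repos, ips = set(), set()
            # Events are time-sorted, so stop at the first one past the window.
            for ev in evs[i:]:
                if ev["created_at"] - start["created_at"] > window_ms:
                    break
                repos.add(ev["repo"])
                ips.add(ev["actor_ip"])
            if len(repos) >= threshold and (best is None or len(repos) > best["distinct_repos"]):
                best = {"actor": actor, "distinct_repos": len(repos), "repos": sorted(repos),
                        "window_start_ms": start["created_at"],
                        "threat_intel_ip_match": bool(ips & threat_ips)}
        if best is not None:
            alerts[actor] = best
    return alerts


if __name__ == "__main__":
    for actor, alert in detect_mass_download(SAMPLE_EVENTS).items():
        print(actor, alert["distinct_repos"], "repos, threat-intel IP:",
              alert["threat_intel_ip_match"])
```

Only `alice` fires on the sample data: the bot and PAT actors are dropped by the filter, `bob` is under the threshold, and `dave` is spaced too widely for any single window. Counting distinct repositories rather than raw events is what keeps a repeated download of one repo from inflating the score, which is the distinction the rule relies on.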

Triage & Response

  • Verify if the repositories downloaded are sensitive or contain proprietary code.
  • Examine the OAuth token’s creation date, permissions, and associated application.
  • Review the user’s ({{@github.actor}}) access history and normal usage patterns to determine if this behavior is unusual.
  • Revoke the OAuth token used in the suspicious activity.
  • Rotate any exposed secrets that might have been in the downloaded repositories.
  • Review existing OAuth applications and their permission scopes across your organization.
  • Implement stricter OAuth token policies and consider using fine-grained tokens with limited repository access.