GitHub mass zip file exfiltration of repositories using a personal access token

Goal

Detects mass downloading of repository zip files using personal access tokens, which may represent repository data exfiltration.

Strategy

This rule monitors GitHub audit logs for repo.download_zip events performed using personal access tokens. The detection differentiates between classic PATs and fine-grained PATs, tracking each separately to identify potential exfiltration attempts.

The strategy involves tracking the number of distinct repositories downloaded by each actor to identify suspicious mass download patterns. When an actor downloads multiple repositories in a short timeframe using personal access tokens, this could indicate data theft. The rule incorporates threat intelligence data to provide additional context about suspicious source IPs, allowing for more accurate detection when downloads originate from suspicious networks.
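The following is an added example of the counting logic the strategy describes, written for this page and not Datadog's or GitHub's own rule implementation. It groups `repo.download_zip` audit events by actor and by PAT type, counts distinct repositories inside a sliding time window, and lowers the alert threshold when any download in the window came from a threat-intel-listed IP. The event field names (`action`, `actor`, `repo`, `actor_ip`, `@timestamp`, `programmatic_access_type`), the two token-type strings, the thresholds and the sample events are all assumptions constructed for the example; adjust them to the actual audit-log schema before use.

```python
"""Mass repo.download_zip detection over GitHub audit-log events (added example).

Assumptions, not taken from the page: each event is a dict carrying "action",
"actor", "repo", "actor_ip", "@timestamp" (epoch seconds) and
"programmatic_access_type", where the last field distinguishes classic and
fine-grained personal access tokens using the two labels below.
"""
from collections import defaultdict

# Assumed token-type labels; align these with the real audit-log values.
CLASSIC_PAT = "personal access token"
FINE_GRAINED_PAT = "fine-grained personal access token"
PAT_TYPES = {CLASSIC_PAT, FINE_GRAINED_PAT}

# Constructed threat-intel feed of suspicious source IPs (example values only).
SUSPICIOUS_IPS = {"203.0.113.7"}


def detect_mass_download(events, threshold=5, window_seconds=600, ti_threshold=3):
    """Return one alert per (actor, token type) whose distinct-repository count
    inside any `window_seconds` window reaches `threshold`, or `ti_threshold`
    when a download in that window came from a threat-intel-listed IP."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("action") != "repo.download_zip":
            continue
        token_type = ev.get("programmatic_access_type")
        if token_type not in PAT_TYPES:
            continue  # browser sessions, GitHub Apps, etc. are out of scope
        # Classic and fine-grained PATs are tracked as separate series.
        groups[(ev["actor"], token_type)].append(ev)

    alerts = []
    for (actor, token_type), evs in groups.items():
        evs.sort(key=lambda e: e["@timestamp"])
        best = None
        start = 0
        # Sliding window over the sorted events, keyed on distinct repos.
        for end in range(len(evs)):
            while evs[end]["@timestamp"] - evs[start]["@timestamp"] > window_seconds:
                start += 1
            window = evs[start:end + 1]
            repos = {e["repo"] for e in window}
            ips = {e["actor_ip"] for e in window}
            ti_hit = bool(ips & SUSPICIOUS_IPS)
            limit = ti_threshold if ti_hit else threshold
            if len(repos) >= limit and (best is None or len(repos) > best["distinct_repos"]):
                best = {
                    "actor": actor,
                    "token_type": token_type,
                    "distinct_repos": len(repos),
                    "repos": sorted(repos),
                    "source_ips": sorted(ips),
                    "threat_intel_match": ti_hit,
                }
        if best:
            alerts.append(best)
    return alerts


def _ev(ts, actor, repo, token_type, ip):
    """Build one constructed audit-log event."""
    return {"action": "repo.download_zip", "@timestamp": ts, "actor": actor,
            "repo": repo, "programmatic_access_type": token_type, "actor_ip": ip}


BASE = 1_700_000_000
# Constructed sample events covering the cases a triage analyst cares about.
SAMPLE_EVENTS = [
    # mallory: six distinct repos in five minutes with a classic PAT -> alert
    *[_ev(BASE + i * 50, "mallory", f"acme/repo-{i}", CLASSIC_PAT, "198.51.100.4") for i in range(6)],
    # bob: three distinct repos with a fine-grained PAT from a listed IP -> alert at the lower threshold
    *[_ev(BASE + i * 60, "bob", f"acme/svc-{i}", FINE_GRAINED_PAT, "203.0.113.7") for i in range(3)],
    # alice: the same repo pulled eight times by CI -> one distinct repo, no alert
    *[_ev(BASE + i * 30, "alice", "acme/build", CLASSIC_PAT, "192.0.2.10") for i in range(8)],
    # carol: five repos via a browser session (no PAT) -> not in scope
    *[_ev(BASE + i, "carol", f"acme/doc-{i}", None, "192.0.2.11") for i in range(5)],
    # dave: five repos spread over two hours -> never five inside one window
    *[_ev(BASE + i * 1800, "dave", f"acme/old-{i}", CLASSIC_PAT, "192.0.2.12") for i in range(5)],
]

if __name__ == "__main__":
    for alert in detect_mass_download(SAMPLE_EVENTS):
        print(f"{alert['actor']} ({alert['token_type']}): {alert['distinct_repos']} repos, "
              f"TI match={alert['threat_intel_match']}, IPs={alert['source_ips']}")
```

Counting distinct repositories rather than raw events is what keeps a CI job that repeatedly fetches one archive (alice above) below the threshold, while the per-token-type grouping means a classic PAT and a fine-grained PAT held by the same user surface as separate findings that can be revoked independently.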

Triage & Response

  • Verify the identity of the actor ({{@github.actor}}) and determine if they have legitimate business reasons to download multiple repositories.
  • Examine the specific personal access token used, including its creation date, permissions, and expiration.
  • Review which repositories were accessed and determine their sensitivity level.
  • Analyze the actor’s normal access patterns to identify deviations from typical behavior.
  • Locate the personal access token in GitHub settings and investigate its recent usage history.
  • Evaluate if the downloads occurred from unusual geographic locations or IP addresses.
  • Revoke the personal access token immediately if activity is confirmed malicious.
  • Search for any recently created or modified PATs belonging to the same user account.
  • Rotate any secrets that might have been exposed in the downloaded repositories.
  • Implement organization-wide PAT policies with shorter expiration times and limited scope.