GitHub activity observed from Tor client IP

Goal

Detect when GitHub activity is observed from a Tor exit node.

Strategy

This rule monitors GitHub telemetry logs to determine when activity originated from a Tor client. Datadog enriches all ingested logs with expert-curated threat intelligence in real time. An attacker may use a Tor client to anonymize their true origin when accessing GitHub programmatically.

Triage and response

  • Determine whether {{@github.actor}} from IP address {{@network.client.ip}} has a legitimate reason to access GitHub via Tor.
  • Review the specific actions performed during the session for indicators of reconnaissance, credential misuse, or data access.
  • Check whether this activity coincides with other suspicious signals from the same identity, such as secret enumeration or branch protection changes.
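
The triage steps above can be run offline over exported events, as in this added example (not Datadog's rule or code). It assumes events carry the github.actor and network.client.ip attributes named in the rule plus a github.action field, and it substitutes a constructed Tor IP set for Datadog's threat-intelligence enrichment; the sample events, IPs, and sensitive-action prefixes are constructed.

```python
# Constructed stand-in for threat-intelligence enrichment: known Tor IPs
# (documentation address ranges, not real Tor nodes).
TOR_IPS = {"192.0.2.10", "198.51.100.77"}

# Assumption: action-name prefixes an analyst treats as high-interest.
SENSITIVE_PREFIXES = ("protected_branch.", "secret.")

# Constructed sample events shaped after the rule's attribute paths.
EVENTS = [
    {"github": {"actor": "alice", "action": "git.clone"},
     "network": {"client": {"ip": "192.0.2.10"}}},
    {"github": {"actor": "alice", "action": "protected_branch.destroy"},
     "network": {"client": {"ip": "203.0.113.5"}}},
    {"github": {"actor": "bob", "action": "git.push"},
     "network": {"client": {"ip": "203.0.113.9"}}},
    {"github": {"actor": "alice", "action": "repo.download_zip"},
     "network": {"client": {"ip": "198.51.100.77"}}},
    {"github": {"actor": "carol", "action": "git.fetch"},
     "network": {"client": {"ip": "192.0.2.10"}}},
    {"github": {"actor": "dave", "action": "git.clone"}},  # no network data
]


def client_ip(event):
    """Return network.client.ip, or None when the event lacks it."""
    return event.get("network", {}).get("client", {}).get("ip")


def triage(events, tor_ips=TOR_IPS, sensitive=SENSITIVE_PREFIXES):
    """Summarise, per actor seen from a Tor IP, what the triage steps ask for."""
    report = {}
    # Steps 1 and 2: who came from Tor, from which IPs, and what they did there.
    for e in events:
        ip = client_ip(e)
        if ip in tor_ips:
            entry = report.setdefault(
                e["github"]["actor"],
                {"tor_ips": set(), "tor_actions": [], "sensitive": []},
            )
            entry["tor_ips"].add(ip)
            entry["tor_actions"].append(e["github"]["action"])
    # Step 3: sensitive actions by the same identity, from any IP.
    for e in events:
        entry = report.get(e["github"]["actor"])
        if entry is not None and e["github"]["action"].startswith(sensitive):
            entry["sensitive"].append(e["github"]["action"])
    return report
```

An actor whose entry has a non-empty "sensitive" list is the case the third triage step is looking for: Tor-sourced access combined with a high-interest change by the same identity.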