GitHub repository created with suspicious naming convention


Goal

Detects newly created GitHub repositories whose names match suspicious patterns that may indicate a ransom notice.

Strategy

This rule monitors GitHub audit logs for repository creation events (event type repo.create) and flags those whose repository name matches a suspicious naming pattern.
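As an added illustration (not Datadog's rule implementation), the following Python scans newline-delimited GitHub audit log JSON for repo.create events and checks the repository's short name against a set of naming patterns. The patterns and the sample log entries are constructed assumptions for this example; the rule page does not list the exact patterns it uses.

```python
import json
import re
from typing import Iterable

# Assumed naming patterns (illustrative only; tune to your own data).
SUSPICIOUS_NAME_PATTERNS = [
    re.compile(r"ransom", re.IGNORECASE),
    re.compile(r"(read|open)[-_]?me[-_]?(now|to[-_]?recover)", re.IGNORECASE),
    re.compile(r"recover[-_]?(your|my)?[-_]?(data|files|repos?)", re.IGNORECASE),
    re.compile(r"^(backup|bak)[-_]?\d{6,}$", re.IGNORECASE),
]


def is_suspicious_name(name: str) -> bool:
    """Return True when the repository's short name matches any assumed pattern."""
    return any(p.search(name) for p in SUSPICIOUS_NAME_PATTERNS)


def find_suspicious_repo_creations(audit_lines: Iterable[str]) -> list[dict]:
    """Scan audit log lines (one JSON object per line) for repo.create events
    whose repository name is suspicious. Returns one finding per matching event."""
    findings = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if event.get("action") != "repo.create":
            continue
        full_name = event.get("repo", "")
        short_name = full_name.rsplit("/", 1)[-1]  # audit log stores "org/name"
        if is_suspicious_name(short_name):
            findings.append({
                "repository": full_name,
                "actor": event.get("actor"),
                "created_at": event.get("created_at"),
            })
    return findings


# Constructed sample audit log entries (not real data), using the field names
# GitHub's audit log export provides: action, actor, repo, org, created_at.
SAMPLE_AUDIT_LOG = """
{"action": "repo.create", "actor": "alice", "repo": "acme/payments-api", "org": "acme", "created_at": 1718000000000}
{"action": "repo.create", "actor": "attacker01", "repo": "acme/README-TO-RECOVER", "org": "acme", "created_at": 1718000300000}
{"action": "repo.destroy", "actor": "attacker01", "repo": "acme/payments-api", "org": "acme", "created_at": 1718000320000}
{"action": "repo.create", "actor": "attacker01", "repo": "acme/backup-20240610", "org": "acme", "created_at": 1718000360000}
"""

if __name__ == "__main__":
    for finding in find_suspicious_repo_creations(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

Note that the repo.destroy event in the sample is deliberately ignored by this check; correlating it with the creation is the separate triage step described below.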

Triage & Response

  • Examine the newly created repository {{@github.repository}} to determine whether it contains legitimate backup data or potential attacker content.
  • Review the repository contents and commit history to understand when the repository was generated and what content exists.
  • Check for any corresponding repository downloads, deletions, or modifications that occurred around the same time the repository was created.
  • Determine if the repository naming pattern matches known ransomware indicators and assess for potential compromise.