GitHub repository created with suspicious naming convention


Goal

Detects newly created GitHub repositories with suspicious naming patterns that may indicate a ransom notice.

Strategy

This rule monitors GitHub audit logs for repository creation events (event name repo.create) and triggers when the name of the newly created repository matches a suspicious naming pattern, such as one used to announce a ransom notice.

Triage & Response

  • Examine the newly created repository {{@github.repository}} to determine whether it contains legitimate backup data or attacker-controlled content such as a ransom note.
  • Review the repository contents and commit history to establish when the repository was created, by which actor, and what content it holds.
  • Check for corresponding repository downloads, deletions, renames, or other modifications by the same actor that occurred around the time of the repository creation.
  • Determine whether the repository name matches known ransom or extortion indicators and, if so, assess the organization for compromise.
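The detection described under Strategy and the correlation step under Triage & Response, as an added example written for this page rather than Datadog's or GitHub's own code. It reads constructed events in the JSON format GitHub's audit-log export uses (action, actor, repo, @timestamp in epoch milliseconds), flags repo.create events whose repository name matches a naming pattern, then pulls the same actor's nearby repository deletions, renames, and creations for each hit. The pattern tokens (ransom, backup, readme, restore), the 30-minute window, and all sample events are assumptions for illustration; the page does not state the rule's real pattern.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed naming pattern: the page does not give the rule's exact regex,
# so these tokens are an illustration, not the real detection definition.
SUSPICIOUS_NAME = re.compile(r"(ransom|backup|read[_-]?me|restore)", re.IGNORECASE)

# Actions worth correlating around a hit, in GitHub audit-log vocabulary
# (repo.destroy = deletion, repo.rename = modification).
RELATED_ACTIONS = {"repo.destroy", "repo.rename", "repo.create"}

# Constructed sample events in GitHub's JSON audit-log export shape.
# "contractor-1" deletes a repo, then creates a ransom-style repo a minute later;
# "dev-3" creates a legitimately named backup-scripts repo with no surrounding activity.
SAMPLE_LOG = """
{"action": "repo.destroy", "actor": "contractor-1", "repo": "acme/payments-api", "@timestamp": 1717000000000}
{"action": "repo.create", "actor": "contractor-1", "repo": "acme/README-BACKUP", "@timestamp": 1717000060000}
{"action": "repo.rename", "actor": "contractor-1", "repo": "acme/infra", "@timestamp": 1717000120000}
{"action": "repo.create", "actor": "dev-2", "repo": "acme/billing-service", "@timestamp": 1717003600000}
{"action": "repo.create", "actor": "dev-3", "repo": "acme/db-backup-scripts", "@timestamp": 1716000000000}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON audit events; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["ts"] = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        events.append(ev)
    return events


def detect_suspicious_repo_create(events):
    """Rule logic: repo.create events whose repository name matches the pattern."""
    hits = []
    for ev in events:
        if ev.get("action") != "repo.create":
            continue
        # Match on the repository name only, not the org/owner prefix.
        name = ev.get("repo", "").split("/", 1)[-1]
        if SUSPICIOUS_NAME.search(name):
            hits.append(ev)
    return hits


def correlate_actor_activity(events, hit, window=timedelta(minutes=30)):
    """Triage helper: deletions, renames and creations by the same actor
    within +/- window of the hit, oldest first."""
    lo, hi = hit["ts"] - window, hit["ts"] + window
    related = [
        ev for ev in events
        if ev is not hit
        and ev.get("actor") == hit.get("actor")
        and ev.get("action") in RELATED_ACTIONS
        and lo <= ev["ts"] <= hi
    ]
    return sorted(related, key=lambda e: e["ts"])


def triage(text):
    """Run the detection, then attach correlated activity to each hit."""
    events = parse_audit_log(text)
    report = []
    for hit in detect_suspicious_repo_create(events):
        related = correlate_actor_activity(events, hit)
        report.append({
            "repo": hit["repo"],
            "actor": hit["actor"],
            "related_actions": [(e["action"], e["repo"]) for e in related],
            # A deletion shortly before the creation is the strongest sign of
            # a wipe-and-ransom sequence rather than a legitimate backup repo.
            "preceded_by_destroy": any(
                e["action"] == "repo.destroy" and e["ts"] < hit["ts"] for e in related
            ),
        })
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(json.dumps(item, indent=2))
```

Both hits are reported, but only the contractor-1 one carries a preceding repo.destroy and a follow-on rename; the dev-3 hit has no surrounding activity, which is the kind of legitimate backup repository the first triage step asks you to rule out before escalating.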