GitHub repository created with suspicious naming convention

github-telemetry

Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detects newly created GitHub repositories with suspicious naming patterns that may indicate a ransom notice.

Strategy

This rule monitors GitHub audit logs for repository creation events where the event is repo.create.

Triage & Response

  • Examine the newly created repository {{@github.repository}} to determine whether it contains legitimate backup data or potential attacker content.
  • Review the repository contents and commit history to understand when the repository was generated and what content exists.
  • Check for any corresponding repository downloads, deletions, or modifications that occurred around the same time as the backup creation.
  • Determine if the repository naming pattern matches known ransomware indicators and assess for potential compromise.