GitHub setting changed to fork private repository

github-telemetry

Classification:

attack

Tactic:

TA0009-collection

Technique:

T1213-data-from-information-repositories

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detects policy changes to allow forking of private GitHub repositories.

Strategy

GitHub provides audit logs and webhook events that capture modifications to repository settings. Look for events where the fork setting for private repositories is enabled, which can pose a significant security risk by exposing sensitive code.

  • private_repository_forking.enable

Triage and Response

  1. Identify whether {{@github.actor}} is changing the forking policy for {{@github.repository}}.
  2. If the activity is suspicious:
    • Block the user in GitHub to prevent further access.
    • Begin your organization’s incident response process and investigate.