GitHub large amount of classic personal access token use via suspicious VPN

github-telemetry

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detects when a GitHub personal access token is used with a non-corporate VPN to access your GitHub instance. Identifies potential unauthorized access or token compromise through anomalous client behavior.

Strategy

This rule monitors GitHub audit logs for personal access token usage with a suspicious VPN. It tracks a high number of actions taken by a single user across unique repositories.

Triage & Response

  • Examine the ASN for {{@github.actor}} to determine if it represents legitimate automation or a suspicious client.
  • Verify if the token owner authorized the use of new tools or scripts that would generate different user agent strings.
  • Review recent GitHub activity for the user to identify any suspicious repository access or data collection attempts.