GitHub repository created with suspicious naming convention


Goal

Detects newly created GitHub repositories with suspicious naming patterns that may indicate a ransom notice.

Strategy

This rule monitors GitHub audit logs for repository creation events (action repo.create) and flags those whose repository name matches a suspicious naming pattern that may indicate a ransom notice.
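The check described above, as an added example that is not the rule's own implementation: it walks exported GitHub audit log events, keeps only repo.create actions, and flags repository names that match a small list of ransom-note style patterns. The event field names (action, repo, actor, created_at) follow the GitHub audit log JSON export, the sample events are constructed, and the pattern list is an assumption for illustration, not the rule's actual pattern set.

```python
"""Flag GitHub repo.create audit events whose repository name looks like a ransom notice."""
import json
import re
from typing import List, Optional

# Assumed ransom-notice name fragments (illustrative, not the detection rule's real list).
SUSPICIOUS_NAME_PATTERNS = [
    re.compile(r"ransom", re.I),
    re.compile(r"read[-_]?me[-_]?(now|urgent|important)", re.I),
    re.compile(r"(recover|restore)[-_]?(your)?[-_]?(files|data|repos?)", re.I),
    re.compile(r"(hacked|breached|pwned)", re.I),
    re.compile(r"how[-_]?to[-_]?(decrypt|recover)", re.I),
]

# Constructed sample audit log lines (JSON per line, GitHub export style).
SAMPLE_AUDIT_LOG = "\n".join([
    '{"action":"repo.create","repo":"acme/billing-service","actor":"alice","created_at":"2024-05-01T09:00:00Z"}',
    '{"action":"repo.create","repo":"acme/README-RECOVER-YOUR-DATA","actor":"svc-ci","created_at":"2024-05-01T09:04:00Z"}',
    '{"action":"repo.destroy","repo":"acme/ransom-note","actor":"svc-ci","created_at":"2024-05-01T09:05:00Z"}',
    '{"action":"repo.create","repo":"acme/HACKED-contact-us","actor":"svc-ci","created_at":"2024-05-01T09:06:00Z"}',
])


def matched_pattern(repo_full_name: str) -> Optional[str]:
    """Return the pattern that matches the repo's short name, or None if it looks benign."""
    short_name = repo_full_name.rsplit("/", 1)[-1]  # drop the "org/" prefix
    for pattern in SUSPICIOUS_NAME_PATTERNS:
        if pattern.search(short_name):
            return pattern.pattern
    return None


def detect_ransom_repos(audit_log_lines: str) -> List[dict]:
    """Parse JSON-per-line audit events and return findings for suspicious repo.create events."""
    findings = []
    for line in audit_log_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("action") != "repo.create":  # only creation events are in scope
            continue
        hit = matched_pattern(event.get("repo", ""))
        if hit:
            findings.append({"repo": event["repo"], "actor": event.get("actor"),
                             "created_at": event.get("created_at"), "pattern": hit})
    return findings


if __name__ == "__main__":
    for finding in detect_ransom_repos(SAMPLE_AUDIT_LOG):
        print(finding)
```

Each finding carries the actor and timestamp so the triage steps below (checking for deletions or downloads around the same time) can be pivoted from it.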

Triage & Response

  • Examine the newly created repository {{@github.repository}} to determine whether it contains legitimate backup data or potential attacker content.
  • Review the repository contents and commit history to understand when the repository was generated and what content exists.
  • Check for any corresponding repository downloads, deletions, or modifications that occurred around the same time as the repository's creation.
  • Determine if the repository naming pattern matches known ransomware indicators and assess for potential compromise.