GitHub mass exfiltration via cloning of repositories using a personal access token
Goal
Detects mass cloning of GitHub repositories using personal access tokens, indicating potential data exfiltration attempts. Alerts when users clone an unusually high number of distinct repositories within a short timeframe.
Strategy
This rule monitors GitHub audit logs for git.clone actions performed using personal access tokens (both classic and fine-grained). The rule implements multiple severity thresholds based on the number of distinct repositories cloned within the detection window and incorporates threat intelligence enrichment to identify cloning activity from suspicious IP addresses. Mass repository cloning using programmatic access tokens is a common technique used by malicious actors to exfiltrate large amounts of source code and sensitive data from organizations.
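As an added worked example (not the rule's own query and not Datadog's code), the following Python runs that detection logic over a constructed set of audit events: it keeps only git.clone events made with a personal access token, counts the distinct repositories each actor cloned inside a sliding one-hour window, maps that count to a severity, and escalates one level when any clone in the busiest window came from a source IP on a threat-intelligence list. The field names follow GitHub's audit-log conventions (action, actor, repo, actor_ip, programmatic_access_type, @timestamp); the token-type strings, the window length, the thresholds and the suspicious-IP list are illustrative assumptions, not the rule's real configuration.

```python
"""Toy version of the detection logic: mass git.clone with a personal access token.

Added example, not the original Datadog rule. Assumptions (not from the page):
- events are newline-delimited JSON using GitHub audit-log style field names
  (action, actor, repo, actor_ip, programmatic_access_type, @timestamp in ms);
- the PAT type strings, the 1-hour window, the severity thresholds and the
  suspicious-IP list are illustrative values, not the rule's configuration.
"""
import json
from collections import Counter, defaultdict

# Token types treated as personal access tokens (assumed strings).
PAT_TYPES = {"Personal access token", "Fine-grained personal access token"}

WINDOW_MS = 60 * 60 * 1000                                # 1-hour window (assumed)
LEVELS = ["medium", "high", "critical"]
THRESHOLDS = {"medium": 10, "high": 25, "critical": 50}   # distinct repos (assumed)

# Constructed threat-intelligence list; the real rule enriches from a TI feed.
SUSPICIOUS_IPS = {"203.0.113.42"}


def is_pat_clone(event):
    """True for git.clone events performed with a classic or fine-grained PAT."""
    return (event.get("action") == "git.clone"
            and event.get("programmatic_access_type") in PAT_TYPES)


def severity_for(distinct_repos, suspicious_ips):
    """Map a distinct-repo count to a severity; escalate one level on a TI hit."""
    level = None
    for name in LEVELS:
        if distinct_repos >= THRESHOLDS[name]:
            level = name
    if level is None:
        return None                      # below the lowest threshold: no alert
    if suspicious_ips:
        level = LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]
    return level


def detect(lines):
    """Return {actor: alert} for actors whose busiest window crosses a threshold."""
    per_actor = defaultdict(list)
    for line in lines:
        if line.strip():
            event = json.loads(line)
            if is_pat_clone(event):
                per_actor[event["actor"]].append(event)

    alerts = {}
    for actor, events in per_actor.items():
        events.sort(key=lambda e: e["@timestamp"])
        in_window, start, best = Counter(), 0, None
        for end, event in enumerate(events):
            in_window[event["repo"]] += 1
            # Slide the left edge until the window spans at most WINDOW_MS.
            while event["@timestamp"] - events[start]["@timestamp"] > WINDOW_MS:
                old = events[start]["repo"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if best is None or len(in_window) > best["distinct_repos"]:
                span = events[start:end + 1]
                best = {
                    "distinct_repos": len(in_window),
                    "repos": sorted(in_window),
                    "suspicious_ips": sorted({e["actor_ip"] for e in span
                                              if e["actor_ip"] in SUSPICIOUS_IPS}),
                    "window_start": events[start]["@timestamp"],
                    "window_end": event["@timestamp"],
                }
        severity = severity_for(best["distinct_repos"], best["suspicious_ips"])
        if severity:
            alerts[actor] = dict(best, severity=severity)
    return alerts


def _event(ts_ms, actor, repo, ip, access_type="Personal access token"):
    """Build one constructed audit-log line."""
    return json.dumps({"action": "git.clone", "@timestamp": ts_ms, "actor": actor,
                       "repo": repo, "actor_ip": ip,
                       "programmatic_access_type": access_type})


T0 = 1_700_000_000_000   # arbitrary epoch-ms origin for the constructed log
MINUTE = 60_000
SAMPLE_LOG = [
    # mallory: 12 distinct repos in 12 minutes from a TI-listed address
    *[_event(T0 + i * MINUTE, "mallory", f"acme/repo-{i}", "203.0.113.42") for i in range(12)],
    # bob: 12 distinct repos, but one every 20 minutes, so at most 4 in any hour
    *[_event(T0 + i * 20 * MINUTE, "bob", f"acme/repo-{i}", "198.51.100.7") for i in range(12)],
    # alice: routine work on three repositories
    *[_event(T0 + i * MINUTE, "alice", f"acme/repo-{i}", "198.51.100.9") for i in range(3)],
    # ci-bot: many clones, but with a GitHub App token, so out of scope for this rule
    *[_event(T0 + i * 1000, "ci-bot", f"acme/repo-{i}", "192.0.2.10",
             "GitHub App server-to-server token") for i in range(30)],
]

if __name__ == "__main__":
    for actor, alert in detect(SAMPLE_LOG).items():
        print(actor, alert["severity"], alert["distinct_repos"], alert["suspicious_ips"])
```

On the constructed log only mallory alerts: 12 distinct repositories inside one window is enough for the lowest threshold, and the threat-intelligence hit on the source address raises it to high. bob clones the same number of repositories but spread across four hours, so no single window exceeds four, and ci-bot is dropped at the token-type filter because the rule scopes to personal access tokens. In a real deployment, expect service accounts that legitimately mirror or back up many repositories with a PAT to trip the count-based thresholds; tune with exclusions rather than by raising the thresholds for everyone.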
Triage & Response
- Examine the cloning activity timeline for {{@github.actor}} to determine if the volume and pattern of repository access aligns with legitimate business activities.
- Review the specific repositories cloned to assess their sensitivity level and whether the user has legitimate access requirements for all targeted repositories.
- Check the source IP addresses associated with the cloning activity and correlate with known user locations and typical access patterns.
- Analyze the user’s recent GitHub activity history to identify any changes in behavior patterns or access requests.
- Determine if the cloned repositories contain sensitive data, proprietary code, or intellectual property that could pose significant risk if exfiltrated.