GitHub repository created with suspicious naming convention

Goal

Detects newly created GitHub repositories with suspicious naming patterns that may indicate a ransom notice.

Strategy

This rule monitors GitHub audit logs for repository creation events (audit log action `repo.create`) and flags those whose repository name matches a suspicious naming pattern, such as one resembling a ransom notice.
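
The following is an added example of the detection logic run over a few constructed audit log lines; it is not the rule's own implementation. It assumes GitHub audit log export field names (`action`, `actor`, `repo`, `@timestamp`) and a set of naming patterns that are assumptions for illustration, since the page does not list the exact patterns the rule uses.

```python
import json
import re

# Constructed sample of GitHub audit log events in JSON-lines form (not real data).
# Field names follow the GitHub audit log export (action, actor, repo, @timestamp);
# the Datadog-normalized attribute referenced in the triage steps is @github.repository.
SAMPLE_AUDIT_LOG = """\
{"action": "repo.create", "actor": "alice", "repo": "acme-corp/payments-api", "@timestamp": 1700000000000}
{"action": "repo.create", "actor": "svc-backup", "repo": "acme-corp/backup-2024-01", "@timestamp": 1700000060000}
{"action": "repo.push", "actor": "mallory", "repo": "acme-corp/backup-ransom", "@timestamp": 1700000120000}
{"action": "repo.create", "actor": "mallory", "repo": "acme-corp/READ_ME_TO_RECOVER_YOUR_DATA", "@timestamp": 1700000180000}
"""

# Assumed naming patterns typical of ransom notices. The page does not list the
# exact patterns the rule uses, so tune this list to what your organisation has seen.
SUSPICIOUS_NAME_PATTERNS = [
    ("ransom-keyword", re.compile(r"ransom", re.IGNORECASE)),
    ("read-me-notice", re.compile(r"read[_ -]?me", re.IGNORECASE)),
    ("recovery-instructions", re.compile(r"(recover|restore)[_ -]?(your[_ -]?)?(data|files)", re.IGNORECASE)),
    ("breach-claim", re.compile(r"hacked|pwned|breached", re.IGNORECASE)),
]


def parse_audit_log(text):
    """Parse JSON-lines audit log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_suspicious_name(repository):
    """Return the label of the first matching pattern, or None if the name looks benign.

    Only the repository name after the owner/ prefix is inspected, so an organisation
    name that happens to contain e.g. 'readme' does not trigger the rule.
    """
    name = repository.rsplit("/", 1)[-1]
    for label, pattern in SUSPICIOUS_NAME_PATTERNS:
        if pattern.search(name):
            return label
    return None


def detect_suspicious_repo_creations(events):
    """Apply the rule: keep only repo.create events whose repository name is suspicious."""
    alerts = []
    for event in events:
        if event.get("action") != "repo.create":
            continue  # pushes, deletes, etc. are out of scope for this rule
        label = is_suspicious_name(event.get("repo", ""))
        if label is None:
            continue
        alerts.append({
            "repository": event["repo"],  # corresponds to {{@github.repository}} in the triage steps
            "actor": event.get("actor"),
            "timestamp": event.get("@timestamp"),
            "matched_pattern": label,
        })
    return alerts


def run_sample():
    """Run the rule over the constructed sample log and return the resulting alerts."""
    return detect_suspicious_repo_creations(parse_audit_log(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the sample above only the `READ_ME_TO_RECOVER_YOUR_DATA` creation alerts: the `backup-ransom` line is a `repo.push`, not a creation, and `backup-2024-01` is a name a legitimate backup job would plausibly use, which is why the triage steps start by confirming whether the repository holds real backup data.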

Triage & Response

  • Examine the newly created repository {{@github.repository}} to determine whether it contains legitimate backup data or potential attacker content.
  • Review the repository contents and commit history to understand when the repository was generated and what content exists.
  • Check for any corresponding repository downloads, deletions, or modifications that occurred around the same time as the repository was created.
  • Determine whether the repository naming pattern matches known ransomware indicators and assess for potential compromise.