Detection rules for GitHub data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.

This category contains 13 detection rules.

| Rule | Category | Technique | Impact (C/I/A) |
|---|---|---|---|
| GitHub Action Secret Access Activity | Collection | T1552 - Unsecured Credentials | C:3 / I:3 / A:1 |
| GitHub App Installation Token Suspicious Access | Credential Access | T1528 - Steal Application Access Token | C:2 / I:2 / A:1 |
| GitHub CODEOWNERS File Modification | Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools | C:2 / I:3 / A:1 |
| GitHub Dependabot Configuration Poisoning | Supply Chain Compromise | T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain | C:2 / I:3 / A:1 |
| GitHub Environment Protection Rule Bypass | Defense Evasion | T1562.001 - Impair Defenses: Disable or Modify Tools | C:2 / I:3 / A:1 |
| GitHub Mass Repository Cloning Detection | Collection | T1213 - Data from Information Repositories | C:3 / I:2 / A:1 |
| GitHub Organization Member to Owner Role Escalation | Privilege Escalation | T1098 - Account Manipulation | C:3 / I:3 / A:2 |
| GitHub Repository Visibility Changed to Public | Data Exfiltration | T1537 - Transfer Data to Cloud Account | C:3 / I:2 / A:1 |
| GitHub Secret Scanning Alert Detected | Credential Access | T1552 - Unsecured Credentials | C:3 / I:2 / A:1 |
| GitHub Self-Hosted Runner Compromise Detection | Supply Chain Compromise | T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain | C:3 / I:3 / A:2 |
| GitHub Sensitive Data Commit Detection | Collection | T1074 - Data Staged | C:3 / I:2 / A:1 |
| GitHub Workflow Modifications Detected | Initial Access | T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools | C:3 / I:3 / A:2 |
| GitHub Workflow pull_request_target Injection | Supply Chain Compromise | T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools | C:3 / I:3 / A:1 |

Rule Example

Below is an example of a rule definition for GitHub Action Secret Access Activity:

# Rule version v1.0.0

dataTypes:
  - github
name: GitHub Action Secret Access Activity
impact:
  confidentiality: 3
  integrity: 3
  availability: 1
category: Collection
technique: "T1552 - Unsecured Credentials"
adversary: origin
references:
  - https://docs.github.com/en/actions/security-guides/encrypted-secrets
  - https://attack.mitre.org/techniques/T1552/
description: |
  Detects access, modification, or suspicious activities related to GitHub Action secrets. This could indicate attempts to steal credentials, API keys, or other sensitive information stored in repository or organization secrets.
  
  Next Steps:
  1. Review the GitHub audit logs to identify who accessed or modified the secrets
  2. Check if the user performing the action has legitimate business need for secret access
  3. Verify if any secrets were exposed in workflow logs or outputs
  4. Rotate any potentially compromised secrets immediately
  5. Review repository and organization permissions to ensure proper access controls
  6. Check for any unusual API calls or automated scripts accessing secrets
  7. Enable secret scanning alerts if not already configured
  8. Consider implementing additional controls like environment-specific secrets and approval workflows
where: |
  oneOf("log.action", ["secret.create", "secret.update", "secret.remove"]) ||
  oneOf("log.action", ["actions.secret.create", "actions.secret.update", "actions.secret.remove", "dependabot.secret.create", "dependabot.secret.update", "dependabot.secret.remove"])
afterEvents:
  - indexPattern: v11-log-github-*
    with:
      - field: log.repositoryName
        operator: filter_term
        value: '{{.log.repositoryName}}'
      - field: log.action
        operator: filter_match
        value: secret
    within: now-1h
    count: 3
groupBy:
  - lastEvent.log.action
  - lastEvent.log.repositoryName
  - lastEvent.log.senderLogin
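As an added illustration (not code from the rule set or its engine), the following Python approximates how the `where` clause and the `afterEvents` correlation above evaluate over a small constructed batch of normalized audit events. The exact semantics of `afterEvents` (a sliding window ending at the triggering event, trigger included, with `filter_match` on `secret` treated as a substring match) are an assumption here.

```python
from datetime import datetime, timedelta

# The rule's `where` clause: both oneOf() lists merged into one set of actions.
SECRET_ACTIONS = {
    "secret.create", "secret.update", "secret.remove",
    "actions.secret.create", "actions.secret.update", "actions.secret.remove",
    "dependabot.secret.create", "dependabot.secret.update", "dependabot.secret.remove",
}

def _ev(ts, action, repo, sender):
    # Field names mirror the rule's log.* references; timestamps are ISO 8601 UTC.
    return {"ts": ts, "action": action, "repositoryName": repo, "senderLogin": sender}

# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00", "actions.secret.update", "org/payments", "alice"),
    _ev("2024-05-01T10:05:00", "secret.create", "org/website", "bob"),
    _ev("2024-05-01T10:10:00", "actions.secret.update", "org/payments", "alice"),
    _ev("2024-05-01T10:20:00", "actions.secret.remove", "org/payments", "alice"),
    _ev("2024-05-01T13:00:00", "actions.secret.create", "org/payments", "alice"),  # outside 1h window
]

def matches_where(event):
    """True when the event's action is one the rule's where clause lists."""
    return event.get("action") in SECRET_ACTIONS

def correlate(events, window=timedelta(hours=1), count=3):
    """Assumed afterEvents semantics: for each event passing `where`, count events
    in the same repository whose action contains 'secret' inside the window ending
    at that event (trigger included). Reaching `count` yields an alert keyed like
    the rule's groupBy list (action, repositoryName, senderLogin)."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    alerts = set()
    for i, ev in enumerate(parsed):
        if not matches_where(ev):
            continue
        related = [
            e for e in parsed[: i + 1]
            if e["repositoryName"] == ev["repositoryName"]
            and "secret" in e["action"]
            and ev["ts"] - e["ts"] <= window
        ]
        if len(related) >= count:
            alerts.add((ev["action"], ev["repositoryName"], ev["senderLogin"]))
    return sorted(alerts)

def run_example():
    return correlate(SAMPLE_EVENTS)

if __name__ == "__main__":
    for action, repo, sender in run_example():
        print(f"ALERT {repo}: {sender} performed {action} (3+ secret events within 1h)")
```

Only the third `org/payments` event trips the count; bob's single `secret.create` and alice's later event, more than an hour after the burst, do not.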

Rule Details

GitHub Action Secret Access Activity

Detects access, modification, or suspicious activities related to GitHub Action secrets. This could indicate attempts to steal credentials, API keys, or other sensitive information stored in repository or organization secrets.

GitHub App Installation Token Suspicious Access

Detects suspicious GitHub App installation and token activity from unexpected sources. Attackers who steal GitHub App private keys can generate installation tokens for any organization that installed the app, gaining broad access to repositories.

GitHub CODEOWNERS File Modification

Detects modifications to CODEOWNERS files which define required reviewers for code changes. Attackers may modify CODEOWNERS to remove review requirements for sensitive paths, enabling them to merge malicious code without proper review.

GitHub Dependabot Configuration Poisoning

Detects modifications to dependabot.yml configuration files that could redirect dependency updates to malicious registries or introduce malicious packages. Attackers may modify the Dependabot configuration to substitute legitimate dependencies with malicious alternatives.

GitHub Environment Protection Rule Bypass

Detects changes to GitHub environment protection rules including removal of required reviewers, wait timers, or branch restrictions. Attackers may modify these protections to deploy malicious code to production environments without approval.

GitHub Mass Repository Cloning Detection

Detects when multiple repositories are cloned or accessed in a short time period, which could indicate data exfiltration or reconnaissance activities. This rule monitors for patterns of repository access that exceed normal user behavior, potentially indicating an insider threat or compromised account attempting to steal source code.

GitHub Organization Member to Owner Role Escalation

Detects escalation of GitHub organization member roles from member to owner. Organization owners have full administrative access including managing billing, teams, repositories, and security settings. Unauthorized role escalation can lead to complete organizational compromise.

GitHub Repository Visibility Changed to Public

Detects when a private repository's visibility is changed to public, potentially exposing proprietary source code, credentials, and sensitive configuration. This is a critical event that can lead to data exposure and intellectual property theft.

GitHub Secret Scanning Alert Detected

Detects when GitHub's secret scanning feature identifies potential secrets, API keys, or credentials committed to a repository. This could indicate inadvertent exposure of sensitive information that could be exploited by attackers.

GitHub Self-Hosted Runner Compromise Detection

Detects suspicious self-hosted runner operations including unexpected runner registration, deregistration, or workflows specifically targeting self-hosted runners. Compromised self-hosted runners can provide access to the internal network and secrets stored on the runner machine.

GitHub Sensitive Data Commit Detection

Detects commits that may contain sensitive data such as API keys, passwords, private keys, or other credentials based on commit message patterns or file names.

GitHub Workflow Modifications Detected

Detects modifications to GitHub Actions workflows which could be used to inject malicious code into the CI/CD pipeline or steal secrets. Attackers may modify workflows to execute arbitrary code, exfiltrate secrets, or compromise the software supply chain.

GitHub Workflow pull_request_target Injection

Detects modifications to GitHub Actions workflow files that may introduce pull_request_target trigger abuse. This trigger runs with repository write permissions and secrets access even on forked PRs, making it a high-value target for supply chain attacks.