High Number of Cloned GitHub Repos From PAT
Detects a high number of unique private repo clone events originating from a single personal access token within a short time period.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/10/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = """
Detects a high number of unique private repo clone events originating from a single personal access token within a short
time period.
"""
from = "now-6m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "High Number of Cloned GitHub Repos From PAT"
risk_score = 21
rule_id = "fb0afac5-bbd6-49b0-b4f8-44e5381e1587"
severity = "low"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Use Case: UEBA",
    "Tactic: Execution",
    "Data Source: Github",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:"github.audit" and event.category:"configuration" and event.action:"git.clone" and
github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") and
github.repository_public:false
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating High Number of Cloned GitHub Repos From PAT

Personal Access Tokens (PATs) facilitate automated access to GitHub repositories, enabling seamless integration and management. However, adversaries can exploit compromised PATs to clone numerous private repositories rapidly, potentially exfiltrating sensitive code. The detection rule identifies unusual cloning activity by monitoring for a surge in unique private repo clones from a single PAT, signaling potential misuse.

### Possible investigation steps

- Review the specific personal access token (PAT) involved in the alert to determine its owner and associated user account.
- Analyze the event logs for the PAT to identify the number and names of private repositories cloned, focusing on any unusual or unauthorized access patterns.
- Check the access history of the PAT to see if there are any other suspicious activities or anomalies, such as access from unfamiliar IP addresses or locations.
- Contact the owner of the PAT to verify if the cloning activity was authorized and to gather additional context about the usage of the token.
- Investigate the security posture of the affected repositories, including reviewing access permissions and recent changes to repository settings.
- Consider revoking the compromised PAT and issuing a new one if unauthorized access is confirmed, and ensure the user updates any systems or scripts using the old token.

### False positive analysis

- Legitimate automated processes or CI/CD pipelines may trigger multiple clone events. Review and whitelist known IP addresses or tokens associated with these processes to prevent false alerts.
- Developers working on multiple projects might clone several private repositories in a short period. Identify and exclude these users or their tokens from triggering alerts by maintaining a list of frequent cloners.
- Organizational scripts or tools that require cloning multiple repositories for updates or backups can cause false positives. Document these scripts and create exceptions for their associated tokens.
- Scheduled maintenance or migration activities involving repository cloning can be mistaken for suspicious activity. Coordinate with relevant teams to anticipate such events and temporarily adjust detection thresholds or exclude specific tokens.

### Response and remediation

- Immediately revoke the compromised Personal Access Token (PAT) to prevent further unauthorized access to private repositories.
- Notify the repository owners and relevant stakeholders about the potential breach to assess the impact and initiate internal incident response procedures.
- Conduct a thorough review of the cloned repositories to identify any sensitive or proprietary information that may have been exposed.
- Implement additional access controls, such as IP whitelisting or two-factor authentication, to enhance security for accessing private repositories.
- Monitor for any unusual activity or further unauthorized access attempts using other PATs or credentials.
- Escalate the incident to the security team for a comprehensive investigation and to determine if any other systems or data have been compromised.
- Update and enforce policies regarding the creation, usage, and management of PATs to prevent similar incidents in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1648"
name = "Serverless Execution"
reference = "https://attack.mitre.org/techniques/T1648/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.threshold]
field = ["github.hashed_token"]
value = 1
[[rule.threshold.cardinality]]
field = "github.repo"
value = 10
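To make the rule's logic concrete, the following is an added example (not Elastic's rule engine or any code from the rule repository) that replays the query filter and the threshold settings over constructed GitHub audit events: the KQL predicates, the six-minute lookback from `from = "now-6m"`, the grouping on `github.hashed_token`, and the cardinality requirement of ten distinct `github.repo` values. It also includes the pivot the investigation guide asks for (actor, source addresses, repos, first and last seen for the alerting token) and an exception list for known automation tokens as the false-positive section suggests. The field names `user.name` and `source.ip` and the access type string used for a classic PAT are assumptions; all sample events are constructed, not real audit output.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constants taken from the rule's query and threshold sections.
WINDOW = timedelta(minutes=6)   # from = "now-6m": each execution looks back six minutes
MIN_UNIQUE_REPOS = 10           # rule.threshold.cardinality on github.repo, value 10
TOKEN_TYPES = {"OAuth access token", "Fine-grained personal access token"}


def matches_query(ev):
    """The rule's KQL filter applied to one flattened audit event (dict keyed by field path)."""
    return (
        ev.get("event.dataset") == "github.audit"
        and ev.get("event.category") == "configuration"
        and ev.get("event.action") == "git.clone"
        and ev.get("github.programmatic_access_type") in TOKEN_TYPES
        and ev.get("github.repository_public") is False
    )


def evaluate(events, now, exceptions=frozenset()):
    """One threshold-rule execution: keep matching events in (now-6m, now], group them by
    github.hashed_token and return {token: sorted unique repos} for every token that cloned
    at least MIN_UNIQUE_REPOS distinct repos. `exceptions` holds hashed tokens of known
    CI/CD or migration jobs that should not alert."""
    start = now - WINDOW
    repos_by_token = defaultdict(set)
    for ev in events:
        if not (start < ev["@timestamp"] <= now) or not matches_query(ev):
            continue
        token = ev["github.hashed_token"]
        if token in exceptions:
            continue
        repos_by_token[token].add(ev["github.repo"])
    return {t: sorted(r) for t, r in repos_by_token.items() if len(r) >= MIN_UNIQUE_REPOS}


def triage_summary(events, hashed_token):
    """Pivot on the alerting token over all retained events, not just the window: who used it,
    from where, which repos, and over what span. user.name and source.ip are assumed field names."""
    hits = [e for e in events if e.get("github.hashed_token") == hashed_token]
    return {
        "actors": sorted({e.get("user.name", "unknown") for e in hits}),
        "source_ips": sorted({e.get("source.ip", "unknown") for e in hits}),
        "repos": sorted({e["github.repo"] for e in hits}),
        "first_seen": min(e["@timestamp"] for e in hits).isoformat(),
        "last_seen": max(e["@timestamp"] for e in hits).isoformat(),
    }


# ---- constructed sample data (not real GitHub audit log output) ----
T0 = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(minutes=6)   # the execution under test covers (T0, T0+6m]


def clone_event(minute, token, repo, actor="dev-a", ip="203.0.113.7",
                access_type="Fine-grained personal access token", public=False):
    return {
        "@timestamp": T0 + timedelta(minutes=minute),
        "event.dataset": "github.audit", "event.category": "configuration",
        "event.action": "git.clone", "github.hashed_token": token,
        "github.programmatic_access_type": access_type,
        "github.repo": f"acme/{repo}", "github.repository_public": public,
        "user.name": actor, "source.ip": ip,
    }


SAMPLE_EVENTS = (
    # token_a: 12 distinct private repos within three minutes from an unfamiliar address -> alert
    [clone_event(1 + i % 3, "token_a", f"svc-{i:02d}", ip="198.51.100.9") for i in range(12)]
    # a repeated clone of the same repo does not raise the cardinality
    + [clone_event(2, "token_a", "svc-00", ip="198.51.100.9")]
    # token_b: 12 private repos at one per minute starting 20 minutes ago; spread over more
    # than six minutes, so no single execution window ever holds ten of them
    + [clone_event(-20 + i, "token_b", f"old-{i:02d}") for i in range(12)]
    # token_c: 12 public repos -> dropped by github.repository_public:false
    + [clone_event(3, "token_c", f"oss-{i:02d}", public=True) for i in range(12)]
    # token_d: 9 private repos -> one short of the cardinality threshold
    + [clone_event(4, "token_d", f"lib-{i:02d}") for i in range(9)]
    # token_e: the nightly backup job, placed on the exception list by the caller
    + [clone_event(5, "token_e", f"bk-{i:02d}", actor="ci-bot") for i in range(15)]
    # token_f: 12 private repos with an access type the query does not list (string assumed
    # for a classic PAT) -> never matched, a gap to keep in mind when tuning
    + [clone_event(5, "token_f", f"cls-{i:02d}", access_type="Personal access token") for i in range(12)]
)


def run_rule(events=SAMPLE_EVENTS, now=NOW, exceptions=frozenset({"token_e"})):
    """Evaluate the rule once and attach the triage pivot to each alerting token."""
    hits = evaluate(events, now, exceptions)
    return {tok: {"repos_in_window": repos, "triage": triage_summary(events, tok)}
            for tok, repos in hits.items()}


if __name__ == "__main__":
    import json
    print(json.dumps(run_rule(), indent=2))
```

Two properties of the rule are visible in the sample data and worth remembering when tuning it. The window is evaluated per execution rather than as a sliding window, so a token that clones slowly (token_b above) or a burst that straddles two executions can fall below ten in every individual run; lowering the cardinality or widening `from` trades that miss for more noise from developers who legitimately clone several repos. And the query only matches the two `github.programmatic_access_type` values it names, so clones made with any other credential type, whatever string GitHub reports for it, are never counted by this rule and need their own coverage.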
Related rules
- GitHub UEBA - Multiple Alerts from a GitHub Account
- GitHub App Deleted
- GitHub Owner Role Granted To User
- GitHub Repository Deleted
- New GitHub App Installed