GitHub Exfiltration via High Number of Repository Clones by User

Detects 25 or more GitHub repository clone (git.clone) audit events attributed to a single user within the rule's ~9-minute lookback window. Adversaries who control a user's account or token may bulk-clone repositories to exfiltrate source code and any secrets committed to it.


# Rule metadata consumed by the Elastic detection-rules tooling.
[metadata]
creation_date = "2025/12/16"
# The "github" integration is what ships the logs-github.audit-* data stream
# the rule query reads.
integration = ["github"]
maturity = "production"
updated_date = "2025/12/16"

[rule]
author = ["Elastic"]
description = """
Detects a high number of repository cloning actions by a single user within a short time frame. Adversaries may
clone multiple repositories to exfiltrate sensitive data.
"""
# Lookback/interval pair: the ES|QL query below has no time bucket of its own,
# so the event_count threshold is effectively "N clones per user within the
# last 9 minutes", re-evaluated every 8 minutes (the 1 m overlap presumably
# covers events that land just after a run).
from = "now-9m"
interval = "8m"
language = "esql"
license = "Elastic License v2"
name = "GitHub Exfiltration via High Number of Repository Clones by User"
# Post-mortems of the Shai-Hulud 2.0 npm supply-chain attack, the campaign this
# detection appears to be modelled on.
references = [
    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
    "https://trigger.dev/blog/shai-hulud-postmortem",
    "https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem",
]
# Medium severity: this is a volume-only heuristic (no inspection of what was
# cloned), so an alert is an investigation lead, not confirmed exfiltration.
risk_score = 47
rule_id = "19f3674c-f4a1-43bb-a89c-e4c6212275e0"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Exfiltration",
    "Data Source: Github",
]
# Evaluated against ingest time, presumably so that audit events delayed in
# delivery from GitHub are not skipped by the lookback window.
timestamp_override = "event.ingested"
type = "esql"
# Counts git.clone audit events per user.name over the lookback window and
# fires at 25 or more. The values(...) columns are carried for triage only:
# org/repo/repository_public show what was pulled; token_id/user_agent
# identify the credential and client that did the pulling.
# NOTE(review): GitHub only delivers git.* audit events via audit log
# streaming (Enterprise); confirm the integration ingests the streamed audit
# log, otherwise event.action == "git.clone" never matches and the rule is
# silently inert.
# NOTE(review): CI/CD runners, mirroring bots and IDE sync tools can
# legitimately exceed 25 clones in 9 minutes — expect to exclude known
# service accounts / token IDs via rule exceptions. Clones of public
# repositories count as well; consider whether github.repository_public
# should be filtered out or down-weighted. Grouping is by user.name only, so
# clones across several orgs by one identity are aggregated into one alert.
query = '''
from logs-github.audit-* metadata _id, _index, _version
| where
  data_stream.dataset == "github.audit" and event.type == "change" and event.action == "git.clone"
| stats
  Esql.event_count = COUNT(*),
  Esql.github_org_values = values(github.org),
  Esql.github_repo_values = values(github.repo),
  Esql.github_repository_public_values = values(github.repository_public),
  Esql.github_token_id_values = values(github.token_id),
  Esql.github_user_agent_values = values(github.user_agent),
  Esql.user_name_values = values(user.name),
  Esql.agent_id_values = values(agent.id),
  Esql.event_dataset_values = values(event.dataset),
  Esql.data_stream_namespace_values = values(data_stream.namespace)

  by user.name

| keep Esql.*

| where
  Esql.event_count >= 25
'''

# ATT&CK mapping: bulk cloning is modelled as automated exfiltration over a
# web service (GitHub).
# NOTE(review): T1567.001 describes pushing stolen data *to* a code
# repository; in this rule the repository is the source being pulled, which
# reads closer to Collection — T1213.003 (Data from Information Repositories:
# Code Repositories) — with exfiltration happening afterwards. Worth
# confirming the intended mapping.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1020"
name = "Automated Exfiltration"
reference = "https://attack.mitre.org/techniques/T1020/"

[[rule.threat.technique]]
id = "T1567"
name = "Exfiltration Over Web Service"
reference = "https://attack.mitre.org/techniques/T1567/"

[[rule.threat.technique.subtechnique]]
id = "T1567.001"
name = "Exfiltration to Code Repository"
reference = "https://attack.mitre.org/techniques/T1567/001/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
