Github Activity on a Private Repository from an Unusual IP
Detects when there is activity on a private GitHub repository from an unusual IP address. Adversaries may access private repositories from unfamiliar IPs to exfiltrate sensitive code or data, potentially indicating a compromise or unauthorized access.
# Rule-repository bookkeeping; none of these keys affect what the rule matches.
[metadata]
# Dates are written YYYY/MM/DD throughout this rule set.
creation_date = "2025/12/16"
# Integration expected to ship the data stream this rule queries (logs-github.audit-*).
integration = ["github"]
maturity = "production"
# Last-edit date; currently identical to creation_date (no revisions yet).
updated_date = "2025/12/16"

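[rule]
author = ["Elastic"]
description = """
Detects when there is activity on a private GitHub repository from an unusual IP address. Adversaries may
access private repositories from unfamiliar IPs to exfiltrate sensitive code or data, potentially indicating
a compromise or unauthorized access.
"""
# Query window per scheduled run; kept wider than the run interval so that
# events arriving late are still evaluated at least once.
from = "now-9m"
index = ["logs-github.audit-*"]
language = "kuery"
license = "Elastic License v2"
name = "Github Activity on a Private Repository from an Unusual IP"
# Write-ups of the Shai-Hulud supply-chain attack that motivated this rule.
references = [
    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
    "https://trigger.dev/blog/shai-hulud-postmortem",
    "https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem",
]
# Low on purpose: a never-before-seen (source.ip, repo) pair is likely to be benign
# churn (new hires, home/mobile networks, VPN egress changes, CI runners). Suppress
# known egress ranges with rule exceptions rather than by raising the threshold.
risk_score = 21
rule_id = "daf2e0e0-0bab-4672-bfa1-62db0ee5ec22"
severity = "low"
# "Tactic:" tags must mirror the tactics declared in the [[rule.threat]] entries
# (Impact, Initial Access, Execution). The previous list carried "Persistence",
# which has no threat entry, and omitted "Execution", which does.
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Impact",
    "Tactic: Initial Access",
    "Data Source: Github",
    "Resources: Investigation Guide",
]
# Evaluate on ingest time so delayed audit-log delivery still lands inside the window.
timestamp_override = "event.ingested"
# Alert when the (source.ip, github.repo) combination configured in
# [rule.new_terms] has not been observed during the history window.
type = "new_terms"
# Git transport events against non-public repositories.
# NOTE(review): only push and clone are matched. GitHub's git audit category also
# emits git.fetch (pulls into an existing clone), which moves code off-platform just as
# well as a clone — confirm its omission is deliberate.
# NOTE(review): as far as I know git.* events reach the audit log only via audit-log
# streaming with git events enabled; verify the integration actually receives them,
# otherwise this rule is silently dead.
query = '''
event.dataset:"github.audit" and event.action:("git.push" or "git.clone") and github.repository_public:false
'''
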
# Threat mapping 1/3: tactic-only entry (no technique) for Impact.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"

# Threat mapping 2/3: the referenced Shai-Hulud write-ups describe a software
# supply-chain compromise; this entry ties the rule to that lineage.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"

[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"

# Tactic for this entry; in TOML this header binds to the current [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

# Threat mapping 3/3. NOTE(review): T1059 (Command and Scripting Interpreter) is
# not something this rule's query can observe — it matches git.push/git.clone
# audit events only — so confirm the mapping is intended before relying on the
# Execution tactic in triage or coverage reporting.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# new_terms parameters: the rule alerts the first time a value combination of the
# fields below is seen within the history window.
[rule.new_terms]
field = "new_terms_fields"
# The pair is what is compared, so a known IP touching a repository it has never
# touched before alerts just like a brand-new IP.
value = ["source.ip", "github.repo"]

# Baseline of "already seen" pairs. NOTE(review): 7 days is short for git activity —
# a developer who does not push/clone a given repo for a week looks "new" again,
# while an attacker who has been active for longer than a week is already baselined in.
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
References
Related rules
- GitHub Actions Unusual Bot Push to Repository
- GitHub Actions Workflow Modification Blocked
- Entra ID OAuth PRT Issuance to Non-Managed Device Detected
- New GitHub Self Hosted Action Runner
- GitHub Owner Role Granted To User