New GitHub Personal Access Token (PAT) Added
Detects when a new GitHub Personal Access Token (PAT) is created. Adversaries may create new PATs to maintain persistent access to a compromised account or to escalate privileges within an organization.
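[metadata]
creation_date = "2023/12/16"
integration = ["github"]
maturity = "production"
updated_date = "2025/12/16"

[rule]
author = ["Elastic"]
description = """
Detects when a new GitHub Personal Access Token (PAT) is created. Adversaries may create new PATs to maintain
persistent access to a compromised account or to escalate privileges within an organization.
"""
# Look-back window for each rule execution: the query covers the last
# 9 minutes of events as measured by `timestamp_override` below.
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "New GitHub Personal Access Token (PAT) Added"
# Public incident write-ups cited as background for this rule.
references = [
    "https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack",
    "https://trigger.dev/blog/shai-hulud-postmortem",
    "https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem",
]
# Low severity: a PAT being created is a triage signal, not a confirmed
# compromise. Correlate the alert with the acting user, the source IP and any
# concurrent owner/role changes (see the related "GitHub Owner" rules).
risk_score = 21
rule_id = "214d4e03-90b0-4813-9ab6-672b47158590"
severity = "low"
tags = [
    "Domain: Cloud",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Credential Access",
    "Data Source: Github",
]
# Evaluate the look-back window against ingest time rather than the event's
# own timestamp, so audit records that arrive late are not missed.
timestamp_override = "event.ingested"
type = "eql"
# All four conditions must hold on the same audit event:
#   - the record comes from the GitHub audit-log dataset,
#   - it is a "create" operation,
#   - in the personal_access_token category,
#   - and the action is personal_access_token.access_granted.
# NOTE(review): the action name reads as "token granted access" rather than
# "token created" — confirm against the GitHub audit-log schema which PAT
# types (fine-grained vs. classic) emit this action, and whether an
# additional create action is needed for full coverage.
query = '''
configuration where event.dataset == "github.audit" and github.operation_type == "create" and
github.category == "personal_access_token" and event.action == "personal_access_token.access_granted"
'''

# ATT&CK mapping: persistence via a newly created cloud-account credential.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"

[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# ATT&CK mapping: a PAT is an application access token, so its creation is
# also tracked under Credential Access.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"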
References
Related rules
- Github Activity on a Private Repository from an Unusual IP
- GitHub Actions Unusual Bot Push to Repository
- GitHub Actions Workflow Modification Blocked
- GitHub Owner Role Granted To User
- New GitHub Owner Added