From cc511af55efe44abba8d6e83c6011f98c3744f77 Mon Sep 17 00:00:00 2001 From: z00t Date: Fri, 20 Jan 2023 18:14:14 +0500 Subject: [PATCH 1/9] Create github_delete action_invoked.yaml --- .../github/github_delete action_invoked.yaml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/cloud/github/github_delete action_invoked.yaml diff --git a/rules/cloud/github/github_delete action_invoked.yaml b/rules/cloud/github/github_delete action_invoked.yaml new file mode 100644 index 000000000..2acb621a5 --- /dev/null +++ b/rules/cloud/github/github_delete action_invoked.yaml @@ -0,0 +1,30 @@ +title: Github Delete Action Invoked +id: 16a71777-0b2e-4db7-9888-9d59cb75200b +status: experimental +description: Detects delete action in the Github audit logs for codespaces, environment, project and repo. +author: Muhammad Faisal +date: 2023/01/19 +references: + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions +tags: + - attack.impact + - attack.t1213.003 +logsource: + product: github + service: audit_logs +detection: + selection: + action: + - 'codespaces.delete' + - 'environment.delete' + - 'project.delete' + - 'repo.destroy' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' +falsepositives: + - Validate the deletion activity is permitted. The "actor" field need to be validated. +level: medium From e27d79e21a72eb27ba9ce47be84920958a293cc1 Mon Sep 17 00:00:00 2001 From: z00t Date: Fri, 20 Jan 2023 21:29:31 +0500 Subject: [PATCH 2/9] New detection rule. --- .../github_outside_collaborator_detected.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/cloud/github/github_outside_collaborator_detected.yml 
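Review bot: The tags block pairs `attack.impact` with `attack.t1213.003`, but T1213.003 (Data from Information Repositories: Code Repositories) belongs to the Collection tactic, so tactic and technique disagree for a rule whose selection is `repo.destroy`, `project.delete`, `environment.delete` and `codespaces.delete`. For deletion of repositories and environments the matching Impact technique is T1485 (Data Destruction); I would change the technique line to `- attack.t1485` and drop `attack.t1213.003` unless `- attack.collection` is added alongside it. `codespaces.delete` is likely to fire on routine developer cleanup far more often than `repo.destroy`, so either splitting it into its own lower-level rule or saying so in falsepositives would help triage. The falsepositives sentence `The "actor" field need to be validated.` should read `needs to be validated`.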
diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml new file mode 100644 index 000000000..8bb5fc854 --- /dev/null +++ b/rules/cloud/github/github_outside_collaborator_detected.yml @@ -0,0 +1,31 @@ +title: Github Outside Collaborator Detected +id: eaa9ac35-1730-441f-9587-25767bde99d7 +status: experimental +description: Detects when an organization member or outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA. +author: Muhammad Faisal +date: 2023/01/20 +references: + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization +tags: + - attack.t1098.001 + - attack.t1213.003 + - attack.t1098.003 +logsource: + product: github + service: audit_logs +detection: + selection: + action: + - 'project.update_user_permission' + - 'org.remove_outside_collaborator' + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' +falsepositives: + - Validate the actor if permitted to access the repo. + - Validate the Multifactor Authentication changes. +level: medium \ No newline at end of file From 44a7b78950d22979b1dc4bd89dc1937abfe18c40 Mon Sep 17 00:00:00 2001 
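Review bot: The tags list carries three technique IDs (`attack.t1098.001`, `attack.t1213.003`, `attack.t1098.003`) but no tactic tag, and T1098.001 (Additional Cloud Credentials) does not describe either selected action, which are a project-board permission change and removal of an outside collaborator. I would keep the account-manipulation mapping that fits and pair it with its tactic, `- attack.persistence` and `- attack.t1098.003`, adding `- attack.collection` only if `attack.t1213.003` is meant to stay. The title says an outside collaborator is "detected", yet the selection matches only `project.update_user_permission` and `org.remove_outside_collaborator`, so the addition of an outside collaborator is presumably not covered — worth confirming against the referenced audit-log action list, or retitling the rule to describe permission changes and removals.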
From: z00t Date: Fri, 20 Jan 2023 23:09:56 +0500 Subject: [PATCH 3/9] New Rule is created. --- .../github/github_new_secret_created.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/cloud/github/github_new_secret_created.yml diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml new file mode 100644 index 000000000..1fc9dfdc5 --- /dev/null +++ b/rules/cloud/github/github_new_secret_created.yml @@ -0,0 +1,30 @@ +title: Github New Secret Created +id: f9405037-bc97-4eb7-baba-167dad399b83 +status: experimental +description: Detects when a user creates action secret for the organization, environment, codespaces or repository. +author: Muhammad Faisal +date: 2023/01/20 +references: + - https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions +tags: + - attack.t1078 + - attack.t1078.004 +logsource: + product: github + service: audit_logs +detection: + selection: + action: + - org.create_actions_secret + - environment.create_actions_secret + - codespaces.create_an_org_secret + - repo.create_actions_secret + condition: selection +fields: + - 'action' + - 'actor' + - 'org' + - 'actor_location.country_code' +falsepositives: + - This detection cloud be noisy depending on the environment. It is recommended to keep a check on the new secrets when created and validate the "actor". +level: low From 9cc61a6e6091bab732b5e33665e61fe072e2ad0e Mon Sep 17 00:00:00 2001 From: z00t Date: Fri, 20 Jan 2023 23:28:23 +0500 Subject: [PATCH 4/9] Single quotes added to non-integer values. --- rules/cloud/github/github_new_secret_created.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml index 1fc9dfdc5..1e260187e 100644 
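Review bot: The tags block maps secret creation to `attack.t1078` and `attack.t1078.004` (Valid Accounts: Cloud Accounts) with no tactic tag, but creating an Actions or Codespaces secret is a configuration change made by an already-authenticated actor, not the use of a valid account, so the mapping says little about what the rule catches. Sigma pairs each `attack.tXXXX` tag with its `attack.<tactic>`; if the intent is staging credentials for later workflow use, `- attack.persistence` is the closer fit and the two T1078 lines can go. The falsepositives text `This detection cloud be noisy` is a typo for `could be noisy`.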
--- a/rules/cloud/github/github_new_secret_created.yml +++ b/rules/cloud/github/github_new_secret_created.yml @@ -15,10 +15,10 @@ logsource: detection: selection: action: - - org.create_actions_secret - - environment.create_actions_secret - - codespaces.create_an_org_secret - - repo.create_actions_secret + - 'org.create_actions_secret' + - 'environment.create_actions_secret' + - 'codespaces.create_an_org_secret' + - 'repo.create_actions_secret' condition: selection fields: - 'action' From 5416935cec0a1e1065e8242bdedb87d7b56ad831 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 21 Jan 2023 11:33:48 +0100 Subject: [PATCH 5/9] feat: update logsource with new service --- tests/logsource.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tests/logsource.json b/tests/logsource.json index bd6ab2699..3a5c98268 100644 --- a/tests/logsource.json +++ b/tests/logsource.json @@ -264,6 +264,14 @@ "gcp.audit":[] } }, + "github":{ + "commun": [], + "empty": [], + "category":{}, + "service":{ + "audit_logs":[] + } + }, "google_workspace":{ "commun": [], "empty": [], From 9ef85655568421fd4f89d13401200e0208816463 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 21 Jan 2023 11:41:44 +0100 Subject: [PATCH 6/9] fix: filename --- ...lete action_invoked.yaml => github_delete_action_invoked.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/github/{github_delete action_invoked.yaml => github_delete_action_invoked.yaml} (100%) diff --git a/rules/cloud/github/github_delete action_invoked.yaml b/rules/cloud/github/github_delete_action_invoked.yaml similarity index 100% rename from rules/cloud/github/github_delete action_invoked.yaml rename to rules/cloud/github/github_delete_action_invoked.yaml From 7bce67f9406a3fd246a051ab4f448542a51b1019 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 21 Jan 2023 11:52:13 +0100 Subject: [PATCH 7/9] fix: file extension --- ...elete_action_invoked.yaml => github_delete_action_invoked.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/cloud/github/{github_delete_action_invoked.yaml => github_delete_action_invoked.yml} (100%) diff --git a/rules/cloud/github/github_delete_action_invoked.yaml b/rules/cloud/github/github_delete_action_invoked.yml similarity index 100% rename from rules/cloud/github/github_delete_action_invoked.yaml rename to rules/cloud/github/github_delete_action_invoked.yml From 2bd14e49536b5d1b579d69a2ccdaaac7db8c6a18 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 22 Jan 2023 08:55:24 +0100 Subject: [PATCH 8/9] Small update - Change service to audit - Add operation --- rules/cloud/github/github_delete_action_invoked.yml | 3 ++- rules/cloud/github/github_new_secret_created.yml | 3 ++- rules/cloud/github/github_outside_collaborator_detected.yml | 5 +++-- tests/logsource.json | 2 +- 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml index 2acb621a5..307ac4b29 100644 --- a/rules/cloud/github/github_delete_action_invoked.yml +++ b/rules/cloud/github/github_delete_action_invoked.yml @@ -11,9 +11,10 @@ tags: - attack.t1213.003 logsource: product: github - service: audit_logs + service: audit detection: selection: + operation: 'remove' action: - 'codespaces.delete' - 'environment.delete' diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml index 1e260187e..5530b9c49 100644 --- a/rules/cloud/github/github_new_secret_created.yml +++ b/rules/cloud/github/github_new_secret_created.yml 
@@ -11,9 +11,10 @@ tags: - attack.t1078.004 logsource: product: github - service: audit_logs + service: audit detection: selection: + operation: 'create' action: - 'org.create_actions_secret' - 'environment.create_actions_secret' diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml index 8bb5fc854..5354e770d 100644 --- a/rules/cloud/github/github_outside_collaborator_detected.yml +++ b/rules/cloud/github/github_outside_collaborator_detected.yml @@ -13,9 +13,10 @@ tags: - attack.t1098.003 logsource: product: github - service: audit_logs + service: audit detection: selection: + operation: 'authentication' action: - 'project.update_user_permission' - 'org.remove_outside_collaborator' @@ -28,4 +29,4 @@ fields: falsepositives: - Validate the actor if permitted to access the repo. - Validate the Multifactor Authentication changes. -level: medium \ No newline at end of file +level: medium diff --git a/tests/logsource.json b/tests/logsource.json index 3a5c98268..7e05d1e34 100644 --- a/tests/logsource.json +++ b/tests/logsource.json @@ -269,7 +269,7 @@ "empty": [], "category":{}, "service":{ - "audit_logs":[] + "audit":[] } }, "google_workspace":{ From 6d535e032f530e23d750051824364ac7d1c5ca39 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 22 Jan 2023 18:42:54 +0100 Subject: [PATCH 9/9] Remove operation --- rules/cloud/github/github_delete_action_invoked.yml | 1 - rules/cloud/github/github_new_secret_created.yml | 1 - rules/cloud/github/github_outside_collaborator_detected.yml | 1 - 3 files changed, 3 deletions(-) diff --git a/rules/cloud/github/github_delete_action_invoked.yml b/rules/cloud/github/github_delete_action_invoked.yml index 307ac4b29..67dac1f33 100644 --- a/rules/cloud/github/github_delete_action_invoked.yml +++ b/rules/cloud/github/github_delete_action_invoked.yml 
@@ -14,7 +14,6 @@ logsource: service: audit detection: selection: - operation: 'remove' action: - 'codespaces.delete' - 'environment.delete' diff --git a/rules/cloud/github/github_new_secret_created.yml b/rules/cloud/github/github_new_secret_created.yml index 5530b9c49..91592c8f3 100644 --- a/rules/cloud/github/github_new_secret_created.yml +++ b/rules/cloud/github/github_new_secret_created.yml @@ -14,7 +14,6 @@ logsource: service: audit detection: selection: - operation: 'create' action: - 'org.create_actions_secret' - 'environment.create_actions_secret' diff --git a/rules/cloud/github/github_outside_collaborator_detected.yml b/rules/cloud/github/github_outside_collaborator_detected.yml index 5354e770d..184e7799d 100644 --- a/rules/cloud/github/github_outside_collaborator_detected.yml +++ b/rules/cloud/github/github_outside_collaborator_detected.yml @@ -16,7 +16,6 @@ logsource: service: audit detection: selection: - operation: 'authentication' action: - 'project.update_user_permission' - 'org.remove_outside_collaborator'