Ivan S
8c79d0a77b
new: GitHub Repository Pages Site Changed to Public new: GitHub Repository Archive Status Changed --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
28 lines
1.0 KiB
YAML
28 lines
1.0 KiB
YAML
title: GitHub Repository Archive Status Changed
|
|
id: dca8991c-cb16-4128-abf8-6b11e5cd156f
|
|
status: experimental
|
|
description: |
|
|
Detects when a GitHub repository is archived or unarchived, which may indicate unauthorized changes to repository status.
|
|
references:
|
|
- https://docs.github.com/en/repositories/archiving-a-github-repository/archiving-repositories
|
|
- https://www.sentinelone.com/blog/exploiting-repos-6-ways-threat-actors-abuse-github-other-devops-platforms
|
|
- https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/security-log-events
|
|
author: Ivan Saakov
|
|
date: 2025-10-18
|
|
tags:
|
|
- attack.persistence
|
|
- attack.defense-evasion
|
|
- attack.impact
|
|
logsource:
|
|
product: github
|
|
service: audit
|
|
detection:
|
|
selection:
|
|
action:
|
|
- 'repo.archived'
|
|
- 'repo.unarchived'
|
|
condition: selection
|
|
falsepositives:
|
|
- Archiving or unarchiving a repository is often legitimate. Investigate this action to determine if it was authorized.
|
|
level: low
|