New GitHub Personal Access Token (PAT) Added
Detects when a new GitHub Personal Access Token (PAT) is created. Adversaries may create new PATs to maintain persistent access to a compromised account or to escalate privileges within an organization.
Rule type: eql
Rule indices:
- logs-github.audit-*
Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://trigger.dev/blog/shai-hulud-postmortem
- https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem
Tags:
- Domain: Cloud
- Use Case: Threat Detection
- Tactic: Persistence
- Tactic: Credential Access
- Data Source: Github
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query:
configuration where event.dataset == "github.audit" and github.operation_type == "create" and
github.category == "personal_access_token" and event.action == "personal_access_token.access_granted"
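Added example (not part of the Elastic rule or this page): the four conditions of the rule query applied to GitHub audit documents in Python, resolving ECS dotted field names against both nested and flattened document shapes. The sample events and user names below are constructed, not real log data.

```python
from typing import Any, Dict, Iterable, List

# Field/value pairs taken from the rule query; an event must satisfy all of them.
RULE_CONDITIONS = {
    "event.dataset": "github.audit",
    "github.operation_type": "create",
    "github.category": "personal_access_token",
    "event.action": "personal_access_token.access_granted",
}


def get_field(doc: Dict[str, Any], path: str) -> Any:
    """Resolve an ECS dotted field name against nested objects
    ({"event": {"action": ...}}) or flattened keys ({"event.action": ...})."""
    if path in doc:
        return doc[path]
    node: Any = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_new_pat_rule(doc: Dict[str, Any]) -> bool:
    """True when the document satisfies every condition of the rule query."""
    return all(get_field(doc, field) == value for field, value in RULE_CONDITIONS.items())


def run_rule(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the subset of events that would raise this alert."""
    return [event for event in events if matches_new_pat_rule(event)]


# Constructed sample audit events (hypothetical users and actions).
SAMPLE_EVENTS = [
    {"event": {"dataset": "github.audit", "action": "personal_access_token.access_granted"},
     "github": {"operation_type": "create", "category": "personal_access_token"},
     "user": {"name": "alice"}},
    {"event": {"dataset": "github.audit", "action": "personal_access_token.access_revoked"},
     "github": {"operation_type": "remove", "category": "personal_access_token"},
     "user": {"name": "alice"}},
    {"event.dataset": "github.audit", "event.action": "personal_access_token.access_granted",
     "github.operation_type": "create", "github.category": "personal_access_token",
     "user.name": "bob"},
    {"event": {"dataset": "github.audit", "action": "repo.create"},
     "github": {"operation_type": "create", "category": "repo"}, "user": {"name": "carol"}},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(get_field(hit, "user.name"), get_field(hit, "event.action"))
```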
Framework: MITRE ATT&CK
Tactic:
- Name: Persistence
- Id: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Create Account
- Id: T1136
- Reference URL: https://attack.mitre.org/techniques/T1136/
Sub Technique:
- Name: Cloud Account
- Id: T1136.003
- Reference URL: https://attack.mitre.org/techniques/T1136/003/
Framework: MITRE ATT&CK
Tactic:
- Name: Credential Access
- Id: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Steal Application Access Token
- Id: T1528
- Reference URL: https://attack.mitre.org/techniques/T1528/