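id: 467e6a70-adc9-49b7-8cf3-f21927c71159
# NOTE(review): the name below does not match the description and query, which
# look for fork activity by non-contributors rather than OAuth app restrictions.
# Confirm which is intended before this title is relied on in triage or alert routing.
name: GitHub OAuth App Restrictions Disabled
description: |
  'This hunting query identifies a fork activity against a repository done by a user who is not the owner of the repo nor a contributor.'
requiredDataConnectors: []
tactics:
  - Exfiltration
relevantTechniques:
  - T1537
query: |
  // Repositories each actor is recorded as a collaborator on.
  let CollaboratorsUserToRepoMapping = (
  GitHubRepo
  | where Action == "Collaborators"
  | distinct Repository , Actor, Organization);
  // Repositories each actor has committed to.
  let UserCommitsInRepoMapping = (
  GitHubRepo
  | where Action == "Commits"
  | distinct Repository ,Actor, Organization);
  // One row per actor/org with the set of repos they have contributed to.
  union CollaboratorsUserToRepoMapping, UserCommitsInRepoMapping
  | summarize ContributedToRepos = make_set(Repository) by Actor, Organization
  // Inner join: only actors with at least one collaborator/commit record in the
  // window are kept, so a fork by an actor with no contribution history at all is
  // dropped here rather than surfaced. Widen the join if that case should be hunted.
  | join kind=innerunique (
  GitHubRepo
  | where Action == "Forks"
  | distinct Repository , Actor, Organization
  ) on Actor, Organization
  | project-away Actor1, Organization1
  // Exact set membership. The earlier '!contains' ran a substring match against the
  // serialized set, so a fork of "org/app" was hidden whenever the actor had
  // contributed to e.g. "org/app-core". set_has_element is case-sensitive; this
  // assumes Repository is cased consistently across the three Action types — confirm.
  | where not(set_has_element(ContributedToRepos, Repository))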