26 строки
1.0 KiB
YAML
26 строки
1.0 KiB
YAML
id: c3237d88-fdc4-4dee-8b90-118ded2c507c
|
|
name: GitHub First Time Invite Member and Add Member to Repo
|
|
description: |
|
|
'This hunting query identifies a user that add/invite a member to the organization for the first time. This technique can be leveraged by attackers to add stealth account access to the organization.'
|
|
requiredDataConnectors: []
|
|
tactics:
|
|
- Persistence
|
|
relevantTechniques:
|
|
- T1136
|
|
query: |
|
|
|
|
let starttime = todatetime('{{StartTimeISO}}');
|
|
let endtime = todatetime('{{EndTimeISO}}');
|
|
let LearningPeriod = 7d;
|
|
let EndLearningTime = starttime - LearningPeriod;
|
|
let GitHubOrgMemberLogs = (GitHubAudit
|
|
| where Action == "org.invite_member" or Action == "org.update_member" or Action == "org.add_member" or Action == "repo.add_member" or Action == "team.add_member");
|
|
GitHubOrgMemberLogs
|
|
| where TimeGenerated between (EndLearningTime..starttime)
|
|
| distinct Actor
|
|
| join kind=rightanti (
|
|
GitHubOrgMemberLogs
|
|
| where TimeGenerated between (starttime..endtime)
|
|
| distinct Actor
|
|
) on Actor
|