Hunting in GitHub

GitHub is the de facto center of the universe for many organization's development processes... which also makes it a primary system to monitor for security threats and strange activity. Let's do some threat hunting (and detection engineering) to get a handle on GitHub usage.

Thoughts on GitHub

What's your username?

The culture of development in GitHub is a bit outside the norm for corporate SaaS products. While nearly every other B2B SaaS tool follows a very standard "Corporate identity" -> "Provision an account using that identity" path, GitHub allows corporations to let developers use whatever their existing GitHub ID is to access corp repositories. In fact, GitHub uses a username instead of an email as its primary identifier (what is this, 1998?).

Some companies force employees to use new, clean ID's tied to their corporate email, but some allow employees to use their personal ID's. How your company handles GitHub identities (and authentication) will drive how you hunt in GitHub. You can even find where people are loging in from ( user.login )and if someone has turned off MFA ( two_factor_authentication.disabled a big 🚨)

What's in GitHub

GitHub is a software repository system. But there's so so much more than code in GitHub

Workflows

Workflows, webhooks, and automations are the backbone of the modern CI/CD pipeline. You may have a relatively simple repository but fantastically complicated workflows that allow your developers to create, test, and deploy code at (terrifying) speed.

That's cool and all, but workflows are a window into your CI/CD pipeline. There are many examples (including this CISA Advisory and this MS writeup on Shai Hulud) where workflows have been subverted by attackers and bad things happened.

Pay attention to new workflows ( workflows.created ) and webhooks ( hook.create, hook.config_changed ) and dig into unknown/new ones.

Tokens

Even if you use SSO, GitHub can still contain sensitive authentication credentials. While ideally your code doesn't have hardcoded passwords, GitHub accounts may have the ability to create Personal Access Tokens (PAT). PAT's are like API keys... they grant access to everything a user has access to without need for MFA or forced rotation.

Finding when PATs are created an used can be a super useful hunt ( personal_access_token.create, personal_access_token.access )... and in fact, you should alert every time a PAT is created to make sure it's something allowed and intended.

OAuth connections in and out

OAuth enables the powerful feature of SaaS apps to connect seamlessly to each other. They're also super dangerous and hard to wrap your arms around. GitHub audit records provide some telemetry around OAuth connections and usage ( integration_installation.create, org_credential_authorization.grant ), and digging into them can help uncover malicious (or at least unwanted) activity.

Well, and of course, code

Don't underestimate the value of your software. From both an IP perspective and security perspective, your software is valuable. Looking at who has access ( repo.add_member ), who is downloading repos ( repo.download_zip, git.fetch, git.clone ), and what repositories are accessed can be a great place to start a hunt.

How and what to look for

GitHub's audit log interface is free to use if you're a GitHub Enterprise customer and available at https://github.com/enterprises/YOURCOMPANY/settings/audit-log or by going to your enterprise Settings page and clicking "Audit Log." Their interface is servicable but pretty linear.

They have their own syntax and if you really know what you're looking for, you can find it. Conversely...

USE TURNGATE

Seriously, we're way easier to you. Here's a query of all pull request activity in the last month, that I used to pivot to focus on the activity of one developer and validate all the work they did from an unknown IP address. The whole hunt took about 45 seconds.

We have a 45 day free trial. Go check us out. You won't be disappointed.

GitHub audit events

GitHub has documentation on their audit logs including how to access them and what they mean. Unfortunately, even GitHub's definitions can be a bit tough to wrap your head around. You're in luck because Turngate has summaries in the application to help you make sense of the data you're seeing.

Pretty cool, huh?

Audit events of interest

Here's a longer list of audit events to get your started on your hunting journey.

OAuth & Access Token Events:

• oauth_application.create - New OAuth apps that could exfiltrate data

• oauth_application.transfer - OAuth app ownership changes

• oauth_authorization.create - Suspicious OAuth authorizations, especially from unfamiliar applications

• personal_access_token.create - New PAT creation, especially with broad scopes

• personal_access_token.access - PAT usage patterns (look for anomalous IPs/locations)

• user.login - Failed login attempts or logins from unusual locations

• two_factor_authentication.disabled - 2FA being turned off (major red flag)

SSH & Deploy Key Events:

• public_key.create - New SSH keys added to user accounts

• public_key.update - Modified SSH keys

• deploy_key.create - Deploy keys with write access to repositories

Data Exfiltration & Repository Tampering

Repository Visibility & Access:

• repo.access - Repository access events, especially bulk downloads

• repo.create - New repository creation (could be staging for exfiltration)

• repo.destroy - Repository deletion (potential evidence destruction)

• repo.archived - Archiving repositories

• repo.transferred - Repository ownership transfers

• repo.config.disable_anonymous_git_access - Changing anonymous access settings

• private_repository_forking.enable - Allowing private repo forks (exfiltration risk)

Branch Protection Bypasses:

• protected_branch.destroy - Removing branch protections

• protected_branch.update_admin_enforced - Disabling admin enforcement

• protected_branch.dismiss_stale_reviews - Weakening review requirements

• protected_branch.policy_override - Admin bypass of branch protection

• repo.remove_member - Removing collaborators who might notice malicious activity

Privilege Escalation & Permission Changes

Organization & Team Permissions:

• org.add_member - New members added, especially with admin roles

• org.update_member - Permission level changes (member → admin)

• org.remove_member - Removing security team members

• team.add_member - Adding users to privileged teams

• team.add_repository - Granting team access to sensitive repos

• team.create - New team creation with elevated permissions

• org_credential_authorization.grant - Granting SSO credential authorizations

Repository Collaborators:

• repo.add_member - New collaborators with write/admin access

• repo.update_member - Collaborator permission escalation

• integration_installation.create - Installing third-party integrations with broad permissions

• integration_installation_request.create - Requests to install potentially malicious apps

Code Injection & Supply Chain Attacks

Actions & Workflows:

• workflows.created - New GitHub Actions workflows (could contain malicious code)

• workflows.updated - Modified workflows (backdoor injection)

• workflow_run.requested - Workflow execution patterns

• repo_secret_scanning_push_protection_bypass.create - Bypassing secret push protection

• environment.create_actions_secret - Secrets added to environments

• environment.remove_actions_secret - Secrets removed (potential theft)

Dependency & Package Events:

• packages.published - Package publications to GitHub Packages

• packages.updated - Package updates that could introduce malicious dependencies

• repo.packages_permission_change - Changes to package permissions

Webhook & Integration Abuse

Webhook Events:

• hook.create - New webhooks (data exfiltration channel)

• hook.config_changed - Webhook URL/configuration changes

• hook.destroy - Webhook deletion (covering tracks)

• integration_installation.create - Third-party app installations

• marketplace_agreement_signature.create - GitHub Marketplace app agreements

Audit Trail Tampering

Audit & Compliance:

• audit_log_streaming.update - Changes to audit log streaming configuration

• audit_log_streaming.destroy - Disabling audit log streaming

• business.update_member_repository_creation_permission - Changes allowing repo creation

• ip_allow_list_entry.create/destroy - IP allowlist modifications

Suspicious Patterns to Detect

Velocity-based Anomalies:

• Bulk repo.access events in short timeframes (mass cloning)

• Multiple repo.create + repo.transfer sequences (lateral movement)

• Rapid org.add_member + org.update_member (privilege escalation chain)

• Sequential protected_branch.destroy across multiple repositories

Time-based Anomalies:

• Events occurring during off-hours or unusual timezones

• user.login from multiple geolocations in impossible timeframes

• Actions immediately after oauth_authorization.create (compromised OAuth)

Correlation Patterns:

• two_factor_authentication.disabled followed by user.login from new location

• protected_branch.destroy → code push → protected_branch.create (covering tracks)

• secret_scanning.disable → large commits → secret_scanning.enable

• repo.add_member with admin + repo.transfer + org.remove_member (repository theft)