Attack technique
Technique name: A Member Was Added to a GitHub Organization as an Owner
MITRE ATT&CK
- Tactic: Persistence
- Technique: Account Manipulation
Technique description
In today's software development, CI/CD (Continuous Integration/Continuous Deployment) systems are vital, coordinating the flow of code from creation to deployment in production. Attackers of various skill levels are increasingly targeting CI/CD environments due to their potential to enable unauthorized access to critical assets. As the reliance on CI/CD systems grows across industries, ensuring the security of these systems has become crucial.
An attacker may gain initial access to GitHub through various methods, including the use of leaked SSH keys. Once inside a GitHub organization, they may seek to achieve a lasting foothold. One effective method to establish persistence in such environments is by creating a backdoor user. This method allows attackers to maintain access and control over the organization's source code, secrets, and GitHub applications over an extended period, leading to potential damage to the company's reputation, intellectual property theft, regulatory non-compliance, and financial losses due to disrupted operations.
Threat hunting thesis breakdown
A member was added to the GitHub organization as an owner
Relevant data sources: GitHub audit logs
Thesis explanation
An external member or collaborator is invited to the GitHub organization and, upon accepting the invitation, is granted owner (admin) privileges within the organization. An attacker with an initial foothold in the GitHub organization may abuse this functionality to obtain persistence by creating a backdoor user under their control, allowing them to maintain long-term unauthorized access, manipulate data, and exfiltrate sensitive information. The thesis focuses on user invitations that are accepted within 5 hours of being sent.
Blind spots
The thesis primarily focuses on scenarios where member or collaborator invitations are accepted within 5 hours of being sent. Instances where invitations were accepted beyond this timeframe are considered out of scope.
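The correlation the thesis and its blind spot describe, as an added example that is not part of the original page: invitation events are paired with the matching add-member event for the same user, and a finding is raised only when the accepted role is owner and the acceptance falls inside the 5-hour window. The audit log lines are constructed, and the action names (`org.invite_member`, `org.add_member`), the `permission` field and its value `admin` for owners, and the millisecond `@timestamp` field are assumptions about the export layout that should be checked against your own audit log export.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit log lines (not a real export). Field layout is an assumption.
SAMPLE_AUDIT_LOG = """
{"action":"org.invite_member","actor":"dev-lead","user":"contractor-a","org":"example-org","actor_ip":"203.0.113.7","@timestamp":1700000000000}
{"action":"org.add_member","actor":"contractor-a","user":"contractor-a","org":"example-org","permission":"admin","@timestamp":1700003600000}
{"action":"org.invite_member","actor":"dev-lead","user":"new-hire","org":"example-org","actor_ip":"198.51.100.4","@timestamp":1700000000000}
{"action":"org.add_member","actor":"new-hire","user":"new-hire","org":"example-org","permission":"read","@timestamp":1700001800000}
{"action":"org.invite_member","actor":"admin-b","user":"slow-accept","org":"example-org","actor_ip":"198.51.100.9","@timestamp":1700000000000}
{"action":"org.add_member","actor":"slow-accept","user":"slow-accept","org":"example-org","permission":"admin","@timestamp":1700030000000}
"""

ACCEPT_WINDOW = timedelta(hours=5)      # the thesis window; later acceptances are the blind spot
OWNER_PERMISSIONS = {"admin"}           # assumption: owners are recorded as "admin"


def _ts(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_events(text):
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_fast_owner_adds(events, window=ACCEPT_WINDOW):
    """Return one finding per invitation accepted as owner within `window`."""
    pending = {}   # (org, invited user) -> most recent invite event
    findings = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("org"), ev.get("user"))
        if ev["action"] == "org.invite_member":
            pending[key] = ev
        elif ev["action"] == "org.add_member" and ev.get("permission") in OWNER_PERMISSIONS:
            invite = pending.pop(key, None)
            if invite is None:
                continue   # no invite seen: outside this thesis
            delay = _ts(ev["@timestamp"]) - _ts(invite["@timestamp"])
            if delay <= window:
                findings.append({
                    "org": key[0],
                    "invited_user": key[1],
                    "inviter": invite.get("actor"),          # the user to investigate
                    "inviter_ip": invite.get("actor_ip"),    # the IP to investigate
                    "accept_delay_hours": delay.total_seconds() / 3600,
                })
    return findings


if __name__ == "__main__":
    for f in find_fast_owner_adds(parse_events(SAMPLE_AUDIT_LOG)):
        print(f)
```

Of the three constructed invitations only `contractor-a` is flagged: `new-hire` was added with read permission, and `slow-accept` became an owner but accepted after the window, which is exactly the blind spot the thesis states.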
Recommended investigation flow
Investigate the initiating IP:
- Is it an organizational IP?
- Is it regularly used by the initiating GitHub user?
- Which ASN does it belong to?
- Is it a proxy IP?
Investigate the initiating user:
- Did it perform any abnormal activities in GitHub?
- Was it authenticated via an IdP? If so, did the IdP user conduct abnormal activities on other attack surfaces, such as cloud environments? Did a brute-force attempt take place against the user's credentials?
- Does it have MFA configured?
- Did it operate from an IP, country, and user agent that it regularly operates from?
- Does this user have an SSH key for programmatic access?
Investigate the invited user:
- Is it a part of an organizational or trusted domain?
- What activities did it perform after its addition to the GitHub organization? Did they take place from a known IP range?