Indicators of Compromise
Gato-X offers numerous attack capabilities. How can you determine if an unauthorized actor is using Gato-X against your organization?
In general, writing robust detections for GitHub events is hard because every organization has a different noise profile, and DevOps noise is a beast. Legitimate automation flows are very likely to trigger false positives. Regardless, below are some thoughts for blue teamers who want to try to tackle writing detections for tools like Gato-X.
Public repository enumeration with Gato-X (provided someone is using their own token) is expected activity, as it is only consuming publicly available GitHub APIs.
On the other hand, if someone has compromised a GitHub PAT belonging to an employee and is using it to enumerate access, how can you detect it?
GitHub does not produce audit log events for GET requests, so Gato-X's enumeration feature will not generate any audit log events. The only exception is organizations that have REST API request streaming enabled. This optional feature writes ALL API requests made against the organization (including GET requests) to the audit log. If a user has write access to a repository, Gato-X will send a list-secrets API call for each such repository. It may be possible to detect a cluster of list-secrets API calls from a single user who does not normally perform those requests.
Gato-X will typically generate a create workflow run event that uses a large number of secrets (I believe this information is present in the audit log entry) quickly followed by a delete workflow run event.
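The two heuristics above (a burst of list-secrets API calls from a user who does not normally make them, and a workflow run created and then deleted shortly afterwards) can be prototyped over exported audit log entries. The following is an added example, not code from the Gato-X project or from GitHub; the sample entries are constructed, and the action names ("api.request", "workflows.created_workflow_run", "workflows.delete_workflow_run") and field names ("actor", "repo", "path", "workflow_run_id", "@timestamp") are assumptions about the audit log JSON shape that should be checked against your own stream before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log entries (not real data). The action names and
# field names are assumptions about the GitHub audit log JSON shape.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00+00:00", "action": "api.request", "actor": "ci-bot",
     "repo": "acme/app", "method": "GET", "path": "/repos/acme/app/actions/secrets"},
    # Burst of list-secrets calls across many repos from a user who never did this before
    {"@timestamp": "2024-05-01T10:05:00+00:00", "action": "api.request", "actor": "alice",
     "repo": "acme/app", "method": "GET", "path": "/repos/acme/app/actions/secrets"},
    {"@timestamp": "2024-05-01T10:05:01+00:00", "action": "api.request", "actor": "alice",
     "repo": "acme/api", "method": "GET", "path": "/repos/acme/api/actions/secrets"},
    {"@timestamp": "2024-05-01T10:05:02+00:00", "action": "api.request", "actor": "alice",
     "repo": "acme/infra", "method": "GET", "path": "/repos/acme/infra/actions/secrets"},
    {"@timestamp": "2024-05-01T10:05:03+00:00", "action": "api.request", "actor": "alice",
     "repo": "acme/web", "method": "GET", "path": "/repos/acme/web/actions/secrets"},
    # A workflow run created and then deleted two minutes later by the same actor
    {"@timestamp": "2024-05-01T10:20:00+00:00", "action": "workflows.created_workflow_run",
     "actor": "alice", "repo": "acme/infra", "workflow_run_id": 4242},
    {"@timestamp": "2024-05-01T10:22:00+00:00", "action": "workflows.delete_workflow_run",
     "actor": "alice", "repo": "acme/infra", "workflow_run_id": 4242},
    # Normal activity: a run created and left in place
    {"@timestamp": "2024-05-01T11:00:00+00:00", "action": "workflows.created_workflow_run",
     "actor": "ci-bot", "repo": "acme/app", "workflow_run_id": 4300},
]

# Actors known to list secrets routinely (e.g. deployment automation); tune per org.
BASELINE_SECRET_LISTERS = {"ci-bot"}


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"])


def is_list_secrets(event):
    """True for a streamed GET against a repository's actions secrets endpoint."""
    return (event["action"] == "api.request"
            and event.get("method") == "GET"
            and event.get("path", "").endswith("/actions/secrets"))


def secret_listing_bursts(events, threshold=3, window=timedelta(minutes=10),
                          baseline=BASELINE_SECRET_LISTERS):
    """Return {actor: max distinct repos} for actors outside the baseline that
    listed secrets on at least `threshold` repositories within `window`."""
    per_actor = defaultdict(list)
    for e in sorted(events, key=_ts):
        if is_list_secrets(e) and e["actor"] not in baseline:
            per_actor[e["actor"]].append(e)
    hits = {}
    for actor, evs in per_actor.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events fit inside `window`
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            repos = {x["repo"] for x in evs[start:end + 1]}
            if len(repos) >= threshold:
                hits[actor] = max(hits.get(actor, 0), len(repos))
    return hits


def create_then_delete(events, window=timedelta(minutes=15)):
    """Return (actor, repo, run_id, seconds_between) for workflow runs that the
    same actor deleted within `window` of creating them."""
    created = {}
    findings = []
    for e in sorted(events, key=_ts):
        key = (e["repo"], e.get("workflow_run_id"))
        if e["action"] == "workflows.created_workflow_run":
            created[key] = e
        elif e["action"] == "workflows.delete_workflow_run" and key in created:
            c = created.pop(key)
            delta = _ts(e) - _ts(c)
            if delta <= window and c["actor"] == e["actor"]:
                findings.append((e["actor"], e["repo"], e["workflow_run_id"],
                                 int(delta.total_seconds())))
    return findings


if __name__ == "__main__":
    print("secret listing bursts:", secret_listing_bursts(SAMPLE_EVENTS))
    print("create-then-delete runs:", create_then_delete(SAMPLE_EVENTS))
```

The baseline set is the important tuning knob: without it, deployment automation that enumerates secrets will dominate the results, which is exactly the false-positive problem described above. The create-then-delete check keys on the same actor and repository so that unrelated cleanup of old runs by a different user is not flagged.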