An adversary may use a first-time GitHub invite to covertly add a compromised account to an organization, establishing initial access. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential lateral movement and unauthorized access attempts.
KQL Query

```kql
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let LearningPeriod = 7d;
let EndLearningTime = starttime - LearningPeriod;
let GitHubOrgMemberLogs = (GitHubAudit
| where Action == "org.invite_member" or Action == "org.update_member" or Action == "org.add_member" or Action == "repo.add_member" or Action == "team.add_member");
GitHubOrgMemberLogs
| where TimeGenerated between (EndLearningTime..starttime)
| distinct Actor
| join kind=rightanti (
    GitHubOrgMemberLogs
    | where TimeGenerated between (starttime..endtime)
    | distinct Actor
) on Actor
```
```yaml
id: c3237d88-fdc4-4dee-8b90-118ded2c507c
name: GitHub First Time Invite Member and Add Member to Repo
description: |
  'This hunting query identifies a user who adds or invites a member to the organization for the first time. This technique can be leveraged by attackers to add stealth account access to the organization.'
requiredDataConnectors: []
tactics:
  - Persistence
relevantTechniques:
  - T1136
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let LearningPeriod = 7d;
  let EndLearningTime = starttime - LearningPeriod;
  let GitHubOrgMemberLogs = (GitHubAudit
  | where Action == "org.invite_member" or Action == "org.update_member" or Action == "org.add_member" or Action == "repo.add_member" or Action == "team.add_member");
  GitHubOrgMemberLogs
  | where TimeGenerated between (EndLearningTime..starttime)
  | distinct Actor
  | join kind=rightanti (
      GitHubOrgMemberLogs
      | where TimeGenerated between (starttime..endtime)
      | distinct Actor
  ) on Actor
```
**Scenario: DevOps Pipeline Deployment**
Description: A CI/CD pipeline (e.g., GitHub Actions, Jenkins, or GitLab CI) automatically invites a new contributor or bot account to an organization for the first time as part of a deployment process.
Filter/Exclusion: Check whether the Actor is a service account belonging to a known CI/CD tool (e.g., github-actions, jenkins, gitlab-ci) and exclude it, for example with `| where Actor !in ("github-actions", "jenkins", "gitlab-ci")`.

**Scenario: Scheduled Admin Task**
Description: An admin runs a scheduled task (e.g., using the GitHub CLI `gh` tool or a custom script) to invite a new user to the organization for onboarding purposes.
Filter/Exclusion: Exclude Actors that are known admin or onboarding accounts, for example with `| where Actor !in ("admin_user", "onboarding_team")`.

**Scenario: User Onboarding via GitHub SSO**
Description: A new user is invited to the organization via SSO (Single Sign-On) integration, which automatically adds them to the organization and possibly to a repository.
Filter/Exclusion: Check whether the audit event carries a field that marks it as SSO-driven (e.g., an invitation_source or event_type value such as sso_invitation or sso_user) or exclude Actors that are known SSO admin accounts.

**Scenario: Automated User Provisioning Tool**
Description: A third-party user provisioning tool (e.g., Okta, Azure AD, or Ping Identity) automatically invites a new user to the organization as part of identity management.
Filter/Exclusion: Exclude Actors that are known identity provider service accounts, for example with `| where Actor !in ("okta", "azure-ad", "ping-identity")`.
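As an added example, not part of the original hunting query or of the Sentinel content it comes from, the following Python reproduces the query's logic outside of Sentinel so that the learning-window/detection-window semantics and the actor exclusions from the scenarios above can be checked against constructed audit events. Column names follow the GitHubAudit columns the query uses (TimeGenerated, Action, Actor); the sample events, the demo time window and the exclusion list are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Membership actions the hunting query pivots on (taken from the KQL above).
MEMBERSHIP_ACTIONS = frozenset({
    "org.invite_member", "org.update_member", "org.add_member",
    "repo.add_member", "team.add_member",
})


def parse_ts(value):
    """Parse an ISO-8601 timestamp such as 2024-03-08T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample events in the shape of the GitHubAudit columns the query
# uses. "mallory" only pushed code during the learning period, so the invite
# on 03-08 is that actor's first membership change.
SAMPLE_EVENTS = [
    {"TimeGenerated": "2024-03-01T09:00:00Z", "Action": "org.add_member",    "Actor": "alice-admin"},
    {"TimeGenerated": "2024-03-03T10:00:00Z", "Action": "team.add_member",   "Actor": "alice-admin"},
    {"TimeGenerated": "2024-03-04T08:30:00Z", "Action": "repo.add_member",   "Actor": "github-actions"},
    {"TimeGenerated": "2024-03-06T12:00:00Z", "Action": "repo.push",         "Actor": "mallory"},
    {"TimeGenerated": "2024-03-08T14:00:00Z", "Action": "org.invite_member", "Actor": "mallory"},
    {"TimeGenerated": "2024-03-08T15:00:00Z", "Action": "org.add_member",    "Actor": "alice-admin"},
    {"TimeGenerated": "2024-03-09T09:00:00Z", "Action": "repo.add_member",   "Actor": "github-actions"},
    {"TimeGenerated": "2024-03-09T11:00:00Z", "Action": "team.add_member",   "Actor": "okta"},
]

# Constructed detection window (stands in for StartTimeISO / EndTimeISO);
# the query's default 7-day learning period ends where this window starts.
DEMO_START = parse_ts("2024-03-08T00:00:00Z")
DEMO_END = parse_ts("2024-03-10T00:00:00Z")


def first_time_inviters(events, starttime, endtime,
                        learning_period=timedelta(days=7),
                        excluded_actors=frozenset()):
    """Return actors with a membership action inside [starttime, endtime]
    and none inside the preceding learning period.

    Mirrors the KQL: distinct actors in the learning window, then a
    rightanti join against distinct actors in the detection window, i.e.
    keep only detection-window actors with no baseline match. Bounds are
    inclusive, like KQL's `between`. excluded_actors carries the known
    automation accounts from the false-positive scenarios.
    """
    learning_start = starttime - learning_period
    membership = [e for e in events if e["Action"] in MEMBERSHIP_ACTIONS]

    def actors_between(lo, hi):
        return {e["Actor"] for e in membership
                if lo <= parse_ts(e["TimeGenerated"]) <= hi}

    baseline = actors_between(learning_start, starttime)
    current = actors_between(starttime, endtime)
    return sorted(current - baseline - set(excluded_actors))


def evidence_for(events, actors, starttime, endtime):
    """Return the detection-window membership events of the flagged actors,
    so an analyst can see what each first-time actor actually did."""
    return [e for e in events
            if e["Actor"] in actors and e["Action"] in MEMBERSHIP_ACTIONS
            and starttime <= parse_ts(e["TimeGenerated"]) <= endtime]


if __name__ == "__main__":
    hits = first_time_inviters(SAMPLE_EVENTS, DEMO_START, DEMO_END)
    print("raw hits:", hits)
    tuned = first_time_inviters(SAMPLE_EVENTS, DEMO_START, DEMO_END,
                                excluded_actors={"github-actions", "okta"})
    print("after exclusions:", tuned)
    for event in evidence_for(SAMPLE_EVENTS, tuned, DEMO_START, DEMO_END):
        print(event)
```

Run stand-alone, the raw pass flags both `mallory` and `okta` (neither performed a membership action in the learning window), and the exclusion list from the provisioning-tool scenario removes `okta`, leaving only the human actor whose first invite falls inside the window. Note that `github-actions` is never flagged here because it already appears in the baseline; the exclusion list matters for automation accounts that appear for the first time.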
**Scenario: Internal