An adversary may delete a GitHub repository as part of an initial compromise to eliminate forensic evidence. Because a user deleting a repository for the first time is unusual, SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage malware or exfiltration activity.
KQL Query
let starttime = todatetime('{{StartTimeISO}}');
let endtime = todatetime('{{EndTimeISO}}');
let LearningPeriod = 7d;
let EndLearningTime = starttime - LearningPeriod;
let GitHubRepositoryDestroyEvents = (GitHubAudit
    | where Action == "repo.destroy");
GitHubRepositoryDestroyEvents
| where TimeGenerated between (EndLearningTime .. starttime)
| distinct Actor
| join kind=rightanti (
    GitHubRepositoryDestroyEvents
    | where TimeGenerated between (starttime .. endtime)
    | distinct Actor
) on Actor
id: c3237d88-fdc4-4dee-8b90-118ded2c507c
name: GitHub First Time Repo Delete
description: |
  'This hunting query identifies GitHub activity where a user deletes a repository for the first time, which may be a sign of compromise.'
requiredDataConnectors: []
tactics:
  - Impact
relevantTechniques:
  - T1485
query: |
  let starttime = todatetime('{{StartTimeISO}}');
  let endtime = todatetime('{{EndTimeISO}}');
  let LearningPeriod = 7d;
  let EndLearningTime = starttime - LearningPeriod;
  let GitHubRepositoryDestroyEvents = (GitHubAudit
      | where Action == "repo.destroy");
  GitHubRepositoryDestroyEvents
  | where TimeGenerated between (EndLearningTime .. starttime)
  | distinct Actor
  | join kind=rightanti (
      GitHubRepositoryDestroyEvents
      | where TimeGenerated between (starttime .. endtime)
      | distinct Actor
  ) on Actor
False Positive Scenarios
The field names in the filters below are illustrative and do not map one-to-one to the GitHubAudit columns the query uses (Action, Actor, TimeGenerated); map each exclusion to the columns available in your workspace before adding it as a where clause.

Scenario: Scheduled Job Cleanup
Description: A legitimate scheduled job runs daily to clean up old or unused repositories.
Filter/Exclusion: repo_delete_event_type = "scheduled_cleanup"

Scenario: DevOps Pipeline Artifact Cleanup
Description: A CI/CD pipeline deletes temporary repositories used for artifact storage after a build completes.
Filter/Exclusion: user_agent = "GitHub Actions" AND repo_name CONTAINS "artifact"

Scenario: Admin User Performing Maintenance
Description: A system administrator deletes a test repository as part of routine maintenance or environment setup.
Filter/Exclusion: user_login = "admin" AND repo_name CONTAINS "test"

Scenario: GitHub API Script for Repo Management
Description: A script using the GitHub API is used to delete repositories that are no longer needed, such as during a migration or reorganization.
Filter/Exclusion: user_agent = "GitHub API" AND repo_name CONTAINS "migration"

Scenario: User Accidentally Deletes a Repo
Description: A user mistakenly deletes a repository while trying to manage their workspace or move files.
Filter/Exclusion: user_login = "user" AND (repo_name CONTAINS "temp" OR repo_name CONTAINS "draft")
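As an added illustration that is not part of the original query or the Sentinel content, the following Python reproduces the first-seen logic of the KQL above (learning window subtracted from hunting window, the `join kind=rightanti` on Actor) over a constructed sample of GitHubAudit-style events, and models one allowlist exclusion of the kind the scenarios describe. The event rows, actor names and the `allowlist` parameter are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample of GitHubAudit-style rows (TimeGenerated, Action, Actor, Repository).
# These are made-up events for illustration, not real audit data.
EVENTS = [
    ("2024-05-01T09:00:00", "repo.destroy", "ci-bot",  "org/artifact-123"),
    ("2024-05-03T10:00:00", "repo.destroy", "alice",   "org/test-sandbox"),
    ("2024-05-09T08:30:00", "repo.destroy", "ci-bot",  "org/artifact-124"),
    ("2024-05-09T11:15:00", "repo.destroy", "mallory", "org/payments-api"),
    ("2024-05-09T12:00:00", "repo.create",  "bob",     "org/new-thing"),
    ("2024-05-10T07:45:00", "repo.destroy", "alice",   "org/test-sandbox-2"),
]


def first_time_repo_deleters(events, start_iso, end_iso, learning_days=7, allowlist=()):
    """Actors whose first observed repo.destroy falls inside the hunting window.

    Mirrors the query: actors with a repo.destroy in the learning window
    [start - learning_days, start) are subtracted from actors with a
    repo.destroy in the hunting window [start, end], i.e. `join kind=rightanti`
    on Actor. `allowlist` models a tuning exclusion for known automation
    accounts (an assumption for this example; the query itself has none).
    """
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    learn_start = start - timedelta(days=learning_days)

    # Equivalent of `GitHubAudit | where Action == "repo.destroy"`.
    destroys = [(datetime.fromisoformat(ts), actor)
                for ts, action, actor, _repo in events if action == "repo.destroy"]

    learned = {actor for ts, actor in destroys if learn_start <= ts < start}
    window = {actor for ts, actor in destroys if start <= ts <= end}
    return sorted((window - learned) - set(allowlist))


if __name__ == "__main__":
    # With a 7-day learning period ending 2024-05-08, ci-bot and alice are already
    # known deleters, so only mallory surfaces as a first-time repo deleter.
    print(first_time_repo_deleters(EVENTS, "2024-05-08T00:00:00", "2024-05-11T00:00:00"))
    # Shifting the window so ci-bot's earlier delete falls outside the learning
    # period makes the automation account fire too; an allowlist suppresses it.
    print(first_time_repo_deleters(EVENTS, "2024-05-09T00:00:00", "2024-05-11T00:00:00"))
    print(first_time_repo_deleters(EVENTS, "2024-05-09T00:00:00", "2024-05-11T00:00:00",
                                   allowlist=("ci-bot",)))
```

The second and third calls show why the scenario exclusions matter: a short learning period alone lets routine automation resurface as "first time" whenever its last delete ages out of the window.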