Accounts in GitHub that grant access to other accounts, which in turn grant access to additional accounts, may indicate lateral movement or unauthorized access by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and unauthorized privilege escalation in their GitHub environments.
KQL Query
GitHubAudit
// First hop: every access grant, renamed so the user who was added can be matched as the actor of a later grant
| where ImpactedUser != ""
| where Action == "org.invite_member" or Action == "org.add_member" or Action == "team.add_member" or Action == "repo.add_member"
| distinct ImpactedUser, TimeGenerated, Actor
| project-rename firstUserAdded = ImpactedUser, firstEventTime = TimeGenerated, firstAdderUser = Actor
| join kind= innerunique (
    // Second hop: the same grant events, renamed as the second grant
    GitHubAudit
    | where ImpactedUser != ""
    | where Action == "org.invite_member" or Action == "org.add_member" or Action == "team.add_member" or Action == "repo.add_member"
    | distinct ImpactedUser, TimeGenerated, Actor
    | project-rename secondUserAdded = ImpactedUser, secondEventTime = TimeGenerated, secondAdderUser = Actor
// The account added in the first event must be the account granting access in the second event
) on $left.firstUserAdded == $right.secondAdderUser
// Keep only second grants made within one hour of the first grant
| where secondEventTime between (firstEventTime .. (firstEventTime + 1h))
id: f18c4dfb-4fa6-4a9d-9bd3-f7569d1d685a
name: GitHub User Grants Access and Other User Grants Access
description: |
  'This hunting query identifies accounts in GitHub that have granted access to another account, which then grants access to yet another account; such a chain may be a sign of compromise.'
requiredDataConnectors: []
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1098
  - T1078
query: |
  GitHubAudit
  | where ImpactedUser != ""
  | where Action == "org.invite_member" or Action == "org.add_member" or Action == "team.add_member" or Action == "repo.add_member"
  | distinct ImpactedUser, TimeGenerated, Actor
  | project-rename firstUserAdded = ImpactedUser, firstEventTime = TimeGenerated, firstAdderUser = Actor
  | join kind= innerunique (
      GitHubAudit
      | where ImpactedUser != ""
      | where Action == "org.invite_member" or Action == "org.add_member" or Action == "team.add_member" or Action == "repo.add_member"
      | distinct ImpactedUser, TimeGenerated, Actor
      | project-rename secondUserAdded = ImpactedUser, secondEventTime = TimeGenerated, secondAdderUser = Actor
  ) on $left.firstUserAdded == $right.secondAdderUser
  | where secondEventTime between (firstEventTime .. (firstEventTime + 1h))
Scenario: Scheduled CI/CD Pipeline Job Grants Access
Description: A legitimate CI/CD pipeline (e.g., GitHub Actions) may grant access to a service account or another repository as part of an automated deployment process.
Filter/Exclusion: Exclude events where the granting account is a GitHub Actions bot or a known CI/CD service account (e.g., github-actions[bot]).
Scenario: Admin User Grants Access to a Team Member for Collaboration
Description: An admin user may grant access to a team member for collaborative work on a project, which is a normal part of team management.
Filter/Exclusion: Exclude access grants where the grantor is an admin and the recipient is a team member with a valid access request.
Scenario: Internal Tool Integration Grants Access to a Third-Party Service
Description: An internal tool (e.g., a monitoring or logging service) may be configured to access GitHub repositories as part of its integration, which is a common practice.
Filter/Exclusion: Exclude access grants where the granting account is a service account used by an internal tool (e.g., internal-monitoring-tool).
Scenario: User Grants Access to a Forked Repository for Code Review
Description: A user may grant access to a forked repository to another user for code review or collaboration, which is a standard development practice.
Filter/Exclusion: Exclude access grants where the grantor and grantee are part of the same team or have a known collaboration history.
Scenario: Access Grant via GitHub API for Automation
Description: A script or automation tool (e.g., using GitHub API) may grant access to another account as part of an automated process, such as setting up a new project or user.
Filter/Exclusion: Exclude access grants where the granting account is
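Added example, not part of the hunting query or of any Sentinel content: a plain-Python re-implementation of the query's self-join (the user added in one grant becomes the actor of a second grant within one hour) run over constructed GitHubAudit-style rows, with an allowlist of automation actors of the kind the false-positive scenarios above describe. The field names mirror the GitHubAudit columns the query uses; the events, the account names and the KNOWN_AUTOMATION_ACTORS allowlist are constructed for this example and are not real data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    """One GitHubAudit-style row (constructed; column names mirror the Sentinel table)."""
    TimeGenerated: datetime
    Action: str
    Actor: str         # the account performing the action
    ImpactedUser: str  # the account being added or invited


# The four access-grant actions the hunting query matches on.
ACCESS_GRANT_ACTIONS = {
    "org.invite_member", "org.add_member", "team.add_member", "repo.add_member",
}

# The query's one-hour window between the first grant and the second.
DEFAULT_WINDOW = timedelta(hours=1)

# Hypothetical allowlist of automation actors (CI/CD bot, internal tool) for the
# false-positive scenarios; a real deployment maintains its own inventory.
KNOWN_AUTOMATION_ACTORS = frozenset({"github-actions[bot]", "internal-monitoring-tool"})

# Constructed sample rows (not real audit data).
SAMPLE_EVENTS = [
    AuditEvent(datetime(2024, 1, 10, 9, 0), "org.add_member", "alice", "bob"),
    # bob, added 20 minutes earlier, adds carol: alice -> bob -> carol (inside the window)
    AuditEvent(datetime(2024, 1, 10, 9, 20), "repo.add_member", "bob", "carol"),
    # bob adds dave two hours after being added: outside the window
    AuditEvent(datetime(2024, 1, 10, 11, 0), "team.add_member", "bob", "dave"),
    # a CI bot adds a service account, which then adds erin 25 minutes later
    AuditEvent(datetime(2024, 1, 10, 9, 5), "repo.add_member", "github-actions[bot]", "deploy-svc"),
    AuditEvent(datetime(2024, 1, 10, 9, 30), "repo.add_member", "deploy-svc", "erin"),
    # not an access grant, and an empty ImpactedUser: both dropped by the filters
    AuditEvent(datetime(2024, 1, 10, 9, 10), "repo.remove_member", "alice", "frank"),
    AuditEvent(datetime(2024, 1, 10, 9, 0), "org.add_member", "alice", ""),
]


def access_grants(events):
    """Apply the query's two filters and its 'distinct ImpactedUser, TimeGenerated, Actor'."""
    seen = set()
    grants = []
    for e in events:
        if e.ImpactedUser == "" or e.Action not in ACCESS_GRANT_ACTIONS:
            continue
        key = (e.ImpactedUser, e.TimeGenerated, e.Actor)
        if key in seen:
            continue
        seen.add(key)
        grants.append(e)
    return grants


def find_access_chains(events, window=DEFAULT_WINDOW, excluded_actors=frozenset()):
    """Return (firstAdderUser, firstUserAdded, firstEventTime, secondUserAdded, secondEventTime)
    for every first grant whose added user is the actor of a second grant within `window`.
    This is the query's join on firstUserAdded == secondAdderUser plus its time check.
    A chain in which either granting account is in `excluded_actors` is suppressed."""
    grants = access_grants(events)
    chains = []
    for first in grants:
        if first.Actor in excluded_actors:
            continue
        for second in grants:
            if second.Actor != first.ImpactedUser or second.Actor in excluded_actors:
                continue
            if first.TimeGenerated <= second.TimeGenerated <= first.TimeGenerated + window:
                chains.append((first.Actor, first.ImpactedUser, first.TimeGenerated,
                               second.ImpactedUser, second.TimeGenerated))
    return chains


if __name__ == "__main__":
    for chain in find_access_chains(SAMPLE_EVENTS):
        print("chain:", chain)
    print("after allowlist:",
          find_access_chains(SAMPLE_EVENTS, excluded_actors=KNOWN_AUTOMATION_ACTORS))
```

On the sample rows the unfiltered run reports two chains (alice -> bob -> carol and github-actions[bot] -> deploy-svc -> erin) and the allowlisted run keeps only the first. One difference from the KQL worth knowing: `join kind=innerunique` deduplicates the left side on the join key, so a user who was granted access several times is matched from only one of those first events, whereas this Python version reports every qualifying pair; use `kind=inner` in Kusto if every pair is wanted.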