Adnan Khan edited this page May 31, 2023 · 8 revisions

OpSec Considerations

If you are a Red-Teamer seeking to assess a token's privileges without alerting the organization of your activities, then certain Gato features should be avoided or used with care.

Enumeration

API Requests in Audit Log

GitHub recently released a new feature that allows all API requests made against an organization's private repositories to be included in the audit log. This feature is currently in private beta, so it is unlikely that most organizations are enrolled in it and have detection engineering built around GET API requests. However, it can no longer be assumed that using Gato without any git clone operations is 100% stealthy.

Git Clone Logging

Organizations on the GitHub Enterprise plan can query log events for git clone operations via the REST API. This means that if you use a compromised PAT to clone hundreds of repositories, and that organization is ingesting these logs into a SIEM, this could trigger an alert.

The --skip-clones flag should be used to perform enumeration using API GET requests only, which should not generate any audit log events. The primary method of detecting self-hosted runners will be downloading and parsing workflow run logs (or querying them from the organization/repository if the user is an administrator).
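From the defender's side, the SIEM alert described above can be as simple as counting distinct repositories cloned per actor inside a sliding time window, which separates a token sweeping many repositories from a CI identity re-cloning one repository all day. The following is an added example, not code from the Gato project; it assumes audit-log records shaped like GitHub's audit log export (@timestamp in epoch milliseconds, action, actor, repo) and runs over constructed events.

```python
import json
from collections import defaultdict


def _ev(ts_s, actor, repo, action="git.clone"):
    """Build one constructed audit-log record (field names follow GitHub's export)."""
    return {"@timestamp": ts_s * 1000, "action": action, "actor": actor, "repo": repo}


BASE = 1685500000  # constructed epoch seconds; all values below are invented
SAMPLE_EVENTS = (
    # a CI identity re-cloning the same repo every 6 minutes: noisy but benign
    [_ev(BASE + 360 * i, "svc-ci", "acme/web-app") for i in range(10)]
    # a developer touching three repos over a working day: benign
    + [_ev(BASE + 3600 * i, "dev-alice", f"acme/service-{i}") for i in range(3)]
    # one token sweeping eight distinct repos in under three minutes: suspicious
    + [_ev(BASE + 20 * i, "contractor-pat", f"acme/repo-{i:02d}") for i in range(8)]
    # a git.push by the same token, which the clone detector must ignore
    + [_ev(BASE + 5, "contractor-pat", "acme/repo-00", action="git.push")]
)


def detect_bulk_clones(events, window_seconds=600, min_distinct_repos=5):
    """Flag each actor whose git.clone events cover at least min_distinct_repos
    distinct repositories within some sliding window of window_seconds.
    Returns a list of alert dicts sorted by actor."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("action") != "git.clone":
            continue  # git.push / git.fetch and non-git events are out of scope
        by_actor[e["actor"]].append((e["@timestamp"] // 1000, e["repo"]))
    alerts = []
    for actor, rows in sorted(by_actor.items()):
        rows.sort()  # chronological order is required for the sliding window
        peak, peak_start, start = 0, None, 0
        for end, (ts, _) in enumerate(rows):
            while ts - rows[start][0] > window_seconds:
                start += 1  # slide the window forward past stale clones
            distinct = len({repo for _, repo in rows[start:end + 1]})
            if distinct > peak:
                peak, peak_start = distinct, rows[start][0]
        if peak >= min_distinct_repos:
            alerts.append({"actor": actor, "distinct_repos": peak,
                           "window_start": peak_start})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_clones(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

This logic only sees git.clone events, so enumeration done with --skip-clones stays invisible to it unless the organization also has the API request audit logging described above.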

In the future, we will switch the YAML download feature to use the Repository Contents API, which should allow silent enumeration of YAML files.

Enumeration using API requests only is currently in the dev branch. This feature also has the added benefit of bypassing restrictions on cloning (such as when organizations require SSH authentication to be used for all git operations).

Attack

Attacking a repository is an overt action. In a true Red Team, you will be best served using a custom payload that blends into the noise present in the organization you are targeting. Gato offers some options to tweak the IOCs generated as part of the workflow push attack. Examples of this are the branch name and the author of the commit.

It is helpful to review the GitHub Audit Log Events documentation to understand which events will be logged.
