GitHub activity observed from Tor client IP


Goal

Detect when GitHub activity is observed from a Tor exit node.

Strategy

This rule monitors GitHub telemetry logs and flags activity whose client IP is associated with a Tor exit node. Datadog enriches all ingested logs with expert-curated threat intelligence in real time, so the Tor attribution is already present on each log when the rule evaluates it. An attacker may use a Tor client to anonymize their true origin when accessing GitHub programmatically.
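The detection described above, written out as an added Python example that is not part of this page or of Datadog's rule engine. It mimics the ingestion-time enrichment with a constructed Tor exit-node set (RFC 5737 documentation addresses), evaluates constructed GitHub audit-log records laid out to match the rule's template variables (`@github.actor`, `@network.client.ip`), and groups the matches per actor so that the actions the triage list calls out (branch protection changes, secret or audit-log access) are surfaced alongside the Tor signal. The action-name prefixes used for that correlation are assumptions, not values taken from the page.

```python
import json

# Constructed stand-in for the curated Tor exit-node list that enrichment
# attaches to each log at ingestion time. RFC 5737 documentation addresses only.
TOR_EXIT_NODES = {"203.0.113.7", "198.51.100.42"}

# Constructed GitHub audit-log records shaped after the rule's template
# variables (@github.actor, @network.client.ip). Action names are illustrative.
SAMPLE_LOGS = [
    '{"github": {"actor": "octo-dev", "action": "repo.download_zip"}, '
    '"network": {"client": {"ip": "203.0.113.7"}}, "timestamp": "2024-05-01T10:00:00Z"}',
    '{"github": {"actor": "octo-dev", "action": "protected_branch.destroy"}, '
    '"network": {"client": {"ip": "203.0.113.7"}}, "timestamp": "2024-05-01T10:02:00Z"}',
    '{"github": {"actor": "ci-bot", "action": "git.push"}, '
    '"network": {"client": {"ip": "192.0.2.10"}}, "timestamp": "2024-05-01T10:03:00Z"}',
    '{"github": {"actor": "alice", "action": "org.audit_log_export"}, '
    '"network": {"client": {"ip": "198.51.100.42"}}, "timestamp": "2024-05-01T10:05:00Z"}',
    # No client IP at all: nothing to enrich, must not raise or match.
    '{"github": {"actor": "alice", "action": "git.clone"}}',
]

# Action prefixes worth correlating with a Tor signal, per the triage steps.
# These prefixes are an assumption about audit-log naming, not from the page.
ESCALATING_PREFIXES = ("protected_branch.", "secret_scanning", "org.audit_log")


def enrich(event):
    """Attach a threat_intel list to the event, imitating ingestion enrichment."""
    ip = event.get("network", {}).get("client", {}).get("ip")
    event["threat_intel"] = (
        [{"category": "tor", "indicator": ip}] if ip in TOR_EXIT_NODES else []
    )
    return event


def is_tor_event(event):
    """True when any attached threat-intel entry classifies the client IP as Tor."""
    return any(t["category"] == "tor" for t in event.get("threat_intel", []))


def detect(log_lines):
    """Return one signal per actor seen from a Tor exit node, keyed by actor.

    Each signal carries the client IPs observed, every action performed in the
    matched events, and the subset of actions that the triage list treats as
    escalating (so an analyst sees them without re-querying the logs).
    """
    signals = {}
    for line in log_lines:
        event = enrich(json.loads(line))
        if not is_tor_event(event):
            continue
        actor = event["github"]["actor"]
        action = event["github"]["action"]
        sig = signals.setdefault(actor, {
            "actor": actor,
            "client_ips": set(),
            "actions": [],
            "escalating_actions": [],
        })
        sig["client_ips"].add(event["network"]["client"]["ip"])
        sig["actions"].append(action)
        if action.startswith(ESCALATING_PREFIXES):
            sig["escalating_actions"].append(action)
    return signals


if __name__ == "__main__":
    for actor, sig in detect(SAMPLE_LOGS).items():
        print(f"{actor} via Tor {sorted(sig['client_ips'])}: "
              f"{len(sig['actions'])} action(s), escalating={sig['escalating_actions']}")
```

Grouping by actor rather than emitting one signal per event is the design choice worth noting: a single Tor-sourced session usually produces many audit events, and the triage questions (is this actor allowed to use Tor, what did they do, did anything sensitive co-occur) are answered per identity, not per line.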

Triage and response

  • Determine whether {{@github.actor}} from IP address {{@network.client.ip}} has a legitimate reason to access GitHub via Tor.
  • Review the specific actions performed during the session for indicators of reconnaissance, credential misuse, or data access.
  • Check whether this activity coincides with other suspicious signals from the same identity, such as secret enumeration or branch protection changes.