Knowledge Required: Minimal
Tools required: Defender for Endpoint
It seems that GitHub is once again under fire for its ability to distribute malware. This time a researcher found that you could make it look as though legitimate files were being hosted by the repository owner simply by uploading them to GitHub, as described in this story.
As a starting point, you can have Defender inspect files downloaded from GitHub. Software downloaded directly from GitHub is rarely used in corporate environments, so such downloads can be treated as suspicious. Unfortunately, I still can't find a way to track the actual download URL back to the originating GitHub repository, as the download link is randomised.
Query
let SusExtension = dynamic(['zip']); // consider adding 'exe' and other directly executable types
DeviceEvents
| where FileOriginUrl contains "githubusercontent.com" // substring match: covers raw., objects. and other GitHub content subdomains
| extend FileExtension = tolower(tostring(split(FileName, ".")[-1])) // last dot-separated token, lower-cased so "Setup.ZIP" also matches
| where FileExtension in (SusExtension)
Defending against downloads from GitHub by URL alone is also of limited value, both because of how GitHub structures its download URLs and because so much other GitHub infrastructure serves content from githubusercontent.com.
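To make the query's logic and the attribution gap concrete, here is an added example (not code from the original post) that models the same two filters in Python over constructed DeviceFileEvents-style rows, then tries to map each download URL back to an owner/repo. The host list and path layouts come from GitHub's public URL conventions rather than from the post, and the example goes a little beyond the post's single `githubusercontent.com` pattern by also recognising codeload.github.com archive downloads; the owner, repo, ids and timestamps in the sample rows are made up.

```python
# Added example (not code from the original post): an offline model of the
# hunting query above, run over constructed DeviceFileEvents-style rows, with a
# best-effort mapping of the download URL back to a GitHub repository.
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts GitHub serves downloads from (from GitHub's public URL layouts).
# The post's query matches only "githubusercontent.com"; codeload is added here.
GITHUB_DOWNLOAD_HOSTS = {
    "raw.githubusercontent.com",      # /<owner>/<repo>/<ref>/<path>
    "objects.githubusercontent.com",  # release assets: /github-production-release-asset-<id>/<repo_id>/<asset_id>?X-Amz-...
    "codeload.github.com",            # /<owner>/<repo>/zip/refs/heads/<branch>
}
SUS_EXTENSIONS = {"zip", "exe", "msi"}  # the post starts with 'zip' only


@dataclass
class FileEvent:
    """Subset of DeviceFileEvents columns used by the query."""
    Timestamp: str
    DeviceName: str
    FileName: str
    FileOriginUrl: str
    FileOriginReferrerUrl: str = ""


def file_extension(file_name: str) -> str:
    """Same as tostring(split(FileName, ".")[-1]) in KQL, lower-cased so 'Setup.ZIP' matches."""
    return file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""


def attribute_repo(url: str):
    """Return 'owner/repo' when the URL layout carries it, else None.

    raw.githubusercontent.com and codeload.github.com embed owner and repo in
    the path. Release assets on objects.githubusercontent.com carry only numeric
    repository and asset ids, so they cannot be attributed from the URL alone,
    which is the gap the post describes.
    """
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    if parts.hostname in ("raw.githubusercontent.com", "codeload.github.com") and len(segs) >= 2:
        return f"{segs[0]}/{segs[1]}"
    return None


def hunt(events):
    """Apply the query's two filters and annotate each hit with a repo guess."""
    hits = []
    for ev in events:
        # Match on the parsed hostname rather than `contains "githubusercontent.com"`:
        # a substring test would also match lookalike hosts such as
        # githubusercontent.com.attacker.example.
        host = urlsplit(ev.FileOriginUrl).hostname or ""
        if host not in GITHUB_DOWNLOAD_HOSTS:
            continue
        if file_extension(ev.FileName) not in SUS_EXTENSIONS:
            continue
        hits.append({
            "Timestamp": ev.Timestamp,
            "DeviceName": ev.DeviceName,
            "FileName": ev.FileName,
            "FileOriginUrl": ev.FileOriginUrl,
            "FileOriginReferrerUrl": ev.FileOriginReferrerUrl,  # the page the click came from, when recorded
            "Repo": attribute_repo(ev.FileOriginUrl),
        })
    return hits


# Constructed sample rows (not real telemetry). Owner, repo and ids are made up.
SAMPLE_EVENTS = [
    FileEvent("2024-05-01T09:00:00Z", "ws-01", "tool.zip",
              "https://raw.githubusercontent.com/exampleorg/tool/main/dist/tool.zip"),
    FileEvent("2024-05-01T09:05:00Z", "ws-02", "Setup.ZIP",
              "https://objects.githubusercontent.com/github-production-release-asset-2e65be/123456789/987654321?X-Amz-Algorithm=AWS4-HMAC-SHA256",
              "https://github.com/exampleorg/tool/releases/tag/v1.0"),
    FileEvent("2024-05-01T09:10:00Z", "ws-03", "README.md",
              "https://raw.githubusercontent.com/exampleorg/tool/main/README.md"),
    FileEvent("2024-05-01T09:15:00Z", "ws-04", "payload.zip",
              "https://githubusercontent.com.attacker.example/payload.zip"),
    FileEvent("2024-05-01T09:20:00Z", "ws-05", "archive.zip",
              "https://codeload.github.com/exampleorg/tool/zip/refs/heads/main"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["FileName"], hit["Repo"] or "<not attributable from URL>")
```

Running it flags three of the five rows: the raw and codeload downloads are attributed to `exampleorg/tool`, while the release asset matches the filter but comes back with no repository, which is exactly the case the post cannot trace. The lookalike host is dropped because the check is on the parsed hostname; the KQL `contains` test would have let it through, which is worth keeping in mind if the query is ever turned into an allow-list rather than a hunt.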