Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-github-security-log-detections
Overview
3Dashboards
14Benchmarks
20Queries
1Variables
GitHub

Detection: Login with Recovery Code

Overview

Detect when a GitHub account is accessed using a recovery code. Recovery codes are intended as a backup method for users who lose access to their MFA device. However, if obtained by an attacker, recovery codes can be used to bypass MFA protections and gain unauthorized access. Monitoring these events helps detect potential account compromises and ensures MFA integrity.

References:

Usage

Run the detection in your terminal:

powerpipe detection run github_security_log_detections.detection.login_with_recovery_code

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run github_security_log_detections.detection.login_with_recovery_code --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
action as operation,
concat('https://github.com/', user) as resource,
actor,
tp_source_ip as source_ip,
tp_id as source_id,
*
exclude (actor, timestamp)


from
  github_security_log
where
  action = 'user.two_factor_recover'
order by
  tp_timestamp desc;

Tags

category = Detections
folder = Authentication
mitre_attack_ids = TA0001:T1078.004
plugin = github
service = GitHub/Authentication