-
Notifications
You must be signed in to change notification settings - Fork 16
Red Team Opsec
Gato-X only uses GraphQL queries and REST API queries to perform enumeration. These do not generate any GitHub audit log events. The only exception is enterprises that have REST API streaming enabled via https://github.blog/changelog/2023-04-03-api-requests-are-available-via-audit-log-streaming-public-beta/.
It is very unlikely that enterprises are proactively alerting on API requests; however, it is still a technical possibility. As detective tooling increases it is more likely enterprises will have an automated solution to detect enumeration with Gato-X.
Gato-X's attack modules do generate log events. I would recommend against using Gato-X's attack modules, with the exception of secrets exfiltration, during a covert red team assessment. Instead, have Gato-X generate a runner-on-runner payload and manually deploy it using a workflow that blends in with the existing noise.