GitHub Enterprise Audit Log Streaming Paused
A user pausing the audit log event stream in GitHub Enterprise, potentially indicating an attempt to evade detection by disabling audit trails.
This analytic identifies instances where a user pauses audit log event streaming within a GitHub Enterprise environment. Attackers might attempt to disable audit logging to conceal malicious activities. The pausing of audit logs temporarily suspends the stream of audit events to security monitoring platforms like Splunk, creating a blind spot in security visibility. This technique could be employed following a successful initial access, such as through a compromised account, and before conducting activities like code modification or data exfiltration. Detecting this activity is critical because it may precede other attacks where adversaries aim to operate undetected.
Attack Chain
- Initial Access: An attacker gains unauthorized access to a GitHub Enterprise account, possibly through compromised credentials (T1195).
- Privilege Escalation (if needed): The attacker elevates their privileges to a level where they can modify audit log settings.
- Discovery: The attacker explores the GitHub Enterprise settings to locate the audit log streaming configuration.
- Disable Audit Log Streaming: The attacker pauses the audit log event stream via the GitHub Enterprise interface, using the "User initiated pause" reason (T1562.008).
- Malicious Activity: The attacker performs malicious actions within the GitHub Enterprise environment, such as modifying code, creating rogue repositories, or exfiltrating data, knowing their actions are not being logged.
- Persistence (Optional): The attacker may establish persistence mechanisms to maintain access for future malicious activities.
- Evasion: The attacker ensures that audit logs remain paused during their malicious activity to avoid detection.
- Impact: Data breach, intellectual property theft, or disruption of services.
Impact
The successful pausing of audit logs leads to a temporary loss of visibility into user actions, configuration changes, and security events within the GitHub Enterprise environment. This creates a blind spot, allowing attackers to perform malicious activities undetected. The impact includes potential data breaches, intellectual property theft, or service disruptions. The severity depends on the duration of the pause and the extent of the attacker's activities during that period.
Recommendation
- Deploy the Sigma rule
GitHub Audit Log Streaming Pausedto detect instances of audit log streaming being paused (logsource:github_enterprise, category: audit). - Investigate any detected instances of audit log streaming being paused to determine the reason and potential impact.
- Implement multi-factor authentication (MFA) for all GitHub Enterprise accounts to reduce the risk of compromised credentials (T1195).
- Monitor GitHub Enterprise audit logs for unexpected configuration changes, particularly those related to security settings.
- Review the references provided for guidance on setting up and monitoring GitHub Enterprise audit logs.
Detection coverage 2
GitHub Audit Log Streaming Paused
highDetects when a user pauses audit log event streaming in GitHub Enterprise.
GitHub Audit Log Streaming Configuration Change
mediumDetects any changes to the audit log streaming configuration in GitHub Enterprise.
Detection queries are available on the platform. Get full rules →