Skip to content
Threat Feed
high advisory

GitHub Enterprise Organization Removal

Detection of a user removing an organization from GitHub Enterprise, potentially indicating account compromise, insider threats, or malicious attempts to disrupt business operations by deleting critical business resources.

This threat brief focuses on the unauthorized removal of an organization within GitHub Enterprise. This action, monitored through GitHub Enterprise audit logs, can be indicative of several malicious scenarios. These include account compromise, where an attacker gains control and attempts to dismantle the organization's infrastructure; insider threats, where a malicious employee deliberately removes the organization; or a targeted attack aimed at disrupting business operations. The consequences of such an event can be severe, leading to the loss of critical source code, repositories, team structures, and access controls. The detection relies on ingesting GitHub Enterprise Audit Logs.

Attack Chain

  1. Initial Access: An attacker gains unauthorized access to a GitHub Enterprise user account through compromised credentials or other means (T1195).
  2. Privilege Escalation: The attacker escalates privileges within the compromised account, if necessary, to gain sufficient permissions to manage organizations.
  3. Reconnaissance: The attacker identifies the target organization within the GitHub Enterprise instance.
  4. Organization Removal: The attacker initiates the process to remove the identified organization using the GitHub Enterprise interface or API.
  5. Audit Log Trigger: The action triggers an audit log entry within GitHub Enterprise, specifically the business.remove_organization event.
  6. Data Loss/Disruption: The removal of the organization leads to the loss of source code, repositories, team structures, and access controls associated with the organization (T1485).
  7. Operational Impact: Development workflows are halted, and significant effort is required to restore the organization from backups if available.

Impact

The successful removal of a GitHub Enterprise organization can lead to severe consequences. The observed damage includes the potential loss of entire codebases, project repositories, and crucial access controls. This disruption can halt software development, lead to data breaches, and require substantial recovery efforts. The impact can range from temporary inconvenience to catastrophic data loss, depending on the size and importance of the removed organization.

Recommendation

Detection coverage 2

GitHub Enterprise Organization Removal Detection

high

Detects when a user removes an organization from GitHub Enterprise by monitoring GitHub Enterprise audit logs for organization deletion events.

sigma tactics: impact techniques: T1485 sources: webserver, linux

GitHub Enterprise Remove Organization via User Agent

medium

Detects when a user removes an organization from GitHub Enterprise using a suspicious user agent.

sigma tactics: impact techniques: T1485 sources: webserver, linux

Detection queries are available on the platform. Get full rules →