Skip to content
Threat Feed
low advisory

GitHub App Deletion Detection

Detection of GitHub App deletion events, potentially indicating defense evasion or disruption of automated workflows by malicious actors.

This detection focuses on identifying the deletion of GitHub Apps, which are integrations used to extend GitHub's functionality and automate workflows. While legitimate deletions occur during maintenance, updates, or policy changes, malicious actors may delete GitHub Apps to disrupt operations or remove security controls, such as those used in serverless execution environments. This action can be used to impair defenses by disabling or modifying tools. This detection leverages GitHub audit logs to identify such events, focusing on the integration_installation category and deletion event type. Timestamps in the Github logs can be overriden by the ingestion pipeline, so it's important to analyze the event.ingested field.

Attack Chain

  1. Initial Access: The attacker gains unauthorized access to a GitHub account or organization with sufficient privileges to manage GitHub Apps. This could be achieved through compromised credentials, phishing, or other social engineering techniques.
  2. Privilege Escalation (If Necessary): If the attacker's initial access lacks the necessary privileges, they may attempt to escalate privileges within the GitHub organization to gain the ability to manage and delete GitHub Apps.
  3. Discovery: The attacker enumerates installed GitHub Apps within the target organization or repository to identify potential targets for deletion.
  4. Defense Evasion: The attacker identifies a GitHub App that provides security functions, such as automated security scanning or incident response workflows.
  5. Impair Defenses: The attacker initiates the deletion of the targeted GitHub App.
  6. Execution: The GitHub App deletion is executed via the GitHub API or web interface by an attacker with delete privileges.
  7. Disruption: Automated workflows or security controls relying on the deleted GitHub App are disrupted, potentially leading to security vulnerabilities or operational failures.
  8. Post-Exploitation: The attacker may leverage the disrupted environment to further their objectives, such as deploying malicious code or exfiltrating sensitive data.

Impact

Successful deletion of a GitHub App can lead to disruption of automated workflows, removal of security controls, and potential security breaches. The impact can range from minor inconvenience to significant operational and financial losses, depending on the criticality of the deleted app and the organization's reliance on it. This activity could affect all sectors using GitHub for development and operations.

Recommendation

  • Deploy the Sigma rule Github App Deleted to your SIEM to detect unauthorized GitHub App deletions.
  • Review GitHub audit logs for integration_installation events with deletion type, as indicated by the rule query (logs-github.audit-*).
  • Implement stricter access controls and multi-factor authentication for GitHub accounts with administrative privileges.
  • Monitor GitHub audit logs for suspicious activity originating from service accounts, as potential false positives can occur due to automated scripts (logs-github.audit-*).
  • Investigate any alerts generated by the Github App Deleted Sigma rule by reviewing the user responsible for the deletion and the timing of the event.

Detection coverage 2

Github App Deleted

low

Detects the deletion of a GitHub app either from a repo or an organization.

sigma tactics: defense_evasion, execution techniques: T1562, T1648 sources: audit, github

GitHub App Deleted by Service Account

medium

Detects GitHub App deletion events performed by service accounts, which may indicate misconfiguration or malicious activity.

sigma tactics: defense_evasion, execution techniques: T1562, T1648 sources: audit, github

Detection queries are available on the platform. Get full rules →