GitHub Organizations Branch Ruleset Deletion
Detection of GitHub Organizations branch ruleset deletions, which could indicate attempts to bypass code review requirements and introduce unauthorized code changes.
This threat brief focuses on the detection of branch ruleset deletions within GitHub Organizations. Threat actors might disable or delete branch rulesets to bypass code review requirements and directly introduce unauthorized code changes or backdoors into protected branches. The deletion of branch rulesets is a critical security concern because these rulesets enforce crucial security controls like code review, prevention of force pushes, and maintenance of code quality. This activity, if successful, could lead to code tampering, bypass of security reviews, the introduction of vulnerabilities or malicious code, and the compromise of software supply chain integrity. The provided Splunk analytic is designed to identify such events by monitoring GitHub Organizations audit logs.
Attack Chain
- An attacker gains initial access to a GitHub Organization account with sufficient privileges to manage branch rulesets.
- The attacker authenticates to GitHub using compromised credentials or by exploiting a session vulnerability.
- The attacker identifies a target repository within the GitHub Organization that has branch rulesets enabled.
- The attacker navigates to the repository settings and accesses the branch rulesets configuration.
- The attacker selects one or more branch rulesets to disable or delete.
- The attacker confirms the deletion of the selected branch rulesets, removing the enforced code review and protection policies.
- With the branch rulesets disabled, the attacker directly pushes unauthorized code changes or backdoors to the protected branches.
- The attacker’s malicious code is integrated into the codebase, potentially compromising the software supply chain.
Impact
The deletion of branch rulesets can have severe consequences, including allowing unauthorized code changes to be merged into production, potentially introducing vulnerabilities or backdoors. This could lead to the compromise of the software supply chain and a loss of trust in the organization’s software. The impact extends to the potential exposure of sensitive data, system compromise, and reputational damage, though the specific number of victims and sectors targeted is presently unknown.
Recommendation
- Implement the provided Splunk search query (github_organizations vendor_action=repository_ruleset.destroy) to monitor for branch ruleset deletion events in GitHub Organizations audit logs.
- Deploy the Sigma rule "GitHub Branch Ruleset Deletion" to your SIEM and tune it for your environment.
- Investigate any alerts generated by the Sigma rule, focusing on the actor, repository, and time of the deletion to determine if the activity is legitimate or malicious.
- Ensure proper access controls are in place within GitHub Organizations to limit the ability to modify or delete branch rulesets.
- Regularly review GitHub Organizations audit logs for suspicious activity, referencing the provided documentation link.
- Implement multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges.
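The detection logic behind the Splunk search and Sigma rule above, as an added example that is not part of the original brief: it runs over a constructed JSON-lines sample shaped like GitHub's exported audit log (field names "action", "actor", "org", "repo" and "@timestamp" are assumed from that export format), pulls out every repository_ruleset.destroy event with the actor, repository and time an analyst needs, pivots on the actor, and flags pushes to the same repository shortly after a deletion (the "git.push" action name is also an assumption).

```python
import json
from collections import Counter

# Constructed sample audit log (JSON lines). Actors, org, repos and times are made up.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1714000000000, "action": "repository_ruleset.create", "actor": "alice", "org": "example-org", "repo": "example-org/payments"}
{"@timestamp": 1714003600000, "action": "repository_ruleset.destroy", "actor": "mallory", "org": "example-org", "repo": "example-org/payments"}
{"@timestamp": 1714003700000, "action": "git.push", "actor": "mallory", "org": "example-org", "repo": "example-org/payments"}
{"@timestamp": 1714007200000, "action": "repository_ruleset.destroy", "actor": "mallory", "org": "example-org", "repo": "example-org/billing"}
{"@timestamp": 1714010800000, "action": "repository_ruleset.update", "actor": "alice", "org": "example-org", "repo": "example-org/web"}
"""

# Audit-log action the page's Splunk search keys on (vendor_action=repository_ruleset.destroy).
RULESET_DELETE_ACTION = "repository_ruleset.destroy"
PUSH_ACTION = "git.push"  # assumed action name for a push in the audit log


def parse_audit_log(text):
    """Parse a JSON-lines audit log export into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ruleset_deletions(events):
    """Every branch ruleset deletion with the fields the brief says to investigate:
    actor, repository (and org) and time."""
    return [
        {"actor": e.get("actor"), "org": e.get("org"), "repo": e.get("repo"),
         "timestamp_ms": e.get("@timestamp")}
        for e in events
        if e.get("action") == RULESET_DELETE_ACTION
    ]


def deletions_by_actor(events):
    """Pivot on the actor: one account removing rulesets from several repositories
    is the pattern the second rule ("GitHub Actor Deleting Ruleset") looks at."""
    return Counter(d["actor"] for d in ruleset_deletions(events))


def pushes_after_deletion(events, window_ms):
    """Attack-chain follow-up: pushes to a repository within window_ms after one
    of its rulesets was deleted, i.e. code landing while protections are off."""
    hits = []
    for d in ruleset_deletions(events):
        for e in events:
            if (e.get("action") == PUSH_ACTION and e.get("repo") == d["repo"]
                    and d["timestamp_ms"] < e.get("@timestamp", 0) <= d["timestamp_ms"] + window_ms):
                hits.append({"repo": d["repo"], "deleted_by": d["actor"],
                             "pushed_by": e.get("actor"), "push_timestamp_ms": e["@timestamp"]})
    return hits
```

Feed a real audit log export to parse_audit_log and treat deletions followed by pushes from the same actor as the highest-priority alerts.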
Detection coverage (2 rules)
GitHub Branch Ruleset Deletion (severity: high)
Detects the deletion of branch rulesets in GitHub Organizations, which could indicate malicious activity.
GitHub Actor Deleting Ruleset (severity: high)
Detects a specific actor deleting a GitHub ruleset.