{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/github-enterprise-cloud/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Enterprise Cloud"],"_cs_severities":["high"],"_cs_tags":["attack.defense-impairment","attack.t1685"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThe GitHub push protection feature is designed to prevent secrets and sensitive information from being committed to repositories. Disabling this feature, whether at the organization, enterprise, or repository level, significantly increases the risk of accidental or intentional exposure of credentials, API keys, and other sensitive data. This can lead to unauthorized access, data breaches, and other security incidents. The actions detected can originate from administrative accounts or potentially compromised accounts with administrative privileges. This brief focuses on detecting the disabling of push protection, allowing security teams to respond and remediate the configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub account with administrative privileges, or a legitimate administrator performs the action.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization, enterprise, or repository settings in GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the \u0026ldquo;Secret scanning\u0026rdquo; or \u0026ldquo;Push protection\u0026rdquo; configuration section.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the push protection feature for the organization, enterprise, or specific repositories. This can be done via the GitHub UI or API.\u003c/li\u003e\n\u003cli\u003eGitHub audit logs record the event with the actions \u003ccode\u003ebusiness_secret_scanning_custom_pattern_push_protection.disabled\u003c/code\u003e, \u003ccode\u003ebusiness_secret_scanning_push_protection.disable\u003c/code\u003e, \u003ccode\u003eorg.secret_scanning_custom_pattern_push_protection_disabled\u003c/code\u003e, etc.\u003c/li\u003e\n\u003cli\u003eDevelopers unknowingly or intentionally commit code containing secrets or sensitive data to the affected repositories.\u003c/li\u003e\n\u003cli\u003eThe secrets are pushed to the remote repository without being blocked by push protection.\u003c/li\u003e\n\u003cli\u003eThe exposed secrets can be discovered by malicious actors, leading to account compromise, data breaches, or other security incidents.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling push protection can lead to the exposure of sensitive information such as API keys, passwords, and other credentials within GitHub repositories. This exposure can lead to account compromise, unauthorized access to systems and data, and potentially significant financial and reputational damage. The number of affected repositories and the severity of the impact depend on the scope of the push protection disabling and the types of secrets committed to the repositories.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Github Push Protection Disabled\u0026rdquo; to your SIEM and tune it for your environment to detect when push protection is disabled.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of push protection being disabled in the GitHub audit logs (logsource: github, service: audit) to verify the legitimacy of the action.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges, to prevent unauthorized access.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub organization and repository settings to ensure that push protection is enabled and properly configured.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T12:00:00Z","date_published":"2024-05-03T12:00:00Z","id":"/briefs/2024-05-github-push-protection-disabled/","summary":"An administrator has disabled the GitHub push protection feature, potentially allowing secrets and other sensitive information to be pushed to repositories.","title":"GitHub Push Protection Disabled","url":"https://feed.craftedsignal.io/briefs/2024-05-github-push-protection-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — GitHub Enterprise Cloud","version":"https://jsonfeed.org/version/1.1"}