{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/github-enterprise/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Enterprise","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["github","audit-log","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis analytic detects when a user pauses audit log event streaming in GitHub Enterprise. Attackers may attempt to disable audit logging to prevent their malicious activities from being logged and detected. The detection monitors GitHub Enterprise audit logs for configuration changes that temporarily suspend the audit log streaming functionality. For a SOC, identifying the pausing of audit logging is critical as it may be a precursor to other attacks where adversaries want to operate undetected during the pause window. This can lead to significant security blind spots.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub Enterprise account, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub Enterprise platform.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the audit log streaming configuration settings within the GitHub Enterprise administration panel.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a pause of the audit log event stream, providing a reason for the pause (e.g., \u0026ldquo;User initiated pause\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe GitHub Enterprise system records this action as an \u003ccode\u003eaudit_log_streaming.update\u003c/code\u003e event in the audit logs, including details such as the actor, timestamp, and reason.\u003c/li\u003e\n\u003cli\u003eWhile the audit log stream is paused, the attacker performs malicious activities within the GitHub Enterprise environment without generating audit logs that would be sent to external security monitoring platforms.\u003c/li\u003e\n\u003cli\u003eThe attacker resumes the audit log stream after completing their malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting any traces of their access or changes to audit settings.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOrganizations may temporarily lose visibility into user actions, configuration changes, and security events within their GitHub Enterprise environment. Attackers can perform malicious activities without detection during the pause period, creating a temporary blind spot in security monitoring and incident response capabilities. This can lead to data breaches, intellectual property theft, or supply chain compromises.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIngest GitHub Enterprise logs using Audit log streaming as described in the documentation to enable detection capabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Enterprise Pause Audit Log Event Stream\u003c/code\u003e to your SIEM to detect when a user pauses audit log event streaming and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of audit log streaming being paused to determine if malicious activity occurred during the pause window, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003eactor_id\u003c/code\u003e, \u003ccode\u003eactor_ip\u003c/code\u003e, \u003ccode\u003euser_agent\u003c/code\u003e fields.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-04-github-pause-audit-log/","summary":"Detection of a user pausing audit log event streaming in GitHub Enterprise, potentially indicating an attempt to evade detection by disabling the audit trail.","title":"GitHub Enterprise Audit Log Streaming Paused","url":"https://feed.craftedsignal.io/briefs/2024-01-04-github-pause-audit-log/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Enterprise","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["github","cloud","ip-allow-list","bypass","security-control","anomaly"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis threat brief addresses the disabling of IP allow lists within a GitHub Enterprise environment. GitHub Enterprise\u0026rsquo;s IP allow lists restrict access to resources from only trusted IP addresses, a critical security control to prevent unauthorized access. The disabling of this feature, as detected via GitHub Enterprise audit logs, could indicate malicious activity, such as an attacker attempting to circumvent existing access controls. The activity could stem from compromised administrator credentials or a malicious insider. Disabling the IP allow list exposes sensitive code repositories and GitHub Enterprise resources to access from any IP address, significantly increasing the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises credentials with administrative privileges within GitHub Enterprise.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub Enterprise instance.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization or enterprise settings where IP allow lists are configured.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the IP allow list feature, removing restrictions on which IP addresses can access the GitHub Enterprise resources.\u003c/li\u003e\n\u003cli\u003eThe attacker originates connections from previously unauthorized IP addresses.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses and potentially exfiltrates sensitive code repositories and data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to modify code, create backdoors, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling IP allow lists in GitHub Enterprise can lead to a significant security breach. Sensitive code repositories become exposed, potentially leading to intellectual property theft or the introduction of malicious code into the software supply chain. If successful, the organization\u0026rsquo;s data and systems may be compromised, resulting in financial losses, reputational damage, and legal ramifications. The scope of the impact depends on the sensitivity of the data stored in the GitHub Enterprise instance and the extent to which the attacker can leverage the unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and review the provided Sigma rule to detect instances of IP allow list disabling in GitHub Enterprise to quickly identify and respond to unauthorized changes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003eactor_id\u003c/code\u003e, and \u003ccode\u003euser_agent\u003c/code\u003e fields to determine the source and legitimacy of the action.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub Enterprise accounts, especially those with administrative privileges, to prevent credential compromise.\u003c/li\u003e\n\u003cli\u003eReview GitHub Enterprise audit logs regularly for suspicious activity, including changes to security settings and access from unusual locations, using the configured log streaming to Splunk.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege, granting users only the necessary permissions to perform their job functions, to limit the potential impact of a compromised account.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-github-ip-allow-list-disabled/","summary":"An IP allow list was disabled in GitHub Enterprise, potentially allowing unauthorized access from untrusted networks and exposing sensitive code repositories.","title":"GitHub Enterprise IP Allow List Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-github-ip-allow-list-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Enterprise","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["github","2fa","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis analytic detects the disabling of two-factor authentication (2FA) requirements within GitHub Enterprise environments. The detection focuses on monitoring GitHub Enterprise audit logs, specifically searching for events related to changes in 2FA requirements. The activity is identified by tracking actor details, organization information, and associated metadata within the logs. Successfully disabling 2FA increases the risk of account takeover, unauthorized access to sensitive code, and potential compromise of the software supply chain. This activity can be a precursor to broader malicious activities, such as data exfiltration or code injection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a GitHub Enterprise account with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the organization or business settings within GitHub Enterprise.\u003c/li\u003e\n\u003cli\u003eThe attacker locates the two-factor authentication (2FA) settings.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the 2FA requirement for the organization or specific user groups. This action is logged in the GitHub Enterprise audit logs.\u003c/li\u003e\n\u003cli\u003eWith 2FA disabled, the attacker attempts to compromise user accounts through password-based attacks such as credential stuffing or brute-forcing.\u003c/li\u003e\n\u003cli\u003eUpon successfully compromising an account, the attacker gains unauthorized access to repositories and other resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may then exfiltrate sensitive code, inject malicious code, or modify repository settings.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could be intellectual property theft, supply chain compromise, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling 2FA requirements significantly increases the risk of unauthorized access to GitHub Enterprise organizations and repositories. This can lead to account takeovers, data breaches, intellectual property theft, and supply chain attacks. The compromise of sensitive code can result in significant financial losses, reputational damage, and legal liabilities. This affects organizations using GitHub Enterprise for software development and code management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and deploy the provided Sigma rule \u003ccode\u003eGitHub Enterprise 2FA Disabled by User\u003c/code\u003e to detect instances where 2FA requirements are disabled via the GitHub Enterprise audit logs.\u003c/li\u003e\n\u003cli\u003eEnable and deploy the provided Sigma rule \u003ccode\u003eGitHub Enterprise 2FA Disable via API\u003c/code\u003e to detect instances where 2FA requirements are disabled via the GitHub Enterprise API audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of disabled 2FA to determine the actor involved and the scope of the impact.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication across all GitHub Enterprise accounts and user groups to mitigate the risk of account compromise.\u003c/li\u003e\n\u003cli\u003eRegularly review GitHub Enterprise audit logs for suspicious activity, including changes to security settings and access controls, as outlined in the references.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-github-2fa-disable/","summary":"The disabling of two-factor authentication (2FA) in GitHub Enterprise, detected via audit logs, weakens account security and increases the risk of account takeover and supply chain compromise.","title":"GitHub Enterprise 2FA Requirement Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-03-github-2fa-disable/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Enterprise","github.com","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["github","branch_protection","supply_chain"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the detection of disabled classic branch protection rules within a GitHub Enterprise environment. The detection is based on monitoring GitHub Enterprise audit logs for events related to the removal of branch protections. Attackers may disable these rules to bypass code review processes and introduce malicious code or vulnerabilities directly into protected branches. This action can be part of a larger attack, where adversaries first weaken security controls before injecting malicious content. Identifying and responding to these events is crucial for maintaining the integrity and security of the software supply chain. This analytic is sourced from Splunk\u0026rsquo;s security content and is designed to run on GitHub Enterprise audit logs ingested into Splunk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub Enterprise account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the repository settings within the GitHub Enterprise instance.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the classic branch protection rules configured for a target branch.\u003c/li\u003e\n\u003cli\u003eThe attacker disables one or more of these branch protection rules, such as code review enforcement or restrictions on force pushes. This generates a \u003ccode\u003eprotected_branch.destroy\u003c/code\u003e event in the audit logs.\u003c/li\u003e\n\u003cli\u003eThe attacker commits and pushes unauthorized or malicious code directly to the protected branch, bypassing established security controls.\u003c/li\u003e\n\u003cli\u003eThe malicious code is merged into the main branch, potentially affecting production systems or downstream consumers of the code.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to cover their tracks by deleting audit logs or manipulating other security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of disabled branch protection rules can be significant. Successful exploitation can lead to the introduction of vulnerabilities, malicious code, or backdoors into the software supply chain. This can result in data breaches, system compromise, and reputational damage. The number of affected systems and the extent of the damage depend on the scope and nature of the malicious code injected. The targets are GitHub Enterprise organizations that rely on branch protection rules to maintain code quality and security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub Enterprise Audit log streaming to a SIEM or log management solution to capture \u003ccode\u003eprotected_branch.destroy\u003c/code\u003e events as described in the GitHub Enterprise documentation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Enterprise Disable Classic Branch Protection Rule\u003c/code\u003e to detect instances where branch protection rules are disabled and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003erepo\u003c/code\u003e, and \u003ccode\u003euser_agent\u003c/code\u003e fields to understand the context of the event.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub Enterprise accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub Enterprise configurations to ensure that branch protection rules are properly configured and enforced.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-github-branch-protection-disabled/","summary":"Detection of disabled classic branch protection rules in GitHub Enterprise, indicating potential bypass of code review and security controls, leading to unauthorized code changes and supply chain compromise.","title":"GitHub Enterprise Classic Branch Protection Rule Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-github-branch-protection-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — GitHub Enterprise","version":"https://jsonfeed.org/version/1.1"}