<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>GitHub Enterprise — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/github-enterprise/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 04 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/github-enterprise/feed.xml" rel="self" type="application/rss+xml"/><item><title>GitHub Enterprise Audit Log Streaming Paused</title><link>https://feed.craftedsignal.io/briefs/2024-01-04-github-pause-audit-log/</link><pubDate>Thu, 04 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-04-github-pause-audit-log/</guid><description>Detection of a user pausing audit log event streaming in GitHub Enterprise, potentially indicating an attempt to evade detection by disabling the audit trail.</description><content:encoded><![CDATA[<p>This analytic detects when a user pauses audit log event streaming in GitHub Enterprise. Attackers may attempt to disable audit logging to prevent their malicious activities from being logged and detected. The detection monitors GitHub Enterprise audit logs for configuration changes that temporarily suspend the audit log streaming functionality. For a SOC, identifying the pausing of audit logging is critical as it may be a precursor to other attacks where adversaries want to operate undetected during the pause window. This can lead to significant security blind spots.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a GitHub Enterprise account, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker authenticates to the GitHub Enterprise platform.</li>
<li>The attacker navigates to the audit log streaming configuration settings within the GitHub Enterprise administration panel.</li>
<li>The attacker initiates a pause of the audit log event stream, providing a reason for the pause (e.g., &ldquo;User initiated pause&rdquo;).</li>
<li>The GitHub Enterprise system records this action as an <code>audit_log_streaming.update</code> event in the audit logs, including details such as the actor, timestamp, and reason.</li>
<li>While the audit log stream is paused, the attacker performs malicious activities within the GitHub Enterprise environment without generating audit logs that would be sent to external security monitoring platforms.</li>
<li>The attacker resumes the audit log stream after completing their malicious activities.</li>
<li>The attacker attempts to cover their tracks by deleting any traces of their access or changes to audit settings.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Organizations may temporarily lose visibility into user actions, configuration changes, and security events within their GitHub Enterprise environment. Attackers can perform malicious activities without detection during the pause period, creating a temporary blind spot in security monitoring and incident response capabilities. This can lead to data breaches, intellectual property theft, or supply chain compromises.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ingest GitHub Enterprise logs using audit log streaming, as described in the GitHub documentation, to enable detection.</li>
<li>Deploy the Sigma rule <code>GitHub Enterprise Pause Audit Log Event Stream</code> to your SIEM to detect when a user pauses audit log event streaming and tune for your environment.</li>
<li>Investigate any detected instances of audit log streaming being paused to determine whether malicious activity occurred during the pause window, focusing on the <code>actor</code>, <code>actor_id</code>, <code>actor_ip</code>, and <code>user_agent</code> fields.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>audit-log</category><category>defense-evasion</category></item><item><title>GitHub Enterprise IP Allow List Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-ip-allow-list-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-ip-allow-list-disabled/</guid><description>An IP allow list was disabled in GitHub Enterprise, potentially allowing unauthorized access from untrusted networks and exposing sensitive code repositories.</description><content:encoded><![CDATA[<p>This threat brief addresses the disabling of IP allow lists within a GitHub Enterprise environment. GitHub Enterprise&rsquo;s IP allow lists restrict access to resources from only trusted IP addresses, a critical security control to prevent unauthorized access. The disabling of this feature, as detected via GitHub Enterprise audit logs, could indicate malicious activity, such as an attacker attempting to circumvent existing access controls. The activity could stem from compromised administrator credentials or a malicious insider. Disabling the IP allow list exposes sensitive code repositories and GitHub Enterprise resources to access from any IP address, significantly increasing the attack surface.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker compromises credentials with administrative privileges within GitHub Enterprise.</li>
<li>The attacker authenticates to the GitHub Enterprise instance.</li>
<li>The attacker navigates to the organization or enterprise settings where IP allow lists are configured.</li>
<li>The attacker disables the IP allow list feature, removing restrictions on which IP addresses can access the GitHub Enterprise resources.</li>
<li>The attacker originates connections from previously unauthorized IP addresses.</li>
<li>The attacker accesses and potentially exfiltrates sensitive code repositories and data.</li>
<li>The attacker attempts to modify code, create backdoors, or perform other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling IP allow lists in GitHub Enterprise can lead to a significant security breach. Sensitive code repositories become exposed, potentially leading to intellectual property theft or the introduction of malicious code into the software supply chain. If successful, the organization&rsquo;s data and systems may be compromised, resulting in financial losses, reputational damage, and legal ramifications. The scope of the impact depends on the sensitivity of the data stored in the GitHub Enterprise instance and the extent to which the attacker can leverage the unauthorized access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and review the provided Sigma rule to detect instances of the IP allow list being disabled in GitHub Enterprise, so that unauthorized changes are identified and responded to quickly.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the <code>actor</code>, <code>actor_id</code>, and <code>user_agent</code> fields to determine the source and legitimacy of the action.</li>
<li>Implement multi-factor authentication (MFA) for all GitHub Enterprise accounts, especially those with administrative privileges, to prevent credential compromise.</li>
<li>Review GitHub Enterprise audit logs regularly for suspicious activity, including changes to security settings and access from unusual locations, using the configured log streaming to Splunk.</li>
<li>Enforce the principle of least privilege, granting users only the necessary permissions to perform their job functions, to limit the potential impact of a compromised account.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>cloud</category><category>ip-allow-list</category><category>bypass</category><category>security-control</category><category>anomaly</category></item><item><title>GitHub Enterprise 2FA Requirement Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-github-2fa-disable/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-github-2fa-disable/</guid><description>The disabling of two-factor authentication (2FA) in GitHub Enterprise, detected via audit logs, weakens account security and increases the risk of account takeover and supply chain compromise.</description><content:encoded><![CDATA[<p>This analytic detects the disabling of two-factor authentication (2FA) requirements within GitHub Enterprise environments. The detection focuses on monitoring GitHub Enterprise audit logs, specifically searching for events related to changes in 2FA requirements. The activity is identified by tracking actor details, organization information, and associated metadata within the logs. Successfully disabling 2FA increases the risk of account takeover, unauthorized access to sensitive code, and potential compromise of the software supply chain. This activity can be a precursor to broader malicious activities, such as data exfiltration or code injection.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a GitHub Enterprise account with administrative privileges.</li>
<li>The attacker navigates to the organization or business settings within GitHub Enterprise.</li>
<li>The attacker locates the two-factor authentication (2FA) settings.</li>
<li>The attacker disables the 2FA requirement for the organization or specific user groups. This action is logged in the GitHub Enterprise audit logs.</li>
<li>With 2FA disabled, the attacker attempts to compromise user accounts through password-based attacks such as credential stuffing or brute-forcing.</li>
<li>Upon successfully compromising an account, the attacker gains unauthorized access to repositories and other resources.</li>
<li>The attacker may then exfiltrate sensitive code, inject malicious code, or modify repository settings.</li>
<li>The attacker achieves their objective, which could be intellectual property theft, supply chain compromise, or disruption of services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling 2FA requirements significantly increases the risk of unauthorized access to GitHub Enterprise organizations and repositories. This can lead to account takeovers, data breaches, intellectual property theft, and supply chain attacks. The compromise of sensitive code can result in significant financial losses, reputational damage, and legal liabilities. This affects organizations using GitHub Enterprise for software development and code management.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and deploy the provided Sigma rule <code>GitHub Enterprise 2FA Disabled by User</code> to detect instances where 2FA requirements are disabled via the GitHub Enterprise audit logs.</li>
<li>Enable and deploy the provided Sigma rule <code>GitHub Enterprise 2FA Disable via API</code> to detect instances where 2FA requirements are disabled via the GitHub Enterprise API audit logs.</li>
<li>Investigate any detected instances of disabled 2FA to determine the actor involved and the scope of the impact.</li>
<li>Enforce multi-factor authentication across all GitHub Enterprise accounts and user groups to mitigate the risk of account compromise.</li>
<li>Regularly review GitHub Enterprise audit logs for suspicious activity, including changes to security settings and access controls, as outlined in the references.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>github</category><category>2fa</category><category>defense-evasion</category></item><item><title>GitHub Enterprise Classic Branch Protection Rule Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-branch-protection-disabled/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-branch-protection-disabled/</guid><description>Detection of disabled classic branch protection rules in GitHub Enterprise, indicating potential bypass of code review and security controls, leading to unauthorized code changes and supply chain compromise.</description><content:encoded><![CDATA[<p>This brief focuses on the detection of disabled classic branch protection rules within a GitHub Enterprise environment. The detection is based on monitoring GitHub Enterprise audit logs for events related to the removal of branch protections. Attackers may disable these rules to bypass code review processes and introduce malicious code or vulnerabilities directly into protected branches. This action can be part of a larger attack, where adversaries first weaken security controls before injecting malicious content. Identifying and responding to these events is crucial for maintaining the integrity and security of the software supply chain. This analytic is sourced from Splunk&rsquo;s security content and is designed to run on GitHub Enterprise audit logs ingested into Splunk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to a GitHub Enterprise account with sufficient privileges.</li>
<li>The attacker navigates to the repository settings within the GitHub Enterprise instance.</li>
<li>The attacker identifies the classic branch protection rules configured for a target branch.</li>
<li>The attacker disables one or more of these branch protection rules, such as code review enforcement or restrictions on force pushes. This generates a <code>protected_branch.destroy</code> event in the audit logs.</li>
<li>The attacker commits and pushes unauthorized or malicious code directly to the protected branch, bypassing established security controls.</li>
<li>The malicious code is merged into the main branch, potentially affecting production systems or downstream consumers of the code.</li>
<li>The attacker may attempt to cover their tracks by deleting audit logs or manipulating other security controls.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The impact of disabled branch protection rules can be significant. Successful exploitation can lead to the introduction of vulnerabilities, malicious code, or backdoors into the software supply chain. This can result in data breaches, system compromise, and reputational damage. The number of affected systems and the extent of the damage depend on the scope and nature of the malicious code injected. The targets are GitHub Enterprise organizations that rely on branch protection rules to maintain code quality and security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable GitHub Enterprise Audit log streaming to a SIEM or log management solution to capture <code>protected_branch.destroy</code> events as described in the GitHub Enterprise documentation.</li>
<li>Deploy the Sigma rule <code>GitHub Enterprise Disable Classic Branch Protection Rule</code> to detect instances where branch protection rules are disabled and tune it for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the <code>actor</code>, <code>repo</code>, and <code>user_agent</code> fields to understand the context of the event.</li>
<li>Implement multi-factor authentication (MFA) for all GitHub Enterprise accounts, especially those with administrative privileges.</li>
<li>Regularly review and audit GitHub Enterprise configurations to ensure that branch protection rules are properly configured and enforced.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>branch_protection</category><category>supply_chain</category></item></channel></rss>