Github — CraftedSignal Threat Feed

Detection of Github Delete Actions in Audit Logs

hello@craftedsignal.io — Tue, 28 Apr 2026 10:00:00 +0000

This detection strategy focuses on identifying potentially malicious or unauthorized deletion activities within a GitHub organization. The detections hinge on monitoring GitHub audit logs for specific actions related to the deletion of critical resources. This includes actions such as deleting codespaces (codespaces.destroy), deleting environments (environment.delete), deleting projects (project.delete), and destroying repositories (repo.destroy). This activity is important for defenders because these actions can lead to data loss, service disruption, or compromise of the software development lifecycle. The detections are triggered by events recorded within the GitHub audit log, requiring audit log streaming to be enabled.

Attack Chain

Initial Access: An attacker gains unauthorized access to a GitHub account with sufficient privileges. This could be achieved through compromised credentials or insider access.
Privilege Escalation (Optional): The attacker escalates privileges within the GitHub organization to gain the necessary permissions to delete resources if they don’t already have them.
Reconnaissance: The attacker identifies valuable codespaces, environments, projects, or repositories within the GitHub organization that they intend to delete.
Deletion of Codespaces: The attacker executes the codespaces.destroy action, deleting a specific codespace instance, potentially disrupting development workflows.
Deletion of Environments: The attacker executes the environment.delete action, removing a specific environment configuration, potentially affecting deployment processes.
Deletion of Projects: The attacker executes the project.delete action, deleting a project board and its associated tasks, impacting project management.
Deletion of Repositories: The attacker executes the repo.destroy action, permanently deleting a repository, leading to code loss and potential service disruption.
Impact: The deletion of critical resources disrupts development workflows, causes data loss, and potentially compromises the software development lifecycle.

Impact

Successful execution of these actions can lead to significant disruption of software development workflows, data loss, and potential compromise of the software supply chain. The number of affected resources and the severity of the impact depend on the scope of the attacker’s access and the criticality of the deleted resources.

Recommendation

Enable GitHub audit log streaming to capture the necessary events for detection (reference: logsource definition).
Deploy the provided Sigma rule to detect codespaces.destroy, environment.delete, project.delete, and repo.destroy actions in the GitHub audit logs, and tune for your environment (reference: rules).
Investigate any alerts triggered by the Sigma rule to determine the legitimacy of the deletion activity and the actor involved (reference: rules, falsepositives).
Validate the “actor” field in the audit logs to ensure the deletion activity is performed by an authorized user (reference: falsepositives).

GitHub SSH Certificate Configuration Changed

hello@craftedsignal.io — Sat, 02 Nov 2024 14:00:00 +0000

Attackers can abuse SSH certificate authorities in GitHub to gain unauthorized access to repositories. By creating or disabling SSH certificate requirements, attackers can bypass existing security controls and establish persistent access. This activity is logged in the GitHub audit logs, specifically when ssh_certificate_authority.create or ssh_certificate_requirement.disable actions are performed. Successful exploitation allows attackers to commit malicious code, steal sensitive data, or disrupt development workflows, impacting the integrity and confidentiality of the organization’s resources. The GitHub audit log streaming feature must be enabled to detect this activity.

Attack Chain

Initial Compromise: An attacker gains initial access to a GitHub organization, potentially through compromised credentials or social engineering.
Privilege Escalation: The attacker escalates their privileges to an organizational role capable of managing SSH certificate authorities.
SSH Certificate Authority Creation: The attacker creates a new SSH certificate authority within the GitHub organization (ssh_certificate_authority.create).
Disable SSH Certificate Requirement: Alternatively, the attacker disables the requirement for members to use SSH certificates to access organization resources (ssh_certificate_requirement.disable). This action allows attackers to bypass security controls that enforce SSH certificate usage.
Unauthorized Access: The attacker utilizes the newly created SSH certificate authority or the disabled requirement to access repositories without proper authorization.
Lateral Movement: The attacker moves laterally within the GitHub organization, accessing additional repositories and resources.
Data Exfiltration/Malicious Code Injection: The attacker exfiltrates sensitive data or injects malicious code into the organization’s repositories.
Persistence: The attacker maintains persistent access by using the created SSH certificate authority or the disabled requirement for future unauthorized activities.

Impact

Successful modification of SSH certificate configurations in GitHub can lead to unauthorized code commits, data breaches, and supply chain attacks. This could result in financial losses, reputational damage, and legal repercussions for the affected organization. The number of affected repositories and the severity of the impact depend on the scope of the attacker’s access and the sensitivity of the compromised data.

Recommendation

Enable the GitHub audit log streaming feature to capture SSH certificate configuration changes (logsource: github, service: audit, definition).
Deploy the provided Sigma rule to detect ssh_certificate_authority.create or ssh_certificate_requirement.disable events in the GitHub audit logs (rule: Github SSH Certificate Configuration Changed).
Regularly review GitHub audit logs for any unauthorized modifications to SSH certificate configurations.

GitHub Security Feature Disablement

hello@craftedsignal.io — Thu, 31 Oct 2024 18:22:00 +0000

This brief addresses the threat of unauthorized or malicious disabling of security features within GitHub organizations and repositories. Attackers or malicious insiders might disable features like Advanced Security, OAuth application restrictions, or two-factor authentication to weaken the security posture, gain unauthorized access, and establish persistence. The affected features span across advanced security, OAuth application management, and two-factor authentication enforcement. These actions can be performed by users with administrative or owner privileges within the GitHub organization. Defenders need to monitor for these configuration changes to ensure security best practices are maintained and to quickly identify potential malicious activity.

Attack Chain

An attacker gains unauthorized access to a GitHub account with organization owner or administrator privileges through compromised credentials or insider access.
The attacker authenticates to the GitHub organization or repository using the compromised account.
The attacker navigates to the organization settings or repository settings, depending on the scope of the targeted security feature.
The attacker disables advanced security features (e.g., business_advanced_security.disabled_for_new_repos, repo.advanced_security_disabled) through the GitHub web interface or API.
Alternatively, the attacker disables OAuth application restrictions (org.disable_oauth_app_restrictions) to allow potentially malicious applications to access organizational data.
Or, the attacker disables the two-factor authentication requirement (org.disable_two_factor_requirement) for the organization, weakening account security.
The attacker may then proceed to exploit the weakened security posture to access sensitive repositories, modify code, or exfiltrate data.
The attacker establishes persistent access by creating rogue OAuth applications or adding unauthorized users to the organization.

Impact

Disabling security features in GitHub can lead to severe consequences. A successful attack can result in unauthorized access to sensitive code repositories, intellectual property theft, and data breaches. Disabling two-factor authentication makes accounts more vulnerable to credential stuffing and phishing attacks. The scope can range from a single repository to an entire organization, impacting hundreds or thousands of users and projects. The financial and reputational damage to the organization can be significant.

Recommendation

Deploy the Sigma rule Github High Risk Configuration Disabled to detect the disabling of critical security features by monitoring GitHub audit logs.
Enable audit log streaming as documented in the rule definition to ensure that the necessary logs are captured for detection.
Investigate any detected instances of security feature disabling to determine if they are legitimate administrator actions or malicious activity.
Enforce multi-factor authentication (MFA) for all users, especially those with administrative privileges, and monitor for attempts to disable MFA.
Regularly review and validate GitHub organization and repository settings to ensure that security features are enabled and configured correctly.

GitHub Secret Scanning Feature Disabled

hello@craftedsignal.io — Fri, 19 Jul 2024 00:00:00 +0000

The disabling of GitHub’s secret scanning feature represents a significant security risk. Secret scanning is a critical control that prevents sensitive information, such as API keys, credentials, and tokens, from being committed to repositories. An attacker who gains administrative access to a GitHub organization or repository could disable this feature to facilitate the undetected introduction of secrets into the codebase. This action undermines the organization’s security posture, creating opportunities for unauthorized access and data breaches. The activity is logged via GitHub audit logs, providing an opportunity for detection. This brief focuses on detecting the actions that disable the secret scanning feature within GitHub.

Attack Chain

An attacker gains unauthorized access to a GitHub account with administrative privileges for either an organization or a specific repository.
The attacker navigates to the security settings within the organization or repository.
The attacker identifies the “Secret scanning” feature or related settings (e.g., “Secret scanning for new repositories”).
The attacker disables the secret scanning feature using the GitHub UI or API. This generates an audit log event.
The attacker commits code containing secrets to the repository.
Because secret scanning is disabled, the secrets are not detected or flagged by GitHub.
The attacker leverages the committed secrets to gain unauthorized access to other systems or data.
The attacker achieves their final objective, which could include data exfiltration, lateral movement, or service disruption.

Impact

Disabling secret scanning can lead to the exposure of sensitive credentials within a codebase. If successful, attackers can leverage these exposed secrets to compromise systems, access sensitive data, and potentially cause significant financial and reputational damage. The number of affected repositories and the extent of the damage depend on the scope of the access the attacker gains and the criticality of the exposed secrets. This can affect any organization that uses Github for source code management.

Recommendation

Deploy the “Github Secret Scanning Feature Disabled” Sigma rule to your SIEM to detect unauthorized disabling of the feature (logsource: github, service: audit).
Investigate any detected instances of secret scanning being disabled to determine if they were authorized administrative actions.
Enable audit log streaming to ensure the required logs are available (see logsource definition).
Review GitHub access controls to ensure that only authorized personnel have the ability to modify secret scanning settings.

GitHub Push Protection Bypass Detection

hello@craftedsignal.io — Mon, 29 Apr 2024 12:00:00 +0000

This alert detects when a GitHub user bypasses the push protection mechanism designed to prevent secrets from being committed to a repository. GitHub’s push protection, part of its secret scanning feature, is intended to block commits containing sensitive information like API keys or credentials. A bypass indicates a deliberate attempt to circumvent this security measure. Successful bypass can lead to exposure of secrets, increasing the risk of unauthorized access and data breaches. The activity is logged within GitHub’s audit logs, provided that the audit log streaming feature is enabled.

Attack Chain

Developer attempts to commit code containing a secret to a GitHub repository.
GitHub’s push protection mechanism detects the secret and blocks the push.
The developer intentionally bypasses the push protection, potentially using allowed administrative activities to circumvent the block.
The code, including the secret, is successfully pushed to the repository.
The secret becomes exposed within the repository’s history.
Unauthorized actors may discover the exposed secret by scanning the repository.
Unauthorized actors may use the exposed secret to gain unauthorized access to systems or data.

Impact

A successful bypass of GitHub push protection can lead to secrets being exposed in a repository. This exposure can lead to unauthorized access to sensitive systems or data. The severity of the impact depends on the scope of access granted by the exposed secret, and the visibility of the repository.

Recommendation

Enable audit log streaming in GitHub to ensure relevant events are captured.
Deploy the Sigma rule “Github Push Protection Bypass Detected” to your SIEM and tune for your environment using GitHub audit logs.
Investigate any detected bypass events to determine the context and impact of the bypassed secret.

GitHub Repository Archive Status Changed

hello@craftedsignal.io — Thu, 04 Jan 2024 15:00:00 +0000

This threat brief focuses on the detection of unauthorized changes to GitHub repository archive status. Attackers may archive or unarchive repositories as a means of persistence, to impact the availability of resources, or to impair defenses by hiding malicious code. The activity is logged within GitHub’s audit logs and can be monitored to identify potentially malicious actions. Monitoring these events can help organizations identify and respond to unauthorized modifications of their GitHub repositories. This is especially relevant for organizations relying heavily on GitHub for code management and collaboration.

Attack Chain

An attacker gains unauthorized access to a GitHub account with repository administration privileges.
The attacker authenticates to the GitHub platform using the compromised credentials or a stolen session token.
The attacker navigates to the settings page of a target repository.
The attacker modifies the repository’s archive status, either archiving or unarchiving it depending on their objective.
GitHub logs the ‘repo.archived’ or ‘repo.unarchived’ action in the organization’s audit logs.
(If archiving) Legitimate users may lose access to the repository and its code, causing disruption.
(If unarchiving) The attacker might reintroduce vulnerable code or malicious content into an active repository.
The attacker may then attempt to exploit the unarchived repository for further malicious activities.

Impact

The impact of unauthorized repository archiving or unarchiving can range from temporary disruption of services to the reintroduction of vulnerable code. A successful attack could lead to data breaches, code compromise, or supply chain attacks. The number of affected repositories depends on the scope of the attacker’s access and objectives.

Recommendation

Deploy the Sigma rule “GitHub Repository Archive Status Changed” to your SIEM and tune for your environment. This rule detects the repo.archived and repo.unarchived actions in GitHub audit logs (logsource: github, service: audit).
Review GitHub audit logs regularly for unexpected repository archiving or unarchiving events.
Investigate any detected events to determine if the actions were authorized.