{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/splunk-add-on-for-github/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["github.com","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Splunk Add-on for Github"],"_cs_severities":["medium"],"_cs_tags":["github","supply-chain","branch-protection"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of branch ruleset deletions within GitHub Organizations. Threat actors might disable or delete branch rulesets to bypass code review requirements and directly introduce unauthorized code changes or backdoors into protected branches. The deletion of branch rulesets is a critical security concern because these rulesets enforce crucial security controls like code review, prevention of force pushes, and maintenance of code quality. This activity, if successful, could lead to code tampering, bypass of security reviews, the introduction of vulnerabilities or malicious code, and the compromise of software supply chain integrity. The provided Splunk analytic is designed to identify such events by monitoring GitHub Organizations audit logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a GitHub Organization account with sufficient privileges to manage branch rulesets.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to GitHub using compromised credentials or by exploiting a session vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target repository within the GitHub Organization that has branch rulesets enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the repository settings and accesses the branch rulesets configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker selects one or more branch rulesets to disable or delete.\u003c/li\u003e\n\u003cli\u003eThe attacker confirms the deletion of the selected branch rulesets, removing the enforced code review and protection policies.\u003c/li\u003e\n\u003cli\u003eWith the branch rulesets disabled, the attacker directly pushes unauthorized code changes or backdoors to the protected branches.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious code is integrated into the codebase, potentially compromising the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of branch rulesets can have severe consequences, including allowing unauthorized code changes to be merged into production, potentially introducing vulnerabilities or backdoors. This could lead to the compromise of the software supply chain and a loss of trust in the organization\u0026rsquo;s software. The impact extends to the potential exposure of sensitive data, system compromise, and reputational damage, though the specific number of victims and sectors targeted is presently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Splunk search query (\u003ccode\u003egithub_organizations vendor_action=repository_ruleset.destroy\u003c/code\u003e) to monitor for branch ruleset deletion events in GitHub Organizations audit logs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Branch Ruleset Deletion\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the actor, repository, and time of the deletion to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eEnsure proper access controls are in place within GitHub Organizations to limit the ability to modify or delete branch rulesets.\u003c/li\u003e\n\u003cli\u003eRegularly review GitHub Organizations audit logs for suspicious activity, referencing the provided documentation link.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-github-branch-ruleset-deletion/","summary":"Detection of GitHub Organizations branch ruleset deletions, which could indicate attempts to bypass code review requirements and introduce unauthorized code changes.","title":"GitHub Organizations Branch Ruleset Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-github-branch-ruleset-deletion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["github.com","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Splunk Add-on for Github"],"_cs_severities":["medium"],"_cs_tags":["github","branch-protection","supply-chain"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis detection identifies instances where classic branch protection rules are disabled within GitHub Organizations. These rules are critical security controls that enforce code review, prevent force pushes, and maintain code quality. The detection monitors GitHub Organizations audit logs for \u003ccode\u003eprotected_branch.destroy\u003c/code\u003e events, tracking actor details, repository information, and associated metadata. An attacker disabling these protections could directly push unauthorized code changes or backdoors to protected branches. This activity is critical for defenders to detect because it bypasses security reviews and can lead to code tampering, introduction of vulnerabilities, or compromise of the software supply chain. The described behavior was observed on 2026-05-04 (date from source).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a GitHub Organization account with sufficient privileges to modify branch protection rules.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub API or web interface.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the repository settings to modify branch protection rules.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies and targets a specific branch with classic protection rules enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a \u003ccode\u003eprotected_branch.destroy\u003c/code\u003e action to disable the branch protection rules. This action generates an audit log event.\u003c/li\u003e\n\u003cli\u003eGitHub Organizations audit logs record the event, including details about the actor, repository, and timestamp.\u003c/li\u003e\n\u003cli\u003eWith branch protection disabled, the attacker can directly push unauthorized code changes to the protected branch.\u003c/li\u003e\n\u003cli\u003eThe attacker introduces malicious code, backdoors, or vulnerabilities into the codebase, potentially compromising the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling branch protection rules can lead to significant security breaches. The lack of code review and security controls allows for the introduction of malicious code, potentially leading to compromised builds, supply chain attacks, and data breaches. Successful exploitation can result in reputational damage, financial losses, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Organization Branch Protection Disabled\u003c/code\u003e to your SIEM to detect unauthorized disabling of branch protection rules in GitHub Organizations.\u003c/li\u003e\n\u003cli\u003eEnable GitHub Organizations audit logs and ingest them using the Splunk Add-on for Github as mentioned in the reference link.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the actor, repository, and timestamp of the event to identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor user activity for anomalous behavior, such as disabling branch protection rules outside of normal business hours or by unauthorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-github-disable-branch-protection/","summary":"This analytic detects when classic branch protection rules are disabled in GitHub Organizations, potentially allowing malicious actors to bypass code review and security controls.","title":"GitHub Classic Branch Protection Rule Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-github-disable-branch-protection/"}],"language":"en","title":"CraftedSignal Threat Feed — Splunk Add-on for Github","version":"https://jsonfeed.org/version/1.1"}