<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Splunk Add-on for Github — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/splunk-add-on-for-github/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/splunk-add-on-for-github/feed.xml" rel="self" type="application/rss+xml"/><item><title>GitHub Organizations Branch Ruleset Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-branch-ruleset-deletion/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-branch-ruleset-deletion/</guid><description>Detection of GitHub Organizations branch ruleset deletions, which could indicate attempts to bypass code review requirements and introduce unauthorized code changes.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of branch ruleset deletions within GitHub Organizations. Threat actors might disable or delete branch rulesets to bypass code review requirements and directly introduce unauthorized code changes or backdoors into protected branches. The deletion of branch rulesets is a critical security concern because these rulesets enforce crucial security controls like code review, prevention of force pushes, and maintenance of code quality. 
This activity, if successful, could lead to code tampering, bypass of security reviews, the introduction of vulnerabilities or malicious code, and the compromise of software supply chain integrity. The provided Splunk analytic is designed to identify such events by monitoring GitHub Organizations audit logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a GitHub Organization account with sufficient privileges to manage branch rulesets.</li>
<li>The attacker authenticates to GitHub using the compromised credentials or a hijacked session.</li>
<li>The attacker identifies a target repository within the GitHub Organization that has branch rulesets enabled.</li>
<li>The attacker navigates to the repository settings and accesses the branch rulesets configuration.</li>
<li>The attacker selects one or more branch rulesets to disable or delete.</li>
<li>The attacker confirms the deletion of the selected branch rulesets, removing the enforced code review and protection policies; GitHub records each deletion in the organization audit log as a <code>repository_ruleset.destroy</code> event.</li>
<li>With the branch rulesets disabled, the attacker directly pushes unauthorized code changes or backdoors to the protected branches.</li>
<li>The attacker&rsquo;s malicious code is integrated into the codebase, potentially compromising the software supply chain.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of branch rulesets can have severe consequences, including allowing unauthorized code changes to be merged into production, potentially introducing vulnerabilities or backdoors. This could lead to the compromise of the software supply chain and a loss of trust in the organization&rsquo;s software. The impact extends to the potential exposure of sensitive data, system compromise, and reputational damage. This brief describes a technique rather than a specific campaign; no victim count or targeted sectors are known.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement the provided Splunk search query (<code>github_organizations vendor_action=repository_ruleset.destroy</code>, where <code>github_organizations</code> is the search macro for the ingested GitHub Organizations audit logs; adjust it to your index and sourcetype) to monitor for branch ruleset deletion events.</li>
<li>Deploy the Sigma rule <code>GitHub Branch Ruleset Deletion</code> to your SIEM and tune for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the actor, repository, and time of the deletion to determine if the activity is legitimate or malicious.</li>
<li>Ensure proper access controls are in place within GitHub Organizations to limit the ability to modify or delete branch rulesets.</li>
<li>Regularly review GitHub Organizations audit logs for suspicious activity, following GitHub&rsquo;s audit log documentation for the events and fields available to your organization.</li>
<li>Implement multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>supply-chain</category><category>branch-protection</category></item><item><title>GitHub Classic Branch Protection Rule Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-disable-branch-protection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-disable-branch-protection/</guid><description>This analytic detects when classic branch protection rules are disabled in GitHub Organizations, potentially allowing malicious actors to bypass code review and security controls.</description><content:encoded><![CDATA[<p>This detection identifies instances where classic branch protection rules are deleted within GitHub Organizations. Classic rules (the predecessor of the repository rulesets covered in the companion brief) enforce code review, prevent force pushes, and maintain code quality. The detection monitors GitHub Organizations audit logs for <code>protected_branch.destroy</code> events, recording the actor, the repository, and associated metadata. An attacker who removes these protections can push unauthorized changes or backdoors directly to the formerly protected branch. The activity matters to defenders because it bypasses security review and can lead to code tampering, the introduction of vulnerabilities, and compromise of the software supply chain.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a GitHub Organization account with sufficient privileges to modify branch protection rules.</li>
<li>The attacker authenticates to the GitHub API or web interface.</li>
<li>The attacker navigates to the repository settings to modify branch protection rules.</li>
<li>The attacker identifies and targets a specific branch with classic protection rules enabled.</li>
<li>The attacker deletes the classic branch protection rule, which GitHub records in the organization audit log as a <code>protected_branch.destroy</code> event with the actor, repository, and timestamp.</li>
<li>With branch protection disabled, the attacker can directly push unauthorized code changes to the protected branch.</li>
<li>The attacker introduces malicious code, backdoors, or vulnerabilities into the codebase, potentially compromising the software supply chain.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling branch protection rules can lead to significant security breaches. The lack of code review and security controls allows for the introduction of malicious code, potentially leading to compromised builds, supply chain attacks, and data breaches. Successful exploitation can result in reputational damage, financial losses, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>GitHub Organization Branch Protection Disabled</code> to your SIEM to detect unauthorized disabling of branch protection rules in GitHub Organizations.</li>
<li>Ingest GitHub Organizations audit logs with the Splunk Add-on for Github so that <code>protected_branch.destroy</code> events are searchable alongside the other repository events.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the actor, repository, and timestamp of the event to identify potential malicious activity.</li>
<li>Monitor user activity for anomalous behavior, such as branch protection rules being disabled outside of normal business hours, by personnel who do not normally administer the repository, or immediately followed by a direct push to the formerly protected branch.</li>
</ul>
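<p>The following is an added example, not code from either brief, from CraftedSignal, or from the Splunk Add-on for Github. It runs the detection logic that both briefs describe (the <code>repository_ruleset.destroy</code> query in the ruleset brief above and the <code>protected_branch.destroy</code> detection in this one) over constructed audit-log lines, then enriches each hit with the triage signals the recommendations call for: whether the actor is an approved administrator, whether the change happened off-hours, and whether the same actor pushed to the same repository shortly afterwards. Field names follow GitHub&rsquo;s audit-log REST API and export format (<code>action</code>, <code>actor</code>, <code>repo</code>, <code>@timestamp</code>); the Splunk add-on normalizes <code>action</code> into <code>vendor_action</code>, so map fields before reuse. The <code>git.push</code> correlation, the <code>APPROVED_ADMINS</code> list, the one-hour window, and the 09:00&ndash;18:00 UTC business-hours definition are assumptions for illustration.</p>

```python
"""Detect removal of GitHub branch protection from organization audit logs.

Added example; not part of the brief or the Splunk Add-on for Github.
Input: newline-delimited JSON events using GitHub audit-log field names.
"""
import json
from datetime import datetime, timedelta, timezone

# Actions covered by the two briefs: ruleset deletion and classic rule deletion.
PROTECTION_REMOVAL_ACTIONS = {"repository_ruleset.destroy", "protected_branch.destroy"}

# Assumption: hypothetical accounts allowed to change protection in change windows.
APPROVED_ADMINS = {"platform-bot"}

# Assumption: a push by the same actor to the same repo within this window
# after the removal is treated as follow-on activity (attack-chain step).
FOLLOW_ON_WINDOW = timedelta(hours=1)

# Constructed sample audit-log lines (not real data). @timestamp is epoch ms,
# as in GitHub's audit-log export. 2024-01-03 is a Wednesday.
SAMPLE_LINES = [
    # 02:15 UTC: classic protection removed by a developer account
    '{"@timestamp": 1704248100000, "action": "protected_branch.destroy", '
    '"actor": "jdoe", "org": "acme", "repo": "acme/payments"}',
    # 02:20 UTC: same actor pushes directly to the repo (assumed git.push event)
    '{"@timestamp": 1704248400000, "action": "git.push", '
    '"actor": "jdoe", "org": "acme", "repo": "acme/payments"}',
    # 14:00 UTC: ruleset deleted by the approved automation account
    '{"@timestamp": 1704290400000, "action": "repository_ruleset.destroy", '
    '"actor": "platform-bot", "org": "acme", "repo": "acme/website"}',
    # Noise: unrelated event and a malformed line the parser must tolerate
    '{"@timestamp": 1704290460000, "action": "repo.create", "actor": "jdoe", "repo": "acme/tools"}',
    "not json at all",
]


def parse_events(lines):
    """Parse NDJSON audit events; skip malformed lines and lines with no timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ts = ev.get("@timestamp")
        if ts is None:
            continue
        ev["_ts"] = datetime.fromtimestamp(ts / 1000, tz=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def detect(lines):
    """Return one enriched alert per protection-removal event, in time order."""
    events = parse_events(lines)
    alerts = []
    for ev in events:
        if ev.get("action") not in PROTECTION_REMOVAL_ACTIONS:
            continue
        removed_at = ev["_ts"]
        # Follow-on push: same actor, same repo, inside the window after removal.
        followed_by_push = any(
            e.get("action") == "git.push"
            and e.get("repo") == ev.get("repo")
            and e.get("actor") == ev.get("actor")
            and removed_at < e["_ts"] <= removed_at + FOLLOW_ON_WINDOW
            for e in events
        )
        off_hours = not (9 <= removed_at.hour < 18) or removed_at.weekday() >= 5
        alerts.append({
            "action": ev["action"],
            "actor": ev.get("actor"),
            "repo": ev.get("repo"),
            "time": removed_at.isoformat(),
            "approved_actor": ev.get("actor") in APPROVED_ADMINS,
            "off_hours": off_hours,
            "followed_by_push": followed_by_push,
        })
    return alerts


def priority(alert):
    """Rank an alert: follow-on push or an unapproved off-hours change is high."""
    if alert["followed_by_push"] or (not alert["approved_actor"] and alert["off_hours"]):
        return "high"
    return "low" if alert["approved_actor"] else "medium"


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(priority(alert), json.dumps(alert))
```

<p>Run against the constructed sample, the developer&rsquo;s off-hours <code>protected_branch.destroy</code> followed by a push ranks high, while the automation account&rsquo;s daytime ruleset deletion ranks low; the same split is what the Sigma rule tuning in the recommendations aims for.</p>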
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>branch-protection</category><category>supply-chain</category></item></channel></rss>