{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/app-installation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub"],"_cs_severities":["medium"],"_cs_tags":["github","app-installation","execution"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis alert detects when a new GitHub App is installed within an organization. GitHub Apps enhance functionality, but malicious actors can abuse them to gain unauthorized access to repositories and organizational data. Attackers can leverage these apps post-compromise to maintain persistence and execute commands. The rule focuses on identifying suspicious GitHub App installations, particularly those with excessive permissions or from untrusted developers. Defenders need to prioritize investigating newly installed apps to ensure their legitimacy and prevent potential data breaches or malicious activities within the GitHub environment. This includes verifying the app's permissions, developer identity, and intended purpose. The detection rule focuses on logs generated after August 29, 2023, when the rule was initially created.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access, possibly through compromised credentials or social engineering (T1199).\u003c/li\u003e\n\u003cli\u003eThe attacker logs into a GitHub account with sufficient privileges to install applications.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or identifies a malicious GitHub App, potentially mimicking a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe attacker installs the malicious GitHub App within the target organization, granting it specific permissions.\u003c/li\u003e\n\u003cli\u003eThe GitHub App is installed, triggering a log event \u003ccode\u003eintegration_installation.create\u003c/code\u003e in the GitHub audit logs.\u003c/li\u003e\n\u003cli\u003eThe application leverages granted permissions to read or modify repository data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the GitHub App to execute commands or deploy malicious software within the connected repositories or systems (T1072).\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence through the installed application, enabling continued access and control over the environment (T1098).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive code repositories, intellectual property theft, and potential supply chain attacks. A compromised GitHub App can be used to inject malicious code into software projects, affecting numerous downstream users. Organizations relying on GitHub for code management and collaboration are particularly vulnerable. A successful attack could result in reputational damage, financial losses, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eGitHub App Installation Detected\u003c/code\u003e Sigma rule to your SIEM and tune it for your environment to detect suspicious GitHub App installations.\u003c/li\u003e\n\u003cli\u003eEnable GitHub audit logging and ensure the logs are being ingested into your SIEM (Data Source: Github).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the GitHub audit logs for the event.dataset \u0026quot;github.audit\u0026quot; and event.action \u0026quot;integration_installation.create\u0026quot; to identify the newly installed GitHub App.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and approval processes for future GitHub App installations to prevent unauthorized installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-github-app-installed/","summary":"The installation of a new GitHub application within an organization's account may indicate malicious activity by granting unauthorized access to repositories and organizational data.","title":"New GitHub App Installation Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-github-app-installed/"}],"language":"en","title":"CraftedSignal Threat Feed - App-Installation","version":"https://jsonfeed.org/version/1.1"}