<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>App-Installation - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/app-installation/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/app-installation/feed.xml" rel="self" type="application/rss+xml"/><item><title>New GitHub App Installation Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-app-installed/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-app-installed/</guid><description>The installation of a new GitHub application within an organization's account may indicate malicious activity by granting unauthorized access to repositories and organizational data.</description><content:encoded><![CDATA[<p>This alert detects when a new GitHub App is installed within an organization. GitHub Apps enhance functionality, but malicious actors can abuse them to gain unauthorized access to repositories and organizational data. Attackers can leverage these apps post-compromise to maintain persistence and execute commands. The rule focuses on identifying suspicious GitHub App installations, particularly those with excessive permissions or from untrusted developers. Defenders need to prioritize investigating newly installed apps to ensure their legitimacy and prevent potential data breaches or malicious activities within the GitHub environment. This includes verifying the app's permissions, developer identity, and intended purpose. The detection rule focuses on logs generated after August 29, 2023, when the rule was initially created.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access, possibly through compromised credentials or social engineering (T1199).</li>
<li>The attacker logs into a GitHub account with sufficient privileges to install applications.</li>
<li>The attacker creates or identifies a malicious GitHub App, potentially mimicking a legitimate service.</li>
<li>The attacker installs the malicious GitHub App within the target organization, granting it specific permissions.</li>
<li>The GitHub App is installed, triggering a log event <code>integration_installation.create</code> in the GitHub audit logs.</li>
<li>The application leverages granted permissions to read or modify repository data.</li>
<li>The attacker uses the GitHub App to execute commands or deploy malicious software within the connected repositories or systems (T1072).</li>
<li>The attacker maintains persistence through the installed application, enabling continued access and control over the environment (T1098).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to unauthorized access to sensitive code repositories, intellectual property theft, and potential supply chain attacks. A compromised GitHub App can be used to inject malicious code into software projects, affecting numerous downstream users. Organizations relying on GitHub for code management and collaboration are particularly vulnerable. A successful attack could result in reputational damage, financial losses, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>GitHub App Installation Detected</code> Sigma rule to your SIEM and tune it for your environment to detect suspicious GitHub App installations.</li>
<li>Enable GitHub audit logging and ensure the logs are being ingested into your SIEM (Data Source: Github).</li>
<li>Investigate any alerts generated by the Sigma rule by reviewing the GitHub audit logs for the event.dataset &quot;github.audit&quot; and event.action &quot;integration_installation.create&quot; to identify the newly installed GitHub App.</li>
<li>Implement stricter access controls and approval processes for future GitHub App installations to prevent unauthorized installations.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>github</category><category>app-installation</category><category>execution</category></item></channel></rss>