{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/audit-logging/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["github.com"],"_cs_severities":["medium"],"_cs_tags":["github","audit-logging","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eAttackers may disable audit log event streaming in GitHub Enterprise to prevent their malicious activities from being logged and detected. This involves modifying GitHub Enterprise audit log configurations to stop the flow of audit events to security monitoring platforms like Splunk. This action allows adversaries to operate undetected within the GitHub environment, making it difficult for security teams to identify and respond to security incidents. This is especially concerning as it can precede other attacks where adversaries aim to operate without being noticed. The impact of successful disabling of audit logging can be significant, as it creates a blind spot for security monitoring and incident response capabilities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a GitHub Enterprise account with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the GitHub Enterprise settings related to audit log streaming.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the configuration responsible for streaming audit logs to external security monitoring platforms.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the audit log streaming configuration to disable the active stream. This corresponds to the \u003ccode\u003eaudit_log_streaming.destroy\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe system ceases to send audit events to the configured security monitoring platform, such as a Splunk HTTP Event Collector.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with malicious activities within the GitHub Enterprise environment, knowing that their actions are less likely to be detected.\u003c/li\u003e\n\u003cli\u003eSecurity monitoring platforms no longer receive real-time audit data, hindering the ability to detect suspicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, whether it is exfiltration of data, modification of code, or other malicious actions, without immediate detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling audit log event streaming in GitHub Enterprise results in a loss of visibility into user actions, configuration changes, and security events. This can allow attackers to perform malicious activities without detection, leading to potential data breaches, code compromises, and other security incidents. The severity is high because it directly impacts an organization\u0026rsquo;s ability to monitor and respond to threats within their GitHub Enterprise environment, creating a significant blind spot in security monitoring and incident response capabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Enterprise Disable Audit Log Event Stream\u003c/code\u003e to your SIEM and tune for your environment to detect disabling of audit log streaming.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of \u003ccode\u003eaudit_log_streaming.destroy\u003c/code\u003e actions in GitHub Enterprise audit logs for potentially malicious intent.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) to protect GitHub Enterprise accounts from unauthorized access, mitigating initial access vectors.\u003c/li\u003e\n\u003cli\u003eReview GitHub Enterprise audit logs regularly to ensure that audit log streaming is properly configured and functioning as expected, as described in the GitHub Enterprise documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-github-audit-log-disabled/","summary":"An attacker disables audit log event streaming in GitHub Enterprise to evade detection by preventing security monitoring platforms from receiving audit events.","title":"GitHub Enterprise Audit Log Streaming Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-github-audit-log-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Audit-Logging","version":"https://jsonfeed.org/version/1.1"}