{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/branch-ruleset/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub Enterprise"],"_cs_severities":["high"],"_cs_tags":["github","branch-ruleset","defense-evasion","supply-chain"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis brief focuses on detecting the deletion of branch rulesets within GitHub Enterprise environments. The deletion of these rulesets is a critical security concern as it can lead to the bypass of essential code review processes, facilitate the introduction of unauthorized code changes, and ultimately compromise the integrity of the software supply chain. This activity is identified through analysis of GitHub Enterprise audit logs, specifically targeting events related to the destruction of repository rulesets. The impact of such deletions can be far-reaching, potentially enabling malicious actors to inject vulnerabilities or backdoors into protected branches. This detection is crucial for organizations relying on GitHub Enterprise for code management and collaboration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a GitHub Enterprise account, potentially through compromised credentials or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub Enterprise instance.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing branch rulesets within the target repository to identify those that provide the most significant security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates the deletion of a specific branch ruleset via the GitHub API or web interface.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erepository_ruleset.destroy\u003c/code\u003e action is logged in the GitHub Enterprise audit logs.\u003c/li\u003e\n\u003cli\u003eThe attacker makes unauthorized changes to the code within the affected branch, bypassing code review and security checks.\u003c/li\u003e\n\u003cli\u003eThe malicious code is merged into the main branch, potentially leading to the compromise of production systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as injecting malicious code or exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe deletion of branch rulesets can have a significant impact on the security posture of an organization. A successful attack could lead to the introduction of vulnerabilities or malicious code into production systems. This can result in data breaches, service disruptions, and reputational damage. The number of affected repositories and the severity of the impact will depend on the extent of the attacker's access and the criticality of the compromised code.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIngest GitHub Enterprise audit logs using Audit log streaming to a SIEM like Splunk using HTTP Event Collector as documented by GitHub [https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk].\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect the deletion of branch rulesets in GitHub Enterprise.\u003c/li\u003e\n\u003cli\u003eReview and tune the Sigma rule, specifically the \u003ccode\u003egithub_enterprise_delete_branch_ruleset_filter\u003c/code\u003e macro, to reduce false positives in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the actor, repository, and timestamp of the event.\u003c/li\u003e\n\u003cli\u003eConsider implementing multi-factor authentication (MFA) for all GitHub Enterprise accounts to reduce the risk of credential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-github-branch-ruleset-deletion/","summary":"Detection of GitHub Enterprise branch ruleset deletion events in audit logs, potentially indicating attempts to bypass security controls and compromise code integrity.","title":"GitHub Enterprise Branch Ruleset Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-github-branch-ruleset-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed - Branch-Ruleset","version":"https://jsonfeed.org/version/1.1"}