<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Branch-Ruleset - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/branch-ruleset/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/branch-ruleset/feed.xml" rel="self" type="application/rss+xml"/><item><title>GitHub Enterprise Branch Ruleset Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-branch-ruleset-deletion/</link><pubDate>Tue, 09 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-branch-ruleset-deletion/</guid><description>Detection of GitHub Enterprise branch ruleset deletion events in audit logs, potentially indicating attempts to bypass security controls and compromise code integrity.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the deletion of branch rulesets within GitHub Enterprise environments. The deletion of these rulesets is a critical security concern as it can lead to the bypass of essential code review processes, facilitate the introduction of unauthorized code changes, and ultimately compromise the integrity of the software supply chain. This activity is identified through analysis of GitHub Enterprise audit logs, specifically targeting events related to the destruction of repository rulesets. The impact of such deletions can be far-reaching, potentially enabling malicious actors to inject vulnerabilities or backdoors into protected branches. This detection is crucial for organizations relying on GitHub Enterprise for code management and collaboration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a GitHub Enterprise account, potentially through compromised credentials or social engineering.</li>
<li>The attacker authenticates to the GitHub Enterprise instance.</li>
<li>The attacker enumerates existing branch rulesets within the target repository to identify those that provide the most significant security controls.</li>
<li>The attacker initiates the deletion of a specific branch ruleset via the GitHub API or web interface.</li>
<li>The <code>repository_ruleset.destroy</code> action is logged in the GitHub Enterprise audit logs.</li>
<li>The attacker makes unauthorized changes to the code within the affected branch, bypassing code review and security checks.</li>
<li>The malicious code is merged into the main branch, potentially leading to the compromise of production systems.</li>
<li>The attacker achieves their objective, such as injecting malicious code or exfiltrating sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The deletion of branch rulesets can have a significant impact on the security posture of an organization. A successful attack could lead to the introduction of vulnerabilities or malicious code into production systems. This can result in data breaches, service disruptions, and reputational damage. The number of affected repositories and the severity of the impact will depend on the extent of the attacker's access and the criticality of the compromised code.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ingest GitHub Enterprise audit logs using Audit log streaming to a SIEM like Splunk using HTTP Event Collector as documented by GitHub [https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk].</li>
<li>Deploy the provided Sigma rule to your SIEM to detect the deletion of branch rulesets in GitHub Enterprise.</li>
<li>Review and tune the Sigma rule, specifically the <code>github_enterprise_delete_branch_ruleset_filter</code> macro, to reduce false positives in your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the actor, repository, and timestamp of the event.</li>
<li>Consider implementing multi-factor authentication (MFA) for all GitHub Enterprise accounts to reduce the risk of credential compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>github</category><category>branch-ruleset</category><category>defense-evasion</category><category>supply-chain</category></item></channel></rss>