{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/branch_protection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["GitHub Enterprise","github.com","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["github","branch_protection","supply_chain"],"_cs_type":"advisory","_cs_vendors":["GitHub","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the detection of disabled classic branch protection rules within a GitHub Enterprise environment. The detection is based on monitoring GitHub Enterprise audit logs for events related to the removal of branch protections. Attackers may disable these rules to bypass code review processes and introduce malicious code or vulnerabilities directly into protected branches. This action can be part of a larger attack, where adversaries first weaken security controls before injecting malicious content. Identifying and responding to these events is crucial for maintaining the integrity and security of the software supply chain. This analytic is sourced from Splunk\u0026rsquo;s security content and is designed to run on GitHub Enterprise audit logs ingested into Splunk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub Enterprise account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the repository settings within the GitHub Enterprise instance.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the classic branch protection rules configured for a target branch.\u003c/li\u003e\n\u003cli\u003eThe attacker disables one or more of these branch protection rules, such as code review enforcement or restrictions on force pushes. This generates a \u003ccode\u003eprotected_branch.destroy\u003c/code\u003e event in the audit logs.\u003c/li\u003e\n\u003cli\u003eThe attacker commits and pushes unauthorized or malicious code directly to the protected branch, bypassing established security controls.\u003c/li\u003e\n\u003cli\u003eThe malicious code is merged into the main branch, potentially affecting production systems or downstream consumers of the code.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to cover their tracks by deleting audit logs or manipulating other security controls.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of disabled branch protection rules can be significant. Successful exploitation can lead to the introduction of vulnerabilities, malicious code, or backdoors into the software supply chain. This can result in data breaches, system compromise, and reputational damage. The number of affected systems and the extent of the damage depend on the scope and nature of the malicious code injected. The targets are GitHub Enterprise organizations that rely on branch protection rules to maintain code quality and security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable GitHub Enterprise Audit log streaming to a SIEM or log management solution to capture \u003ccode\u003eprotected_branch.destroy\u003c/code\u003e events as described in the GitHub Enterprise documentation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGitHub Enterprise Disable Classic Branch Protection Rule\u003c/code\u003e to detect instances where branch protection rules are disabled and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eactor\u003c/code\u003e, \u003ccode\u003erepo\u003c/code\u003e, and \u003ccode\u003euser_agent\u003c/code\u003e fields to understand the context of the event.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub Enterprise accounts, especially those with administrative privileges.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub Enterprise configurations to ensure that branch protection rules are properly configured and enforced.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-github-branch-protection-disabled/","summary":"Detection of disabled classic branch protection rules in GitHub Enterprise, indicating potential bypass of code review and security controls, leading to unauthorized code changes and supply chain compromise.","title":"GitHub Enterprise Classic Branch Protection Rule Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-github-branch-protection-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Branch_protection","version":"https://jsonfeed.org/version/1.1"}