{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/code_tampering/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GitHub"],"_cs_severities":["high"],"_cs_tags":["github","branch_protection","defense_evasion","code_tampering"],"_cs_type":"advisory","_cs_vendors":["GitHub"],"content_html":"\u003cp\u003eThis brief addresses the threat of disabled classic branch protection rules within GitHub Organizations. This activity is detected by monitoring GitHub Organizations audit logs for events related to the removal of branch protections. The disabling of these rules can be a critical indicator of malicious activity, suggesting attempts to bypass code review processes and security controls. An attacker might disable branch protection to facilitate the direct injection of unauthorized code changes or backdoors into protected branches. This can be a step in a larger attack chain where security controls are first disabled to allow for subsequent malicious actions. This analytic specifically focuses on classic branch protection rules within GitHub Organizations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a GitHub account with sufficient privileges to modify branch protection rules.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the GitHub organization and navigates to the repository settings.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target branch with classic branch protection rules enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker disables the classic branch protection rules for the target branch, generating a \u003ccode\u003eprotected_branch.destroy\u003c/code\u003e event in the audit logs.\u003c/li\u003e\n\u003cli\u003eThe attacker commits and pushes unauthorized code changes, bypassing code review and other protection mechanisms.\u003c/li\u003e\n\u003cli\u003eThe malicious code is merged into the protected branch, potentially introducing vulnerabilities or backdoors into the codebase.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to further obfuscate their actions by deleting audit logs or modifying other security settings (not covered in this specific detection).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe disabling of classic branch protection rules can have severe consequences, leading to potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and ultimately, a compromise of software supply chain integrity. The impact includes the potential for unauthorized code changes being introduced into production environments, leading to data breaches, service disruptions, or other security incidents. The number of victims depends on the scope of the affected repository and the criticality of the compromised code.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the following Sigma rule to your SIEM to detect instances of disabled classic branch protection rules and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of disabled branch protection rules, focusing on the actor, repository, and timeline of events.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges, to reduce the risk of unauthorized access.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub organization settings, including branch protection rules, to ensure they are properly configured and enforced.\u003c/li\u003e\n\u003cli\u003eUtilize the Splunk Add-on for Github to ingest GitHub Organizations audit logs as specified in the \u0026quot;how_to_implement\u0026quot; section to ensure proper data ingestion for the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-github-branch-protection-disabled/","summary":"Detection of classic branch protection rules being disabled in GitHub Organizations, potentially indicating an attempt to bypass security controls and inject malicious code.","title":"GitHub Classic Branch Protection Rule Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-github-branch-protection-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed - Code_tampering","version":"https://jsonfeed.org/version/1.1"}