<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Code_tampering - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/code_tampering/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/code_tampering/feed.xml" rel="self" type="application/rss+xml"/><item><title>GitHub Classic Branch Protection Rule Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-github-branch-protection-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-github-branch-protection-disabled/</guid><description>Detection of classic branch protection rules being disabled in GitHub Organizations, potentially indicating an attempt to bypass security controls and inject malicious code.</description><content:encoded><![CDATA[<p>This brief addresses the threat of disabled classic branch protection rules within GitHub Organizations. This activity is detected by monitoring GitHub Organizations audit logs for events related to the removal of branch protections. The disabling of these rules can be a critical indicator of malicious activity, suggesting attempts to bypass code review processes and security controls. An attacker might disable branch protection to facilitate the direct injection of unauthorized code changes or backdoors into protected branches. This can be a step in a larger attack chain where security controls are first disabled to allow for subsequent malicious actions. This analytic specifically focuses on classic branch protection rules within GitHub Organizations.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a GitHub account with sufficient privileges to modify branch protection rules.</li>
<li>The attacker authenticates to the GitHub organization and navigates to the repository settings.</li>
<li>The attacker identifies a target branch with classic branch protection rules enabled.</li>
<li>The attacker disables the classic branch protection rules for the target branch, generating a <code>protected_branch.destroy</code> event in the audit logs.</li>
<li>The attacker commits and pushes unauthorized code changes, bypassing code review and other protection mechanisms.</li>
<li>The malicious code is merged into the protected branch, potentially introducing vulnerabilities or backdoors into the codebase.</li>
<li>The attacker may attempt to further obfuscate their actions by deleting audit logs or modifying other security settings (not covered in this specific detection).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The disabling of classic branch protection rules can have severe consequences, leading to potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and ultimately, a compromise of software supply chain integrity. The impact includes the potential for unauthorized code changes being introduced into production environments, leading to data breaches, service disruptions, or other security incidents. The number of victims depends on the scope of the affected repository and the criticality of the compromised code.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the following Sigma rule to your SIEM to detect instances of disabled classic branch protection rules and tune for your environment.</li>
<li>Investigate any detected instances of disabled branch protection rules, focusing on the actor, repository, and timeline of events.</li>
<li>Implement multi-factor authentication (MFA) for all GitHub accounts, especially those with administrative privileges, to reduce the risk of unauthorized access.</li>
<li>Regularly review and audit GitHub organization settings, including branch protection rules, to ensure they are properly configured and enforced.</li>
<li>Utilize the Splunk Add-on for Github to ingest GitHub Organizations audit logs as specified in the &quot;how_to_implement&quot; section to ensure proper data ingestion for the detection rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>github</category><category>branch_protection</category><category>defense_evasion</category><category>code_tampering</category></item></channel></rss>