{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1685/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Github"],"_cs_severities":["low"],"_cs_tags":["defense-impairment","t1685","github"],"_cs_type":"advisory","_cs_vendors":["Github"],"content_html":"\u003cp\u003eThis alert detects when a GitHub user bypasses the push protection mechanism designed to prevent secrets from being committed to a repository. GitHub\u0026rsquo;s push protection, part of its secret scanning feature, is intended to block commits containing sensitive information like API keys or credentials. A bypass indicates a deliberate attempt to circumvent this security measure. Successful bypass can lead to exposure of secrets, increasing the risk of unauthorized access and data breaches. The activity is logged within GitHub\u0026rsquo;s audit logs, provided that the audit log streaming feature is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eDeveloper attempts to commit code containing a secret to a GitHub repository.\u003c/li\u003e\n\u003cli\u003eGitHub\u0026rsquo;s push protection mechanism detects the secret and blocks the push.\u003c/li\u003e\n\u003cli\u003eThe developer intentionally bypasses the push protection, potentially using allowed administrative activities to circumvent the block.\u003c/li\u003e\n\u003cli\u003eThe code, including the secret, is successfully pushed to the repository.\u003c/li\u003e\n\u003cli\u003eThe secret becomes exposed within the repository\u0026rsquo;s history.\u003c/li\u003e\n\u003cli\u003eUnauthorized actors may discover the exposed secret by scanning the repository.\u003c/li\u003e\n\u003cli\u003eUnauthorized actors may use the exposed secret to gain unauthorized access to systems or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful bypass of GitHub push protection can lead to secrets being exposed in a repository. This exposure can lead to unauthorized access to sensitive systems or data. The severity of the impact depends on the scope of access granted by the exposed secret, and the visibility of the repository.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable audit log streaming in GitHub to ensure relevant events are captured.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Github Push Protection Bypass Detected\u0026rdquo; to your SIEM and tune for your environment using GitHub audit logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected bypass events to determine the context and impact of the bypassed secret.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-github-push-protection-bypass/","summary":"Detection of a GitHub user bypassing push protection, potentially leading to the exposure of secrets.","title":"GitHub Push Protection Bypass Detection","url":"https://feed.craftedsignal.io/briefs/2024-04-github-push-protection-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — T1685","version":"https://jsonfeed.org/version/1.1"}