GitHub Advanced Security Change WITHOUT Repo Archived
Identifies a GitHub Advanced Security (GHAS) settings change on a repository that is not paired with an archive of the same repository within the rule's 90-minute lookback window. GHAS provides code scanning, secret scanning, and dependency review that surface vulnerabilities and exposed credentials. Archiving a repository is the expected benign reason to turn GHAS off on it; disabling GHAS on a repository that stays active is consistent with an actor hiding malicious code, suppressing security alerts, or preparing a backdoor or supply chain compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion (TA0005) | T1562.001 Impair Defenses: Disable or Modify Tools |
Rule body yaml
AnalysisType: correlation_rule
RuleID: "GitHub.Advanced.Security.Change.NOT.FOLLOWED.BY.Repo.Archived"
DisplayName: "GitHub Advanced Security Change WITHOUT Repo Archived"
Enabled: true
Severity: Critical
Tags:
  - GitHub
  - Code Security
  - Defense Evasion
  - Configuration Change
Reports:
  MITRE ATT&CK:
    - TA0005:T1562.001
Description: >
  Identifies a GitHub Advanced Security (GHAS) settings change on a repository
  that is not paired with an archive of the same repository within the rule's
  90-minute lookback window. GHAS provides code scanning, secret scanning, and
  dependency review that surface vulnerabilities and exposed credentials.
  Archiving a repository is the expected benign reason to turn GHAS off on it;
  disabling GHAS on a repository that stays active is consistent with an actor
  hiding malicious code, suppressing security alerts, or preparing a backdoor
  or supply chain compromise.
Runbook: |
  1. Query the GitHub audit logs for the repository in p_alert_context.repo over the 6 hours on either side of the GHAS change and list every commit, secret scanning alert, code scanning alert, and CI/CD configuration change made by the user who disabled GHAS.
  2. Review the repository's secret scanning history and code scanning alerts to check whether new secrets or vulnerabilities were introduced around the time GHAS was disabled.
  3. Check the user account's recent activity across all repositories in the organization audit log to identify whether they made similar GHAS changes on other repositories or exhibited other suspicious behavior.
Reference: https://docs.github.com/en/code-security/getting-started/auditing-security-alerts
Detection:
  - Group:
      - ID: GHASChange
        RuleID: GitHub.Advanced.Security.Change
      - ID: RepoArchived
        RuleID: Github.Repo.Archived
        Absence: true
    MatchCriteria:
      field_name:
        - GroupID: GHASChange
          Match: p_alert_context.repo
        - GroupID: RepoArchived
          Match: p_alert_context.repo
    EventEvaluationOrder: Chronological
    LookbackWindowMinutes: 90
Schedule:
  RateMinutes: 60
  TimeoutMinutes: 10
Tests:
  - Name: Security Change on Repo, Followed By Same Repo Archived
    ExpectedResult: false
    RuleOutputs:
      - ID: RepoArchived
        Matches:
          p_alert_context.repo:
            my-org/example-repo:
              - "2024-06-01T10:00:05Z"
      - ID: GHASChange
        Matches:
          p_alert_context.repo:
            my-org/example-repo:
              - "2024-06-01T10:00:01Z"
  - Name: Repo Archived followed by GHAS change on same repo
    ExpectedResult: false
    RuleOutputs:
      - ID: RepoArchived
        Matches:
          p_alert_context.repo:
            my-org/example-repo:
              - "2024-06-01T10:00:01Z"
      - ID: GHASChange
        Matches:
          p_alert_context.repo:
            my-org/example-repo:
              - "2024-06-01T10:00:05Z"
  - Name: Security Change on Repo, Followed By Different Repo Archived
    ExpectedResult: true
    RuleOutputs:
      - ID: GHASChange
        Matches:
          p_alert_context.repo:
            my-org/example-repo:
              - "2024-06-01T10:00:00Z"
      - ID: RepoArchived
        Matches:
          p_alert_context.repo:
            my-org/other-repo:
              - "2024-06-01T10:00:01Z"
  - Name: Security Change on Repo, Not Followed By Repo Archived
    ExpectedResult: true
    RuleOutputs:
      - ID: GHASChange
        Matches:
          p_alert_context.repo:
            my-org/example-repo:
              - "2024-06-01T10:00:00Z"
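The runbook above asks the analyst to pull the repository's audit activity in a 6-hour window around the GHAS change and to look for the same actor changing GHAS settings on other repositories. The following is an added example, not part of the Panther rule or its runbook, that performs those two lookups over a small constructed set of GitHub audit-log style records. The record field names (`created_at`, `actor`, `repo`, `action`), the action strings, and the alert shape are assumptions modelled on GitHub's organization audit log export; in a real investigation the records would come from the Panther data lake or the GitHub audit log API.

```python
from datetime import datetime, timedelta

# Constructed GitHub audit-log style records for illustration only (not real
# data). Field names and action strings are assumptions modelled on GitHub's
# audit log export.
SAMPLE_AUDIT_LOG = [
    {"created_at": "2024-06-01T07:10:00Z", "actor": "mallory", "repo": "my-org/example-repo", "action": "git.push"},
    {"created_at": "2024-06-01T09:58:00Z", "actor": "mallory", "repo": "my-org/example-repo", "action": "repo.advanced_security_disabled"},
    {"created_at": "2024-06-01T10:02:00Z", "actor": "mallory", "repo": "my-org/example-repo", "action": "git.push"},
    {"created_at": "2024-06-01T10:05:00Z", "actor": "mallory", "repo": "my-org/example-repo", "action": "workflows.created_workflow_run"},
    {"created_at": "2024-06-01T10:40:00Z", "actor": "mallory", "repo": "my-org/payments-service", "action": "repo.advanced_security_disabled"},
    {"created_at": "2024-06-01T11:15:00Z", "actor": "alice", "repo": "my-org/example-repo", "action": "git.push"},
    {"created_at": "2024-06-01T18:00:00Z", "actor": "mallory", "repo": "my-org/example-repo", "action": "git.push"},
    {"created_at": "2024-06-02T09:00:00Z", "actor": "mallory", "repo": "my-org/docs", "action": "repo.archived"},
]

# Constructed alert context: who changed GHAS, on which repo, and when.
SAMPLE_ALERT = {"actor": "mallory", "repo": "my-org/example-repo", "at": "2024-06-01T09:58:00Z"}

# Assumed audit-log action names that represent a GHAS setting change.
GHAS_ACTIONS = {"repo.advanced_security_disabled", "repo.advanced_security_enabled"}


def parse_ts(ts: str) -> datetime:
    """Parse a Z-suffixed ISO-8601 timestamp."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def events_for_repo_around(events, repo, anchor, window=timedelta(hours=6)):
    """Runbook step 1: every audit event on the repo within +/- window of the change."""
    lo, hi = anchor - window, anchor + window
    return [e for e in events if e["repo"] == repo and lo <= parse_ts(e["created_at"]) <= hi]


def actor_ghas_changes_elsewhere(events, actor, repo):
    """Runbook step 3: GHAS setting changes by the same actor on any other repo."""
    return [e for e in events
            if e["actor"] == actor and e["repo"] != repo and e["action"] in GHAS_ACTIONS]


def triage(events, alert) -> dict:
    """Summarise the context an analyst needs before deciding on the alert."""
    anchor = parse_ts(alert["at"])
    nearby = events_for_repo_around(events, alert["repo"], anchor)
    by_actor = [e for e in nearby if e["actor"] == alert["actor"]]
    elsewhere = actor_ghas_changes_elsewhere(events, alert["actor"], alert["repo"])
    return {
        "repo_events_in_window": len(nearby),
        "actor_events_in_window": len(by_actor),
        # Pushes by the actor after GHAS went off are the commits to diff first.
        "pushes_after_change": sum(
            1 for e in by_actor
            if e["action"] == "git.push" and parse_ts(e["created_at"]) > anchor),
        "other_repos_with_ghas_changes": sorted({e["repo"] for e in elsewhere}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT_LOG, SAMPLE_ALERT).items():
        print(f"{key}: {value}")
```

With the constructed data the push at 18:00 falls outside the 6-hour window and is excluded, `alice`'s push is counted as repository activity but not as the actor's, and the later `repo.archived` on `my-org/docs` is not a GHAS change, so only `my-org/payments-service` is reported as another repository where the same actor touched GHAS settings.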
Detection logic
Stage 1: step GHASChange
References detection GitHub.Advanced.Security.Change. An alert from this rule opens the 90-minute lookback window, keyed on its p_alert_context.repo value.
Stage 2: step RepoArchived (negated)
References detection Github.Repo.Archived. Because the step is marked Absence: true, the correlation fires only when no Github.Repo.Archived alert carrying the same p_alert_context.repo value falls inside the window; an archive of a different repository does not suppress the alert. Both upstream rules must populate p_alert_context.repo with the same repository identifier (for example my-org/example-repo), or the match criteria never pair and every GHAS change alerts.
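To make the pairing logic concrete, here is an added example (not Panther's engine and not part of the rule above) that models the correlation over the four RuleOutputs fixtures from the Tests section and reports which GHASChange alerts have no same-repo RepoArchived alert within the 90-minute window. The fixture data is copied from the rule's tests; the evaluation semantics are an assumption drawn from those tests: since both same-repo cases expect no alert whether the archive lands before or after the change, the model treats an archive within 90 minutes on either side as the pairing event. Whether Panther's `EventEvaluationOrder: Chronological` behaves exactly that way for an `Absence` step is something to confirm against Panther's own documentation before relying on it. The example also goes one step beyond the page by showing that an archive 91 minutes after the change no longer suppresses the alert.

```python
from datetime import datetime, timedelta

# Fixtures copied from the rule's Tests section: (name, ExpectedResult,
# {step ID: {p_alert_context.repo value: [timestamps]}}). Sample data only.
TEST_CASES = [
    ("Security Change on Repo, Followed By Same Repo Archived", False, {
        "RepoArchived": {"my-org/example-repo": ["2024-06-01T10:00:05Z"]},
        "GHASChange":   {"my-org/example-repo": ["2024-06-01T10:00:01Z"]},
    }),
    ("Repo Archived followed by GHAS change on same repo", False, {
        "RepoArchived": {"my-org/example-repo": ["2024-06-01T10:00:01Z"]},
        "GHASChange":   {"my-org/example-repo": ["2024-06-01T10:00:05Z"]},
    }),
    ("Security Change on Repo, Followed By Different Repo Archived", True, {
        "GHASChange":   {"my-org/example-repo": ["2024-06-01T10:00:00Z"]},
        "RepoArchived": {"my-org/other-repo":   ["2024-06-01T10:00:01Z"]},
    }),
    ("Security Change on Repo, Not Followed By Repo Archived", True, {
        "GHASChange":   {"my-org/example-repo": ["2024-06-01T10:00:00Z"]},
    }),
]

LOOKBACK = timedelta(minutes=90)  # LookbackWindowMinutes: 90


def parse_ts(ts: str) -> datetime:
    """Parse the Z-suffixed ISO-8601 timestamps used in the rule's tests."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def unpaired_ghas_changes(outputs: dict, lookback: timedelta = LOOKBACK) -> list:
    """Return (repo, change_time) for every GHASChange alert with no RepoArchived
    alert on the same repo within the lookback window.

    Assumption (derived from the two same-repo fixtures, which both expect no
    alert): an archive within the window on either side of the change pairs
    with it. Matching is on the p_alert_context.repo value only.
    """
    archived = outputs.get("RepoArchived", {})
    hits = []
    for repo, change_times in outputs.get("GHASChange", {}).items():
        archive_times = [parse_ts(t) for t in archived.get(repo, [])]
        for raw in change_times:
            change_at = parse_ts(raw)
            paired = any(abs(a - change_at) <= lookback for a in archive_times)
            if not paired:
                hits.append((repo, change_at))
    return hits


def evaluate(outputs: dict) -> bool:
    """True when the correlation should fire for this set of step outputs."""
    return bool(unpaired_ghas_changes(outputs))


def run_tests() -> dict:
    """Evaluate every fixture; returns {test name: True if it matched ExpectedResult}."""
    return {name: evaluate(outputs) == expected
            for name, expected, outputs in TEST_CASES}


if __name__ == "__main__":
    for name, ok in run_tests().items():
        print(("PASS " if ok else "FAIL ") + name)
```

The model matches all four fixtures. The boundary is worth keeping in mind during tuning: an archive exactly 90 minutes from the change still pairs, and one at 91 minutes alerts, so a team whose archive workflow routinely runs later than that will see this rule fire on benign decommissioning.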