GitHub review settings altered to skip review after PR push


Goal

This detection alerts when one of the following GitHub branch protection settings is disabled on a repository:

  • Dismiss stale pull request approvals when new commits are pushed.
  • Require approval of the most recent reviewable push.

Strategy

These protections ensure that a second GitHub review is required on a pull request if a commit is added after the first approval. With either setting disabled, an actor can merge code without peer review on a PR that was previously approved: the commits pushed after the approval are never reviewed, which allows an attacker to introduce a backdoor or malicious code.
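The detection logic described above, as an added example run over constructed GitHub audit-log entries (this is not the Datadog rule's own query or GitHub code). It assumes the two audit-log action names and the per-event field layout shown in the comments; a hit is produced only when a watched setting is switched off, so re-enabling a setting or changing an unrelated one does not alert.

```python
# Assumed GitHub audit-log action names for the two review protections, mapped
# to the boolean field (assumed to be named after the setting) that carries the
# new value of that setting in the event.
WATCHED_ACTIONS = {
    "protected_branch.update_dismiss_stale_reviews_on_push":
        "dismiss_stale_reviews_on_push",
    "protected_branch.update_require_last_push_approval":
        "require_last_push_approval",
}

# Constructed sample audit-log entries (not real data); `name` is the branch.
SAMPLE_AUDIT_LOG = [
    {"action": "protected_branch.update_dismiss_stale_reviews_on_push",
     "actor": "octocat", "repo": "acme/payments", "name": "main",
     "dismiss_stale_reviews_on_push": False, "created_at": "2024-05-01T10:00:00Z"},
    {"action": "protected_branch.update_require_last_push_approval",
     "actor": "hubot", "repo": "acme/payments", "name": "main",
     "require_last_push_approval": True, "created_at": "2024-05-01T10:05:00Z"},
    {"action": "protected_branch.update_required_approving_review_count",
     "actor": "octocat", "repo": "acme/payments", "name": "main",
     "required_approving_review_count": 2, "created_at": "2024-05-01T10:06:00Z"},
    {"action": "pull_request.merge", "actor": "octocat",
     "repo": "acme/payments", "created_at": "2024-05-01T10:07:00Z"},
]


def weakened_review_settings(events):
    """Return one finding per event that turns a watched setting off.

    Events that enable a setting, touch an unrelated setting, or lack the
    value field are ignored; only an explicit new value of False is a hit.
    """
    findings = []
    for ev in events:
        setting = WATCHED_ACTIONS.get(ev.get("action"))
        if setting is None or ev.get(setting) is not False:
            continue
        actor = ev.get("actor", "<unknown>")
        repo = ev.get("repo", "<unknown>")
        findings.append({
            "setting": setting,
            "actor": actor,
            "repo": repo,
            "branch": ev.get("name", "<unknown>"),
            "at": ev.get("created_at"),
            # First triage step from the rule: confirm the change with the actor.
            "next_step": f"Confirm with @{actor} that disabling {setting} "
                         f"on {repo} was intended",
        })
    return findings


if __name__ == "__main__":
    for f in weakened_review_settings(SAMPLE_AUDIT_LOG):
        print(f"{f['at']} {f['repo']}@{f['branch']}: "
              f"{f['setting']} disabled by {f['actor']}")
```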

Triage and response

  1. Reach out to the user {{@github.actor}} ({{@external_identity_nameid}}) and confirm the activity is recognized.
  2. If the activity is suspicious:
    • Block the user in GitHub to prevent further access.
    • Begin your organization’s incident response process and investigate.