GitHub review settings altered to skip review after PR push

Goal

This detection alerts when one of the following GitHub branch protection settings is disabled on a repository:

  • Dismiss stale pull request approvals when new commits are pushed.
  • Require approval of the most recent reviewable push.

Strategy

These protections ensure that a second GitHub review is required on a pull request if a commit is added after the first approval. With either setting disabled, an actor can merge code without any peer review on a PR that was previously approved: the newly pushed commits would never be reviewed, allowing an attacker to introduce a backdoor or other malicious code.
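The detection logic described above, run over a few constructed GitHub audit-log entries (added example code, not Datadog's rule implementation). It assumes the audit-log action names `protected_branch.update_dismiss_stale_reviews_on_push` and `protected_branch.update_require_last_push_approval`, and assumes the new setting value arrives as a boolean field with the names used below; the log entries themselves are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed audit-log action name -> (assumed field holding the new value, setting label)
WATCHED_ACTIONS = {
    "protected_branch.update_dismiss_stale_reviews_on_push": (
        "dismiss_stale_reviews_on_push",
        "Dismiss stale pull request approvals when new commits are pushed",
    ),
    "protected_branch.update_require_last_push_approval": (
        "require_last_push_approval",
        "Require approval of the most recent reviewable push",
    ),
}


@dataclass(frozen=True)
class Alert:
    actor: str
    repo: str
    setting: str


def evaluate(entry: dict) -> Optional[Alert]:
    """Return an Alert only when a watched setting is switched OFF.

    Re-enabling a setting, or any unrelated action, never alerts:
    only a disable weakens the review requirement."""
    watched = WATCHED_ACTIONS.get(entry.get("action"))
    if watched is None:
        return None
    field, label = watched
    if entry.get(field) is not False:  # True or missing -> protection not weakened
        return None
    return Alert(entry.get("actor", "unknown"), entry.get("repo", "unknown"), label)


def scan(entries: list) -> list:
    """Evaluate every entry and keep the ones that fire."""
    return [a for a in (evaluate(e) for e in entries) if a is not None]


# Constructed sample entries (not real audit-log data)
SAMPLE_LOG = [
    {"action": "protected_branch.update_dismiss_stale_reviews_on_push", "actor": "mallory",
     "repo": "acme/payments", "dismiss_stale_reviews_on_push": False},
    {"action": "protected_branch.update_require_last_push_approval", "actor": "alice",
     "repo": "acme/payments", "require_last_push_approval": True},
    {"action": "protected_branch.update_require_last_push_approval", "actor": "mallory",
     "repo": "acme/web", "require_last_push_approval": False},
    {"action": "repo.create", "actor": "bob", "repo": "acme/new"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"ALERT: {alert.actor} disabled '{alert.setting}' on {alert.repo}")
```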

Triage and response

  1. Reach out to the user {{@github.actor}} ({{@external_identity_nameid}}) and confirm the activity is recognized.
  2. If the activity is suspicious:
    • Block the user in GitHub to prevent further access.
    • Begin your organization’s incident response process and investigate.