GitHub Owner Role Granted To User
This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides admin-level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles could indicate compromise within your organization and provide unlimited access to data and settings.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/09/11"
integration = ["github"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.13.0"
min_stack_comments = "Breaking change at 8.13.0 for the Github Integration."

[rule]
author = ["Elastic"]
description = """
This rule detects when a member is granted the organization owner role of a GitHub organization. This role provides
admin level privileges. Any new owner role should be investigated to determine its validity. Unauthorized owner roles
could indicate compromise within your organization and provide unlimited access to data and settings.
"""
from = "now-9m"
index = ["logs-github.audit-*"]
language = "eql"
license = "Elastic License v2"
name = "GitHub Owner Role Granted To User"
risk_score = 47
rule_id = "9b343b62-d173-4cfd-bd8b-e6379f964ca4"
severity = "medium"
tags = [
  "Domain: Cloud",
  "Use Case: Threat Detection",
  "Use Case: UEBA",
  "Tactic: Persistence",
  "Data Source: Github",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
iam where event.dataset == "github.audit" and event.action == "org.update_member" and github.permission == "admin"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GitHub Owner Role Granted To User

In GitHub organizations, the owner role grants comprehensive administrative privileges, enabling full control over repositories, settings, and data. Adversaries may exploit this by elevating privileges to maintain persistence or exfiltrate data. The detection rule monitors audit logs for changes in member roles to 'admin', signaling potential unauthorized access or privilege escalation attempts, thus aiding in early threat identification.

### Possible investigation steps

- Review the audit logs for the specific event where the member's role was changed to 'admin' to identify the user who made the change and the user who received the new role.
- Verify the legitimacy of the role change by contacting the user who was granted the owner role and the user who performed the action to confirm if the change was authorized.
- Check the organization's recent activity logs for any unusual or suspicious actions performed by the user who was granted the owner role, such as changes to repository settings or data access.
- Investigate any recent changes in the organization's membership or permissions that could indicate a broader compromise or unauthorized access.
- Assess the potential impact of the role change by identifying sensitive repositories or data that the new owner role could access, and determine if any data exfiltration or unauthorized changes have occurred.

### False positive analysis

- Role changes due to organizational restructuring or legitimate promotions can trigger alerts. Regularly update the list of expected role changes to minimize unnecessary alerts.
- Automated scripts or integrations that manage user roles might inadvertently trigger the rule. Identify and whitelist these scripts to prevent false positives.
- Temporary role assignments for project-specific tasks can be mistaken for unauthorized access. Implement a process to document and pre-approve such temporary changes.
- Changes made by trusted administrators during routine audits or maintenance may be flagged. Maintain a log of scheduled maintenance activities to cross-reference with alerts.
- Onboarding processes that involve granting admin roles to new employees can generate alerts. Ensure that onboarding procedures are documented and known exceptions are configured in the detection system.

### Response and remediation

- Immediately revoke the owner role from the user account identified in the alert to prevent further unauthorized access or changes.
- Conduct a thorough review of recent activities performed by the user with the elevated privileges to identify any unauthorized changes or data access.
- Reset the credentials and enforce multi-factor authentication for the affected user account to secure it against further compromise.
- Notify the security team and relevant stakeholders about the potential breach and involve them in the investigation and remediation process.
- Review and update access control policies to ensure that owner roles are granted only through a formal approval process and are regularly audited.
- Implement additional monitoring and alerting for changes to high-privilege roles within the organization to detect similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.003"
name = "Additional Cloud Roles"
reference = "https://attack.mitre.org/techniques/T1098/003/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
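To see exactly which audit events the EQL query above selects, and how the false-positive guidance about allowlisting known automation accounts fits in, here is an added Python re-implementation of the rule's filter run over constructed sample events. It is not part of the Elastic rule or the GitHub integration; the `actor` and `target` keys are assumed names for the acting and affected users, while `event.dataset`, `event.action` and `github.permission` are the fields the query uses.

```python
# Added example (not Elastic's or GitHub's code): the rule's EQL filter as a
# Python predicate, applied to constructed github.audit events, plus an
# allowlist for documented automation actors as the false-positive section
# suggests. Only event.dataset, event.action and github.permission are the
# real fields from the query; "actor" and "target" are assumed key names.
from typing import Iterable

# Constructed sample events, flattened to dotted keys for readability.
SAMPLE_EVENTS = [
    # Human admin grants the owner (admin) role: should alert.
    {"event.dataset": "github.audit", "event.action": "org.update_member",
     "github.permission": "admin", "actor": "alice", "target": "bob"},
    # Role changed to a non-admin permission: not in scope.
    {"event.dataset": "github.audit", "event.action": "org.update_member",
     "github.permission": "read", "actor": "alice", "target": "carol"},
    # New member added directly as admin: a different action, covered by the
    # related "New GitHub Owner Added" rule rather than this one.
    {"event.dataset": "github.audit", "event.action": "org.add_member",
     "github.permission": "admin", "actor": "alice", "target": "dave"},
    # Provisioning bot doing the same change: matches, but can be allowlisted.
    {"event.dataset": "github.audit", "event.action": "org.update_member",
     "github.permission": "admin", "actor": "iam-sync-bot", "target": "erin"},
    # Same shape from another dataset: the index/dataset guard excludes it.
    {"event.dataset": "okta.system", "event.action": "org.update_member",
     "github.permission": "admin", "actor": "mallory", "target": "frank"},
]


def matches_rule(ev: dict) -> bool:
    """Mirror of the EQL query: all three conditions must hold."""
    return (ev.get("event.dataset") == "github.audit"
            and ev.get("event.action") == "org.update_member"
            and ev.get("github.permission") == "admin")


def owner_role_grants(events: Iterable[dict],
                      allowlisted_actors: frozenset = frozenset()) -> list:
    """Return (actor, target) pairs that would fire the rule, skipping
    changes made by documented automation accounts."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        if ev.get("actor") in allowlisted_actors:
            continue  # known role-management integration; suppress, do not alert
        hits.append((ev["actor"], ev["target"]))
    return hits


if __name__ == "__main__":
    for actor, target in owner_role_grants(SAMPLE_EVENTS, frozenset({"iam-sync-bot"})):
        print(f"ALERT: {actor} granted the owner role to {target}")
```

The allowlist is a triage aid for the bot case only; a human actor granting the owner role still surfaces so that the investigation steps in the note can be applied.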
Related rules
- New GitHub Owner Added
- GitHub Repository Deleted
- GitHub UEBA - Multiple Alerts from a GitHub Account
- High Number of Cloned GitHub Repos From PAT
- AWS Lambda Function Policy Updated to Allow Public Invocation