Adversaries may disable an organization's GitHub OAuth App access restrictions (the organization-level policy that requires an owner to approve any third-party OAuth App before it can reach the organization's repositories and data). Once the restriction is off, an OAuth App under the attacker's control can be authorized against the organization without owner approval, giving them an app-based foothold that does not depend on the compromised user's password. SOC teams should proactively hunt for this event in Microsoft Sentinel (formerly Azure Sentinel) to identify possible compromise and limit lateral movement through the organization's repositories.
KQL Query
GitHubAudit
| where Action == "org.disable_oauth_app_restrictions"
| project TimeGenerated, Action, Actor, Country
id: 667e6a70-adc9-49b7-9cf3-f21927c71959
name: GitHub OAuth App Restrictions Disabled
description: |
'This hunting query identifies events where the OAuth App access restrictions of a GitHub organization were disabled, which may be a sign of compromise. An attacker who wants to go undetected will disable such a control before authorizing an OAuth App of their own. '
requiredDataConnectors: []
tactics:
- Persistence
- DefenseEvasion
relevantTechniques:
- T1505
- T1562
query: |
GitHubAudit
| where Action == "org.disable_oauth_app_restrictions"
| project TimeGenerated, Action, Actor, Country
Tuning note: GitHubAudit rows come from the GitHub audit log API, not from an endpoint agent, so they carry no process, parent-process or host fields. Exclusions have to be built on the audit fields themselves (Action, Actor, Country, and Organization where your connector provides it) and on the paired org.enable_oauth_app_restrictions event that shows the control was restored. Account and organization names in the filters below are placeholders.
Scenario: Scheduled Change Window to Disable OAuth App Restrictions
Description: A change-management automation identity temporarily disables the organization's OAuth App restrictions during an approved window (for example to onboard a new app) and re-enables them when the window closes.
Filter/Exclusion: | where Actor !~ "svc-github-change-automation" (placeholder for the automation identity); suppress only when a matching org.enable_oauth_app_restrictions event follows within the approved window. A disable with no re-enable is still worth a ticket even from the automation account.
Scenario: Admin Task to Reconfigure GitHub OAuth App Settings
Description: An organization owner changes the setting as part of a routine security review or configuration update.
Filter/Exclusion: Do not exclude on account name alone; a compromised owner account produces exactly the same event. Correlate Actor and TimeGenerated with a change ticket, and treat an unexpected Country for that Actor as a reason to escalate rather than suppress. If an allowlist is unavoidable for the duration of a review, scope it to that time range: | where not(Actor in~ ("owner-placeholder-1", "owner-placeholder-2"))
Scenario: Temporary Disable for Integration Testing
Description: A developer temporarily disables the restrictions to test an integration with a third-party OAuth App.
Filter/Exclusion: Only organization owners can change this setting, so a developer doing so means a day-to-day development account holds owner rights; that is a least-privilege finding, not a tuning candidate. Integration testing belongs in a separate test organization, whose events can be excluded with | where Organization !~ "test-org-placeholder" (assumes the table carries an Organization column; check your connector's schema).
Scenario: Organization Settings Managed as Code
Description: A configuration-management job that applies organization settings from a repository toggles the restriction while reconciling the organization's configuration.
Filter/Exclusion: | where Actor !~ "github-settings-bot" (placeholder for the job's identity), again paired with the re-enable check. Host patching or system maintenance cannot flip this GitHub setting on its own; if the event coincides with such work, look for the identity that actually made the API call.
Scenario: DevOps Pipeline Configuration Change
Description: A deployment pipeline (for example in Azure DevOps or Jenkins) disables the restrictions as part of a deployment or configuration change, acting through a pipeline service identity.
Filter/Exclusion: | where Actor !~ "pipeline-service-account" (placeholder for the pipeline identity). Require the pipeline to re-enable the setting in the same run, and alert when the disable event has no matching org.enable_oauth_app_restrictions within the run's duration.