Adversaries may change GitHub organization permissions to gain unauthorized access or alter repository configurations; such changes can indicate a compromised account. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify unauthorized changes and detect early signs of account compromise or lateral movement.
KQL Query
GitHubAudit
| where Action == "org.update_default_repository_permission"
| project TimeGenerated, Action, Actor, Country, Repository, PreviousPermission, CurrentPermission
id: ec986fb7-34ed-4528-a5f3-a496e61d8860
name: GitHub Update Permissions
description: |
  'This hunting query identifies GitHub activities where permissions are updated that may be a sign of compromise.'
requiredDataConnectors: []
tactics:
  - Persistence
  - DefenseEvasion
relevantTechniques:
  - T1098
  - T1562
query: |
  GitHubAudit
  | where Action == "org.update_default_repository_permission"
  | project TimeGenerated, Action, Actor, Country, Repository, PreviousPermission, CurrentPermission
Scenario: Scheduled GitHub Actions Job Updating Permissions
Description: A legitimate CI/CD pipeline (e.g., GitHub Actions) may update permissions as part of a scheduled job to manage access for deployment keys or service accounts.
Filter/Exclusion: github_event_type:"workflow_run" or actor:"github-actions"
Scenario: Admin Task to Revoke Access for Departing Employee
Description: An administrator may manually update permissions to revoke access for an employee leaving the company.
Filter/Exclusion: actor:"admin_user" or actor:"[admin_username]"
Scenario: GitHub Release Pipeline Updating Permissions for Deployment Keys
Description: A release process may update permissions for deployment keys used by CI/CD tools like Jenkins or GitLab CI.
Filter/Exclusion: github_event_type:"release" or actor:"release-robot"
Scenario: GitHub Organization Membership Change via API
Description: A script or tool (e.g., OctoPrint, GitHub CLI, or custom automation) may update permissions for users via the GitHub API as part of user management.
Filter/Exclusion: github_event_type:"membership" or actor:"github-cli"
Scenario: GitHub App Installation with Permission Changes
Description: A GitHub App (e.g., Dependabot, CodeQL, or custom app) may request and update permissions during installation or configuration.
Filter/Exclusion: github_event_type:"installation" or actor:"[app_name]"
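The hunting query above and the exclusion scenarios that follow it, as an added Python example that is not part of the original page or the Sentinel content: it runs the same logic over constructed GitHubAudit-style rows, drops the automation actors named in the scenarios (assumed names), and ranks each change so that a default permission becoming more permissive is surfaced first. The permission ordering none < read < write < admin follows GitHub's organization default repository permission levels.

```python
from dataclasses import dataclass

# GitHub organization default repository permission levels, least to most privileged.
PERMISSION_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Actors the scenarios above treat as expected sources of permission changes (assumed names).
KNOWN_AUTOMATION = {"github-actions", "release-robot", "github-cli"}

def audit_row(actor, previous, current, action="org.update_default_repository_permission", country="US"):
    """Build one GitHubAudit-style record with the columns the KQL projects (constructed data)."""
    return {"TimeGenerated": "2024-05-01T09:00:00Z", "Action": action, "Actor": actor,
            "Country": country, "Repository": "", "PreviousPermission": previous,
            "CurrentPermission": current}

# Constructed sample log: one automation change, one unrelated action, one escalation, one reduction.
SAMPLE_AUDIT = [
    audit_row("github-actions", "read", "write"),
    audit_row("alice", "", "", action="repo.create"),
    audit_row("bob", "read", "admin", country="RO"),
    audit_row("carol", "write", "read"),
]

@dataclass
class Finding:
    actor: str
    previous: str
    current: str
    severity: str

def hunt(rows, exclude_actors=frozenset(KNOWN_AUTOMATION)):
    """Mirror the KQL: keep default-permission updates, drop known automation, rank the change."""
    findings = []
    for row in rows:
        if row["Action"] != "org.update_default_repository_permission":
            continue                      # the KQL 'where Action ==' clause
        if row["Actor"] in exclude_actors:
            continue                      # the scenario exclusions, applied by actor
        before = PERMISSION_RANK.get(row["PreviousPermission"].lower(), -1)
        after = PERMISSION_RANK.get(row["CurrentPermission"].lower(), -1)
        if before < 0 or after < 0:
            severity = "review"           # unexpected value: surface it rather than drop it
        elif after > before:
            severity = "high"             # default became more permissive
        else:
            severity = "low"              # same or tighter default
        findings.append(Finding(row["Actor"], row["PreviousPermission"],
                                row["CurrentPermission"], severity))
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_AUDIT):
        print(f"{f.severity:6} {f.actor}: {f.previous} -> {f.current}")
```

Passing an empty `exclude_actors` shows the automation change too, which is the row the scenario filters are meant to suppress.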