GitHub branch protection disabled with force push and admin enforcement bypass

Goal

Detects branch protection being weakened by enabling force pushes and disabling admin enforcement simultaneously, a combination used by Nord Stream to allow pushing a malicious workflow to a protected branch.

Strategy

This rule monitors GitHub audit events for the concurrent modification of two branch protection settings: enabling force pushes and removing admin enforcement. Together these changes create the permissive conditions Nord Stream requires to push a workflow file without triggering protection rules. The combination of both changes in a short window is anomalous.
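The correlation described above, as an added Python example that is not part of the Datadog rule: it groups GitHub audit events per actor, repository and branch and alerts only when both weakening changes land within a short window. The audit-log action names, the field names carrying the new setting values, the 15-minute window and the sample events are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Assumed GitHub audit-log action names for the two branch-protection settings
# (constructed for this example; confirm against your organization's audit log).
FORCE_PUSH_ACTION = "protected_branch.update_allow_force_pushes_enforcement_level"
ADMIN_ENFORCED_ACTION = "protected_branch.update_admin_enforced"
WINDOW = timedelta(minutes=15)  # the "short window" in which both changes must occur


def _weakening_kind(event):
    """Return 'force_push', 'admin_bypass' or None; field names are assumed here."""
    action = event.get("action")
    if action == FORCE_PUSH_ACTION and event.get("allow_force_pushes_enforcement_level") == "everyone":
        return "force_push"
    if action == ADMIN_ENFORCED_ACTION and event.get("admin_enforced") is False:
        return "admin_bypass"
    return None


def find_protection_bypasses(events, window=WINDOW):
    """Correlate per (actor, repo, branch); alert when both weakening changes fall within `window`."""
    seen = {}  # (actor, repo, branch) -> {kind: timestamp of latest weakening change}
    alerts = []
    for ev in sorted(events, key=lambda e: e["created_at"]):  # ISO timestamps sort lexically
        kind = _weakening_kind(ev)
        if kind is None:
            continue  # unrelated or hardening change: ignore
        key = (ev["actor"], ev["repo"], ev.get("branch", "?"))
        ts = datetime.fromisoformat(ev["created_at"])
        bucket = seen.setdefault(key, {})
        bucket[kind] = ts
        other = "admin_bypass" if kind == "force_push" else "force_push"
        if other in bucket and ts - bucket[other] <= window:
            alerts.append({"actor": key[0], "repo": key[1], "branch": key[2], "at": ev["created_at"]})
            bucket.clear()  # do not re-alert on the same pair of changes
    return alerts


def _ev(action, actor, repo, ts, **fields):
    return {"action": action, "actor": actor, "repo": repo, "branch": "main", "created_at": ts, **fields}


# Constructed sample audit events: one true positive, one single change, one pair hours apart.
SAMPLE_EVENTS = [
    _ev(ADMIN_ENFORCED_ACTION, "mallory", "acme/payments", "2024-05-01T10:00:00", admin_enforced=False),
    _ev(FORCE_PUSH_ACTION, "mallory", "acme/payments", "2024-05-01T10:02:00", allow_force_pushes_enforcement_level="everyone"),
    _ev(FORCE_PUSH_ACTION, "alice", "acme/web", "2024-05-01T11:00:00", allow_force_pushes_enforcement_level="everyone"),
    _ev(ADMIN_ENFORCED_ACTION, "bob", "acme/infra", "2024-05-01T08:00:00", admin_enforced=False),
    _ev(FORCE_PUSH_ACTION, "bob", "acme/infra", "2024-05-01T12:30:00", allow_force_pushes_enforcement_level="everyone"),
]
```

Running `find_protection_bypasses(SAMPLE_EVENTS)` yields a single alert for `mallory` on `acme/payments`; the lone change by `alice` and the widely separated pair by `bob` are not flagged.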

Triage and response

  • Determine whether {{@github.actor}} had a legitimate reason to modify branch protection settings on the affected repository.
  • Identify which branch was modified and check whether any commits or workflow files were pushed to it shortly after the protection change.
  • Review whether branch protection settings were subsequently restored, which may indicate an automated cleanup phase following secret extraction.
  • Check for related secret enumeration activity from {{@github.actor}} around the same time.