---
title: GitHub branch protection disabled with force push and admin enforcement bypass
description: Datadog, the leading service for cloud-scale monitoring.
---

# GitHub branch protection disabled with force push and admin enforcement bypass

- Classification: attack
- Tactic: [TA0005-defense-evasion](https://attack.mitre.org/tactics/TA0005)
- Technique: [T1562-impair-defenses](https://attack.mitre.org/techniques/T1562)

## Goal{% #goal %}

Detects branch protection being weakened by enabling force pushes and disabling admin enforcement simultaneously, a combination used by [Nord Stream](https://github.com/synacktiv/nord-stream/tree/main) to allow pushing a malicious workflow to a protected branch.

## Strategy{% #strategy %}

This rule monitors GitHub audit events for the concurrent modification of two branch protection settings: enabling force pushes and removing admin enforcement. Together these changes create the permissive conditions Nord Stream requires to push a workflow file without triggering protection rules. The combination of both changes in a short window is anomalous.
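
The correlation described above can be sketched offline as follows. This is an added example, not Datadog's rule query: the normalized event fields (`setting`, `enabled`, and so on), the five-minute window, and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed value for the "short window"
FORCE, ADMIN = "allow_force_pushes", "enforce_admins"  # hypothetical setting names

# Constructed sample events in a hypothetical normalized shape (not raw GitHub audit records).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "actor": "alice", "repo": "org/app", "branch": "main", "setting": FORCE, "enabled": True},
    {"ts": "2024-05-01T10:00:40", "actor": "alice", "repo": "org/app", "branch": "main", "setting": ADMIN, "enabled": False},
    {"ts": "2024-05-01T10:03:00", "actor": "alice", "repo": "org/app", "branch": "main", "setting": FORCE, "enabled": False},
    {"ts": "2024-05-01T11:00:00", "actor": "bob", "repo": "org/lib", "branch": "main", "setting": FORCE, "enabled": True},
    {"ts": "2024-05-01T11:30:00", "actor": "bob", "repo": "org/lib", "branch": "main", "setting": ADMIN, "enabled": False},
    {"ts": "2024-05-01T12:00:00", "actor": "carol", "repo": "org/web", "branch": "release", "setting": ADMIN, "enabled": False},
    {"ts": "2024-05-01T12:01:00", "actor": "dave", "repo": "org/web", "branch": "release", "setting": FORCE, "enabled": True},
    {"ts": "2024-05-01T13:00:00", "actor": "erin", "repo": "org/api", "branch": "main", "setting": ADMIN, "enabled": True},
    {"ts": "2024-05-01T13:01:00", "actor": "erin", "repo": "org/api", "branch": "main", "setting": FORCE, "enabled": True},
]


def weakening(event):
    """True if the change turns force pushes on or admin enforcement off."""
    return (event["setting"], event["enabled"]) in {(FORCE, True), (ADMIN, False)}


def detect(events, window=WINDOW):
    """Return (actor, repo, branch) keys where both weakening changes fall within `window`."""
    last_seen = {}  # (key, setting) -> time of the most recent weakening change
    hits = []
    for event in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        key = (event["actor"], event["repo"], event["branch"])
        ts = datetime.fromisoformat(event["ts"])
        if not weakening(event):
            # Setting was hardened or restored: it no longer counts toward the pair.
            last_seen.pop((key, event["setting"]), None)
            continue
        last_seen[(key, event["setting"])] = ts
        other = ADMIN if event["setting"] == FORCE else FORCE
        prev = last_seen.get((key, other))
        if prev is not None and ts - prev <= window and key not in hits:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for actor, repo, branch in detect(EVENTS):
        print(f"ALERT: {actor} weakened protection on {repo}@{branch}")
```

Only the `alice` sequence alerts: `bob`'s two changes are 30 minutes apart, `carol` and `dave` each made a single change, and `erin` turned admin enforcement on rather than off.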

## Triage and response{% #triage-and-response %}

- Determine whether `{{@github.actor}}` had a legitimate reason to modify branch protection settings on the affected repository.
- Identify which branch was modified and check whether any commits or workflow files were pushed to it shortly after the protection change.
- Review whether branch protection settings were subsequently restored, which may indicate an automated cleanup phase following secret extraction.
- Check for related secret enumeration activity from `{{@github.actor}}` around the same time.
