
Summary
The detection rule 'GitHub Repository Ruleset Modified' aims to identify unauthorized modifications to repository rulesets in GitHub repositories, which could signal malicious activity involving admin credentials. Such modifications may be intended to impair defenses or disable crucial controls that govern repository behavior, possibly to hide illicit activities. The rule monitors specific actions in GitHub audit logs, focusing on the creation, deletion, and update of rulesets, with emphasis on the 'update' action, which indicates a change in the established governance of the repository. The rule includes a log analysis framework that assesses whether these actions meet predefined expected outcomes. It also cross-references these events with the known ATT&CK mapping (specifically TA0005:T1562), linking to both prevention and detection strategies against potential defense evasion tactics. Authorized modifications are verified against intended operations to distinguish legitimate changes from potentially harmful activity. In the event of an unauthorized change, the detection serves as a prompt for remediation, ensuring that repository security remains intact.
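The following is an added illustration of the detection logic described above, run over constructed GitHub audit log lines; it is not the rule's own implementation. It assumes the audit log action names `repository_ruleset.create`, `repository_ruleset.update` and `repository_ruleset.destroy`, an NDJSON log layout, and a hypothetical `authorized_actors` set standing in for the rule's check against intended operations.

```python
import json

# Audit log actions for repository rulesets (assumed names) mapped to a
# severity; 'update' and 'destroy' alter or remove established governance.
RULESET_ACTIONS = {
    "repository_ruleset.create": "medium",
    "repository_ruleset.update": "high",
    "repository_ruleset.destroy": "high",
}

# Constructed sample audit log (NDJSON); not real data.
SAMPLE_LOG = """
{"action":"repository_ruleset.update","actor":"alice","repo":"acme/payments","created_at":"2025-01-09T10:00:00Z","ruleset_name":"main-protection"}
{"action":"repo.create","actor":"bob","repo":"acme/sandbox","created_at":"2025-01-09T10:01:00Z"}
{"action":"repository_ruleset.destroy","actor":"mallory","repo":"acme/payments","created_at":"2025-01-09T10:02:00Z","ruleset_name":"main-protection"}
{"action":"repository_ruleset.create","actor":"alice","repo":"acme/payments","created_at":"2025-01-09T10:03:00Z","ruleset_name":"release-protection"}
"""


def parse_audit_log(text):
    """Parse NDJSON audit log text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_ruleset_changes(events, authorized_actors=frozenset()):
    """Return one alert per ruleset create/update/destroy event.

    authorized_actors (hypothetical): identities expected to change rulesets,
    e.g. a change-management service account. Their events are still recorded
    but flagged 'expected' so analysts can focus on unexpected changes.
    """
    alerts = []
    for ev in events:
        severity = RULESET_ACTIONS.get(ev.get("action"))
        if severity is None:
            continue  # not a ruleset change; ignore
        alerts.append({
            "time": ev.get("created_at"),
            "repo": ev.get("repo"),
            "actor": ev.get("actor"),
            "action": ev["action"],
            "ruleset": ev.get("ruleset_name"),
            "severity": severity,
            "expected": ev.get("actor") in authorized_actors,
            "technique": "T1562",  # ATT&CK Impair Defenses, tactic TA0005
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_ruleset_changes(parse_audit_log(SAMPLE_LOG), {"alice"}):
        print(alert)
```

With `alice` authorized, the run yields three alerts, of which only the `destroy` by `mallory` is unexpected and high severity.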
Categories
- Cloud
- Infrastructure
- Application
Data Sources
- User Account
- Application Log
- Network Traffic
ATT&CK Techniques
- T1562
Created: 2025-01-09