
GitHub repository deploy key modified or created

ID: github_repository_deploy_key_changed
Data type: GitHub
Severity: Low
MITRE ATT&CK: TA0003 (Persistence), T1098.001 (Account Manipulation: Additional Cloud Credentials)

Description

AlphaSOC detected the creation or modification of a GitHub repository deploy key. Deploy keys are SSH keys that grant access to a single repository and can perform repository-level operations with elevated privileges.

Impact

Creating or modifying a deploy key can give a threat actor persistent access to a repository, a way to push malicious code, and a channel for exfiltrating sensitive data. Because deploy keys have no expiration date and typically lack passphrase protection, a compromised server that holds one exposes the repository to unauthorized access.

Severity

Severity | Condition
Low | GitHub repository deploy key modified or created

Investigation and Remediation

Review the GitHub audit log to identify the deploy key change and verify that the creation or modification event was legitimate. Determine which repository and which server are involved in the detected activity. Remove any unauthorized deploy keys and rotate any that show signs of compromise. Audit repository access and recent changes to identify potential unauthorized modifications. Protect deploy keys with a passphrase and enforce a regular key rotation policy to prevent unauthorized access.
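As an added illustration of the review steps above (example code, not AlphaSOC's or GitHub's), the following Python triages deploy-key events from a GitHub audit-log export against a change-control allowlist and then checks a repository's current deploy-key inventory for unapproved, read/write, or overdue keys. The `public_key.*` action names and the `action`, `actor`, `repo`, `title`, `read_only` and `created_at` field names are assumptions about the export and REST response formats; all sample data is constructed.

```python
# Added example, not AlphaSOC's or GitHub's code. Assumed field names: audit export
# `action`, `actor`, `repo`, `title`; inventory `title`, `read_only`, `created_at`.
import json
from datetime import datetime, timedelta, timezone
DEPLOY_KEY_ACTIONS = {"public_key.create", "public_key.update", "public_key.delete"}
# Constructed JSON-lines audit export: two deploy-key events and one unrelated event.
SAMPLE_AUDIT_LOG = """\
{"action": "public_key.create", "actor": "ci-bot", "repo": "acme/payments", "title": "ci-deploy-2024"}
{"action": "repo.create", "actor": "alice", "repo": "acme/docs"}
{"action": "public_key.create", "actor": "mallory", "repo": "acme/payments", "title": "backup"}
"""
# Change-control record: (repository, key title) pairs that are expected to exist.
APPROVED_KEYS = {("acme/payments", "ci-deploy-2024")}
# Constructed inventory shaped like GET /repos/{owner}/{repo}/keys for acme/payments.
SAMPLE_INVENTORY = [
    {"id": 1, "title": "ci-deploy-2024", "read_only": True, "created_at": "2024-05-01T00:00:00Z"},
    {"id": 2, "title": "backup", "read_only": False, "created_at": "2023-01-15T00:00:00Z"},
]

def parse_audit_log(text):
    """Parse a JSON-lines audit-log export into event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def audit_findings(events, approved):
    """One finding per deploy-key event; deletions count too, since an intruder may remove a key first."""
    out = []
    for ev in events:
        if ev.get("action") not in DEPLOY_KEY_ACTIONS:
            continue
        title = ev.get("title", "")
        out.append({"repo": ev["repo"], "actor": ev["actor"], "action": ev["action"],
                    "title": title, "approved": (ev["repo"], title) in approved})
    return out

def keys_needing_attention(inventory, repo, approved, max_age_days=90, now=None):
    """Flag keys that are unapproved, grant write access, or exceed the rotation window."""
    now = now or datetime.now(timezone.utc)
    flagged = []
    for k in inventory:
        created = datetime.fromisoformat(k["created_at"].replace("Z", "+00:00"))
        reasons = []
        if (repo, k["title"]) not in approved:
            reasons.append("not in change-control allowlist")
        if not k["read_only"]:
            reasons.append("read/write key")
        if now - created > timedelta(days=max_age_days):
            reasons.append("older than rotation window")
        if reasons:
            flagged.append((k["id"], k["title"], reasons))
    return flagged
```

Each unapproved audit finding and each flagged inventory key is a candidate for removal or rotation; the audit-log actor and repository identify the server and pipeline to follow up on.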