GitHub SSH certificate authority created
Description
AlphaSOC detected that a GitHub SSH certificate authority was created. This change affects how SSH certificates are validated for Git operations over SSH. Threat actors can manipulate SSH certificate authorities to establish persistent access and bypass authentication controls.
Impact
Creation of SSH certificate authorities could allow adversaries to authenticate as legitimate users without valid credentials, potentially leading to unauthorized repository access, code theft, or malicious code injection within the GitHub environment.
Severity
| Severity | Condition |
|---|---|
| Informational | GitHub SSH certificate authority created |
Investigation and Remediation
Review the GitHub audit logs to identify who created the SSH certificate authority and verify whether this action was authorized. Examine the logs for any unusual repository access patterns or Git operations following the event. If unauthorized, revert the certificate authority configuration, revoke all certificates issued by the compromised CA, rotate affected SSH keys, review repository access logs for suspicious activity during the exposure window, and update all Git clients to trust only the legitimate certificate authority.
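The audit-log review above can be scripted against an exported organization audit log. The following is an added example (not AlphaSOC's or GitHub's own code): it parses JSON-lines audit entries, picks out every SSH certificate authority creation, checks the actor against a list of people who are allowed to manage CAs, and lists what that actor did in the organization afterwards. It assumes the organization audit-log action names `ssh_certificate_authority.create` and `ssh_certificate_authority.destroy` and the export fields `action`, `actor`, `org`, `repo` and a millisecond-epoch `@timestamp`; confirm these against your own export before relying on the output. The log lines and user names are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Assumed GitHub organization audit-log action names (verify against your export).
CA_CREATE = "ssh_certificate_authority.create"
CA_DESTROY = "ssh_certificate_authority.destroy"

# Constructed sample audit-log export in JSON-lines form. Field names are assumptions.
SAMPLE_AUDIT_LOG = """\
{"@timestamp": 1717000000000, "action": "org.add_member", "actor": "alice", "org": "example-org"}
{"@timestamp": 1717003600000, "action": "ssh_certificate_authority.create", "actor": "mallory", "org": "example-org"}
{"@timestamp": 1717007200000, "action": "git.clone", "actor": "mallory", "org": "example-org", "repo": "example-org/payments"}
{"@timestamp": 1717010800000, "action": "ssh_certificate_authority.create", "actor": "alice", "org": "example-org"}
{"@timestamp": 1717014400000, "action": "ssh_certificate_authority.destroy", "actor": "alice", "org": "example-org"}
"""

# Hypothetical allowlist of accounts that are expected to create SSH CAs.
AUTHORIZED_CA_ADMINS = {"alice"}


def parse_audit_log(text):
    """Parse a JSON-lines audit-log export into dicts, adding a UTC datetime under 'ts'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        # '@timestamp' is assumed to be milliseconds since the Unix epoch.
        entry["ts"] = datetime.fromtimestamp(entry["@timestamp"] / 1000, tz=timezone.utc)
        entries.append(entry)
    # Process events in time order regardless of export ordering.
    return sorted(entries, key=lambda e: e["ts"])


def triage_ca_creations(entries, authorized_admins):
    """Return one finding per CA creation: who did it, whether it was expected,
    and every later action by the same actor in the same organization.

    Follow-on activity is what the remediation text asks you to examine; the
    list stops at the end of the export because a destroy entry does not say
    which CA it removed, so the exposure window is treated as still open.
    """
    findings = []
    for i, entry in enumerate(entries):
        if entry.get("action") != CA_CREATE:
            continue
        actor, org = entry.get("actor"), entry.get("org")
        follow_on = [
            (e["action"], e.get("repo"))
            for e in entries[i + 1:]
            if e.get("actor") == actor
            and e.get("org") == org
            and e.get("action") not in (CA_CREATE, CA_DESTROY)
        ]
        findings.append({
            "org": org,
            "actor": actor,
            "created_at": entry["ts"],
            "authorized": actor in authorized_admins,
            "follow_on_actions": follow_on,
        })
    return findings


def unauthorized_findings(findings):
    """Filter to the creations that need escalation."""
    return [f for f in findings if not f["authorized"]]


if __name__ == "__main__":
    all_findings = triage_ca_creations(parse_audit_log(SAMPLE_AUDIT_LOG), AUTHORIZED_CA_ADMINS)
    for f in all_findings:
        status = "authorized" if f["authorized"] else "UNAUTHORIZED"
        print(f"{f['created_at'].isoformat()} {f['org']} CA created by {f['actor']}: {status}")
        for action, repo in f["follow_on_actions"]:
            print(f"    follow-on: {action} {repo or ''}".rstrip())
    print(f"{len(unauthorized_findings(all_findings))} creation(s) to escalate")
```

Run against a real export, the `follow_on_actions` list for an unauthorized creator is the starting point for the exposure-window review, and the presence of any creation at all is the trigger to revoke certificates issued by that CA and rotate affected keys.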