GitHub SSH certificate authority created

ID: github_ssh_certificate_authority_created
Data type: GitHub
Severity: Informational
MITRE ATT&CK: TA0003:T1556

Description

AlphaSOC detected that a GitHub SSH certificate authority was created. This change affects how SSH certificates are validated for Git operations over SSH. Threat actors can manipulate SSH certificate authorities to establish persistent access and bypass authentication controls.

Impact

Creation of SSH certificate authorities could allow adversaries to authenticate as legitimate users without valid credentials, potentially leading to unauthorized repository access, code theft, or malicious code injection within the GitHub environment.

Severity

Severity      | Condition
Informational | GitHub SSH certificate authority created

Investigation and Remediation

Review the GitHub audit logs to identify who created the SSH certificate authority and verify whether this action was authorized (for example, against a change ticket or the list of administrators expected to manage SSH CAs). Look for unusual repository access patterns or Git operations following the event, since certificates issued by a rogue CA are accepted as valid SSH credentials. If the change was unauthorized: revert the certificate authority configuration, revoke all certificates issued by the compromised CA, rotate affected SSH keys, review repository access logs for suspicious activity during the exposure window, and update all Git clients to trust only the legitimate certificate authority.
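The triage steps above (find the CA change, check the actor against an approved list, then inspect Git operations that followed) can be run over an audit log export. The following is an added example, not AlphaSOC's or GitHub's code; it assumes the GitHub audit log JSON export shape (fields `action`, `actor`, `org`, `@timestamp` in milliseconds) and the action names `ssh_certificate_authority.create`, `ssh_certificate_authority.destroy`, `git.clone`, `git.fetch` and `git.push`. The sample log and account names are constructed.

```python
"""Triage GitHub audit log events for SSH certificate authority changes.

Added example (not AlphaSOC's or GitHub's code). Assumes the audit log JSON
export fields "action", "actor", "org", "@timestamp" and the action names in
CA_ACTIONS / GIT_ACTIONS below; the sample events are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Audit log actions tied to SSH CA changes (assumed action names).
CA_ACTIONS = {"ssh_certificate_authority.create", "ssh_certificate_authority.destroy"}
# Git-over-SSH operations worth reviewing after a CA change (assumed action names).
GIT_ACTIONS = {"git.clone", "git.fetch", "git.push"}

# Constructed sample export: one CA creation by a known platform admin,
# a second by an unexpected account, followed by a burst of clones.
SAMPLE_AUDIT_LOG = json.dumps([
    {"@timestamp": 1699900000000, "action": "ssh_certificate_authority.create",
     "actor": "platform-admin", "org": "example-org"},
    {"@timestamp": 1699903600000, "action": "git.push", "actor": "dev-alice",
     "org": "example-org", "repo": "example-org/api"},
    {"@timestamp": 1700010000000, "action": "ssh_certificate_authority.create",
     "actor": "contractor-bob", "org": "example-org"},
    {"@timestamp": 1700010300000, "action": "git.clone", "actor": "svc-build",
     "org": "example-org", "repo": "example-org/api"},
    {"@timestamp": 1700010600000, "action": "git.clone", "actor": "svc-build",
     "org": "example-org", "repo": "example-org/billing"},
    {"@timestamp": 1700200000000, "action": "git.clone", "actor": "dev-alice",
     "org": "example-org", "repo": "example-org/api"},
])


def parse_events(raw):
    """Load the export and attach a timezone-aware datetime, oldest first."""
    events = json.loads(raw)
    for e in events:
        e["ts"] = datetime.fromtimestamp(e["@timestamp"] / 1000, tz=timezone.utc)
    return sorted(events, key=lambda e: e["ts"])


def ca_changes(events):
    """Every SSH CA create/destroy event in the export."""
    return [e for e in events if e["action"] in CA_ACTIONS]


def triage_ca_change(event, authorized_actors):
    """'authorized' if the actor is on the approved-admin list, else 'review'."""
    return "authorized" if event["actor"] in authorized_actors else "review"


def git_activity_after(events, ca_event, hours=24):
    """Git-over-SSH operations in the same org within `hours` of the CA change."""
    end = ca_event["ts"] + timedelta(hours=hours)
    return [e for e in events
            if e["action"] in GIT_ACTIONS
            and e["org"] == ca_event["org"]
            and ca_event["ts"] <= e["ts"] <= end]


def report(raw, authorized_actors):
    """One finding per CA change: who, when, verdict, and follow-on Git ops."""
    events = parse_events(raw)
    findings = []
    for ca in ca_changes(events):
        followup = git_activity_after(events, ca)
        findings.append({
            "when": ca["ts"].isoformat(),
            "actor": ca["actor"],
            "action": ca["action"],
            "verdict": triage_ca_change(ca, authorized_actors),
            # (actor, repo) pairs to compare against each account's normal access
            "git_ops_next_24h": sorted({(e["actor"], e["repo"]) for e in followup}),
        })
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_AUDIT_LOG, {"platform-admin"}):
        print(finding)
```

Running it against the sample marks the `platform-admin` creation as authorized and the `contractor-bob` creation for review, listing the `svc-build` clones of two repositories that followed it within 24 hours; in a real investigation the `authorized_actors` set comes from your change records, and the follow-up window should be widened to cover the whole period until the rogue CA was removed.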