GitHub SSH certificate authority deleted
Description
AlphaSOC detected that a GitHub SSH certificate authority was deleted. SSH certificate authorities are used to manage and validate SSH keys for Git operations. Threat actors may delete these certificate authorities to remove evidence of their activity within the environment.
Impact
Deletion of an SSH certificate authority may indicate that an adversary is attempting to cover their tracks after possibly compromising an organization's GitHub infrastructure.
Severity
Severity | Condition |
---|---|
Low | GitHub SSH certificate authority deleted |
Investigation and Remediation
Review GitHub audit logs to identify who deleted the SSH certificate authority and examine any suspicious activities preceding this action. Verify whether the deletion was authorized. If unauthorized, rotate credentials of any potentially compromised accounts and conduct a thorough security review of the organization's GitHub environment.
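The audit-log review described above can be scripted against an exported log. The following is an added example, not AlphaSOC's or GitHub's code: it assumes a JSON-lines export with GitHub's `@timestamp` (epoch milliseconds), `action`, `actor` and `org` fields and the `ssh_certificate_authority.destroy` action name; the 24-hour lookback window and the sample events are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: GitHub's audit-log action name for an SSH CA deletion.
CA_DELETE = "ssh_certificate_authority.destroy"
LOOKBACK = timedelta(hours=24)  # assumed triage window, tune to your environment

# Constructed sample export: one JSON event per line, including one damaged line.
SAMPLE = """\
{"@timestamp": 1699900000000, "action": "repo.create", "actor": "dev-alice", "org": "example-org"}
{"@timestamp": 1699990000000, "action": "org.add_member", "actor": "dev-alice", "org": "example-org"}
{"@timestamp": 1699995000000, "action": "repo.access", "actor": "dev-bob", "org": "example-org"}
{"@timestamp": 1699998000000, "action": "ssh_certificate_authority.create", "actor": "dev-alice", "org": "example-org"}
{"@timestamp": 1699999000000, "action": "repo.cre
{"@timestamp": 1700000000000, "action": "ssh_certificate_authority.destroy", "actor": "dev-alice", "org": "example-org"}
"""

def parse(text):
    """Parse JSON-lines audit events, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        except (ValueError, KeyError, TypeError):
            continue  # truncated or non-event line: ignore rather than abort triage
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])

def triage(events, lookback=LOOKBACK):
    """For each CA deletion, report who did it and what that actor did beforehand."""
    findings = []
    for ev in events:
        if ev.get("action") != CA_DELETE:
            continue
        start = ev["_ts"] - lookback
        preceding = [p.get("action") for p in events
                     if p is not ev and p.get("actor") == ev.get("actor")
                     and start <= p["_ts"] <= ev["_ts"]]
        findings.append({"actor": ev.get("actor"), "org": ev.get("org"),
                         "deleted_at": ev["_ts"].isoformat(), "preceding": preceding})
    return findings

if __name__ == "__main__":
    for finding in triage(parse(SAMPLE)):
        print(json.dumps(finding, indent=2))
```

A CA that the same actor created shortly before deleting it, as in the sample, is worth checking against change records when verifying whether the deletion was authorized.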