
GitHub user blocked from accessing an organization’s repositories

ID: github_user_blocked
Data type: GitHub
Severity: Informational
MITRE ATT&CK: TA0040:T1531

Description

AlphaSOC detected that a user was blocked from accessing an organization's repositories on GitHub. This action prevents the user from viewing, cloning, or contributing to any of the organization's repositories. While this is often a legitimate administrative action, unauthorized blocking could be used by threat actors to disrupt business operations or maintain exclusive access to repositories after compromise.

Impact

Blocking users from organizational repositories can disrupt development workflows and collaboration. If performed without authorization, this activity may indicate credential compromise or an attempt to lock out legitimate users, potentially as part of a larger attack strategy.

Severity

Severity: Informational
Condition: GitHub user was blocked from accessing an organization's repositories

Investigation and Remediation

Review GitHub audit logs to verify whether this action was authorized and identify the user account responsible for the blocking. If unauthorized, restore access for the blocked user, rotate any potentially compromised credentials, and conduct a thorough audit of the environment for other signs of compromise.
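
As an added example (not AlphaSOC or GitHub code), the audit log review described above can be scripted: the code below reads exported audit log events as JSON lines, lists each org.block_user event with the account that performed it, and marks blocks made by accounts outside an approved list that have not been reversed by a later org.unblock_user. The field names (@timestamp, action, actor, blocked_user, org) are assumed to match the audit log export in use; APPROVED_BLOCKERS and every sample event are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in audit-log JSON-lines style (not real data); field names are assumed.
SAMPLE_LOG = """\
{"@timestamp": 1714557600000, "action": "org.block_user", "actor": "alice-admin", "blocked_user": "former-contractor", "org": "example-org"}
{"@timestamp": 1714561200000, "action": "org.block_user", "actor": "dev-bob", "blocked_user": "ext-reviewer", "org": "example-org"}
{"@timestamp": 1714561260000, "action": "org.block_user", "actor": "dev-bob", "blocked_user": "partner-dev", "org": "example-org"}
{"@timestamp": 1714564800000, "action": "org.unblock_user", "actor": "alice-admin", "blocked_user": "ext-reviewer", "org": "example-org"}
{"@timestamp": 1714564900000, "action": "repo.create", "actor": "dev-bob", "org": "example-org"}
"""

# Hypothetical list of accounts approved to block users in this organization.
APPROVED_BLOCKERS = {"alice-admin"}

def triage_blocks(log_text, approved=APPROVED_BLOCKERS):
    """Return one record per org.block_user event, oldest first."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e.get("@timestamp", 0))
    findings = []
    open_blocks = {}  # (org, blocked user) -> index of the latest unreversed block
    for ev in events:
        action = ev.get("action")
        if action not in ("org.block_user", "org.unblock_user"):
            continue
        target = ev.get("blocked_user") or ev.get("user")
        key = (ev.get("org"), target)
        if action == "org.unblock_user":
            idx = open_blocks.pop(key, None)
            if idx is not None:
                findings[idx]["still_blocked"] = False
            continue
        ts = datetime.fromtimestamp(ev.get("@timestamp", 0) / 1000, tz=timezone.utc)
        findings.append({
            "time": ts.isoformat(),
            "org": ev.get("org"),
            "actor": ev.get("actor"),
            "blocked_user": target,
            "actor_approved": ev.get("actor") in approved,
            "still_blocked": True,
        })
        open_blocks[key] = len(findings) - 1
    for f in findings:  # access needs restoring only if unapproved and not yet reversed
        f["restore_access"] = f["still_blocked"] and not f["actor_approved"]
    return findings

if __name__ == "__main__":
    for f in triage_blocks(SAMPLE_LOG):
        print(f)
```

Records with actor_approved set to False identify the account whose credentials should be reviewed; restore_access marks the blocked users who still need their access restored.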

Known False Positives

  • Legitimate administrative actions to block former employees or contractors
  • Blocking users as part of regular access control management
  • Temporary blocks during security incidents or investigations