GitHub user unblocked from accessing an organization’s repositories

ID: github_user_unblocked
Data type: GitHub
Severity: Informational
MITRE ATT&CK: TA0003:T1098

Description

AlphaSOC detected that a GitHub user was unblocked from accessing an organization's repositories. This action restores a previously blocked user's ability to view, clone, and potentially contribute to the organization's code repositories. Threat actors who have gained administrative access may unblock previously blocked users to establish persistence within the organization's development infrastructure.

Impact

Unblocking a user could indicate potential compromise of an account with administrative privileges, such as an organization administrator or owner. This activity may represent an attempt to maintain access to the organization's development environment and could potentially lead to further compromise if the unblocking was unauthorized.

Severity

Severity | Condition
Informational | GitHub user was unblocked from accessing an organization's repositories

Investigation and Remediation

Review GitHub audit logs to identify the user who performed the unblock action and verify whether it was authorized. If unauthorized, block the user again, rotate any potentially compromised credentials, and investigate the environment for other indicators of compromise.
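
One way to carry out the audit log review described above, as an added example that is not AlphaSOC's or GitHub's own code: it reads an audit log export in JSON-lines form, finds each `org.unblock_user` event, and pairs it with the earlier `org.block_user` event for the same account so the analyst can see who performed each action. The sample events, the `blocked_user` field name for the affected account, and the `APPROVED_ACTORS` allow-list are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample events in the style of a GitHub audit-log JSON-lines export.
# Assumption: the affected account is in "blocked_user" (falling back to "user").
SAMPLE_LOG = """\
{"@timestamp": 1717300000000, "action": "org.block_user", "actor": "alice-admin", "org": "example-org", "blocked_user": "trent"}
{"@timestamp": 1717400000000, "action": "org.block_user", "actor": "alice-admin", "org": "example-org", "blocked_user": "mallory"}
{"@timestamp": 1717486400000, "action": "repo.create", "actor": "bob-dev", "org": "example-org", "repo": "example-org/tools"}
{"@timestamp": 1717490000000, "action": "org.unblock_user", "actor": "carol-owner", "org": "example-org", "blocked_user": "mallory"}
{"@timestamp": 1717493600000, "action": "org.unblock_user", "actor": "alice-admin", "org": "example-org", "blocked_user": "trent"}
"""

# Hypothetical allow-list: accounts expected to manage blocks in this organization.
APPROVED_ACTORS = {"alice-admin"}

def _target(event):
    return event.get("blocked_user") or event.get("user")

def _when(event):
    # "@timestamp" is treated as epoch milliseconds.
    return datetime.fromtimestamp(event["@timestamp"] / 1000, tz=timezone.utc).isoformat()

def review_unblocks(log_text, approved_actors):
    """Return one finding per org.unblock_user event, paired with the prior block."""
    last_block = {}  # (org, target) -> most recent org.block_user event
    findings = []
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("org"), _target(ev))
        if ev.get("action") == "org.block_user":
            last_block[key] = ev
        elif ev.get("action") == "org.unblock_user":
            block = last_block.pop(key, None)
            reasons = []
            if ev.get("actor") not in approved_actors:
                reasons.append("actor not on approved list")
            if block is None:
                reasons.append("no matching block event in this export")
            elif block.get("actor") != ev.get("actor"):
                reasons.append("unblocked by a different account than the blocker")
            findings.append({"time": _when(ev), "org": key[0], "unblocked_user": key[1],
                             "actor": ev.get("actor"),
                             "blocked_by": block.get("actor") if block else None,
                             "needs_review": bool(reasons), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in review_unblocks(SAMPLE_LOG, APPROVED_ACTORS):
        print(json.dumps(finding))
```

A finding with `needs_review` set is a prompt to confirm the change with the acting account's owner, not proof of compromise.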