Last updated Nov 29, 2025

GitHub Owner Role Granted To User

Detects when GitHub owner permissions are granted to an existing account.

Query

Extracts owner permission change events from GitHub audit logs in real time.

| search action == "org.update_member" and permission == "admin"
| rename user as target_user, actor as user, actor_ip as src_ip

Message

  • GitHub owner role granted: Actor $user, User $target_user

Field Order

  • _log_time, src_ip, user, action, target_user, permission

Threat Analysis

  • An attacker who compromises an administrator account may grant owner permissions to any user within the organization.
  • Owner permissions allow modification of organization-wide settings, security policies, and repository access, and can be misused for privilege escalation or establishing persistence.
  • Owner permissions that are added unexpectedly introduce a high risk of widespread manipulation and potential data exposure across the organization.

False Positive

  • This alert may also fire when owner permissions are legitimately granted to a new administrator.
    • Because owner role assignments occur infrequently, it is recommended to keep this detection rule enabled even if occasional false positives arise.

Response Actions

  • Immediately verify whether the owner permission change was authorized.
    • Review the administrator account’s IP address, user agent, and MFA status.
  • If the change was unauthorized, revoke the owner permission at once and deactivate the administrator account or revoke its tokens.
  • Investigate any related events performed by the same administrator account around the same time, such as unusual repository creation, workflow changes, or permission modifications.
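
The query and the last response step above, as an added Python example (not part of the original rule or the product's own code): it applies the same filter and field renames to constructed JSON-lines audit events, then lists other actions by the same actor near the grant. The ISO-8601 `_log_time` format, the 30-minute window, and all sample values are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events, not real audit data. Field names follow the query
# above; values other than "org.update_member" / "admin" are illustrative.
SAMPLE_LOG = """\
{"_log_time": "2025-01-10T09:00:00", "action": "repo.create", "actor": "alice-admin", "actor_ip": "203.0.113.7"}
{"_log_time": "2025-01-10T09:02:00", "action": "org.update_member", "actor": "alice-admin", "actor_ip": "203.0.113.7", "user": "bob", "permission": "admin"}
{"_log_time": "2025-01-10T09:03:00", "action": "org.update_member", "actor": "carol", "actor_ip": "198.51.100.4", "user": "dave", "permission": "member"}
{"_log_time": "2025-01-10T09:05:00", "action": "repo.add_member", "actor": "alice-admin", "actor_ip": "203.0.113.7"}
{"_log_time": "2025-01-10T13:00:00", "action": "repo.create", "actor": "alice-admin", "actor_ip": "203.0.113.7"}
not-json line
"""

def parse(text):
    """Parse JSON lines; skip records that are malformed or lack a usable timestamp."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["_ts"] = datetime.fromisoformat(ev["_log_time"])
        except (ValueError, TypeError, KeyError):
            continue
        events.append(ev)
    return events

def detect(events, window=timedelta(minutes=30)):
    """Return one alert per owner grant, with the actor's nearby actions attached."""
    alerts = []
    for ev in events:
        if ev.get("action") != "org.update_member" or ev.get("permission") != "admin":
            continue
        # Same renames as the query: user -> target_user, actor -> user, actor_ip -> src_ip
        alert = {"_log_time": ev["_log_time"], "src_ip": ev.get("actor_ip"),
                 "user": ev.get("actor"), "action": ev["action"],
                 "target_user": ev.get("user"), "permission": ev["permission"]}
        alert["message"] = (f"GitHub owner role granted: Actor {alert['user']}, "
                            f"User {alert['target_user']}")
        # Triage aid: other events by the same actor within the window
        alert["related"] = [o["action"] for o in events
                            if o is not ev and o.get("actor") == ev.get("actor")
                            and abs(o["_ts"] - ev["_ts"]) <= window]
        alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a["message"], "| related:", a["related"])
```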

MITRE ATT&CK