Last updated Nov 29, 2025

GitHub Repository Member Added

Detects when an account is added to a GitHub repository.

Query

Extract GitHub repository member added events from GitHub audit logs in real time.

| search action == "repo.add_member"
| rename user as target_user, actor as user, actor_ip as src_ip

Message

  • GitHub repository member added: Actor $user, Repository $repo, Target User $target_user, Permission $permission

Field Order

  • _log_time, src_ip, actor, action, repo, user, permission, public_repo, user_agent, visibility
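As an added illustration that is not part of this rule or the platform's own code, the following Python reimplements the query (filter on action == "repo.add_member" and the field renames) and the message template over constructed sample audit-log lines; the field names follow the Field Order above, the sample values are invented, and the elevated flag for Write/Maintain/Admin grants is an extra triage aid suggested by the Threat Analysis section.

```python
import json
from dataclasses import dataclass

# Constructed sample GitHub audit-log events as JSON lines (not real data).
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"_log_time": "2025-11-29T10:00:00Z", "action": "repo.add_member", "actor": "alice-admin",
     "actor_ip": "203.0.113.10", "repo": "example-org/payments", "user": "new-contractor",
     "permission": "admin", "public_repo": False, "user_agent": "Mozilla/5.0", "visibility": "private"},
    {"_log_time": "2025-11-29T10:05:00Z", "action": "repo.remove_member", "actor": "alice-admin",
     "actor_ip": "203.0.113.10", "repo": "example-org/payments", "user": "old-intern",
     "permission": "write", "public_repo": False, "user_agent": "Mozilla/5.0", "visibility": "private"},
    {"_log_time": "2025-11-29T11:00:00Z", "action": "repo.add_member", "actor": "bob-admin",
     "actor_ip": "198.51.100.7", "repo": "example-org/docs", "user": "ci-bot",
     "permission": "read", "public_repo": True, "user_agent": "curl/8.0", "visibility": "public"},
])
# Permission levels the Threat Analysis section singles out for closer review.
ELEVATED_PERMISSIONS = {"write", "maintain", "admin"}

@dataclass
class Alert:
    log_time: str
    src_ip: str       # renamed from actor_ip, as in the rule's query
    user: str         # renamed from actor: the account that granted access
    target_user: str  # renamed from user: the account that received access
    repo: str
    permission: str
    elevated: bool    # True when permission is write, maintain or admin

    def message(self) -> str:
        # Same template as the rule's Message section
        return (f"GitHub repository member added: Actor {self.user}, Repository {self.repo}, "
                f"Target User {self.target_user}, Permission {self.permission}")

def detect_repo_add_member(raw_log: str) -> list[Alert]:
    """Apply the rule: keep only repo.add_member events and rename the fields."""
    alerts = []
    for line in filter(None, raw_log.splitlines()):  # skip empty lines
        event = json.loads(line)
        if event.get("action") != "repo.add_member":
            continue
        permission = str(event.get("permission", "")).lower()
        alerts.append(Alert(log_time=event.get("_log_time", ""), src_ip=event.get("actor_ip", ""),
                            user=event.get("actor", ""), target_user=event.get("user", ""),
                            repo=event.get("repo", ""), permission=permission,
                            elevated=permission in ELEVATED_PERMISSIONS))
    return alerts

if __name__ == "__main__":
    for a in detect_repo_add_member(SAMPLE_AUDIT_LOG):
        print(("[REVIEW] " if a.elevated else "[INFO] ") + a.message())
```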

Threat Analysis

  • If an attacker compromises a GitHub administrator account, they may grant repository access to a malicious or attacker-controlled account while disguising it as a legitimate permission change. This is a common technique for establishing persistence and privilege escalation.
  • Accounts with repository access—especially Write, Maintain, or Admin permissions—can read sensitive source code, modify files, manipulate workflows, or exfiltrate intellectual property, creating opportunities for supply chain attacks.
  • Because repository permission grants can appear similar to normal administrative activity, detecting unauthorized privilege assignments can be challenging without monitoring.
  • Insider threats may also misuse repository access assignments to bypass process controls, view sensitive code, or intentionally leak information.

False Positive

  • Administrators may legitimately grant access to new team members joining a project.
  • Partner organizations or external vendors may receive temporary repository access as part of authorized collaboration.
  • Service accounts or automation accounts for CI/CD systems may be granted access during pipeline setup.
  • In environments where repository permissions are frequently adjusted, normal operational actions may trigger this detection.

Response Actions

  • Verify the Actor

    • Confirm whether the account ($user) that granted access is a legitimate administrator and whether the action was intentional.
  • Review the Permission Level

    • Check whether $permission aligns with the principle of least privilege.
    • Investigate cases where unnecessary Write or Admin permissions were granted.
  • Revoke Unauthorized Access

    • If the target account ($target_user) is unknown or suspicious, immediately remove the granted permissions.
  • Analyze Account Activity

    • Review pull requests, commits, workflow runs, or other activities performed by the account before and after permission assignment.
  • Check for Account Compromise

    • Analyze the administrator’s login history (IP address, User-Agent patterns) for signs of credential theft or session hijacking.
  • Strengthen Security Controls

    • Introduce approval workflows for repository permission changes, minimize the number of administrators, and formalize external access policies.
    • Enable alerting or periodic auditing of repository permission changes.

MITRE ATT&CK