GitHub

Last updated Nov 29, 2025

GitHub SSH Key Added

Detects registration of new SSH public keys in GitHub.

Query

Extract SSH public key registration events from GitHub audit logs in real time.

| search action == "public_key.create"
| rename actor_ip as src_ip, actor as user

Message

  • GitHub SSH key added: account $user, repository $repo, key $title

Field Order

  • _log_time, src_ip, user, action, repo, title, key, user_agent
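As an added example, not part of the original rule, the Python below reproduces the Query and Message sections over a constructed batch of GitHub audit-log events (JSON lines whose field names follow the Field Order above; all values are invented) and adds a triage helper that marks key registrations from a source IP the user had not used earlier in the batch, supporting the IP review under Response Actions.

```python
import json
from collections import defaultdict

# Constructed sample of GitHub audit-log events (JSON lines). Field names follow
# the rule's Field Order (action, actor, actor_ip, repo, title, key, user_agent);
# every value here is invented for this example.
SAMPLE_LOG = """
{"_log_time":"2025-11-29T08:00:00Z","action":"git.clone","actor":"alice","actor_ip":"203.0.113.10","repo":"acme/app","user_agent":"git/2.43"}
{"_log_time":"2025-11-29T08:05:00Z","action":"public_key.create","actor":"alice","actor_ip":"203.0.113.10","title":"alice-laptop","key":"SHA256:AAAA","user_agent":"Mozilla/5.0"}
{"_log_time":"2025-11-29T09:10:00Z","action":"public_key.create","actor":"bob","actor_ip":"198.51.100.77","title":"deploy","key":"SHA256:BBBB","user_agent":"curl/8.5"}
{"_log_time":"2025-11-29T09:11:00Z","action":"repo.push","actor":"bob","actor_ip":"198.51.100.77","repo":"acme/app","user_agent":"git/2.43"}
"""

def parse_events(text):
    """Parse JSON-lines audit-log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_ssh_key_added(events):
    """Same effect as the rule's query:
    search action == "public_key.create" | rename actor_ip as src_ip, actor as user."""
    hits = []
    for ev in events:
        if ev.get("action") != "public_key.create":
            continue
        hit = dict(ev)
        hit["src_ip"] = hit.pop("actor_ip", None)
        hit["user"] = hit.pop("actor", None)
        hits.append(hit)
    return hits

def alert_message(hit):
    """Render the rule's Message template for one hit ($repo may be absent)."""
    return (f"GitHub SSH key added: account {hit.get('user')}, "
            f"repository {hit.get('repo') or '(none)'}, key {hit.get('title')}")

def flag_new_source_ip(events):
    """Triage aid (assumption: events are in time order): mark key registrations
    whose actor_ip the same actor had not used in any earlier event in the batch."""
    seen = defaultdict(set)
    flagged = []
    for ev in events:
        actor, ip = ev.get("actor"), ev.get("actor_ip")
        if ev.get("action") == "public_key.create" and ip not in seen[actor]:
            flagged.append((actor, ip, ev.get("title")))
        seen[actor].add(ip)
    return flagged

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for hit in detect_ssh_key_added(events):
        print(alert_message(hit))
    print("new-IP key registrations:", flag_new_source_ip(events))
```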

Threat Analysis

  • An attacker who has compromised an account or session may add a malicious SSH public key to a GitHub account. Once registered, this key enables long-term access without additional authentication, making it a common method for persistence.
  • With an SSH key added, the attacker can perform Git clone, push, and other privileged operations without requiring a password or MFA, increasing the risk of privilege escalation, source code modification, and data theft.
  • Because SSH key registration often appears similar to legitimate user activity, it can be difficult to detect early in account takeover scenarios. Attackers may also register keys and remain dormant for extended periods.
  • Unauthorized key registration is also a significant risk in insider threat scenarios, potentially enabling source code exfiltration or supply chain attacks.

False Positive Scenarios

  • Developers may legitimately register new SSH keys when onboarding new devices or rebuilding their development environments.
  • CI/CD pipelines or automation environments may automatically generate and register SSH keys during setup or key rotation.
  • External partners with limited development access may add SSH keys as part of authorized workflows.
  • In organizations that allow multiple SSH keys per user, normal operations may frequently trigger this detection.

Response Actions

  • User Verification and Activity Validation

    • Immediately confirm with the user whether the SSH key registration was intentional.
    • Validate that the device and environment associated with the key are legitimate.
  • Immediate Removal of Unauthorized Keys

    • If the activity is unintentional or suspicious, remove the SSH key from the account without delay.
  • Account Security Review

    • Check for unusual login patterns, suspicious IP addresses, or abnormal User-Agent values to assess whether the account has been compromised.
  • Credential Reset

    • If unauthorized SSH key registration is confirmed, revoke all authentication artifacts—PATs, SSH keys, OAuth tokens—and reissue new credentials.
  • Investigation of Additional Malicious Activity

    • Review repository activity before and after the key registration to identify unauthorized pushes, repository access, or workflow creation.
  • Security Hardening

    • Implement pre-approval workflows for new SSH key registrations, enforce key-strength policies, and require periodic cleanup of unused keys.
    • Consider enabling alerts or approval gates for SSH key additions.

MITRE ATT&CK