T1213.003

Code Repositories

Adversaries may leverage code repositories to collect valuable information including proprietary source code and unsecured credentials embedded within software. Code repositories such as GitHub, GitLab, Bitbucket, and Azure DevOps store source code and automate software builds, and may be hosted internally or externally. Once adversaries gain access via compromised credentials, stolen OAuth tokens, or insider access, they may bulk-clone repositories, run automated secret-scanning tools (trufflehog, gitleaks) to harvest embedded API keys and passwords, or enumerate organizational repositories at scale via API calls. LAPSUS$ searched victim networks for GitLab and GitHub instances to discover high-privilege credentials; Scattered Spider enumerated internal GitHub repositories as part of broader data theft operations; APT41 cloned victim Git repositories during intrusions. Successful exploitation provides adversaries with source code for developing targeted exploits, service credentials for lateral movement, and intellectual property for competitive or financial gain.

Microsoft Sentinel / Defender

kusto

let SecretScanTools = dynamic(["trufflehog", "gitleaks", "git-secrets", "gitrob", "shhgit", "detect-secrets", "gitallsecrets", "git-hound"]);
let RepoAPIPatterns = dynamic([
    "api.github.com/orgs", "api.github.com/users/", "api.github.com/repos", "api.github.com/search/repositories",
    "gitlab.com/api/v4/projects", "gitlab.com/api/v4/groups",
    "api.bitbucket.org/2.0/repositories",
    "dev.azure.com" 
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (
    // Bulk git clone / archive / bundle operations
    (FileName in~ ("git.exe", "git") and ProcessCommandLine has_any ("clone", "archive", "bundle"))
    // Secret scanning tools targeting repositories
    or FileName has_any (SecretScanTools)
    or ProcessCommandLine has_any (SecretScanTools)
    // API-based repository enumeration via scripting tools
    or (
        FileName in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3.exe", "curl.exe", "curl", "wget.exe", "wget")
        and ProcessCommandLine has_any (RepoAPIPatterns)
    )
)
| extend IsBulkClone = iff(FileName in~ ("git.exe", "git") and ProcessCommandLine has "clone", true, false)
| extend IsSecretScan = iff(FileName has_any (SecretScanTools) or ProcessCommandLine has_any (SecretScanTools), true, false)
| extend IsAPIEnum = iff(ProcessCommandLine has_any (RepoAPIPatterns), true, false)
| extend IsBulkExtract = iff(FileName in~ ("git.exe", "git") and (ProcessCommandLine has "archive" or ProcessCommandLine has "bundle"), true, false)
| summarize
    EventCount = count(),
    CommandSamples = make_set(ProcessCommandLine, 15),
    IsBulkClone = max(toint(IsBulkClone)),
    IsSecretScan = max(toint(IsSecretScan)),
    IsAPIEnum = max(toint(IsAPIEnum)),
    IsBulkExtract = max(toint(IsBulkExtract)),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, FileName, bin(Timestamp, 1h)
| where IsSecretScan == 1
    or IsAPIEnum == 1
    or IsBulkExtract == 1
    or (IsBulkClone == 1 and EventCount >= 5)
| extend DetectionType = case(
    IsSecretScan == 1, "SecretScanningToolExecution",
    IsAPIEnum == 1, "RepositoryAPIEnumeration",
    IsBulkExtract == 1, "GitBulkExtraction",
    IsBulkClone == 1 and EventCount >= 5, "BulkRepositoryCloning",
    "MultipleSignals"
)
| project FirstSeen, LastSeen, DeviceName, AccountName, FileName, DetectionType, EventCount, CommandSamples
| sort by FirstSeen desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

CI/CD pipeline agents (Jenkins, GitHub Actions runners, Azure DevOps build agents) that perform bulk repository clones as part of legitimate build orchestration
Security engineering teams running authorized secret scanning (gitleaks, trufflehog) as part of AppSec pipeline or pre-commit hooks
Developer onboarding scripts that clone multiple repositories simultaneously to set up a local development environment
Backup and archival automation jobs that use git bundle or git archive to create scheduled snapshots of organizational repositories
Supply chain security tools (Dependabot, Renovate, Snyk) that enumerate repositories to check for vulnerable dependencies

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmd_lower=lower(CommandLine)
| eval IsBulkClone=if(
    match(Image, "(?i)\\\\git\\.exe$|/git$")
    AND match(cmd_lower, "\\bclone\\b"),
    1, 0)
| eval IsSecretScan=if(
    match(cmd_lower, "trufflehog|gitleaks|git.secrets|gitrob|shhgit|detect.secrets|git.hound|gitallsecrets"),
    1, 0)
| eval IsAPIEnum=if(
    match(cmd_lower, "api\\.github\\.com/(orgs|users|repos|search)|gitlab\\.com/api/v4/(projects|groups)|api\\.bitbucket\\.org/2\\.0/repositories|dev\\.azure\\.com"),
    1, 0)
| eval IsBulkExtract=if(
    match(Image, "(?i)\\\\git\\.exe$|/git$")
    AND match(cmd_lower, "\\b(archive|bundle)\\b"),
    1, 0)
| where IsBulkClone=1 OR IsSecretScan=1 OR IsAPIEnum=1 OR IsBulkExtract=1
| stats
    count as EventCount,
    values(CommandLine) as CommandLines,
    max(IsBulkClone) as IsBulkClone,
    max(IsSecretScan) as IsSecretScan,
    max(IsAPIEnum) as IsAPIEnum,
    max(IsBulkExtract) as IsBulkExtract,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by host, User, Image
| where IsSecretScan=1
    OR IsAPIEnum=1
    OR IsBulkExtract=1
    OR (IsBulkClone=1 AND EventCount>=5)
| eval DetectionType=case(
    IsSecretScan=1, "SecretScanningToolExecution",
    IsAPIEnum=1, "RepositoryAPIEnumeration",
    IsBulkExtract=1, "GitBulkExtraction",
    IsBulkClone=1 AND EventCount>=5, "BulkRepositoryCloning",
    1=1, "MultipleSignals"
)
| table FirstSeen, LastSeen, host, User, Image, DetectionType, EventCount, CommandLines
| sort - FirstSeen

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

CI/CD pipeline agents (Jenkins, GitHub Actions runners, Azure DevOps build agents) that perform bulk repository clones as part of legitimate build orchestration
Security engineering teams running authorized secret scanning (gitleaks, trufflehog) as part of AppSec pipeline or pre-commit hooks
Developer onboarding scripts that clone multiple repositories simultaneously to set up a local development environment
Backup and archival automation jobs that use git bundle or git archive to create scheduled snapshots of organizational repositories
Supply chain security tools (Dependabot, Renovate, Snyk) that enumerate repositories to check for vulnerable dependencies

Elastic Security (EQL)

eql

process where event.type == "start" and (
  /* Secret scanning tools by process name or args */
  process.name in~ ("trufflehog", "gitleaks", "git-secrets", "gitrob", "shhgit", "detect-secrets", "git-hound", "gitallsecrets")
  or process.args in~ ("trufflehog", "gitleaks", "git-secrets", "gitrob", "shhgit", "detect-secrets", "git-hound", "gitallsecrets")
  /* Git bulk extraction via archive or bundle */
  or (
    process.name in~ ("git", "git.exe")
    and process.args : ("archive", "bundle")
  )
  /* Git clone — pair with threshold alert for 5+ per hour */
  or (
    process.name in~ ("git", "git.exe")
    and process.args : "clone"
  )
  /* Scripting tools hitting repo API endpoints */
  or (
    process.name in~ ("python", "python3", "python.exe", "python3.exe", "powershell.exe", "pwsh.exe", "curl", "curl.exe", "wget", "wget.exe")
    and (
      process.command_line : "*api.github.com/orgs*"
      or process.command_line : "*api.github.com/users/*"
      or process.command_line : "*api.github.com/repos*"
      or process.command_line : "*api.github.com/search/repositories*"
      or process.command_line : "*gitlab.com/api/v4/projects*"
      or process.command_line : "*gitlab.com/api/v4/groups*"
      or process.command_line : "*api.bitbucket.org/2.0/repositories*"
      or process.command_line : "*dev.azure.com*"
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint (endpoint.events.process) Winlogbeat with Sysmon (winlogbeat-*) Auditbeat (auditbeat-*)

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

Developer CI pipelines legitimately run gitleaks or detect-secrets as pre-commit hooks or build steps on dedicated build agents.
Security teams running authorized red-team tooling (trufflehog, gitrob) against internal repos during sanctioned assessments.
DevOps automation scripts that mirror or archive repositories for backup purposes via git archive/bundle on scheduled intervals.
Internal developer onboarding scripts that bulk-clone a set of starter repositories for new engineers.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
  sourceip,
  username,
  "Process Name",
  "Command",
  COUNT(*) AS EventCount,
  CASE
    WHEN LOWER("Command") MATCHES '.*trufflehog.*|.*gitleaks.*|.*git.secrets.*|.*gitrob.*|.*shhgit.*|.*detect.secrets.*|.*git.hound.*|.*gitallsecrets.*' THEN 'SecretScanningToolExecution'
    WHEN LOWER("Command") MATCHES '.*(api\.github\.com/(orgs|users|repos|search)|gitlab\.com/api/v4/(projects|groups)|api\.bitbucket\.org/2\.0/repositories|dev\.azure\.com).*' THEN 'RepositoryAPIEnumeration'
    WHEN LOWER("Process Name") MATCHES '.*\\bgit(\.exe)?$' AND LOWER("Command") MATCHES '.*(\barchive\b|\bbundle\b).*' THEN 'GitBulkExtraction'
    WHEN LOWER("Process Name") MATCHES '.*\\bgit(\.exe)?$' AND LOWER("Command") MATCHES '.*\bclone\b.*' THEN 'BulkRepositoryCloning'
    ELSE 'MultipleSignals'
  END AS DetectionType
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (
    -- Microsoft Windows Security Event Log (EventID 4688)
    12,
    -- Sysmon (EventID 1)
    396
  )
  AND starttime > NOW() - 86400 SECONDS
  AND (
    LOWER("Command") MATCHES '.*trufflehog.*'
    OR LOWER("Command") MATCHES '.*gitleaks.*'
    OR LOWER("Command") MATCHES '.*git.secrets.*'
    OR LOWER("Command") MATCHES '.*gitrob.*'
    OR LOWER("Command") MATCHES '.*shhgit.*'
    OR LOWER("Command") MATCHES '.*detect.secrets.*'
    OR LOWER("Command") MATCHES '.*git.hound.*'
    OR LOWER("Command") MATCHES '.*gitallsecrets.*'
    OR LOWER("Command") MATCHES '.*api\.github\.com/orgs.*'
    OR LOWER("Command") MATCHES '.*api\.github\.com/users/.*'
    OR LOWER("Command") MATCHES '.*api\.github\.com/repos.*'
    OR LOWER("Command") MATCHES '.*api\.github\.com/search/repositories.*'
    OR LOWER("Command") MATCHES '.*gitlab\.com/api/v4/projects.*'
    OR LOWER("Command") MATCHES '.*gitlab\.com/api/v4/groups.*'
    OR LOWER("Command") MATCHES '.*api\.bitbucket\.org/2\.0/repositories.*'
    OR LOWER("Command") MATCHES '.*dev\.azure\.com.*'
    OR (
      LOWER("Process Name") MATCHES '.*\\bgit(\.exe)?$'
      AND LOWER("Command") MATCHES '.*(\barchive\b|\bbundle\b|\bclone\b).*'
    )
  )
GROUP BY sourceip, username, "Process Name", "Command"
HAVING
  DetectionType != 'BulkRepositoryCloning'
  OR (DetectionType = 'BulkRepositoryCloning' AND EventCount >= 5)
ORDER BY FirstSeen DESC

high severity medium confidence

Data Sources

Windows Security Event Log (EventID 4688 - Process Creation) Sysmon EventID 1 via Windows log source Linux Audit (execve syscall) if parsed into QRadar events

Required Tables

events

False Positives

Automated build servers (Jenkins, GitLab CI runners) that legitimately call git clone, archive, or API endpoints as part of standard CI/CD pipelines.
Security engineering teams with authorized gitleaks or trufflehog scanning integrated into pre-commit or scheduled pipeline jobs.
DevOps engineers scripting repository management tasks (repo creation, mirroring, archiving) via GitHub or GitLab APIs during normal business hours.
Third-party code quality or SAST tools that invoke git commands internally when analyzing repositories.

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*linux*
| where (%"EventID" = "1" OR %"EventID" = "4688" OR _sourceCategory matches "*linux*")
| parse field=CommandLine "*" as cmd nodrop
| parse field=Image "*" as process_image nodrop
| eval cmd_lower = toLowerCase(cmd)
| eval image_lower = toLowerCase(process_image)
// Classify activity
| eval IsSecretScan = if(
    cmd_lower matches "*trufflehog*" OR
    cmd_lower matches "*gitleaks*" OR
    cmd_lower matches "*git-secrets*" OR
    cmd_lower matches "*gitrob*" OR
    cmd_lower matches "*shhgit*" OR
    cmd_lower matches "*detect-secrets*" OR
    cmd_lower matches "*git-hound*" OR
    cmd_lower matches "*gitallsecrets*",
    1, 0)
| eval IsAPIEnum = if(
    cmd_lower matches "*api.github.com/orgs*" OR
    cmd_lower matches "*api.github.com/users/*" OR
    cmd_lower matches "*api.github.com/repos*" OR
    cmd_lower matches "*api.github.com/search/repositories*" OR
    cmd_lower matches "*gitlab.com/api/v4/projects*" OR
    cmd_lower matches "*gitlab.com/api/v4/groups*" OR
    cmd_lower matches "*api.bitbucket.org/2.0/repositories*" OR
    cmd_lower matches "*dev.azure.com*",
    1, 0)
| eval IsBulkExtract = if(
    (image_lower matches "*\git.exe" OR image_lower matches "*/git")
    AND (cmd_lower matches "* archive *" OR cmd_lower matches "* bundle *"),
    1, 0)
| eval IsBulkClone = if(
    (image_lower matches "*\git.exe" OR image_lower matches "*/git")
    AND cmd_lower matches "* clone *",
    1, 0)
| where IsSecretScan = 1 OR IsAPIEnum = 1 OR IsBulkExtract = 1 OR IsBulkClone = 1
| stats
    count as EventCount,
    max(IsSecretScan) as IsSecretScan,
    max(IsAPIEnum) as IsAPIEnum,
    max(IsBulkExtract) as IsBulkExtract,
    max(IsBulkClone) as IsBulkClone,
    values(cmd) as CommandSamples,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen
    by host, user, process_image
| where IsSecretScan = 1
    OR IsAPIEnum = 1
    OR IsBulkExtract = 1
    OR (IsBulkClone = 1 AND EventCount >= 5)
| eval DetectionType = if(IsSecretScan = 1, "SecretScanningToolExecution",
    if(IsAPIEnum = 1, "RepositoryAPIEnumeration",
    if(IsBulkExtract = 1, "GitBulkExtraction",
    if(IsBulkClone = 1 AND EventCount >= 5, "BulkRepositoryCloning",
    "MultipleSignals"))))
| fields FirstSeen, LastSeen, host, user, process_image, DetectionType, EventCount, CommandSamples
| sort by -FirstSeen

high severity high confidence

Data Sources

Windows Sysmon (EventID 1 - Process Create) via _sourceCategory=*windows*sysmon* Windows Security Event Log (EventID 4688) via _sourceCategory=*windows* Linux audit logs via _sourceCategory=*linux*

Required Tables

Sumo Logic indexes with Windows Sysmon or Security Event sources Linux audit/syslog sources with process execution fields

False Positives

Developer workstations with legitimate trufflehog or gitleaks installed as pre-commit hooks that run on every commit.
CI/CD runners (GitHub Actions, GitLab CI, Jenkins agents) that clone multiple repositories as part of automated build and test pipelines.
Security tooling VMs that run authorized secret-scanning workflows against internal codebases on a scheduled basis.
Data engineering teams archiving or bundling repositories via git archive as part of regular backup or compliance workflows.

Google Chronicle / SecOps

yaral

rule T1213_003_code_repository_collection {
  meta:
    author = "Detection Engineering"
    description = "Detects T1213.003 - Code Repository collection via secret scanning tools, repository API enumeration, and git bulk extraction operations."
    mitre_attack_tactic = "Collection"
    mitre_attack_technique = "T1213.003"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1213/003/"
    created = "2026-04-19"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    (
      // Secret scanning tools by process name
      re.regex($e.principal.process.file.full_path, `(?i)(trufflehog|gitleaks|git-secrets|gitrob|shhgit|detect-secrets|git-hound|gitallsecrets)$`)

      // Secret scanning tools in command line arguments
      or re.regex($e.principal.process.command_line, `(?i)(trufflehog|gitleaks|git.secrets|gitrob|shhgit|detect.secrets|git.hound|gitallsecrets)`)

      // Git bulk archive or bundle operations
      or (
        re.regex($e.principal.process.file.full_path, `(?i)(^|[/\\])git(\.exe)?$`)
        and re.regex($e.principal.process.command_line, `(?i)\b(archive|bundle)\b`)
      )

      // Repository API enumeration via scripting tools
      or (
        re.regex($e.principal.process.file.full_path, `(?i)(python3?(\.exe)?|powershell(\.exe)?|pwsh(\.exe)?|curl(\.exe)?|wget(\.exe)?)$`)
        and re.regex($e.principal.process.command_line, `api\.github\.com/(orgs|users|repos|search)|gitlab\.com/api/v4/(projects|groups)|api\.bitbucket\.org/2\.0/repositories|dev\.azure\.com`)
      )

      // Git clone operations (threshold for bulk detected at SIEM level via noisy_keyword or aggregation rule)
      or (
        re.regex($e.principal.process.file.full_path, `(?i)(^|[/\\])git(\.exe)?$`)
        and re.regex($e.principal.process.command_line, `(?i)\bclone\b`)
      )
    )

  match:
    $e.principal.hostname over 1h

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.principal.process.file.full_path
    $command_line = $e.principal.process.command_line
    $risk_score = max(
      if(re.regex($e.principal.process.command_line, `(?i)(trufflehog|gitleaks|git.secrets|gitrob|shhgit|detect.secrets|git.hound|gitallsecrets)`), 90, 0),
      if(re.regex($e.principal.process.command_line, `api\.github\.com|gitlab\.com/api|api\.bitbucket\.org|dev\.azure\.com`), 75, 0),
      if(re.regex($e.principal.process.command_line, `(?i)\b(archive|bundle)\b`) and re.regex($e.principal.process.file.full_path, `(?i)(^|[/\\])git(\.exe)?$`), 80, 0),
      if(re.regex($e.principal.process.command_line, `(?i)\bclone\b`) and re.regex($e.principal.process.file.full_path, `(?i)(^|[/\\])git(\.exe)?$`), 50, 0)
    )
    $detection_type = if(
      re.regex($e.principal.process.command_line, `(?i)(trufflehog|gitleaks|git.secrets|gitrob|shhgit|detect.secrets|git.hound|gitallsecrets)`), "SecretScanningToolExecution",
      if(re.regex($e.principal.process.command_line, `api\.github\.com|gitlab\.com/api|api\.bitbucket\.org|dev\.azure\.com`), "RepositoryAPIEnumeration",
      if(re.regex($e.principal.process.command_line, `(?i)\b(archive|bundle)\b`), "GitBulkExtraction", "BulkRepositoryCloning"))
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM - PROCESS_LAUNCH events Endpoint telemetry forwarded to Chronicle (CrowdStrike, Carbon Black, SentinelOne, Windows Event logs via Chronicle forwarder)

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Authorized security assessments where red team or security engineering runs gitleaks/trufflehog against internal repositories as part of approved engagements.
Developer machines with pre-commit hooks that invoke secret-scanning tools automatically on every git commit action.
CI/CD build agents (GitHub Actions self-hosted runners, Jenkins workers) that legitimately clone multiple repositories and interact with repository APIs.
DevOps engineers using scripted tools to manage repository settings, create repositories, or configure webhooks via GitHub/GitLab REST APIs.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
// Classify secret scanning tool usage
| IsSecretScan := FileName = /trufflehog|gitleaks|git.secrets|gitrob|shhgit|detect.secrets|git.hound|gitallsecrets/i
    OR CommandLine = /trufflehog|gitleaks|git.secrets|gitrob|shhgit|detect.secrets|git.hound|gitallsecrets/i
// Classify repository API enumeration by scripting engines
| IsAPIEnum := CommandLine = /api\.github\.com\/(orgs|users|repos|search)|gitlab\.com\/api\/v4\/(projects|groups)|api\.bitbucket\.org\/2\.0\/repositories|dev\.azure\.com/i
    AND FileName = /python3?(\.exe)?$|powershell(\.exe)?$|pwsh(\.exe)?$|curl(\.exe)?$|wget(\.exe)?$/i
// Classify git bulk extraction
| IsBulkExtract := FileName = /\bgit(\.exe)?$/i
    AND CommandLine = /\b(archive|bundle)\b/i
// Classify git clone
| IsBulkClone := FileName = /\bgit(\.exe)?$/i
    AND CommandLine = /\bclone\b/i
// Keep only relevant events
| IsSecretScan = true OR IsAPIEnum = true OR IsBulkExtract = true OR IsBulkClone = true
// Aggregate per host, user, and process within 1-hour buckets
| groupBy(
    [ComputerName, UserName, FileName, IsSecretScan, IsAPIEnum, IsBulkExtract, IsBulkClone],
    function=[
        count(as=EventCount),
        collect(CommandLine, limit=15, as=CommandSamples),
        min(@timestamp, as=FirstSeen),
        max(@timestamp, as=LastSeen)
    ])
// Apply threshold: bulk clone requires 5+ events, all others fire immediately
| IsSecretScan = true
    OR IsAPIEnum = true
    OR IsBulkExtract = true
    OR (IsBulkClone = true AND EventCount >= 5)
// Label detection type
| DetectionType := case {
    IsSecretScan = true => "SecretScanningToolExecution";
    IsAPIEnum = true => "RepositoryAPIEnumeration";
    IsBulkExtract = true => "GitBulkExtraction";
    IsBulkClone = true AND EventCount >= 5 => "BulkRepositoryCloning";
    * => "MultipleSignals"
  }
| table([FirstSeen, LastSeen, ComputerName, UserName, FileName, DetectionType, EventCount, CommandSamples])
| sort(FirstSeen, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Data Replicator - ProcessRollup2 events CrowdStrike Falcon Insight EDR process telemetry

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2)

False Positives

Falcon sensor installed on CI/CD build agents where git clone, gitleaks, or detect-secrets run as part of standard automated pipeline steps.
Security team workstations running authorized secret-scanning assessments (trufflehog, gitrob) against internal or external repositories during penetration tests.
DevOps tooling scripts that call GitHub or GitLab APIs to automate repository provisioning, settings management, or webhook configuration.
Developer onboarding automation scripts that bulk-clone a standard set of repositories (5+) for environment setup on new machines.

Last updated: 2026-04-19 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1213.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1213Data from Information Repositories

Related Sub-techniques

T1213.001Confluence T1213.002Sharepoint T1213.004Customer Relationship Management Software T1213.005Messaging Applications T1213.006Databases

Code Repositories

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Collection

Popular Detections