Detect Code Repositories in Elastic Security
Adversaries may leverage code repositories to collect valuable information including proprietary source code and unsecured credentials embedded within software. Code repositories such as GitHub, GitLab, Bitbucket, and Azure DevOps store source code and automate software builds, and may be hosted internally or externally. Once adversaries gain access via compromised credentials, stolen OAuth tokens, or insider access, they may bulk-clone repositories, run automated secret-scanning tools (trufflehog, gitleaks) to harvest embedded API keys and passwords, or enumerate organizational repositories at scale via API calls. LAPSUS$ searched victim networks for GitLab and GitHub instances to discover high-privilege credentials; Scattered Spider enumerated internal GitHub repositories as part of broader data theft operations; APT41 cloned victim Git repositories during intrusions. Successful exploitation provides adversaries with source code for developing targeted exploits, service credentials for lateral movement, and intellectual property for competitive or financial gain.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.003 Code Repositories
- Canonical reference
- https://attack.mitre.org/techniques/T1213/003/
Elastic Detection Query
process where event.type == "start" and (
/* Secret scanning tools by process name or args */
process.name in~ ("trufflehog", "gitleaks", "git-secrets", "gitrob", "shhgit", "detect-secrets", "git-hound", "gitallsecrets")
or process.args in~ ("trufflehog", "gitleaks", "git-secrets", "gitrob", "shhgit", "detect-secrets", "git-hound", "gitallsecrets")
/* Git bulk extraction via archive or bundle */
or (
process.name in~ ("git", "git.exe")
and process.args : ("archive", "bundle")
)
/* Git clone — pair with threshold alert for 5+ per hour */
or (
process.name in~ ("git", "git.exe")
and process.args : "clone"
)
/* Scripting tools hitting repo API endpoints */
or (
process.name in~ ("python", "python3", "python.exe", "python3.exe", "powershell.exe", "pwsh.exe", "curl", "curl.exe", "wget", "wget.exe")
and (
process.command_line : "*api.github.com/orgs*"
or process.command_line : "*api.github.com/users/*"
or process.command_line : "*api.github.com/repos*"
or process.command_line : "*api.github.com/search/repositories*"
or process.command_line : "*gitlab.com/api/v4/projects*"
or process.command_line : "*gitlab.com/api/v4/groups*"
or process.command_line : "*api.bitbucket.org/2.0/repositories*"
or process.command_line : "*dev.azure.com*"
)
)
)Detects T1213.003 code repository collection via process telemetry: secret scanning tool execution (trufflehog, gitleaks, gitrob, etc.), git bulk extraction operations (archive/bundle), scripting tools enumerating repository APIs (GitHub, GitLab, Bitbucket, Azure DevOps). Pair with a threshold rule to catch 5+ clone events per host per hour from the same user.
Data Sources
Required Tables
False Positives & Tuning
- Developer CI pipelines legitimately run gitleaks or detect-secrets as pre-commit hooks or build steps on dedicated build agents.
- Security teams running authorized red-team tooling (trufflehog, gitrob) against internal repos during sanctioned assessments.
- DevOps automation scripts that mirror or archive repositories for backup purposes via git archive/bundle on scheduled intervals.
- Internal developer onboarding scripts that bulk-clone a set of starter repositories for new engineers.
Other platforms for T1213.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bulk Repository Cloning via Shell Loop
Expected signal: Sysmon Event ID 1 (if configured on Linux via auditd): multiple git process creation events with CommandLine containing 'clone' within seconds. On Windows endpoints: DeviceProcessEvents entries for git.exe with ProcessCommandLine matching 'clone https://github.com/'. Five or more clone events from the same AccountName within a 1-hour bin.
- Test 2Secret Scanning with Trufflehog Against Local Repository
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'trufflehog' or CommandLine containing 'trufflehog'. If trufflehog is not installed, the which command still creates a process event. DeviceProcessEvents: FileName='trufflehog' or ProcessCommandLine has 'trufflehog'.
- Test 3GitHub Organization Repository Enumeration via API
Expected signal: Sysmon Event ID 1: Process Create for curl with CommandLine containing 'api.github.com/orgs'. Sysmon Event ID 3: Network Connection to api.github.com:443. DeviceProcessEvents: FileName='curl' with ProcessCommandLine has 'api.github.com/orgs'. DeviceNetworkEvents: RemoteUrl containing 'api.github.com'.
- Test 4Git Archive Bulk Content Extraction
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'git' and CommandLine containing 'archive --format'. Sysmon Event ID 11: File Create events for the extracted files in /tmp. DeviceProcessEvents: FileName='git' with ProcessCommandLine has 'archive'. DeviceFileEvents: multiple file creation events from the git process in output directory.
References (11)
- https://attack.mitre.org/techniques/T1213/003/
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/
- https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
- https://github.com/trufflesecurity/trufflehog
- https://github.com/gitleaks/gitleaks
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization
- https://learn.microsoft.com/en-us/defender-cloud-apps/connect-github-ec
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.003/T1213.003.md
Unlock Pro Content
Get the full detection package for T1213.003 including response playbook, investigation guide, and atomic red team tests.