Detect Code Repositories in CrowdStrike LogScale
Adversaries may leverage code repositories to collect valuable information including proprietary source code and unsecured credentials embedded within software. Code repositories such as GitHub, GitLab, Bitbucket, and Azure DevOps store source code and automate software builds, and may be hosted internally or externally. Once adversaries gain access via compromised credentials, stolen OAuth tokens, or insider access, they may bulk-clone repositories, run automated secret-scanning tools (trufflehog, gitleaks) to harvest embedded API keys and passwords, or enumerate organizational repositories at scale via API calls. LAPSUS$ searched victim networks for GitLab and GitHub instances to discover high-privilege credentials; Scattered Spider enumerated internal GitHub repositories as part of broader data theft operations; APT41 cloned victim Git repositories during intrusions. Successful exploitation provides adversaries with source code for developing targeted exploits, service credentials for lateral movement, and intellectual property for competitive or financial gain.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.003 Code Repositories
- Canonical reference
- https://attack.mitre.org/techniques/T1213/003/
LogScale Detection Query
#event_simpleName=ProcessRollup2
// Classify secret scanning tool usage
| IsSecretScan := FileName = /trufflehog|gitleaks|git.secrets|gitrob|shhgit|detect.secrets|git.hound|gitallsecrets/i
OR CommandLine = /trufflehog|gitleaks|git.secrets|gitrob|shhgit|detect.secrets|git.hound|gitallsecrets/i
// Classify repository API enumeration by scripting engines
| IsAPIEnum := CommandLine = /api\.github\.com\/(orgs|users|repos|search)|gitlab\.com\/api\/v4\/(projects|groups)|api\.bitbucket\.org\/2\.0\/repositories|dev\.azure\.com/i
AND FileName = /python3?(\.exe)?$|powershell(\.exe)?$|pwsh(\.exe)?$|curl(\.exe)?$|wget(\.exe)?$/i
// Classify git bulk extraction
| IsBulkExtract := FileName = /\bgit(\.exe)?$/i
AND CommandLine = /\b(archive|bundle)\b/i
// Classify git clone
| IsBulkClone := FileName = /\bgit(\.exe)?$/i
AND CommandLine = /\bclone\b/i
// Keep only relevant events
| IsSecretScan = true OR IsAPIEnum = true OR IsBulkExtract = true OR IsBulkClone = true
// Aggregate per host, user, and process within 1-hour buckets
| groupBy(
[ComputerName, UserName, FileName, IsSecretScan, IsAPIEnum, IsBulkExtract, IsBulkClone],
function=[
count(as=EventCount),
collect(CommandLine, limit=15, as=CommandSamples),
min(@timestamp, as=FirstSeen),
max(@timestamp, as=LastSeen)
])
// Apply threshold: bulk clone requires 5+ events, all others fire immediately
| IsSecretScan = true
OR IsAPIEnum = true
OR IsBulkExtract = true
OR (IsBulkClone = true AND EventCount >= 5)
// Label detection type
| DetectionType := case {
IsSecretScan = true => "SecretScanningToolExecution";
IsAPIEnum = true => "RepositoryAPIEnumeration";
IsBulkExtract = true => "GitBulkExtraction";
IsBulkClone = true AND EventCount >= 5 => "BulkRepositoryCloning";
* => "MultipleSignals"
}
| table([FirstSeen, LastSeen, ComputerName, UserName, FileName, DetectionType, EventCount, CommandSamples])
| sort(FirstSeen, order=desc)CrowdStrike LogScale (Falcon Data Replicator) query detecting T1213.003 code repository collection via ProcessRollup2 events. Classifies events into four detection types: SecretScanningToolExecution (trufflehog, gitleaks, gitrob, shhgit, etc.), RepositoryAPIEnumeration (scripting tools hitting GitHub/GitLab/Bitbucket/Azure DevOps APIs), GitBulkExtraction (git archive/bundle), and BulkRepositoryCloning (5+ git clone events per hour). Aggregates per host, user, and binary.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor installed on CI/CD build agents where git clone, gitleaks, or detect-secrets run as part of standard automated pipeline steps.
- Security team workstations running authorized secret-scanning assessments (trufflehog, gitrob) against internal or external repositories during penetration tests.
- DevOps tooling scripts that call GitHub or GitLab APIs to automate repository provisioning, settings management, or webhook configuration.
- Developer onboarding automation scripts that bulk-clone a standard set of repositories (5+) for environment setup on new machines.
Other platforms for T1213.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bulk Repository Cloning via Shell Loop
Expected signal: Sysmon Event ID 1 (if configured on Linux via auditd): multiple git process creation events with CommandLine containing 'clone' within seconds. On Windows endpoints: DeviceProcessEvents entries for git.exe with ProcessCommandLine matching 'clone https://github.com/'. Five or more clone events from the same AccountName within a 1-hour bin.
- Test 2Secret Scanning with Trufflehog Against Local Repository
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'trufflehog' or CommandLine containing 'trufflehog'. If trufflehog is not installed, the which command still creates a process event. DeviceProcessEvents: FileName='trufflehog' or ProcessCommandLine has 'trufflehog'.
- Test 3GitHub Organization Repository Enumeration via API
Expected signal: Sysmon Event ID 1: Process Create for curl with CommandLine containing 'api.github.com/orgs'. Sysmon Event ID 3: Network Connection to api.github.com:443. DeviceProcessEvents: FileName='curl' with ProcessCommandLine has 'api.github.com/orgs'. DeviceNetworkEvents: RemoteUrl containing 'api.github.com'.
- Test 4Git Archive Bulk Content Extraction
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'git' and CommandLine containing 'archive --format'. Sysmon Event ID 11: File Create events for the extracted files in /tmp. DeviceProcessEvents: FileName='git' with ProcessCommandLine has 'archive'. DeviceFileEvents: multiple file creation events from the git process in output directory.
References (11)
- https://attack.mitre.org/techniques/T1213/003/
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/
- https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
- https://github.com/trufflesecurity/trufflehog
- https://github.com/gitleaks/gitleaks
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization
- https://learn.microsoft.com/en-us/defender-cloud-apps/connect-github-ec
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.003/T1213.003.md
Unlock Pro Content
Get the full detection package for T1213.003 including response playbook, investigation guide, and atomic red team tests.