T1213.003 IBM QRadar · QRadar

Detect Code Repositories in IBM QRadar

Adversaries may leverage code repositories to collect valuable information including proprietary source code and unsecured credentials embedded within software. Code repositories such as GitHub, GitLab, Bitbucket, and Azure DevOps store source code and automate software builds, and may be hosted internally or externally. Once adversaries gain access via compromised credentials, stolen OAuth tokens, or insider access, they may bulk-clone repositories, run automated secret-scanning tools (trufflehog, gitleaks) to harvest embedded API keys and passwords, or enumerate organizational repositories at scale via API calls. LAPSUS$ searched victim networks for GitLab and GitHub instances to discover high-privilege credentials; Scattered Spider enumerated internal GitHub repositories as part of broader data theft operations; APT41 cloned victim Git repositories during intrusions. Successful exploitation provides adversaries with source code for developing targeted exploits, service credentials for lateral movement, and intellectual property for competitive or financial gain.

MITRE ATT&CK

Tactic
Collection
Technique
T1213 Data from Information Repositories
Sub-technique
T1213.003 Code Repositories
Canonical reference
https://attack.mitre.org/techniques/T1213/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS LastSeen,
  sourceip,
  username,
  "Process Name",
  "Command",
  COUNT(*) AS EventCount,
  CASE
    WHEN LOWER("Command") MATCHES '.*trufflehog.*|.*gitleaks.*|.*git.secrets.*|.*gitrob.*|.*shhgit.*|.*detect.secrets.*|.*git.hound.*|.*gitallsecrets.*' THEN 'SecretScanningToolExecution'
    WHEN LOWER("Command") MATCHES '.*(api\.github\.com/(orgs|users|repos|search)|gitlab\.com/api/v4/(projects|groups)|api\.bitbucket\.org/2\.0/repositories|dev\.azure\.com).*' THEN 'RepositoryAPIEnumeration'
    WHEN LOWER("Process Name") MATCHES '.*\\bgit(\.exe)?$' AND LOWER("Command") MATCHES '.*(\barchive\b|\bbundle\b).*' THEN 'GitBulkExtraction'
    WHEN LOWER("Process Name") MATCHES '.*\\bgit(\.exe)?$' AND LOWER("Command") MATCHES '.*\bclone\b.*' THEN 'BulkRepositoryCloning'
    ELSE 'MultipleSignals'
  END AS DetectionType
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (
    -- Microsoft Windows Security Event Log (EventID 4688)
    12,
    -- Sysmon (EventID 1)
    396
  )
  AND starttime > NOW() - 86400 SECONDS
  AND (
    LOWER("Command") MATCHES '.*trufflehog.*'
    OR LOWER("Command") MATCHES '.*gitleaks.*'
    OR LOWER("Command") MATCHES '.*git.secrets.*'
    OR LOWER("Command") MATCHES '.*gitrob.*'
    OR LOWER("Command") MATCHES '.*shhgit.*'
    OR LOWER("Command") MATCHES '.*detect.secrets.*'
    OR LOWER("Command") MATCHES '.*git.hound.*'
    OR LOWER("Command") MATCHES '.*gitallsecrets.*'
    OR LOWER("Command") MATCHES '.*api\.github\.com/orgs.*'
    OR LOWER("Command") MATCHES '.*api\.github\.com/users/.*'
    OR LOWER("Command") MATCHES '.*api\.github\.com/repos.*'
    OR LOWER("Command") MATCHES '.*api\.github\.com/search/repositories.*'
    OR LOWER("Command") MATCHES '.*gitlab\.com/api/v4/projects.*'
    OR LOWER("Command") MATCHES '.*gitlab\.com/api/v4/groups.*'
    OR LOWER("Command") MATCHES '.*api\.bitbucket\.org/2\.0/repositories.*'
    OR LOWER("Command") MATCHES '.*dev\.azure\.com.*'
    OR (
      LOWER("Process Name") MATCHES '.*\\bgit(\.exe)?$'
      AND LOWER("Command") MATCHES '.*(\barchive\b|\bbundle\b|\bclone\b).*'
    )
  )
GROUP BY sourceip, username, "Process Name", "Command"
HAVING
  DetectionType != 'BulkRepositoryCloning'
  OR (DetectionType = 'BulkRepositoryCloning' AND EventCount >= 5)
ORDER BY FirstSeen DESC
high severity medium confidence

AQL query for IBM QRadar detecting T1213.003 code repository collection. Queries Windows Security Event Log (EventID 4688) and Sysmon (EventID 1) log sources for secret scanning tool execution, repository API enumeration via scripting engines, git bulk archive/bundle operations, and bulk clone activity (5+ events threshold). Groups by source IP, username, process, and command to surface aggregated attacker activity.

Data Sources

Windows Security Event Log (EventID 4688 - Process Creation)Sysmon EventID 1 via Windows log sourceLinux Audit (execve syscall) if parsed into QRadar events

Required Tables

events

False Positives & Tuning

  • Automated build servers (Jenkins, GitLab CI runners) that legitimately call git clone, archive, or API endpoints as part of standard CI/CD pipelines.
  • Security engineering teams with authorized gitleaks or trufflehog scanning integrated into pre-commit or scheduled pipeline jobs.
  • DevOps engineers scripting repository management tasks (repo creation, mirroring, archiving) via GitHub or GitLab APIs during normal business hours.
  • Third-party code quality or SAST tools that invoke git commands internally when analyzing repositories.
Download portable Sigma rule (.yml)

Other platforms for T1213.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Bulk Repository Cloning via Shell Loop

    Expected signal: Sysmon Event ID 1 (if configured on Linux via auditd): multiple git process creation events with CommandLine containing 'clone' within seconds. On Windows endpoints: DeviceProcessEvents entries for git.exe with ProcessCommandLine matching 'clone https://github.com/'. Five or more clone events from the same AccountName within a 1-hour bin.

  2. Test 2Secret Scanning with Trufflehog Against Local Repository

    Expected signal: Sysmon Event ID 1: Process Create with Image containing 'trufflehog' or CommandLine containing 'trufflehog'. If trufflehog is not installed, the which command still creates a process event. DeviceProcessEvents: FileName='trufflehog' or ProcessCommandLine has 'trufflehog'.

  3. Test 3GitHub Organization Repository Enumeration via API

    Expected signal: Sysmon Event ID 1: Process Create for curl with CommandLine containing 'api.github.com/orgs'. Sysmon Event ID 3: Network Connection to api.github.com:443. DeviceProcessEvents: FileName='curl' with ProcessCommandLine has 'api.github.com/orgs'. DeviceNetworkEvents: RemoteUrl containing 'api.github.com'.

  4. Test 4Git Archive Bulk Content Extraction

    Expected signal: Sysmon Event ID 1: Process Create with Image containing 'git' and CommandLine containing 'archive --format'. Sysmon Event ID 11: File Create events for the extracted files in /tmp. DeviceProcessEvents: FileName='git' with ProcessCommandLine has 'archive'. DeviceFileEvents: multiple file creation events from the git process in output directory.

Last updated: 2026-04-19 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1213.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1213Data from Information Repositories

Related Sub-techniques

T1213.001ConfluenceT1213.002SharepointT1213.004Customer Relationship Management SoftwareT1213.005Messaging ApplicationsT1213.006Databases

Related Techniques

T1213Data from Information RepositoriesT1552Unsecured CredentialsT1552.001Credentials In FilesT1078Valid AccountsT1078.004Cloud AccountsT1530Data from Cloud StorageT1587.004ExploitsT1048Exfiltration Over Alternative ProtocolT1213.002SharepointT1593.003Code Repositories

Same Tactic: Collection

Popular Detections