Detect Code Repositories in Splunk
Adversaries may leverage code repositories to collect valuable information including proprietary source code and unsecured credentials embedded within software. Code repositories such as GitHub, GitLab, Bitbucket, and Azure DevOps store source code and automate software builds, and may be hosted internally or externally. Once adversaries gain access via compromised credentials, stolen OAuth tokens, or insider access, they may bulk-clone repositories, run automated secret-scanning tools (trufflehog, gitleaks) to harvest embedded API keys and passwords, or enumerate organizational repositories at scale via API calls. LAPSUS$ searched victim networks for GitLab and GitHub instances to discover high-privilege credentials; Scattered Spider enumerated internal GitHub repositories as part of broader data theft operations; APT41 cloned victim Git repositories during intrusions. Successful exploitation provides adversaries with source code for developing targeted exploits, service credentials for lateral movement, and intellectual property for competitive or financial gain.
MITRE ATT&CK
- Tactic
- Collection
- Technique
- T1213 Data from Information Repositories
- Sub-technique
- T1213.003 Code Repositories
- Canonical reference
- https://attack.mitre.org/techniques/T1213/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval cmd_lower=lower(CommandLine)
| eval IsBulkClone=if(
match(Image, "(?i)\\\\git\\.exe$|/git$")
AND match(cmd_lower, "\\bclone\\b"),
1, 0)
| eval IsSecretScan=if(
match(cmd_lower, "trufflehog|gitleaks|git.secrets|gitrob|shhgit|detect.secrets|git.hound|gitallsecrets"),
1, 0)
| eval IsAPIEnum=if(
match(cmd_lower, "api\\.github\\.com/(orgs|users|repos|search)|gitlab\\.com/api/v4/(projects|groups)|api\\.bitbucket\\.org/2\\.0/repositories|dev\\.azure\\.com"),
1, 0)
| eval IsBulkExtract=if(
match(Image, "(?i)\\\\git\\.exe$|/git$")
AND match(cmd_lower, "\\b(archive|bundle)\\b"),
1, 0)
| where IsBulkClone=1 OR IsSecretScan=1 OR IsAPIEnum=1 OR IsBulkExtract=1
| stats
count as EventCount,
values(CommandLine) as CommandLines,
max(IsBulkClone) as IsBulkClone,
max(IsSecretScan) as IsSecretScan,
max(IsAPIEnum) as IsAPIEnum,
max(IsBulkExtract) as IsBulkExtract,
earliest(_time) as FirstSeen,
latest(_time) as LastSeen
by host, User, Image
| where IsSecretScan=1
OR IsAPIEnum=1
OR IsBulkExtract=1
OR (IsBulkClone=1 AND EventCount>=5)
| eval DetectionType=case(
IsSecretScan=1, "SecretScanningToolExecution",
IsAPIEnum=1, "RepositoryAPIEnumeration",
IsBulkExtract=1, "GitBulkExtraction",
IsBulkClone=1 AND EventCount>=5, "BulkRepositoryCloning",
1=1, "MultipleSignals"
)
| table FirstSeen, LastSeen, host, User, Image, DetectionType, EventCount, CommandLines
| sort - FirstSeenDetects adversarial code repository collection using Sysmon Event ID 1 (Process Creation). Evaluates process command lines against four detection categories: bulk git clone operations (five or more per aggregation window per account), secret scanning tool execution (trufflehog, gitleaks, gitrob, shhgit, detect-secrets), API-based repository enumeration targeting GitHub/GitLab/Bitbucket organization endpoints via curl/Python/PowerShell, and git archive or bundle commands for bulk content extraction. Aggregates by host and user to surface patterns invisible in single-event views, then filters to high-fidelity conditions before labeling with a DetectionType for analyst routing.
Data Sources
Required Sourcetypes
False Positives & Tuning
- CI/CD pipeline agents (Jenkins, GitHub Actions runners, Azure DevOps build agents) that perform bulk repository clones as part of legitimate build orchestration
- Security engineering teams running authorized secret scanning (gitleaks, trufflehog) as part of AppSec pipeline or pre-commit hooks
- Developer onboarding scripts that clone multiple repositories simultaneously to set up a local development environment
- Backup and archival automation jobs that use git bundle or git archive to create scheduled snapshots of organizational repositories
- Supply chain security tools (Dependabot, Renovate, Snyk) that enumerate repositories to check for vulnerable dependencies
Other platforms for T1213.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Bulk Repository Cloning via Shell Loop
Expected signal: Sysmon Event ID 1 (if configured on Linux via auditd): multiple git process creation events with CommandLine containing 'clone' within seconds. On Windows endpoints: DeviceProcessEvents entries for git.exe with ProcessCommandLine matching 'clone https://github.com/'. Five or more clone events from the same AccountName within a 1-hour bin.
- Test 2Secret Scanning with Trufflehog Against Local Repository
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'trufflehog' or CommandLine containing 'trufflehog'. If trufflehog is not installed, the which command still creates a process event. DeviceProcessEvents: FileName='trufflehog' or ProcessCommandLine has 'trufflehog'.
- Test 3GitHub Organization Repository Enumeration via API
Expected signal: Sysmon Event ID 1: Process Create for curl with CommandLine containing 'api.github.com/orgs'. Sysmon Event ID 3: Network Connection to api.github.com:443. DeviceProcessEvents: FileName='curl' with ProcessCommandLine has 'api.github.com/orgs'. DeviceNetworkEvents: RemoteUrl containing 'api.github.com'.
- Test 4Git Archive Bulk Content Extraction
Expected signal: Sysmon Event ID 1: Process Create with Image containing 'git' and CommandLine containing 'archive --format'. Sysmon Event ID 11: File Create events for the extracted files in /tmp. DeviceProcessEvents: FileName='git' with ProcessCommandLine has 'archive'. DeviceFileEvents: multiple file creation events from the git process in output directory.
References (11)
- https://attack.mitre.org/techniques/T1213/003/
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.cisa.gov/sites/default/files/2023-11/aa23-320a_scattered_spider.pdf
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/
- https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/
- https://github.com/trufflesecurity/trufflehog
- https://github.com/gitleaks/gitleaks
- https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization
- https://learn.microsoft.com/en-us/defender-cloud-apps/connect-github-ec
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1213.003/T1213.003.md
Unlock Pro Content
Get the full detection package for T1213.003 including response playbook, investigation guide, and atomic red team tests.