T1593.003 Code Repositories Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let RepoReconTools = dynamic([
  "trufflehog", "gitleaks", "gitrob", "git-secrets", "repo-supervisor",
  "gitguardian", "detect-secrets", "noseyparker", "secretscanner",
  "git-hound", "gitallsecrets", "github-dorks", "github-search"
]);
let GitHubAPIEndpoints = dynamic([
  "api.github.com", "github.com/search", "raw.githubusercontent.com",
  "gitlab.com/api", "api.bitbucket.org"
]);
let LegitBrowsers = dynamic([
  "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
  "safari", "opera.exe", "brave.exe"
]);
// Branch 1: OSINT/repo-scraping tools executed on internal endpoints
let ReconToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (RepoReconTools)
    or ProcessCommandLine has_any (RepoReconTools)
    or ProcessCommandLine has_any ("trufflehog", "gitleaks", "gitrob", "github-dorks", "gitallsecrets")
| extend DetectionBranch = "ReconToolExecution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
// Branch 2: Non-browser processes making bulk API calls to code repository APIs
let BulkRepoAPIAccess = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (GitHubAPIEndpoints)
    or RemoteIPType == "Public" and (RemoteUrl has "github" or RemoteUrl has "gitlab" or RemoteUrl has "bitbucket")
| where not (InitiatingProcessFileName has_any (LegitBrowsers))
| where InitiatingProcessFileName !in~ ("git.exe", "gh.exe", "code.exe", "devenv.exe", "rider64.exe", "idea64.exe")
| summarize RequestCount = count(),
            UniqueURLs = dcount(RemoteUrl),
            SampleURLs = make_set(RemoteUrl, 5),
            Earliest = min(Timestamp),
            Latest = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| where RequestCount > 10 or UniqueURLs > 3
| extend DetectionBranch = "BulkRepoAPIAccess"
| extend Timestamp = Earliest;
// Branch 3: PowerShell or scripting engines querying GitHub search/API
let ScriptRepoQuery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe", "python.exe", "python3", "curl.exe", "wget.exe")
| where ProcessCommandLine has "github.com" or ProcessCommandLine has "api.github.com"
    or ProcessCommandLine has "gitlab.com" or ProcessCommandLine has "bitbucket.org"
| where ProcessCommandLine has_any ("search", "code", "token", "secret", "password", "api_key", "credential", "leak")
| extend DetectionBranch = "ScriptRepoQuery"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch;
union ReconToolExecution, ScriptRepoQuery
| sort by Timestamp desc

medium severity low confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Security teams running authorized secret scanning tools (truffleHog, gitleaks) as part of internal security audits or CI/CD pipeline security checks
Developers using GitHub CLI (gh.exe) or IDE integrations (VS Code, JetBrains) that make legitimate API calls to GitHub — covered by the exclusion list but new IDE tools may need to be added
DevSecOps automation pipelines running repository scanning tools on build agents — these would generate bulk API calls from CI runner processes
Penetration testers with written authorization conducting red team exercises against the organization's own GitHub repositories
GitHub Actions or GitLab CI runners executing on self-hosted agents that connect to GitHub APIs as part of normal pipeline operations

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval Image_lower=lower(Image)
`comment("--- Score: Known OSINT / repo reconnaissance tools ---")`
| eval ReconTool=if(
    match(Image_lower, "(trufflehog|gitleaks|gitrob|noseyparker|gitallsecrets|repo-supervisor|secretscanner|git-hound)") OR
    match(CommandLine, "(trufflehog|gitleaks|gitrob|noseyparker|gitallsecrets|repo-supervisor|secretscanner|git-hound|github-dorks)"),
    1, 0)
`comment("--- Score: Script/CLI processes referencing repo APIs ---")`
| eval ScriptRepoQuery=if(
    match(Image_lower, "(powershell|pwsh|python|curl|wget|ruby|node)") AND
    match(CommandLine, "(github\.com|api\.github\.com|gitlab\.com|bitbucket\.org)") AND
    match(CommandLine, "(search|secret|password|token|api_key|credential|key|leak)"),
    1, 0)
`comment("--- Score: git CLI used with log/grep patterns targeting secrets ---")`
| eval GitSecretSearch=if(
    match(Image_lower, "(git\.exe|git)$") AND
    match(CommandLine, "(grep|log|diff|show)") AND
    match(CommandLine, "(password|secret|token|api_key|aws_|private_key)"),
    1, 0)
| eval SuspicionScore=ReconTool + ScriptRepoQuery + GitSecretSearch
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        ReconTool, ScriptRepoQuery, GitSecretSearch, SuspicionScore
| sort - SuspicionScore, - _time

medium severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized security team secret scanning runs during quarterly code audits — operations team should submit change tickets before running these tools
CI/CD build agents (Jenkins, GitHub Actions self-hosted runners) that execute gitleaks or truffleHog as part of automated pre-commit or PR security gates
Developers using git log with grep to search their own local repositories for debugging purposes — distinguish by checking if the repo is a local path vs. a cloned public repository
Security researchers or red team operators with written authorization performing authorized code repository reconnaissance exercises
Package managers or dependency scanners that interact with GitHub release APIs to check for updates — these would typically show as known package manager process names

Elastic Security (EQL)

eql

// T1593.003 — Code Repository Recon
process where process.name : ("python.exe", "python3", "git.exe", "git")
  and process.command_line : (
    "*trufflehog*", "*gitleaks*", "*gitrob*", "*git-secrets*",
    "*noseyparker*", "*github-dorks*", "*gitallsecrets*",
    "*gitguardian*", "*secretscanner*"
  )

medium severity low confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

Security teams running authorized secret scanning tools (truffleHog, gitleaks) as part of internal security audits or CI/CD pipeline security checks
Developers using GitHub CLI (gh.exe) or IDE integrations (VS Code, JetBrains) that make legitimate API calls to GitHub — covered by the exclusion list but new IDE tools may need to be added
DevSecOps automation pipelines running repository scanning tools on build agents — these would generate bulk API calls from CI runner processes
Penetration testers with written authorization conducting red team exercises against the organization's own GitHub repositories

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN LOWER("CommandLine") ILIKE '%trufflehog%' OR LOWER("CommandLine") ILIKE '%gitleaks%' OR LOWER("CommandLine") ILIKE '%gitrob%' OR LOWER("CommandLine") ILIKE '%noseyparker%' THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE (LOWER("CommandLine") ILIKE '%trufflehog%' OR LOWER("CommandLine") ILIKE '%gitleaks%' OR LOWER("CommandLine") ILIKE '%gitrob%' OR LOWER("CommandLine") ILIKE '%noseyparker%')
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity low confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Security teams running authorized secret scanning tools (truffleHog, gitleaks) as part of internal security audits or CI/CD pipeline security checks
Developers using GitHub CLI (gh.exe) or IDE integrations (VS Code, JetBrains) that make legitimate API calls to GitHub — covered by the exclusion list but new IDE tools may need to be added
DevSecOps automation pipelines running repository scanning tools on build agents — these would generate bulk API calls from CI runner processes
Penetration testers with written authorization conducting red team exercises against the organization's own GitHub repositories

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

medium severity low confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

windows/events security/sysmon

False Positives

Security teams running authorized secret scanning tools (truffleHog, gitleaks) as part of internal security audits or CI/CD pipeline security checks
Developers using GitHub CLI (gh.exe) or IDE integrations (VS Code, JetBrains) that make legitimate API calls to GitHub — covered by the exclusion list but new IDE tools may need to be added
DevSecOps automation pipelines running repository scanning tools on build agents — these would generate bulk API calls from CI runner processes
Penetration testers with written authorization conducting red team exercises against the organization's own GitHub repositories

Google Chronicle / SecOps

yaral

rule t1593_003_code_repositories {
  meta:
    author = "df00tech"
    description = "Detects Code Repositories (T1593.003)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1593.003"
    confidence = "low"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity low confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

PROCESS_LAUNCH PROCESS_OPEN

False Positives

Security teams running authorized secret scanning tools (truffleHog, gitleaks) as part of internal security audits or CI/CD pipeline security checks
Developers using GitHub CLI (gh.exe) or IDE integrations (VS Code, JetBrains) that make legitimate API calls to GitHub — covered by the exclusion list but new IDE tools may need to be added
DevSecOps automation pipelines running repository scanning tools on build agents — these would generate bulk API calls from CI runner processes
Penetration testers with written authorization conducting red team exercises against the organization's own GitHub repositories

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1593.003 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1593.003 - OSINTTool";
    * => TechniqueLabel := "T1593.003 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity low confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

Security teams running authorized secret scanning tools (truffleHog, gitleaks) as part of internal security audits or CI/CD pipeline security checks
Developers using GitHub CLI (gh.exe) or IDE integrations (VS Code, JetBrains) that make legitimate API calls to GitHub — covered by the exclusion list but new IDE tools may need to be added
DevSecOps automation pipelines running repository scanning tools on build agents — these would generate bulk API calls from CI runner processes
Penetration testers with written authorization conducting red team exercises against the organization's own GitHub repositories

Code Repositories

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections