Detect Code Repositories in CrowdStrike LogScale
Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Adversaries search these repositories for sensitive data including accidentally leaked credentials, API keys, internal hostnames, technology stack details, and employee names. Groups such as LAPSUS$, HAFNIUM, and Contagious Interview have actively exploited public repository leaks to discover valid credentials and identify victims for targeting.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1593 Search Open Websites/Domains
- Sub-technique: T1593.003 Code Repositories
- Canonical reference: https://attack.mitre.org/techniques/T1593/003/
LogScale Detection Query
```
#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1593.003 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1593.003 - OSINTTool";
    * => TechniqueLabel := "T1593.003 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])
```
CrowdStrike LogScale (Falcon) CQL detection for Code Repositories (T1593.003). Uses the CrowdStrike event_simpleName taxonomy with regex-based field filtering, groupBy aggregation, and case-based risk classification. Designed for the Falcon platform's LogScale query language.
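To see how the three filters and the ordered `case` block above classify process events before deploying the query, here is an added Python emulation of that logic run over constructed ProcessRollup2 records. It is not CrowdStrike's code; it assumes LogScale's `/regex/i` field matches are unanchored and case-insensitive, and the sample events, hostnames and user names are made up.

```python
import re

# Stage 1-3 of the CQL: event type, image name, command-line keyword.
# Assumption: LogScale /regex/i is an unanchored, case-insensitive search.
IMAGE_RE = re.compile(r"powershell\.exe|wmic\.exe|cmd\.exe", re.I)
KEYWORD_RE = re.compile(r"recon|enum|survey|harvest|osint", re.I)

# The case{} block: evaluated in order, first match wins, '*' is the catch-all.
CASE_LABELS = [
    (re.compile(r"win32_bios|win32_baseboard|bios", re.I), "T1593.003 - FirmwareEnum"),
    (re.compile(r"theharvester|recon-ng|spiderfoot", re.I), "T1593.003 - OSINTTool"),
]
DEFAULT_LABEL = "T1593.003 - Reconnaissance"

COLUMNS = ["@timestamp", "ComputerName", "UserName", "ImageFileName", "CommandLine"]


def label_command(cmdline):
    """Apply the ordered case{} rules to one command line."""
    for pattern, label in CASE_LABELS:
        if pattern.search(cmdline):
            return label
    return DEFAULT_LABEL


def run_detection(events):
    """Return the rows table() would emit for the events that survive all filters."""
    rows = []
    for ev in events:
        if ev.get("#event_simpleName") != "ProcessRollup2":
            continue  # only process-creation telemetry is considered
        if not IMAGE_RE.search(ev.get("ImageFileName", "")):
            continue  # e.g. gh.exe falls outside the ImageFileName filter
        cmd = ev.get("CommandLine", "")
        if not KEYWORD_RE.search(cmd):
            continue  # no reconnaissance keyword in the command line
        row = {col: ev.get(col, "") for col in COLUMNS}
        row["TechniqueLabel"] = label_command(cmd)
        rows.append(row)
    return rows


# Constructed sample events (hypothetical hosts, users and command lines, not real telemetry).
SAMPLE_EVENTS = [
    {"#event_simpleName": "ProcessRollup2", "@timestamp": "2024-01-01T10:00:00Z", "ComputerName": "WS01",
     "UserName": "alice", "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -Command python C:\tools\theHarvester\theHarvester.py"},
    {"#event_simpleName": "ProcessRollup2", "@timestamp": "2024-01-01T10:01:00Z", "ComputerName": "WS02",
     "UserName": "bob", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c wmic bios get serialnumber > C:\temp\recon.txt"},
    {"#event_simpleName": "ProcessRollup2", "@timestamp": "2024-01-01T10:02:00Z", "ComputerName": "WS03",
     "UserName": "carol", "ImageFileName": r"C:\Program Files\GitHub CLI\gh.exe",
     "CommandLine": "gh.exe api search/code -q enum"},
    {"#event_simpleName": "DnsRequest", "ComputerName": "WS03", "ImageFileName": "powershell.exe",
     "CommandLine": "powershell.exe recon"},
    {"#event_simpleName": "ProcessRollup2", "@timestamp": "2024-01-01T10:03:00Z", "ComputerName": "WS04",
     "UserName": "dave", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net user /domain > C:\temp\osint.txt"},
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["ComputerName"], row["TechniqueLabel"], "|", row["CommandLine"])
```

Only the first, second and fifth events reach the table: the gh.exe call fails the ImageFileName filter and the DnsRequest record is the wrong event type, which is why tuning for GitHub CLI and IDE traffic has to happen on a separate query rather than in this one.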
False Positives & Tuning
- Security teams running authorized secret scanning tools (truffleHog, gitleaks) as part of internal security audits or CI/CD pipeline security checks
- Developers using GitHub CLI (gh.exe) or IDE integrations (VS Code, JetBrains) that make legitimate API calls to GitHub — covered by the exclusion list but new IDE tools may need to be added
- DevSecOps automation pipelines running repository scanning tools on build agents — these would generate bulk API calls from CI runner processes
- Penetration testers with written authorization conducting red team exercises against the organization's own GitHub repositories
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Repository Secret Scan with truffleHog
Expected signal: Linux auditd: execve syscall for pip3 and trufflehog processes. Sysmon for Linux (if deployed): Event ID 1 (Process Create) with Image containing 'trufflehog' and CommandLine containing the repository URL. Network connections to api.github.com and raw.githubusercontent.com on port 443. File creation events in /tmp for any cloned repository content.
- Test 2: Repository Secret Scan with gitleaks
Expected signal: Sysmon Event ID 1: Process Create for git.exe (clone operation) with CommandLine containing the GitHub URL. Sysmon Event ID 1: Process Create for gitleaks.exe with '--source' and '--report-path' arguments. Sysmon Event ID 3: Network connections to github.com on port 443 for the clone operation. Sysmon Event ID 11: File creation for gitleaks-report.json in %TEMP%.
- Test 3: GitHub API Search for Leaked Credentials via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'api.github.com', 'Invoke-RestMethod', and 'credential' or 'password'. Sysmon Event ID 3: Network connection to api.github.com:443. PowerShell ScriptBlock Log Event ID 4104 containing the full script with GitHub API query.
- Test 4: Git Log History Search for Hardcoded Secrets
Expected signal: Linux auditd or Sysmon for Linux Event ID 1: Process Create for git with CommandLine containing 'log --all --full-history' and the repository URL. Process Create for grep with pattern matching credential keywords. Network connection to github.com:443 for the initial clone. File system access to .git/objects during history traversal.
References
- https://attack.mitre.org/techniques/T1593/003/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
- https://unit42.paloaltonetworks.com/contagious-interview-beavertail-invisibleferret/
- https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/
- https://github.com/trufflesecurity/trufflehog
- https://github.com/gitleaks/gitleaks
- https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
- https://docs.github.com/en/rest/search/search#search-code
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table