Detect Code Repositories in Splunk
Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Adversaries search these repositories for sensitive data including accidentally leaked credentials, API keys, internal hostnames, technology stack details, and employee names. Groups such as LAPSUS$, HAFNIUM, and Contagious Interview have actively exploited public repository leaks to discover valid credentials and identify victims for targeting.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1593 Search Open Websites/Domains
- Sub-technique: T1593.003 Code Repositories
- Canonical reference: https://attack.mitre.org/techniques/T1593/003/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval Image_lower=lower(Image)
`comment("--- Score: Known OSINT / repo reconnaissance tools ---")`
| eval ReconTool=if(
match(Image_lower, "(trufflehog|gitleaks|gitrob|noseyparker|gitallsecrets|repo-supervisor|secretscanner|git-hound)") OR
match(CommandLine, "(trufflehog|gitleaks|gitrob|noseyparker|gitallsecrets|repo-supervisor|secretscanner|git-hound|github-dorks)"),
1, 0)
`comment("--- Score: Script/CLI processes referencing repo APIs ---")`
| eval ScriptRepoQuery=if(
match(Image_lower, "(powershell|pwsh|python|curl|wget|ruby|node)") AND
match(CommandLine, "(github\.com|api\.github\.com|gitlab\.com|bitbucket\.org)") AND
match(CommandLine, "(search|secret|password|token|api_key|credential|key|leak)"),
1, 0)
`comment("--- Score: git CLI used with log/grep patterns targeting secrets ---")`
| eval GitSecretSearch=if(
match(Image_lower, "(git\.exe|git)$") AND
match(CommandLine, "(grep|log|diff|show)") AND
match(CommandLine, "(password|secret|token|api_key|aws_|private_key)"),
1, 0)
| eval SuspicionScore=ReconTool + ScriptRepoQuery + GitSecretSearch
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
ReconTool, ScriptRepoQuery, GitSecretSearch, SuspicionScore
| sort - SuspicionScore, - _time

Detects code repository reconnaissance activity using Sysmon Event ID 1 (Process Creation). Each process execution is scored across three dimensions: (1) known OSINT and secret-scanning tool names in the process image or command line; (2) scripting engines (PowerShell, Python, curl) referencing GitHub/GitLab/Bitbucket APIs together with credential-related keywords; (3) git CLI invocations using search/grep patterns that target secrets in commit history. The suspicion score lets analysts prioritize high-confidence alerts. This complements the proxy/network layer detection that should be run in parallel against web proxy logs.
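To unit-test the three scoring dimensions offline before deploying the SPL, the following added example (not part of the original page) reproduces the same regexes in Python and runs them over constructed Sysmon Event ID 1 records; the CI-agent allowlist and all hostnames, paths and command lines are assumptions made up for the example.

```python
import re

# Regexes copied from the three eval() dimensions of the SPL query above.
RECON_TOOL = r"(trufflehog|gitleaks|gitrob|noseyparker|gitallsecrets|repo-supervisor|secretscanner|git-hound)"
RECON_TOOL_CMD = RECON_TOOL[:-1] + "|github-dorks)"
SCRIPT_ENGINE = r"(powershell|pwsh|python|curl|wget|ruby|node)"
REPO_HOST = r"(github\.com|api\.github\.com|gitlab\.com|bitbucket\.org)"
CRED_KEYWORD = r"(search|secret|password|token|api_key|credential|key|leak)"  # "key" is broad: expect noise
GIT_IMAGE, GIT_VERB = r"(git\.exe|git)$", r"(grep|log|diff|show)"
GIT_SECRET = r"(password|secret|token|api_key|aws_|private_key)"

# Tuning allowlist (an assumption for this example, not from the page): hostnames of
# CI build agents that run gitleaks/truffleHog as PR security gates (see False Positives).
CI_AGENT_HOSTS = {"build-agent-01"}

def score_event(ev):
    """Reproduce the SPL scoring for one Sysmon Event ID 1 record (dict of fields)."""
    image, cmd = ev.get("Image", "").lower(), ev.get("CommandLine", "").lower()
    recon = int(bool(re.search(RECON_TOOL, image) or re.search(RECON_TOOL_CMD, cmd)))
    script = int(bool(re.search(SCRIPT_ENGINE, image) and re.search(REPO_HOST, cmd)
                      and re.search(CRED_KEYWORD, cmd)))
    git = int(bool(re.search(GIT_IMAGE, image) and re.search(GIT_VERB, cmd)
                   and re.search(GIT_SECRET, cmd)))
    return {"ReconTool": recon, "ScriptRepoQuery": script, "GitSecretSearch": git,
            "SuspicionScore": recon + script + git}

def triage(events):
    """Mirror `where SuspicionScore > 0 | sort - SuspicionScore` (no _time here), dropping CI hosts."""
    hits = []
    for ev in events:
        s = score_event(ev)
        if s["SuspicionScore"] > 0 and ev.get("host") not in CI_AGENT_HOSTS:
            hits.append({**ev, **s})
    return sorted(hits, key=lambda h: h["SuspicionScore"], reverse=True)

# Constructed sample events (not real telemetry): one per dimension, a benign process, a CI agent.
SAMPLE_EVENTS = [
    {"host": "ws-dev-07", "Image": r"C:\Tools\gitleaks.exe",
     "CommandLine": r"gitleaks.exe detect --source C:\src\app --report-path %TEMP%\gitleaks-report.json"},
    {"host": "ws-dev-12", "Image": r"C:\Python311\python.exe",
     "CommandLine": "python.exe gitleaks_wrapper.py --source https://github.com/example-org/app --secret-report out.json"},
    {"host": "ws-dev-03", "Image": r"C:\Program Files\Git\cmd\git.exe",
     "CommandLine": "git.exe log --all --full-history -p | findstr password"},
    {"host": "ws-fin-01", "Image": r"C:\Windows\notepad.exe", "CommandLine": "notepad.exe README.md"},
    {"host": "build-agent-01", "Image": r"C:\agent\tools\gitleaks.exe",
     "CommandLine": "gitleaks.exe detect --source . --exit-code 1"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["SuspicionScore"], hit["host"], hit["CommandLine"])
```

The second sample scores 2 because a scripting engine both names a known tool and queries github.com with a credential keyword, which is the kind of record the `sort` puts at the top of the table.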
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized security team secret scanning runs during quarterly code audits — operations team should submit change tickets before running these tools
- CI/CD build agents (Jenkins, GitHub Actions self-hosted runners) that execute gitleaks or truffleHog as part of automated pre-commit or PR security gates
- Developers using git log with grep to search their own local repositories for debugging purposes — distinguish by checking if the repo is a local path vs. a cloned public repository
- Security researchers or red team operators with written authorization performing authorized code repository reconnaissance exercises
- Package managers or dependency scanners that interact with GitHub release APIs to check for updates — these would typically show as known package manager process names
Other platforms for T1593.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Repository Secret Scan with truffleHog
Expected signal: Linux auditd: execve syscall for pip3 and trufflehog processes. Sysmon for Linux (if deployed): Event ID 1 (Process Create) with Image containing 'trufflehog' and CommandLine containing the repository URL. Network connections to api.github.com and raw.githubusercontent.com on port 443. File creation events in /tmp for any cloned repository content.
- Test 2: Repository Secret Scan with gitleaks
Expected signal: Sysmon Event ID 1: Process Create for git.exe (clone operation) with CommandLine containing the GitHub URL. Sysmon Event ID 1: Process Create for gitleaks.exe with '--source' and '--report-path' arguments. Sysmon Event ID 3: Network connections to github.com on port 443 for the clone operation. Sysmon Event ID 11: File creation for gitleaks-report.json in %TEMP%.
- Test 3: GitHub API Search for Leaked Credentials via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'api.github.com', 'Invoke-RestMethod', and 'credential' or 'password'. Sysmon Event ID 3: Network connection to api.github.com:443. PowerShell ScriptBlock Log Event ID 4104 containing the full script with GitHub API query.
- Test 4: Git Log History Search for Hardcoded Secrets
Expected signal: Linux auditd or Sysmon for Linux Event ID 1: Process Create for git with CommandLine containing 'log --all --full-history' and the repository URL. Process Create for grep with pattern matching credential keywords. Network connection to github.com:443 for the initial clone. File system access to .git/objects during history traversal.
References (10)
- https://attack.mitre.org/techniques/T1593/003/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
- https://unit42.paloaltonetworks.com/contagious-interview-beavertail-invisibleferret/
- https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/
- https://github.com/trufflesecurity/trufflehog
- https://github.com/gitleaks/gitleaks
- https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning
- https://docs.github.com/en/rest/search/search#search-code
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table