title: Code Repositories (T1213.003)
id: df00tech-t1213-003
status: experimental
description: "Adversaries may leverage code repositories to collect valuable information including proprietary source code and unsecured credentials embedded within software. Code repositories such as GitHub, GitLab, Bitbucket, and Azure DevOps store source code and automate software builds, and may be hosted internally or externally. Once adversaries gain access via compromised credentials, stolen OAuth tokens, or insider access, they may bulk-clone repositories, run automated secret-scanning tools (trufflehog, gitleaks) to harvest embedded API keys and passwords, or enumerate organizational repositories at scale via API calls. LAPSUS$ searched victim networks for GitLab and GitHub instances to discover high-privilege credentials; Scattered Spider enumerated internal GitHub repositories as part of broader data theft operations; APT41 cloned victim Git repositories during intrusions. Successful exploitation provides adversaries with source code for developing targeted exploits, service credentials for lateral movement, and intellectual property for competitive or financial gain."
references:
  - https://attack.mitre.org/techniques/T1213/003/
  - https://df00tech.com/detections/T1213.003
author: df00tech
date: 2026/04/19
tags:
  - attack.t1213.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "CI/CD pipeline agents (Jenkins, GitHub Actions runners, Azure DevOps build agents) that perform bulk repository clones as part of legitimate build orchestration"
  - "Security engineering teams running authorized secret scanning (gitleaks, trufflehog) as part of AppSec pipeline or pre-commit hooks"
  - Developer onboarding scripts that clone multiple repositories simultaneously to set up a local development environment
  - Backup and archival automation jobs that use git bundle or git archive to create scheduled snapshots of organizational repositories
  - "Supply chain security tools (Dependabot, Renovate, Snyk) that enumerate repositories to check for vulnerable dependencies"
level: high