title: Code Repositories (T1593.003)
id: df00tech-t1593-003
status: experimental
description: "Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Adversaries search these repositories for sensitive data including accidentally leaked credentials, API keys, internal hostnames, technology stack details, and employee names. Groups such as LAPSUS$, HAFNIUM, and Contagious Interview have actively exploited public repository leaks to discover valid credentials and identify victims for targeting."
references:
  - https://attack.mitre.org/techniques/T1593/003/
  - https://df00tech.com/detections/T1593.003
author: df00tech
date: 2026/03/13
tags:
  - attack.t1593.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: EventID '*' matches every process_creation event, so this
  # selection must be replaced with the real query before the rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Security teams running authorized secret scanning tools (truffleHog, gitleaks) as part of internal security audits or CI/CD pipeline security checks"
  - "Developers using GitHub CLI (gh.exe) or IDE integrations (VS Code, JetBrains) that make legitimate API calls to GitHub; these are covered by the exclusion list, but new IDE tools may need to be added"
  - "DevSecOps automation pipelines running repository scanning tools on build agents; these would generate bulk API calls from CI runner processes"
  - "Penetration testers with written authorization conducting red team exercises against the organization's own GitHub repositories"
  - "GitHub Actions or GitLab CI runners executing on self-hosted agents that connect to GitHub APIs as part of normal pipeline operations"
level: medium
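The falsepositives above imply what the df00tech query looks for: processes outside an allowlist of developer tooling and CI runners making bulk calls to the GitHub API. The following Python is an added example, not the rule's own KQL/SPL, that evaluates that logic over constructed events; the excluded image names, the `ci-runner-` host prefix and the threshold of 20 are assumptions.

```python
from collections import defaultdict

# Assumptions (not from the rule): tooling expected to call the GitHub API, per the
# falsepositives above, and CI runner host prefixes exempt from the bulk threshold.
EXCLUDED_IMAGES = {"gh.exe", "code.exe", "idea64.exe", "git.exe"}
EXCLUDED_HOST_PREFIXES = ("ci-runner-",)
GITHUB_API_HOSTS = {"api.github.com"}
BULK_THRESHOLD = 20  # assumed: API calls per (host, image) within one window


def image_name(event):
    """Basename of the Image field, lower-cased, tolerant of both path separators."""
    return event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_excluded(event):
    """True for allow-listed developer tooling or a CI runner host."""
    host = (event.get("ComputerName") or "").lower()
    return image_name(event) in EXCLUDED_IMAGES or host.startswith(EXCLUDED_HOST_PREFIXES)


def evaluate(events, threshold=BULK_THRESHOLD):
    """Return sorted (ComputerName, image, count) tuples for non-excluded processes
    that reached the GitHub API at least `threshold` times."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("DestinationHostname", "").lower() not in GITHUB_API_HOSTS:
            continue  # not a GitHub API call (e.g. browsing github.com)
        if is_excluded(ev):
            continue
        counts[(ev.get("ComputerName"), image_name(ev))] += 1
    return sorted((h, i, n) for (h, i), n in counts.items() if n >= threshold)


def sample_events():
    """Constructed network-connection events, not real telemetry."""
    def ev(host, image, dst, n):
        return [{"ComputerName": host, "Image": image, "DestinationHostname": dst}] * n
    py = r"C:\Users\jdoe\AppData\Local\Programs\Python\python.exe"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return (ev("WS-001", r"C:\Program Files\GitHub CLI\gh.exe", "api.github.com", 30)  # excluded
            + ev("ci-runner-03", r"C:\hostedtoolcache\python.exe", "api.github.com", 40)  # CI host
            + ev("WS-042", py, "api.github.com", 25)   # unexpected bulk caller: alert
            + ev("WS-007", ps, "api.github.com", 3)    # below threshold
            + ev("WS-042", py, "github.com", 10))      # web host, not the API


if __name__ == "__main__":
    for host, image, n in evaluate(sample_events()):
        print(f"ALERT {host}: {image} made {n} GitHub API calls")
```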
