Data from Information Repositories: Code Repositories

ID Name
T1213.001 Confluence
T1213.002 Sharepoint
T1213.003 Code Repositories

Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop Exploits, while credentials may provide access to additional resources using Valid Accounts.[1][2]

Note: This is distinct from Code Repositories, which focuses on conducting Reconnaissance via public code repositories.

ID: T1213.003
Sub-technique of:  T1213
Tactic: Collection
Platforms: SaaS
Contributors: Itamar Mizrahi, Cymptom; Josh Liburdi, @jshlbrd; Toby Kohlenberg
Version: 1.1
Created: 11 May 2021
Last Modified: 18 October 2022

Procedure Examples

ID Name Description
G1004 LAPSUS$

LAPSUS$ has searched a victim's network for code repositories like GitLab and GitHub to discover further high-privilege account credentials.[3][4]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 downloaded source code from code repositories.[5]

Mitigations

ID Mitigation Description
M1047 Audit

Consider periodic reviews of accounts and privileges for critical and sensitive code repositories. Scan code repositories for exposed credentials or other sensitive information.

M1032 Multi-factor Authentication

Use multi-factor authentication for logons to code repositories.

M1018 User Account Management

Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization for code repositories.

M1017 User Training

Develop and publish policies that define acceptable information to be stored in code repositories.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may leverage code repositories to collect valuable information. Monitor access to code repositories, especially performed by privileged users such as Active Directory Domain or Enterprise Administrators as these types of accounts should generally not be used to access code repositories. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies.

DS0028 Logon Session Logon Session Creation

Monitor for newly constructed logon behavior across code repositories (e.g. Github) which can be configured to report access to certain pages and documents.

References