1. Home
  2. Techniques
  3. Enterprise
  4. Search Open Websites/Domains
  5. Code Repositories

Search Open Websites/Domains: Code Repositories

ID Name
T1593.001 Social Media
T1593.002 Search Engines
T1593.003 Code Repositories

Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Adversaries may search various public code repositories for various information about a victim. Public code repositories can often be a source of various general information about victims, such as commonly used programming languages and libraries as well as the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.[1] Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information), establishing operational resources (ex: Compromise Accounts or Compromise Infrastructure), and/or initial access (ex: Valid Accounts or Phishing).

Note: This is distinct from Code Repositories, which focuses on Collection from private and internally hosted code repositories.

ID: T1593.003
Sub-technique of:  T1593
Tactic: Reconnaissance
Platforms: PRE
Contributors: Matt Burrough, @mattburrough, Microsoft; Vinayak Wadhwa, SAFE Security
Version: 1.0
Created: 09 August 2022
Last Modified: 26 October 2022
Version Permalink

Procedure Examples

ID Name Description
G1004 LAPSUS$

LAPSUS$ has searched public code repositories for exposed credentials.[2]

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance

Application developers uploading to public code repositories should be careful to avoid publishing sensitive information such as credentials and API keys.
M1047 Audit

Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.

Detection

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.

References

  1. Runa A. Sandvik. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved August 9, 2022.
  1. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.