Description
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or Unsecured Credentials contained within software's source code. Having access to software's source code may allow adversaries to develop Exploits, while credentials may provide access to additional resources using Valid Accounts.(Citation: Wired Uber Breach)(Citation: Krebs Adobe)
Note: This is distinct from Code Repositories, which focuses on conducting Reconnaissance via public code repositories.
Platforms
Mitigations (4)
User TrainingM1017
Develop and publish policies that define acceptable information to be stored in code repositories.
AuditM1047
Consider periodic reviews of accounts and privileges for critical and sensitive code repositories. Scan code repositories for exposed credentials or other sensitive information.
User Account ManagementM1018
Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization for code repositories.
Multi-factor AuthenticationM1032
Use multi-factor authentication for logons to code repositories.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has searched a victim's network for code repositories like GitLab and GitHub to discover further high... |
| G1015 | Scattered Spider | [Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates data stored within victim code repositories, such as internal GitHub repositories... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) cloned victim user Git repositories during intrusions.(Citation: Rostovcev APT41 2021) |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S9010 | GlassWorm | Malware | [GlassWorm](https://attack.mitre.org/software/S9010) has gathered code repository authentication materials for NPM and GitHub.(Citation: Koi Glassworm... |
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has downloaded existing packages from code repositories and extracted data stored within them.(C... |
| S9009 | TruffleHog | Tool | [TruffleHog](https://attack.mitre.org/software/S9009) has gathered data and credentials from code repositories.(Citation: Github TruffleSecurity Truff... |
References
- Andy Greenberg. (2017, January 21). Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach. Retrieved May 14, 2021.
- Brian Krebs. (2013, October 3). Adobe To Announce Source Code, Customer Data Breach. Retrieved May 17, 2021.
Frequently Asked Questions
What is T1213.003 (Code Repositories)?
T1213.003 is a MITRE ATT&CK technique named 'Code Repositories'. It belongs to the Collection tactic(s). Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or p...
How can T1213.003 be detected?
Detection of T1213.003 (Code Repositories) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1213.003?
There are 4 documented mitigations for T1213.003. Key mitigations include: User Training, Audit, User Account Management, Multi-factor Authentication.
Which threat groups use T1213.003?
Known threat groups using T1213.003 include: LAPSUS$, Scattered Spider, APT41.