Reconnaissance

T1593.003: Code Repositories

T1593.003 · Sub-technique · 1 platform · 3 groups

Description

Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Adversaries may search public code repositories for a range of information about a victim. Such repositories are often a source of general information, such as commonly used programming languages and libraries and the names of employees. Adversaries may also identify more sensitive data, including accidentally leaked credentials or API keys.(Citation: GitHub Cloud Service Credentials) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information), establishing operational resources (ex: Compromise Accounts or Compromise Infrastructure), and/or initial access (ex: Valid Accounts or Phishing).

Note: This is distinct from Code Repositories (T1213.003), which covers Collection from private and internally hosted code repositories.

Platforms

PRE

Mitigations (2)

Application Developer Guidance (M1013)

Application developers uploading to public code repositories should be careful to avoid publishing sensitive information such as credentials and API keys.

Audit (M1047)

Scan public code repositories for exposed credentials or other sensitive information before making commits. Ensure that any leaked credentials are removed from the commit history, not just the current latest version of the code.
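Both mitigations above come down to the same check: never let a credential reach a public repository, and scan for ones that already have. The following is an added example (not code from the ATT&CK page or from MITRE) of a small pre-commit secret scanner. It reads a unified diff, scans only the lines being added, tracks the line numbers of the new file version, and flags well-known credential shapes (AWS access key IDs, GitHub personal access tokens, PEM private-key headers) plus a generic `key = "..."` assignment rule filtered by Shannon entropy so that placeholders such as `changeme1` are not reported. The pattern names, the `ENTROPY_THRESHOLD` value and the sample diff are this example's own assumptions; the AWS key ID in the sample is the example value from AWS's own documentation and the other values are made up.

```python
import math
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Credential shapes that commonly leak into public repositories. The AWS key-ID,
# GitHub token and PEM header formats are publicly documented; the generic
# assignment rule is a heuristic and will produce some false positives.
# Specific rules are listed before the generic one; the first rule that hits a line wins.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|password|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
}
ENTROPY_THRESHOLD = 3.0  # bits per character (assumed cut-off); below this a quoted value is likely a placeholder
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass
class Finding:
    path: str
    line_no: int  # line number in the new (post-commit) version of the file
    rule: str
    snippet: str  # redacted: only a short prefix of the match is kept


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, dictionary words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(path: str, line_no: int, line: str) -> List[Finding]:
    """Return at most one finding for a line: the first rule that matches."""
    for rule, rx in SECRET_PATTERNS.items():
        m = rx.search(line)
        if not m:
            continue
        if rule == "generic_assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
            return []  # "changeme1"-style placeholder, not a real secret
        return [Finding(path, line_no, rule, m.group(0)[:4] + "...")]
    return []


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only the lines a unified diff adds, tracking new-file line numbers."""
    findings: List[Finding] = []
    path: Optional[str] = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            p = raw[4:]
            path = p[2:] if p.startswith("b/") else p
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))  # start line of this hunk in the new file
            continue
        if raw.startswith("-"):
            continue  # removed lines (and '---' headers) do not exist in the new file
        if raw.startswith("+"):
            findings.extend(scan_line(path or "<unknown>", new_line, raw[1:]))
        new_line += 1  # added and context lines both advance the new-file counter
    return findings


# Constructed sample diff for demonstration. The AWS key ID is the example value
# from AWS's own documentation; the token, password and key body are made up.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+GH_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
+DB_PASSWORD = "changeme1"
+API_SECRET = "Xk9mQ2vL7pZ4wRtB"
 REGION = "us-east-1"
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAconstructedNOTAREALKEY
"""


def main() -> int:
    # Pre-commit usage:  git diff --cached | python scan_secrets.py -
    # With no argument the constructed sample diff is scanned instead.
    if len(sys.argv) > 1:
        src = sys.stdin if sys.argv[1] == "-" else open(sys.argv[1])
        text = src.read()
    else:
        text = SAMPLE_DIFF
    findings = scan_diff(text)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.snippet})")
    return 1 if findings else 0  # non-zero exit blocks the commit when used as a hook


if __name__ == "__main__":
    sys.exit(main())
```

Wired into a pre-commit hook as `git diff --cached | python scan_secrets.py -`, a non-zero exit stops the commit before anything is pushed. The same scanner can be pointed at history with `git log -p --all | python scan_secrets.py -`, which is the check the Audit mitigation asks for: a secret that was committed and later deleted is still present in earlier commits. Rewriting history removes it from the repository, but any credential that was ever public should also be rotated, since clones and forks taken in the meantime keep a copy.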

Threat Groups (3)

| ID | Group | Context |
|---|---|---|
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) had identified and solicited victims through code repositories such as GitHub.(Citation:... |
| G1004 | LAPSUS$ | [LAPSUS$](https://attack.mitre.org/groups/G1004) has searched public code repositories for exposed credentials.(Citation: MSTIC DEV-0537 Mar 2022) |
| G0125 | HAFNIUM | [HAFNIUM](https://attack.mitre.org/groups/G0125) has discovered leaked corporate credentials on public repositories including GitHub.(Citation: Micros... |

Associated Software (1)

| ID | Name | Type | Context |
|---|---|---|---|
| S9008 | Shai-Hulud | Malware | [Shai-Hulud](https://attack.mitre.org/software/S9008) has the ability to search open sites and code repositories for compromised credentials.(Citation... |

Frequently Asked Questions

What is T1593.003 (Code Repositories)?

T1593.003 is a MITRE ATT&CK sub-technique named 'Code Repositories'. It belongs to the Reconnaissance tactic. Adversaries may search public code repositories for information about victims that can be used during targeting. Victims may store code in repositories on various third-party websites such as GitHub,...

How can T1593.003 be detected?

Detection of T1593.003 (Code Repositories) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1593.003?

There are 2 documented mitigations for T1593.003. Key mitigations include: Application Developer Guidance, Audit.

Which threat groups use T1593.003?

Known threat groups using T1593.003 include: Contagious Interview, LAPSUS$, HAFNIUM.