T1213.003 Code Repositories
Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.
Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software’s source code. Having access to software’s source code may allow adversaries to develop Exploits, while credentials may provide access to additional resources using Valid Accounts.12
Note: This is distinct from Code Repositories, which focuses on conducting Reconnaissance via public code repositories.
| Item | Value |
|---|---|
| ID | T1213.003 |
| Sub-techniques | T1213.001, T1213.002, T1213.003 |
| Tactics | TA0009 |
| Platforms | SaaS |
| Version | 1.1 |
| Created | 11 May 2021 |
| Last Modified | 18 October 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1004 | LAPSUS$ | LAPSUS$ has searched a victim’s network for code repositories like GitLab and GitHub to discover further high-privilege account credentials.3 |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 downloaded source code from code repositories.4 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit | Consider periodic reviews of accounts and privileges for critical and sensitive code repositories. Scan code repositories for exposed credentials or other sensitive information. |
| M1032 | Multi-factor Authentication | Use multi-factor authentication for logons to code repositories. |
| M1018 | User Account Management | Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization for code repositories. |
| M1017 | User Training | Develop and publish policies that define acceptable information to be stored in code repositories. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0015 | Application Log | Application Log Content |
| DS0028 | Logon Session | Logon Session Creation |
References
-
Andy Greenberg. (2017, January 21). Hack Brief: Uber Paid Off Hackers to Hide a 57-Million User Data Breach. Retrieved May 14, 2021. ↩
-
Brian Krebs. (2013, October 3). Adobe To Announce Source Code, Customer Data Breach. Retrieved May 17, 2021. ↩
-
MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. ↩
-
MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation – Final Update. Retrieved May 14, 2021. ↩