Adversaries may use GET requests with keyword-based URL strings to enumerate source code, indicating potential reconnaissance or exploitation of web applications. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of targeted attacks and prevent unauthorized access to sensitive code repositories.
Detection Rule
title: Source Code Enumeration Detection by Keyword
id: 953d460b-f810-420a-97a2-cfca4c98e602
status: test
description: Detects source code enumeration that uses GET requests with keyword searches in URL strings
references:
    - https://pentester.land/tutorials/2018/10/25/source-code-disclosure-via-exposed-git-folder.html
    - https://medium.com/@logicbomb_1/bugbounty-how-i-was-able-to-download-the-source-code-of-indias-largest-telecom-service-52cf5c5640a1
author: James Ahearn
date: 2019-06-08
modified: 2022-10-05
tags:
    - attack.discovery
    - attack.t1083
logsource:
    category: webserver
detection:
    keywords:
        - '.git/'
    condition: keywords
falsepositives:
    - Unknown
level: medium
// ASIM WebSession normalization; Url is the schema field holding the full request URL
imWebSession
| where Url contains ".git/"
Scenario: Developer using a code repository tool to fetch source code
Description: A developer is using a tool like git or svn to clone or pull source code from a remote repository, which may include URLs with keywords like index.php or source.php.
Filter/Exclusion: Check for the presence of known repository URLs (e.g., SSH-style git@ URLs, svn://, https://github.com) or include a filter for processes associated with git, svn, or hg.
Scenario: Scheduled job for code version control synchronization
Description: A scheduled job (e.g., via cron, task scheduler, or Jenkins) is running a script to synchronize code between development and staging environments, which may include URLs with source code keywords.
Filter/Exclusion: Filter by process names like cron, jenkins, or scheduled_task, or include a filter for known CI/CD tools and their associated processes.
Scenario: Admin task to deploy application code using a deployment tool
Description: An administrator is using a deployment tool like Ansible, Chef, or Puppet to deploy code to a server, which may involve URLs with source code enumeration keywords.
Filter/Exclusion: Include filters for known deployment tools and their associated processes (e.g., ansible, chef-client, puppet), or check for the presence of deployment-related command-line arguments.
Scenario: Internal tool for code documentation or static analysis
Description: An internal tool (e.g., Doxygen, Sphinx, or SonarQube) is being used to generate documentation or perform static analysis on source code, which may involve URLs with source code keywords.
Filter/Exclusion: Filter by the process names of the documentation or static analysis tools.
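To show what the rule's keyword match and the exclusions above look like when run over actual web-server events, the following is an added Python example (not part of the Sigma rule or the original page). It parses a few constructed combined-format access-log lines, applies the rule's `.git/` keyword to the request URL exactly as the KQL above does, and then removes traffic that the false-positive scenarios describe as legitimate. The allow-list values (a `git/` User-Agent prefix and a `/repo/` path prefix) and the sample log lines are assumptions made up for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample web-server access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jun/2019:10:15:32 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jun/2019:10:15:33 +0000] "GET /.git/config HTTP/1.1" 200 92 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2019:10:16:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [08/Jun/2019:10:17:45 +0000] "GET /repo/project.git/info/refs?service=git-upload-pack HTTP/1.1" 200 417 "-" "git/2.30.2"
203.0.113.22 - - [08/Jun/2019:10:18:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Keyword list taken from the Sigma rule above.
KEYWORDS = (".git/",)

# Hypothetical exclusions standing in for the "known repository URLs / git tooling"
# filter suggested in the false-positive scenarios; tune them to your environment.
KNOWN_GIT_CLIENT_UA_PREFIXES = ("git/",)   # User-Agent of a real git client cloning or fetching
INTERNAL_REPO_PATH_PREFIX = "/repo/"      # path under which this server legitimately serves repos


@dataclass
class WebEvent:
    client: str
    timestamp: str
    method: str
    url: str
    status: int
    user_agent: str


def parse_line(line: str) -> Optional[WebEvent]:
    """Parse one combined-format access-log line; return None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return WebEvent(
        client=m["client"], timestamp=m["ts"], method=m["method"],
        url=m["url"], status=int(m["status"]), user_agent=m["ua"],
    )


def matches_keywords(url: str) -> bool:
    """Sigma 'keywords' semantics: case-insensitive substring match on the request URL."""
    lowered = url.lower()
    return any(k.lower() in lowered for k in KEYWORDS)


def is_excluded(event: WebEvent) -> bool:
    """Allow-list from the false-positive scenarios: known git clients and hosted repos."""
    if event.user_agent.startswith(KNOWN_GIT_CLIENT_UA_PREFIXES):
        return True
    return event.url.startswith(INTERNAL_REPO_PATH_PREFIX)


def detect(log_text: str, apply_exclusions: bool = True) -> List[WebEvent]:
    """Return the events that trigger the rule, optionally after the allow-list is applied."""
    hits: List[WebEvent] = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or not matches_keywords(event.url):
            continue
        if apply_exclusions and is_excluded(event):
            continue
        hits.append(event)
    return hits


def hits_by_client(hits: List[WebEvent]) -> Dict[str, int]:
    """Count hits per source address; several hits from one client point to deliberate enumeration."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client] = counts.get(h.client, 0) + 1
    return counts


if __name__ == "__main__":
    for event in detect(SAMPLE_LOG):
        print(f"{event.timestamp} {event.client} {event.method} {event.url} -> {event.status}")
    print(hits_by_client(detect(SAMPLE_LOG)))
```

Without the exclusions the rule fires three times on the sample, including the legitimate `git-upload-pack` fetch from the internal client; with them, only the two `/.git/HEAD` and `/.git/config` probes from the same external address remain, which is the pattern worth escalating. Note that, like the Sigma rule, the match does not depend on the HTTP method, so a `POST` to a `.git/` path would trigger it as well.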