Adversaries who have gained a foothold on a Linux host often pull their tooling straight from public code repositories: exploit code, proof-of-concept repositories and vulnerability research are cloned with git rather than uploaded. The rule below flags git clone command lines whose repository name or URL contains such keywords (it is tagged as reconnaissance, ATT&CK T1593.003, Search Open Websites/Domains: Code Repositories). SOC teams can run the accompanying query in Microsoft Sentinel (formerly Azure Sentinel) to hunt for this behavior on developer workstations and build hosts, where a compromise is easy to miss and a convenient starting point for lateral movement.
Detection Rule
title: Suspicious Git Clone - Linux
id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
status: test
description: Detects execution of "git" to clone a remote repository whose name or URL contains suspicious keywords (exploit, CVE and PoC markers, or well-known vulnerability names)
references:
    - https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-03
modified: 2023-01-05
tags:
    - attack.reconnaissance
    - attack.t1593.003
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/git'
        CommandLine|contains: ' clone '
    selection_keyword:
        CommandLine|contains:
            # Add more suspicious keywords
            - 'exploit'
            - 'Vulns'
            - 'vulnerability'
            - 'RCE'
            - 'RemoteCodeExecution'
            - 'Invoke-'
            - 'CVE-'
            - 'poc-'
            - 'ProofOfConcept'
            # Add more vuln names
            - 'proxyshell'
            - 'log4shell'
            - 'eternalblue'
            - 'eternal-blue'
            - 'MS17-'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Sentinel Query (ASIM imProcessCreate)
imProcessCreate
| where TargetProcessName endswith "/git"
    and TargetProcessCommandLine contains " clone "
| where TargetProcessCommandLine contains "exploit"
    or TargetProcessCommandLine contains "Vulns"
    or TargetProcessCommandLine contains "vulnerability"
    or TargetProcessCommandLine contains "RCE"
    or TargetProcessCommandLine contains "RemoteCodeExecution"
    or TargetProcessCommandLine contains "Invoke-"
    or TargetProcessCommandLine contains "CVE-"
    or TargetProcessCommandLine contains "poc-"
    or TargetProcessCommandLine contains "ProofOfConcept"
    or TargetProcessCommandLine contains "proxyshell"
    or TargetProcessCommandLine contains "log4shell"
    or TargetProcessCommandLine contains "eternalblue"
    or TargetProcessCommandLine contains "eternal-blue"
    or TargetProcessCommandLine contains "MS17-"
Note: KQL's contains and endswith, like Sigma's default modifiers, are case-insensitive substring matches. The short keyword "RCE" therefore also fires on any repository path containing "source", "force" or "percent" (for example an "open-source-utils" repository), which is the main source of noise in this query. If that matters in your environment, match that one keyword with the term-based has operator or a boundary-aware regex instead of contains.
False Positive Scenarios

Scenario: Scheduled Git Repository Backup Job
Description: A legitimate scheduled job runs git clone to mirror a repository to a backup location, and the repository name happens to contain one of the keywords.
Filter/Exclusion: Flags such as --depth 1 or --single-branch are weak evidence on their own, so combine them with the known source repository and destination path of the backup job, and the service account (ActorUsername) or parent process that runs it.

Scenario: Developer Pulling Code from Internal Repo
Description: A developer clones a Git repository from an internal Git server as part of their daily workflow.
Filter/Exclusion: Filter by user (e.g., ActorUsername in a known developer group) and by the internal Git server hostname in the clone URL, and check that the destination is a known developer workspace directory.

Scenario: CI/CD Pipeline Initialization
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) clones a repository to initialize a build environment.
Filter/Exclusion: Process-creation telemetry normally does not record environment variables, so CI=true is not something the rule can see. Filter instead on the parent (acting) process being the CI agent binary, the agent's service account, and known CI/CD agent workspace directories.

Scenario: System Update via Git Repo
Description: A system administrator uses a Git repository to manage configuration files and clones it during system updates.
Filter/Exclusion: Filter by the parent process or script name that launches git (e.g., update.sh, config-sync.sh) and check for known system update directories.

Scenario: Git Clone for Code Review or Merge
Description: A developer clones a repository to perform a code review or prepare for a merge.
Filter/Exclusion: Filter by user (e.g., ActorUsername of a reviewer) and check for git fetch or git merge from the same user and host shortly afterwards.

Whichever exclusion is applied, keep it narrow: suppress a specific user, parent process or path combination, not a keyword, since the same repository name that is benign in a backup job is exactly what the rule should catch when an interactive shell on a developer workstation runs it.
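To make the rule and the exclusions above concrete, here is an added Python example (not the rule author's code and not a Sentinel feature) that replays the Sigma detection logic over a few constructed imProcessCreate-style events and then applies allow-list exclusions in the spirit of the scenarios. The sample command lines, the CI agent parent-process names, the gitbackup service account and the /srv/backups destination path are all assumptions for this example. It goes one step beyond the rule by including a strict variant in which short, all-letter keywords (currently just RCE) must stand alone, which is what removes the "open-source" style hits that plain substring matching produces.

```python
"""Replay the 'Suspicious Git Clone - Linux' logic over constructed events.

Added example, not part of the original rule. Field names follow the ASIM
imProcessCreate schema used by the Sentinel query; all sample data is constructed.
"""
import re
from dataclasses import dataclass

# Keyword list copied from the Sigma rule. Sigma's default `contains` and KQL's
# `contains` are both case-insensitive, so matching is done on lower-cased text.
SUSPICIOUS_KEYWORDS = [
    "exploit", "Vulns", "vulnerability", "RCE", "RemoteCodeExecution", "Invoke-",
    "CVE-", "poc-", "ProofOfConcept",
    "proxyshell", "log4shell", "eternalblue", "eternal-blue", "MS17-",
]


@dataclass
class ProcessEvent:
    """Minimal stand-in for one imProcessCreate row (constructed, not real telemetry)."""
    TargetProcessName: str
    TargetProcessCommandLine: str
    ActorUsername: str = ""
    ActingProcessName: str = ""  # the creating (parent) process


def _contains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()


def matched_keywords(ev: ProcessEvent) -> list:
    """Keywords that fire on the command line, in rule order; useful for triage."""
    return [k for k in SUSPICIOUS_KEYWORDS if _contains(ev.TargetProcessCommandLine, k)]


def rule_matches(ev: ProcessEvent) -> bool:
    """'all of selection_*': image ends with /git, ' clone ' present, any keyword present."""
    return (ev.TargetProcessName.lower().endswith("/git")
            and _contains(ev.TargetProcessCommandLine, " clone ")
            and bool(matched_keywords(ev)))


def rule_matches_strict(ev: ProcessEvent) -> bool:
    """Same rule, but short all-letter keywords (only 'RCE' in the current list) must
    not be glued to other letters or digits, so 'open-source' no longer fires.
    This tightening is an addition for illustration, not part of the original rule."""
    if not (ev.TargetProcessName.lower().endswith("/git")
            and _contains(ev.TargetProcessCommandLine, " clone ")):
        return False
    cmd = ev.TargetProcessCommandLine
    for k in SUSPICIOUS_KEYWORDS:
        if k.isalpha() and len(k) <= 4:
            if re.search(rf"(?<![a-z0-9]){re.escape(k)}(?![a-z0-9])", cmd, re.IGNORECASE):
                return True
        elif _contains(cmd, k):
            return True
    return False


# Hypothetical allow-list values for the exclusion scenarios (per-environment assumptions).
KNOWN_CI_PARENTS = {"/usr/bin/gitlab-runner", "/usr/bin/jenkins-agent"}
KNOWN_BACKUP_USERS = {"gitbackup"}
BACKUP_DEST_RE = re.compile(r" /srv/backups/\S+$")


def is_expected(ev: ProcessEvent) -> bool:
    """Exclusions: a known CI/CD agent as parent process, or the backup service
    account cloning into the backup directory. Keyed on user/parent/path, not keyword."""
    if ev.ActingProcessName in KNOWN_CI_PARENTS:
        return True
    if ev.ActorUsername in KNOWN_BACKUP_USERS and BACKUP_DEST_RE.search(ev.TargetProcessCommandLine):
        return True
    return False


def triage(events, strict: bool = False):
    """Return (alerts, suppressed): indices of matching events split by the exclusions."""
    match = rule_matches_strict if strict else rule_matches
    alerts, suppressed = [], []
    for i, ev in enumerate(events):
        if match(ev):
            (suppressed if is_expected(ev) else alerts).append(i)
    return alerts, suppressed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("/usr/bin/git", "git clone https://github.com/example/CVE-2021-44228-log4shell-poc.git",
                 "alice", "/bin/bash"),
    ProcessEvent("/usr/bin/git", "git clone https://github.com/example/open-source-utils.git",
                 "bob", "/bin/bash"),
    ProcessEvent("/usr/bin/git", "git clone --depth 1 https://git.corp.example/sec/exploit-mitigations.git "
                                 "/srv/backups/exploit-mitigations", "gitbackup", "/bin/sh"),
    ProcessEvent("/usr/bin/git", "git clone https://git.corp.example/app/vulnerability-scanner.git",
                 "gitlab-runner", "/usr/bin/gitlab-runner"),
    ProcessEvent("/usr/bin/git", "git pull origin main", "alice", "/bin/bash"),
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, rule_matches(ev), rule_matches_strict(ev), matched_keywords(ev), is_expected(ev))
    print("loose :", triage(SAMPLE_EVENTS))
    print("strict:", triage(SAMPLE_EVENTS, strict=True))
```

Event 1 is the interesting one: the loose rule (and the Sentinel query as written) flags it only because "RCE" is a substring of "source", while the strict variant leaves it alone; events 2 and 3 match on genuine keywords but are suppressed by the backup-account and CI-parent exclusions rather than by removing "exploit" or "vulnerability" from the list.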