
Git Repository Accessed

Anvilogic Forge

Summary
The 'Git Repository Accessed' detection rule identifies unauthorized access to Git repositories exposed by web applications, activity associated with adversaries such as TeamTNT. The rule runs in Splunk over web data and targets requests to the '.git/' directory. Its logic selects successful HTTP GET requests (status code 200) to any URI containing '/.git/', then extracts the details of each request: timestamp, host, user, source and destination IP addresses, and further HTTP attributes. Regex filtering matches the URI path precisely; the results are summarized over 5-minute intervals and enriched with DNS lookups and geolocation data to give context to the potential threat. The rule helps detect file and directory enumeration attempts that can form part of reconnaissance in a compromised environment.
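The following is an added illustration of the rule's selection and summarization logic, written here as a stand-alone Python script; it is not Anvilogic's Splunk rule and does not reproduce its SPL. It assumes combined-format web access logs (the sample lines are constructed, with documentation-range IPs), applies the same filter the summary describes (method GET, status 200, URI matching '/.git/'), and groups hits into 5-minute buckets per source IP. The DNS and geolocation enrichment the rule performs is left out, since it requires external lookups.

```python
import re
from datetime import datetime, timezone

# Constructed sample web-access log lines (combined format); not real traffic.
SAMPLE_LOGS = [
    '203.0.113.7 - - [09/Feb/2024:10:01:12 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.7 - - [09/Feb/2024:10:01:13 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"',
    '203.0.113.7 - - [09/Feb/2024:10:03:40 +0000] "GET /.git/index HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.5 - - [09/Feb/2024:10:02:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [09/Feb/2024:10:07:30 +0000] "GET /app/.git/logs/HEAD HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [09/Feb/2024:10:07:31 +0000] "POST /.git/config HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [09/Feb/2024:10:08:00 +0000] "GET /static/git-logo.png HTTP/1.1" 200 500 "-" "Mozilla/5.0"',
]

# Field extraction for a combined-format access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# The rule's URI condition: "/.git/" as a path segment anywhere in the URI.
# The escaped dot keeps paths like /static/git-logo.png from matching.
GIT_URI_RE = re.compile(r'/\.git/')

BUCKET_SECONDS = 300  # the rule summarizes over 5-minute intervals


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def is_git_access(rec):
    """Successful GET (200) to a URI containing '/.git/', as the rule specifies."""
    return (rec['method'] == 'GET'
            and rec['status'] == 200
            and GIT_URI_RE.search(rec['uri']) is not None)


def bucket_5min(ts):
    """Floor a timestamp to the start of its 5-minute interval (UTC)."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % BUCKET_SECONDS, tz=timezone.utc)


def summarize(lines):
    """Return {(bucket_iso, src_ip): {'count': n, 'uris': [...]}} for matching requests."""
    summary = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_git_access(rec):
            continue
        key = (bucket_5min(rec['ts']).isoformat(), rec['src_ip'])
        entry = summary.setdefault(key, {'count': 0, 'uris': []})
        entry['count'] += 1
        entry['uris'].append(rec['uri'])
    return summary


if __name__ == '__main__':
    for (bucket, src_ip), entry in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{bucket} {src_ip} hits={entry['count']} uris={entry['uris']}")
```

Two points worth noting when tuning this logic: the status-200 condition means the rule fires only when the server actually served content from '.git/', so it flags real exposure rather than failed probes (the 404 line above is dropped), and a 5-minute per-source summary turns a burst of requests such as the two from 203.0.113.7 into one event for the analyst.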
Categories
  • Web
  • Infrastructure
Data Sources
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1083
Created: 2024-02-09