Potential Secret Scanning via Gitleaks

  1[metadata]
  2creation_date = "2025/11/28"
  3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike", "auditd_manager"]
  4maturity = "production"
  5updated_date = "2025/11/28"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule detects the execution of Gitleaks, a tool used to search for high-entropy strings and secrets in code
 11repositories, which may indicate an attempt to access credentials.
 12"""
 13false_positives = [
 14    """
 15    Gitleaks is a legitimate open-source tool used by security professionals and developers to search for sensitive
 16    information, such as passwords, API keys, and other secrets, within code repositories. It is commonly employed
 17    during security assessments and code reviews to identify potential vulnerabilities.
 18    """,
 19]
 20from = "now-9m"
 21index = [
 22    "endgame-*",
 23    "logs-crowdstrike.fdr*",
 24    "logs-endpoint.events.process-*",
 25    "logs-m365_defender.event-*",
 26    "logs-sentinel_one_cloud_funnel.*",
 27    "logs-system.security*",
 28    "logs-windows.forwarded*",
 29    "logs-windows.sysmon_operational-*",
 30    "winlogbeat-*",
 31    "auditbeat-*",
 32    "logs-auditd_manager.auditd-*"
 33]
 34language = "eql"
 35license = "Elastic License v2"
 36name = "Potential Secret Scanning via Gitleaks"
 37note = """## Triage and analysis
 38
 39> **Disclaimer**:
 40> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 41
 42### Investigating Potential Secret Scanning via Gitleaks
 43
 44This alert fires when a host launches Gitleaks, a secret-scanning utility that hunts high-entropy strings and credentials in source code and repositories, signaling potential credential harvesting. An attacker may clone internal repos or traverse local workspace directories, drop a portable gitleaks binary in /tmp or %TEMP%, run recursive scans with wide rule sets and JSON output, then archive the results to exfiltrate tokens, API keys, and passwords for lateral movement and service impersonation.
 45
 46### Possible investigation steps
 47
 48- Review the full command line to identify --path/--repo/--report/--format flags, which reveal scope and whether results are being written for exfiltration.
 49- Examine parent and ancestry plus user session to determine if it was launched by CI/dev tooling versus an interactive shell, and note execution from temp or unusual directories suggesting a dropped portable binary.
 50- Locate and inspect newly created artifacts (gitleaks.json, .sarif, .csv, zip archives) near the event time, confirm the presence of secrets, and map their sensitivity to affected systems.
 51- Correlate with network and data movement around the event for clones to internal repos and outbound transfers to cloud storage, paste sites, or email, and capture repository URLs or destinations if present.
 52- Trace how the binary arrived by checking recent downloads and file writes (curl/wget, package managers, GitHub releases), verify the binary’s hash and signer, and compare against known-good sources.
 53
 54### False positive analysis
 55
 56- A developer or security team member intentionally runs gitleaks to audit internal code for secrets during routine hygiene, producing local report artifacts and showing normal parent processes without exfiltration behavior.
 57- A user invokes gitleaks with --version or --help to validate installation or review usage, which generates a process start event but performs no scanning or credential access.
 58
 59### Response and remediation
 60
 61- If the run was unauthorized or executed from /tmp, %TEMP%, or a user profile, terminate gitleaks.exe/gitleaks, isolate the host from the network, and capture the binary path and hash for forensics.
 62- Quarantine report artifacts produced by the run (gitleaks.json, .sarif, .csv, and any zip archives) by securing copies for evidence, removing world-readable permissions, and deleting residual copies from the working directory, Downloads, repo folders, and CI workspaces after collection.
 63- Eradicate tooling by removing the dropped gitleaks binary and any wrapper scripts or CI job steps that invoke it, and enforce execution blocking for gitleaks in user-writable paths via application control or EDR policy.
 64- Immediately revoke and rotate any secrets confirmed in the reports or repository (cloud API keys, service tokens, SSH keys, credentials), purge them from repo history (git filter-repo/BFG) if present, redeploy updated secrets from the vault, and force password resets for affected accounts.
 65- Review git activity and data movement around the event for repo clones and exports, and inspect outbound transfers of report files to cloud storage, paste sites, or email; escalate to Incident Response and Legal if any report left the device or if production/customer credentials are exposed.
 66- Harden going forward by enabling approved server-side and CI secret scanning, enforcing pre-commit hooks, prohibiting PATs with broad scopes, restricting egress to paste/file-sharing sites, and blocking execution of portable binaries from temp and user-writable locations."""
 67references = [
 68    "https://www.elastic.co/blog/shai-hulud-worm-npm-supply-chain-compromise",
 69    "https://socket.dev/blog/shai-hulud-strikes-again-v2",
 70]
 71risk_score = 47
 72rule_id = "f92171ed-a4d3-4baa-98f9-4df1652cb11b"
 73severity = "medium"
 74tags = [
 75    "Domain: Endpoint",
 76    "OS: Linux",
 77    "OS: Windows",
 78    "OS: macOS",
 79    "Use Case: Threat Detection",
 80    "Tactic: Credential Access",
 81    "Data Source: Elastic Endgame",
 82    "Data Source: Elastic Defend",
 83    "Data Source: Windows Security Event Logs",
 84    "Data Source: Microsoft Defender for Endpoint",
 85    "Data Source: Sysmon",
 86    "Data Source: SentinelOne",
 87    "Data Source: Crowdstrike",
 88    "Data Source: Auditd Manager",
 89    "Resources: Investigation Guide",
 90]
 91timestamp_override = "event.ingested"
 92type = "eql"
 93query = '''
 94process where event.type == "start" and event.action like ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started", "Process Create*") and
 95process.name : ("gitleaks.exe", "gitleaks")
 96'''
 97
 98[[rule.threat]]
 99framework = "MITRE ATT&CK"
100
101[[rule.threat.technique]]
102id = "T1003"
103name = "OS Credential Dumping"
104reference = "https://attack.mitre.org/techniques/T1003/"
105
106[[rule.threat.technique]]
107id = "T1555"
108name = "Credentials from Password Stores"
109reference = "https://attack.mitre.org/techniques/T1555/"
110
111[rule.threat.tactic]
112id = "TA0006"
113name = "Credential Access"
114reference = "https://attack.mitre.org/tactics/TA0006/"