Suspicious Git Clone

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious

MITRE ATT&CK coverage

Tactic	Techniques
Reconnaissance	`T1593.003` Search Open Websites/Domains: Code Repositories

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\git-remote-https.exe'
Image|endswith: '\git.exe'
OriginalFileName: git.exe

Stage 2: `all of selection_cli`

or:
CommandLine|contains: ' clone '
CommandLine|contains: 'git-remote-https '

Stage 3: `all of selection_keyword`

or:
CommandLine|contains: CVE-
CommandLine|contains: Invoke-
CommandLine|contains: MS17-
CommandLine|contains: ProofOfConcept
CommandLine|contains: RemoteCodeExecution
CommandLine|contains: Vulns
CommandLine|contains: eternal-blue
CommandLine|contains: eternalblue
CommandLine|contains: exploit
CommandLine|contains: log4shell
CommandLine|contains: poc-
CommandLine|contains: proxyshell
CommandLine|contains: vulnerability

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`clone` `CVE-` `Invoke-` corpus 5 (sigma 5) `MS17-` `ProofOfConcept` `RemoteCodeExecution` `Vulns` `eternal-blue` `eternalblue` `exploit` `git-remote-https` `log4shell` `poc-` `proxyshell` `vulnerability`
`Image`	ends_with	`\git-remote-https.exe` `\git.exe`
`OriginalFileName`	eq	`git.exe`