LoFP / gitleaks

Gitleaks is a legitimate open-source tool used by security professionals and developers to search code repositories for sensitive information such as passwords, API keys, and other secrets. It is commonly run during security assessments and code reviews to find credentials that were committed by mistake, which is why its execution on developer and CI hosts is an expected source of false positives for the rule below.

Techniques

Sample rules

Potential Secret Scanning via Gitleaks

Description

This rule detects the execution of Gitleaks, a tool that searches code repositories for high-entropy strings and known secret formats. Outside of a sanctioned scan, running it may indicate an attempt to harvest credentials from source code.

Detection logic

process where event.type == "start" and event.action like ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started", "Process Create*") and
process.name : ("gitleaks.exe", "gitleaks")
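The following is an added example, not part of the LoFP page or of the Elastic rule, that runs the detection logic above over a handful of constructed process events. It keeps two EQL details that matter for tuning: `like` is a case-sensitive wildcard match (so an `EXEC` action would not hit), while `:` is case-insensitive (so `GITLEAKS.EXE` does). The `EXPECTED_SECRET_SCANNERS` allowlist and the sample host and user names are assumptions for illustration only.

```python
import re

# Values transcribed from the rule's detection logic above.
ACTION_PATTERNS = ("exec", "exec_event", "start", "ProcessRollup2", "executed",
                   "process_started", "Process Create*")
PROCESS_NAMES = ("gitleaks.exe", "gitleaks")


def _wildcard_to_regex(pattern):
    # EQL wildcards use `*` for any run of characters; everything else is literal.
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def action_matches(action):
    # EQL `like` is a case-sensitive wildcard match.
    return any(re.match(_wildcard_to_regex(p), action) for p in ACTION_PATTERNS)


def name_matches(name):
    # EQL `:` is a case-insensitive match, so GITLEAKS.EXE also hits.
    return any(re.match(_wildcard_to_regex(p), name, re.IGNORECASE)
               for p in PROCESS_NAMES)


def rule_matches(event):
    """Return True when a single process event satisfies the rule."""
    if event.get("event.type") != "start":
        return False
    action = event.get("event.action")
    name = event.get("process.name")
    if action is None or name is None:
        return False
    return action_matches(action) and name_matches(name)


# Hypothetical tuning: accounts expected to run gitleaks for code review or CI.
# These names are assumed for illustration and are not part of the rule.
EXPECTED_SECRET_SCANNERS = {"ci-runner", "appsec-scanner"}


def triage(events):
    """Run the rule over events; label each hit 'expected' or 'review'."""
    results = []
    for e in events:
        if not rule_matches(e):
            continue
        label = "expected" if e.get("user.name") in EXPECTED_SECRET_SCANNERS else "review"
        results.append((e["host.name"], e.get("user.name"), label))
    return results


# Constructed sample events using flat ECS-style field names; not real telemetry.
SAMPLE_EVENTS = [
    {"host.name": "dev01", "user.name": "alice", "event.type": "start",
     "event.action": "exec", "process.name": "gitleaks",
     "process.command_line": "gitleaks detect --source ."},
    {"host.name": "build03", "user.name": "ci-runner", "event.type": "start",
     "event.action": "Process Create (rule: ProcessCreate)",
     "process.name": "GITLEAKS.EXE",
     "process.command_line": "gitleaks.exe detect --no-git"},
    {"host.name": "dev01", "user.name": "alice", "event.type": "end",
     "event.action": "end", "process.name": "gitleaks"},
    {"host.name": "dev02", "user.name": "bob", "event.type": "start",
     "event.action": "exec", "process.name": "git",
     "process.command_line": "git leaks"},
    {"host.name": "dev02", "user.name": "bob", "event.type": "start",
     "event.action": "EXEC", "process.name": "gitleaks"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the first two events fire; the interactive run by `alice` is left for review while the `ci-runner` hit is labelled as expected. The allowlist is by account rather than by host so that the same binary launched interactively on a build server still surfaces.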