Info
ID: AT-RE004.002
Technique: Public Source Code and Artifacts Analysis
Tactic: Reconnaissance
Platforms: PRE
Static Code Analysis
Static Code Analysis is a reconnaissance technique in which adversaries examine publicly available source code repositories, distributed application binaries and front-end bundles, or leaked code fragments without executing the software. By reading the code itself they can identify authentication mechanisms, API endpoints and routes, hardcoded credentials and connection strings, weak or misused cryptography, vulnerable dependencies, and business-logic flaws. Unlike dynamic analysis, which requires running the target, static analysis needs only a copy of the code and can be done with off-the-shelf tooling (secret scanners, SAST engines, decompilers, grep over a checkout) or by manual review. Adversaries use the result to map the application architecture, select vulnerable components, and plan targeted exploitation. Because the analysis happens entirely outside the target environment, on copies the adversary already holds, it generates no telemetry on the victim's systems and is therefore a particularly stealthy form of initial reconnaissance; the only observable traces are the requests that fetched the code in the first place.
Procedure Examples
ID | Name | Description |
---|---|---|
AC-0001 | ByBit $1.5B Crypto Heist | Adversaries downloaded the statically hosted Next.js bundle from S3 and reviewed its code and asset paths to learn where and how Safe proposes transactions and serves JavaScript, paving the way for S3 tampering. |
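The kind of offline review described above, applied to a front-end bundle, as an added example that is not code from the page, from Safe, or from any investigation of the ByBit incident. It pulls API endpoints, client-side routes, static asset paths, connection strings and likely hardcoded secrets out of a constructed JavaScript fragment using regular expressions plus a Shannon-entropy filter to drop placeholder values. The sample bundle, the hostnames, the key and password values, and the regex set are all invented for the example; a real engagement would run the same pass over every chunk the site serves and over the git history of any public repository.

```python
"""Static reconnaissance of a front-end bundle: extract endpoints, routes, asset
paths, connection strings and likely hardcoded secrets from text alone, without
executing anything. Added example; the sample bundle and patterns are invented."""
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample resembling a minified Next.js/webpack chunk.
# None of the hosts, keys or passwords are real.
SAMPLE_BUNDLE = r'''
(self.webpackChunk=self.webpackChunk||[]).push([[123],{}]);
const API_BASE="https://api.example.test/v1";
fetch(API_BASE+"/transactions/propose",{method:"POST",headers:{"x-api-key":"sk_live_51HxZmQ9kL2bV7nR4tY8wE3cA"}});
const CHUNK="/_next/static/chunks/pages/app-4f7e2c1a.js";
const DB="postgres://svc_user:Sup3rSecret!@db.internal.example.test:5432/ledger";
const API_KEY="changeme";
console.log("build ok");
'''

# Patterns are assumptions tuned for minified JS; they are deliberately simple.
URL_RE = re.compile(r'https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+')
PATH_RE = re.compile(r'["\'](/[A-Za-z0-9_.-]+(?:/[A-Za-z0-9_.-]+)+)["\']')
CONN_RE = re.compile(r'\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|amqps?)://[^\s"\'`]+')
KEYISH_RE = re.compile(
    r'(?i)["\']?(?:x-api-key|authorization|api[_-]?key|secret|token|password)["\']?'
    r'\s*[:=]\s*["\']([^"\']{8,})["\']')
ASSET_PREFIXES = ("/_next/", "/static/", "/assets/")


@dataclass(frozen=True)
class Finding:
    kind: str    # endpoint | route | asset | connection_string | secret
    value: str
    line: int


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking keys score high, placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze(text: str, min_entropy: float = 3.5) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CONN_RE.finditer(line):
            conn = m.group(0)
            findings.append(Finding("connection_string", conn, lineno))
            pw = urlsplit(conn).password            # credential embedded in the URL
            if pw:
                findings.append(Finding("secret", pw, lineno))
        for m in URL_RE.finditer(line):
            findings.append(Finding("endpoint", m.group(0), lineno))
        for m in PATH_RE.finditer(line):
            path = m.group(1)
            kind = "asset" if path.startswith(ASSET_PREFIXES) else "route"
            findings.append(Finding(kind, path, lineno))
        for m in KEYISH_RE.finditer(line):
            candidate = m.group(1)
            # Entropy filter: drops obvious placeholders such as "changeme".
            if shannon_entropy(candidate) >= min_entropy:
                findings.append(Finding("secret", candidate, lineno))
    return findings


def by_kind(findings: list[Finding]) -> dict[str, list[str]]:
    grouped: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        grouped[f.kind].append(f.value)
    return dict(grouped)


if __name__ == "__main__":
    for f in analyze(SAMPLE_BUNDLE):
        print(f"line {f.line:>2}  {f.kind:<17} {f.value}")
```

The route and endpoint findings are what let an attacker map where a client-side application talks to its backend; the asset paths show which objects a tampered bucket or CDN would need to replace. The entropy threshold is a heuristic and will still produce false positives on long constants, so results are triaged, not trusted blindly.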
Mitigations
ID | Mitigation | Description |
---|---|---|
M1013 | Application Developer Guidance | Remove hardcoded credentials and sensitive information from public repositories, and rotate any credential that was ever committed, since it remains recoverable from history after the file is deleted |
M1016 | Vulnerability Scanning | Regularly scan code repositories, including full commit history, for security vulnerabilities and exposed secrets |
M1017 | User Training | Train developers on secure coding practices and risks of exposing vulnerable code publicly |
Detection
ID | Data Source | Detection |
---|---|---|
DS0015 | Application Log | Alert on bulk or out-of-cycle SAST/CodeQL jobs launched from IP ranges or service accounts not normally associated with the repository pipeline. |
DS0015 | Application Log | Detect high-volume code repository access from suspicious sources. Monitor clone/fetch operations that enumerate all branches or search the full history; high-rate access from unknown networks can indicate preparatory code mining. |
DS0035 | Internet Scan | Track repeated GitHub/GitLab code-search API requests for organisation-specific names. This activity occurs outside the enterprise boundary, but it can be surfaced through threat-intel partners and the platforms' audit feeds. |
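The DS0015 detection for high-volume repository access, written out as an added example over constructed audit events; this is not code from the page or from any platform's detection content. It reads JSON-lines events whose field names mirror the shape of a GitHub-style git audit stream (`action`, `actor`, `actor_ip`, `repo`), ignores traffic from trusted ranges, and raises one alert when a single actor/IP pair clones or fetches more distinct repositories than a threshold inside a sliding time window, and another when a known pipeline service account is seen acting from outside the trusted ranges. The log lines, the network ranges, the service-account name and the thresholds are all assumptions.

```python
"""Detection over a Git audit stream: flag bulk repository enumeration from
untrusted networks and pipeline service accounts acting from outside them.
Added example; the log lines, field names and thresholds are invented."""
import ipaddress
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed JSON-lines sample. Field names mirror a GitHub-style git audit
# event but every value is made up.
SAMPLE_LOG = """
{"@timestamp":"2024-05-01T09:00:00Z","action":"git.fetch","actor":"ci-runner","actor_ip":"10.20.0.5","repo":"acme/web"}
{"@timestamp":"2024-05-01T09:00:01Z","action":"git.clone","actor":"ci-runner","actor_ip":"10.20.0.5","repo":"acme/web"}
{"@timestamp":"2024-05-01T09:30:00Z","action":"git.fetch","actor":"ci-runner","actor_ip":"198.51.100.9","repo":"acme/web"}
{"@timestamp":"2024-05-01T11:02:00Z","action":"git.clone","actor":"jdoe","actor_ip":"203.0.113.7","repo":"acme/web"}
{"@timestamp":"2024-05-01T11:02:30Z","action":"git.clone","actor":"jdoe","actor_ip":"203.0.113.7","repo":"acme/api"}
{"@timestamp":"2024-05-01T11:03:10Z","action":"git.clone","actor":"jdoe","actor_ip":"203.0.113.7","repo":"acme/infra"}
{"@timestamp":"2024-05-01T11:04:00Z","action":"git.clone","actor":"jdoe","actor_ip":"203.0.113.7","repo":"acme/billing"}
{"@timestamp":"2024-05-01T11:05:00Z","action":"git.clone","actor":"jdoe","actor_ip":"203.0.113.7","repo":"acme/mobile"}
{"@timestamp":"2024-05-01T13:00:00Z","action":"git.clone","actor":"asmith","actor_ip":"203.0.113.50","repo":"acme/web"}
{"@timestamp":"2024-05-01T13:00:05Z","action":"repo.access","actor":"asmith","actor_ip":"203.0.113.50","repo":"acme/web"}
"""

TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]   # assumption: corporate and CI ranges
PIPELINE_ACCOUNTS = {"ci-runner"}                     # assumption: known service accounts


@dataclass(frozen=True)
class Alert:
    rule: str
    actor: str
    ip: str
    detail: str


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines, attach a datetime and an ip_address object, sort by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        e["ip"] = ipaddress.ip_address(e["actor_ip"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict], trusted_networks: list[str], pipeline_accounts: set[str],
           window: timedelta = timedelta(minutes=10), max_repos: int = 3) -> list[Alert]:
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    alerts: list[Alert] = []
    per_source: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for e in events:
        if e["action"] not in ("git.clone", "git.fetch"):
            continue
        if any(e["ip"] in n for n in nets):
            continue                      # on-network traffic is the baseline, not alerted here
        if e["actor"] in pipeline_accounts:
            alerts.append(Alert("pipeline_account_off_network", e["actor"], str(e["ip"]),
                                f'{e["action"]} of {e["repo"]}'))
        per_source[(e["actor"], str(e["ip"]))].append(e)
    for (actor, ip), evs in per_source.items():
        # Sliding window over this source's events: count distinct repos touched.
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            repos = {x["repo"] for x in evs[start:end + 1]}
            if len(repos) > max_repos:
                alerts.append(Alert("bulk_repo_enumeration", actor, ip,
                                    f"{len(repos)} distinct repos within {window}"))
                break                     # one alert per source is enough
    return alerts


def run() -> list[Alert]:
    return detect(parse_events(SAMPLE_LOG), TRUSTED_NETWORKS, PIPELINE_ACCOUNTS)


if __name__ == "__main__":
    for a in run():
        print(f"{a.rule:<30} {a.actor}@{a.ip}: {a.detail}")
```

On the sample this fires twice: the pipeline account fetching from 198.51.100.9, and jdoe touching four distinct repositories in under ten minutes from 203.0.113.7. Clones that enumerate every branch or walk the full history do not show up as separate events in this simplified stream, so in practice the window threshold is paired with transfer-size or ref-count fields where the platform exposes them.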