1. Home
  2. Techniques
  3. Enterprise
  4. Exfiltration Over Web Service
  5. Exfiltration to Code Repository

Exfiltration Over Web Service: Exfiltration to Code Repository

ID Name
T1567.001 Exfiltration to Code Repository
T1567.002 Exfiltration to Cloud Storage
T1567.003 Exfiltration to Text Storage Sites
T1567.004 Exfiltration Over Webhook

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.

ID: T1567.001
Sub-technique of:  T1567
Tactic: Exfiltration
Platforms: ESXi, Linux, Windows, macOS
Version: 1.2
Created: 09 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
S0363 Empire

Empire can use GitHub for data exfiltration.[1]

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0318 Detection Strategy for Exfiltration to Code Repository AN0895

Processes such as PowerShell, Git, or curl initiating outbound HTTPS POST requests to known code repository APIs (e.g., github.com, gitlab.com) immediately following large file reads. Defender view: correlation between file access of sensitive directories (e.g., Documents, Finance) and abnormal data uploads to repository domains.
AN0896

Processes like git, curl, or python scripts executing commands that package files (tar, gzip) followed by HTTPS uploads to code repository endpoints. Defender view: detect unusual git push activity or scripted HTTPS requests outside normal developer work hours.
AN0897

Office or scripting applications initiating unusual HTTPS traffic to code repository APIs with high outbound-to-inbound ratios. Defender perspective: monitor for sensitive file access in combination with network connections to github.com, gitlab.com, or bitbucket.org.
AN0898

ESXi host processes (vmx, hostd) initiating HTTPS sessions toward external code repositories. Defender perspective: detect datastore reads followed by outbound web traffic inconsistent with administrative baselines.

References

  1. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.