Exfiltration Over Web Service: Exfiltration to Code Repository

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.

ID: T1567.001
Sub-technique of:  T1567
Tactic: Exfiltration
Platforms: ESXi, Linux, Windows, macOS
Version: 1.2
Created: 09 March 2020
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
S0363 Empire

Empire can use GitHub for data exfiltration.[1]

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor for execution of commands for repository interaction (git push, curl, gh repo create, git clone), use of API clients (e.g., curl -X POST https://api.github.com/repos/user/repo/contents/), or unusual usage of PowerShell or Bash scripts to automate repository uploads.

Analytic 1 - Detecting Repository Uploads via Command Execution

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")| where (command IN ("git push", "gh repo create", "curl -X POST", "git clone", "git add", "git commit"))| eval risk_score=case( command IN ("git push", "gh repo create"), 9, command IN ("curl -X POST", "git commit"), 8)| where risk_score >= 8| stats count by _time, host, user, command, risk_score

DS0022 File File Access

Monitor for files being accessed to exfiltrate data to a code repository rather than over their primary command and control channel.

Analytic 1 - Detecting File Staging for Exfiltration to Code Repositories

(EventCode=11 OR EventCode=4663 OR source="/var/log/audit/audit.log" type="open")| where (file_path IN ("/home//repos/", "C:\Users\\Documents\git_repos\", "/var/tmp/repos/"))| eval risk_score=case( file_path LIKE "/home//repos/%", 9, file_path LIKE "C:\Users\\Documents\git_repos\%", 8)| where risk_score >= 8| stats count by _time, host, user, file_path, risk_score

DS0029 Network Traffic Network Traffic Content

Monitor for outbound network connections to code repository services (e.g., github.com, gitlab.com), web API calls to repository endpoints (POST https://api.github.com/repos/...), or SSH traffic to Git services (git@github.com:username/repo.git).

Analytic 1 - Detecting Outbound Connections to Code Repositories

(EventCode=3 OR source="zeek_conn.log" OR source="firewall_logs")| where (dest_ip IN (known_code_repos) AND bytes_out > 5000000)| stats count, sum(bytes_out) as total_bytes by _time, host, process, dest_ip| where total_bytes > 50000000| eval risk_score=case( total_bytes > 100000000, 9, total_bytes > 50000000, 8)| where risk_score >= 8| table host, dest_ip, total_bytes, risk_score

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor for use of code repositories for data exfiltration.

References