Exfiltration Over Web Service: Exfiltration to Code Repository

ID Name
T1567.001 Exfiltration to Code Repository
T1567.002 Exfiltration to Cloud Storage

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.

ID: T1567.001
Sub-technique of:  T1567
Tactic: Exfiltration
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Requires Network:  Yes
Version: 1.0
Created: 09 March 2020
Last Modified: 28 March 2020

Procedure Examples

ID Name Description
S0363 Empire

Empire can use GitHub for data exfiltration.[1]

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to code repositories. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.

References