Skip to content

DET0318 Detection Strategy for Exfiltration to Code Repository

Item Value
ID DET0318
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1567.001 (Exfiltration to Code Repository)

Analytics

Windows

AN0895

Processes such as PowerShell, Git, or curl initiating outbound HTTPS POST requests to known code repository APIs (e.g., github.com, gitlab.com) immediately following large file reads. Defender view: correlation between file access of sensitive directories (e.g., Documents, Finance) and abnormal data uploads to repository domains.

Log Sources
Data Component Name Channel
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
MonitoredDomains List of external code repository domains to monitor (github.com, gitlab.com, bitbucket.org).
ExfilVolumeThreshold Threshold for outbound data volume per session to flag suspicious uploads.

Linux

AN0896

Processes like git, curl, or python scripts executing commands that package files (tar, gzip) followed by HTTPS uploads to code repository endpoints. Defender view: detect unusual git push activity or scripted HTTPS requests outside normal developer work hours.

Log Sources
Data Component Name Channel
Command Execution (DC0064) auditd:EXECVE git push, curl -X POST
File Access (DC0055) auditd:SYSCALL open/read of sensitive directories
Network Traffic Flow (DC0078) NSM:Flow large outbound HTTPS uploads to repo domains
Mutable Elements
Field Description
WorkHours Baseline normal developer activity periods to reduce false positives.
RepoDomainList Known allowed internal or external repository domains.

macOS

AN0897

Office or scripting applications initiating unusual HTTPS traffic to code repository APIs with high outbound-to-inbound ratios. Defender perspective: monitor for sensitive file access in combination with network connections to github.com, gitlab.com, or bitbucket.org.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog execution of curl, git, or Office processes with network connections
File Access (DC0055) macos:unifiedlog read of user document directories
Network Traffic Content (DC0085) macos:unifiedlog outbound HTTPS connections to code repository APIs
Mutable Elements
Field Description
MonitoredApplications Applications not expected to upload large data sets to repos (Word, Excel, Preview).

ESXi

AN0898

ESXi host processes (vmx, hostd) initiating HTTPS sessions toward external code repositories. Defender perspective: detect datastore reads followed by outbound web traffic inconsistent with administrative baselines.

Log Sources
Data Component Name Channel
File Access (DC0055) esxi:hostd datastore file access
Network Traffic Flow (DC0078) esxi:vmkernel HTTPS traffic to repository domains
Mutable Elements
Field Description
DatastoreTransferThreshold Amount of data moved from datastore to external services before raising alert.