
T1567.001 Exfiltration to Code Repository

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (e.g. https://api.github.com). Access to these APIs is usually over HTTPS, which gives the adversary an additional layer of protection because the uploaded content is encrypted in transit.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.

ID: T1567.001
Sub-techniques: T1567.001, T1567.002, T1567.003
Tactics: TA0010
Platforms: Linux, Windows, macOS
Version: 1.0
Created: 09 March 2020
Last Modified: 28 March 2020

Procedure Examples

ID Name Description
S0363 Empire Empire can use GitHub for data exfiltration. [1]

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access
DS0029 Network Traffic Network Traffic Content
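The Network Traffic Content data source above can be worked from web-proxy logs: the proxy is the one place that sees both the destination host and the upload volume. The following is an added example, not part of the ATT&CK page or any vendor tool; it assumes a constructed space-separated proxy log format (timestamp, source IP, method, host, path, bytes sent, user agent), an assumed set of code-repository API hostnames, and an allowlist of sources that are expected to push code.

```python
"""Flag suspicious uploads to code-repository APIs in web-proxy logs (T1567.001).

Assumes a space-separated proxy log with the fields
  timestamp src_ip method host path bytes_sent user_agent
(constructed for this example; adapt parse_line to your proxy's format).
"""
from collections import defaultdict

# Code-repository API hosts to watch (assumed list; extend for your environment).
CODE_REPO_HOSTS = {"api.github.com", "gitlab.com", "api.bitbucket.org"}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

# Constructed sample: a developer box doing small pushes with git, and a
# non-developer workstation sending large PUTs to api.github.com with a script.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.0.1.20 GET api.github.com /repos/acme/web/pulls 412 git/2.43.0
2024-05-01T09:12:40Z 10.0.1.20 POST api.github.com /repos/acme/web/git/blobs 2048 git/2.43.0
2024-05-01T13:01:11Z 10.0.7.55 PUT api.github.com /repos/j-doe/notes/contents/q1.bin 5242880 python-requests/2.31
2024-05-01T13:02:15Z 10.0.7.55 PUT api.github.com /repos/j-doe/notes/contents/q2.bin 4194304 python-requests/2.31
2024-05-01T13:05:00Z 10.0.7.55 GET www.example.com / 120 Mozilla/5.0
"""

def parse_line(line):
    ts, src, method, host, path, sent, ua = line.split(" ", 6)
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "bytes": int(sent), "ua": ua}

def find_repo_upload_alerts(log_text, allowed_sources, byte_threshold=1_000_000):
    """Return (src_ip, host, total_bytes, reasons) for each source that uploads
    to a code-repository API while off the allowlist or above byte_threshold."""
    totals = defaultdict(int)  # (src, host) -> bytes uploaded in this log window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["host"] in CODE_REPO_HOSTS and rec["method"] in UPLOAD_METHODS:
            totals[(rec["src"], rec["host"])] += rec["bytes"]
    alerts = []
    for (src, host), total in totals.items():
        reasons = []
        if src not in allowed_sources:
            reasons.append("source not in allowlist")
        if total > byte_threshold:
            reasons.append(f"{total} bytes uploaded exceeds {byte_threshold}")
        if reasons:
            alerts.append((src, host, total, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_repo_upload_alerts(SAMPLE_LOG, allowed_sources={"10.0.1.20"}):
        print(alert)
```

The allowlist is what keeps this from paging on every legitimate developer push; the byte threshold catches an allowlisted host that suddenly pushes far more than source code normally weighs.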
