T1567.001 Exfiltration to Code Repository
Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is usually over HTTPS, so the uploaded content is encrypted in transit and is not visible to network inspection unless TLS is intercepted, which gives the adversary an additional level of protection.
Exfiltration to a code repository can also provide a significant amount of cover to the adversary if the service is already in legitimate use by hosts within the network, because the uploads blend in with ordinary developer traffic to the same endpoints.
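The following is an added detection example, not part of the ATT&CK page and not adversary or vendor code. It runs over constructed web-proxy log lines (the field layout `ts src method host path status bytes_out` is an assumption for illustration, as are the watched hosts and the 1 MiB threshold) and flags internal hosts that push large volumes to code-repository APIs or hit endpoints that write repository content. The GitHub paths matched (`PUT /repos/{owner}/{repo}/contents/{path}` and `POST /gists`) are the documented REST endpoints for creating file contents and gists.

```python
"""Flag possible exfiltration to code-repository APIs in web-proxy logs.

Added example, not from the ATT&CK page. Assumes a simplified proxy log with
fields: ts src method host path status bytes_out (bytes sent by the client).
"""
import re
from collections import defaultdict

# Code-repository API hosts to watch (assumed list; extend for your environment).
REPO_API_HOSTS = {"api.github.com", "gitlab.com", "api.bitbucket.org"}

# GitHub REST endpoints that create or overwrite hosted content. The contents
# endpoint takes base64 in a JSON body, so a successful PUT here is a file write.
CONTENT_WRITE_PATTERNS = [
    ("PUT", re.compile(r"^/repos/[^/]+/[^/]+/contents/")),
    ("POST", re.compile(r"^/gists$")),
]

LOG_FIELDS = ("ts", "src", "method", "host", "path", "status", "bytes_out")

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2024-03-01T09:12:01Z 10.0.0.5 GET api.github.com /repos/acme/app/pulls 200 0
2024-03-01T09:12:07Z 10.0.0.5 POST api.github.com /graphql 200 812
2024-03-01T09:15:30Z 10.0.0.9 PUT api.github.com /repos/j0hn/notes/contents/dump-1.b64 201 4194304
2024-03-01T09:15:48Z 10.0.0.9 PUT api.github.com /repos/j0hn/notes/contents/dump-2.b64 201 4194304
2024-03-01T09:16:02Z 10.0.0.9 PUT api.github.com /repos/j0hn/notes/contents/dump-3.b64 200 3145728
2024-03-01T09:20:11Z 10.0.0.7 POST api.github.com /gists 201 524288
2024-03-01T09:21:00Z 10.0.0.12 POST www.example.com /upload 200 9437184
"""


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    rec = dict(zip(LOG_FIELDS, parts))
    rec["status"] = int(rec["status"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_content_write(method, path):
    """True when method/path is one of the repository content-write endpoints."""
    return any(method == m and pat.match(path) for m, pat in CONTENT_WRITE_PATTERNS)


def analyze(lines, byte_threshold=1 << 20):
    """Aggregate uploads to repo APIs per source host and return flagged hosts.

    A host is flagged with reason "volume" when its upload bytes to watched
    hosts reach byte_threshold, and with reason "content_write" when it
    successfully hit a content-write endpoint (GitHub returns 201 on create
    and 200 on update).
    """
    per_src = defaultdict(
        lambda: {"bytes_out": 0, "requests": 0, "content_writes": 0, "reasons": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in REPO_API_HOSTS:
            continue
        if rec["method"] not in ("POST", "PUT", "PATCH"):
            continue  # reads are normal developer activity; only uploads count
        s = per_src[rec["src"]]
        s["bytes_out"] += rec["bytes_out"]
        s["requests"] += 1
        if rec["status"] in (200, 201) and is_content_write(rec["method"], rec["path"]):
            s["content_writes"] += 1
            s["reasons"].add("content_write")
    for s in per_src.values():
        if s["bytes_out"] >= byte_threshold:
            s["reasons"].add("volume")
        # Contents API bodies are base64, so the plaintext is roughly 3/4 of the wire size.
        s["approx_plaintext_bytes"] = s["bytes_out"] * 3 // 4
    return {src: s for src, s in per_src.items() if s["reasons"]}


if __name__ == "__main__":
    for src, summary in analyze(SAMPLE_LOG.splitlines()).items():
        print(src, sorted(summary["reasons"]), summary["bytes_out"], "bytes")
```

Note what the sample shows: the 9 MiB POST from 10.0.0.12 is not flagged because its destination is outside the watched set, which is exactly the blind spot a proxy allowlist (M1021) is meant to close; the gist from 10.0.0.7 is below the volume threshold but still surfaces because the endpoint itself is a content write.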
Procedure Examples
Mitigations
ID | Mitigation | Description
M1021 | Restrict Web-Based Content | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.
Detection
References