T1567.001
Exfiltration to Code Repository
Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (e.g. https://api.github.com). Access to these APIs is usually over HTTPS, which gives the adversary an additional level of protection. Exfiltration to a code repository can also provide significant cover for the adversary if the service is popular and already used by hosts within the network.
Platforms: Linux, macOS, Windows, ESXi
Detections: 9 | Sources: 2 | Threat Actors: 0
By source: 7 elastic, 2 sigma
PROCEDURES (5)
- General Monitoring: 4 detections (auto-extracted: 4 detections for general monitoring)
- Exfiltrat: 2 detections (auto-extracted: 2 detections for exfiltrat)
- Network Connection Monitoring: 1 detection (auto-extracted: 1 detection for network connection monitoring)
- Persist: 1 detection (auto-extracted: 1 detection for persist)
- Persist: 1 detection (auto-extracted: 1 detection for persist)
DETECTIONS (9)
- Connection to Commonly Abused Web Services (elastic, low)
- GitHub Exfiltration via High Number of Repository Clones by User (elastic, medium)
- GitHub Private Repository Turned Public (elastic, low)
- GitHub Repository Pages Site Changed to Public (sigma, low)
- High Number of Closed Pull Requests by User (elastic, medium)
- High Number of Protected Branch Force Pushes by User (elastic, medium)
- Network Connection Initiated To DevTunnels Domain (sigma, medium)
- Potential PowerShell HackTool Script by Function Names (elastic, medium)
- Several Failed Protected Branch Force Pushes by User (elastic, medium)