Exfiltration

T1567.001: Exfiltration to Code Repository

T1567.001 · Sub-technique · 4 platforms

Description

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is usually over HTTPS, which gives the adversary an additional level of protection: the uploaded content is hidden from network inspection unless TLS is intercepted.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network, because the traffic blends in with legitimate developer and build activity.

Platforms

ESXi, Linux, macOS, Windows

Mitigations (1)

M1021: Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Associated Software (2)

ID      Name        Type      Context
S0363   Empire      Tool      [Empire](https://attack.mitre.org/software/S0363) can use GitHub for data exfiltration. (Citation: Github PowerShell Empire)
S9008   Shai-Hulud  Malware   [Shai-Hulud](https://attack.mitre.org/software/S9008) has created a repository named `Shai-Hulud` under the compromised account that commits a JSON du...

Frequently Asked Questions

What is T1567.001 (Exfiltration to Code Repository)?

T1567.001 is a MITRE ATT&CK sub-technique named 'Exfiltration to Code Repository'. It belongs to the Exfiltration tactic. Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is usually over HTTPS, which gives the adversary an additional level of protection.

How can T1567.001 be detected?

Detection of T1567.001 (Exfiltration to Code Repository) relies mainly on network and web-proxy telemetry, because the channel is HTTPS to a legitimate service. Log connections to code-repository API endpoints (for example api.github.com) and look for source hosts or accounts that do not normally use them, unusually large outbound byte counts to those hosts, and bursts of uploads outside normal developer or build workflows. Without a decrypting proxy only the destination host and byte volumes are visible, so baseline which hosts are expected to use these services and alert on the rest. On the endpoint, look for processes other than developer tooling making these connections, and in the repository service's own audit logs for newly created repositories or commits under accounts that should not be active.
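The following is an added example, not code from the ATT&CK page, that illustrates both the M1021 point (a proxy policy that allows only approved hosts to reach code-repository APIs) and the detection guidance above. It runs over constructed proxy log lines in a simplified, space-separated layout (timestamp, client IP, method, destination host, bytes sent by the client, status); real proxy formats differ. Only api.github.com comes from the page; the other API hosts, the approved-source list, the byte threshold and the log layout are assumptions chosen for illustration. Since HTTPS through a proxy normally appears as a CONNECT tunnel, the logic uses only the destination host and the outbound byte count, which is what is visible without TLS interception.

```python
"""Flag possible exfiltration to code-repository APIs in web-proxy logs.

Constructed log layout (one record per line):
    <epoch> <client_ip> <method> <host> <bytes_out> <status>
"""
import re
from collections import defaultdict

# Hosts fronting code-repository APIs. api.github.com is cited in the ATT&CK
# description; the remaining entries are assumptions added for illustration.
CODE_REPO_API_HOSTS = {
    "api.github.com",
    "uploads.github.com",
    "gitlab.com",
    "api.bitbucket.org",
}

# Hypothetical allowlist: build agents that are expected to use these APIs.
# A proxy policy (M1021) would permit only these sources; everything else is
# both blocked and worth an alert.
APPROVED_SOURCES = {"10.0.5.20", "10.0.5.21"}

# Outbound bytes per source to code-repository hosts above which we alert.
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # 5 MiB, an assumed tuning value

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<method>[A-Z]+) (?P<host>[\w.-]+) "
    r"(?P<bytes_out>\d+) (?P<status>\d{3})$"
)

# Constructed sample: 10.0.5.20 is an approved build agent, 10.0.7.42 is a
# workstation pushing ~6 MiB to api.github.com, 10.0.9.9 touches Bitbucket once.
SAMPLE_LOG = """
1718000000 10.0.5.20 CONNECT api.github.com 412 200
1718000005 10.0.5.20 CONNECT api.github.com 20480 200
1718000010 10.0.7.42 CONNECT api.github.com 3145728 200
1718000012 10.0.7.42 CONNECT api.github.com 3145728 200
1718000020 10.0.7.42 CONNECT www.example.com 1024 200
1718000030 10.0.9.9 CONNECT api.bitbucket.org 300 200
not a log line
"""


def parse_line(line):
    """Parse one record; return a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def analyze(lines):
    """Return findings as (source_ip, reason, detail) tuples.

    reason is "unapproved_source" (a host outside the allowlist reached a
    code-repository API; detail is the destination host) or "upload_volume"
    (total bytes sent to such hosts exceeded the threshold; detail is the total).
    """
    findings = []
    seen_unapproved = set()
    upload_totals = defaultdict(int)

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in CODE_REPO_API_HOSTS:
            continue
        src = rec["src"]
        key = (src, rec["host"])
        if src not in APPROVED_SOURCES and key not in seen_unapproved:
            seen_unapproved.add(key)
            findings.append((src, "unapproved_source", rec["host"]))
        # Count outbound bytes for every source, approved or not, so that a
        # compromised build agent with unusual volume is still caught.
        upload_totals[src] += rec["bytes_out"]

    for src, total in sorted(upload_totals.items()):
        if total > UPLOAD_BYTES_THRESHOLD:
            findings.append((src, "upload_volume", total))
    return findings


def run_sample():
    """Analyze the constructed sample log."""
    return analyze(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, 10.0.7.42 is reported twice (not on the allowlist, and 6 MiB sent to api.github.com within the window) and 10.0.9.9 once for the unapproved Bitbucket connection, while the approved build agent is silent. In production the threshold should be set from a baseline of each source's normal volume to the repository hosts, and the allowlist should mirror the proxy's actual policy so that a blocked attempt and an alert come from the same rule.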

What mitigations exist for T1567.001?

There is one documented mitigation for T1567.001: M1021, Restrict Web-Based Content, which uses web proxies to block access to unauthorized external services, including code-repository APIs that hosts in the network have no business reaching.

Which threat groups use T1567.001?

This page does not list specific threat groups for T1567.001; its Associated Software entries are Empire (S0363) and Shai-Hulud (S9008). Check the MITRE ATT&CK website for the latest group attributions and threat intelligence.