Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.
Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-20 | Use of External Systems | mitigates | T1567.001 | Exfiltration to Code Repository | |
| AC-04 | Information Flow Enforcement | mitigates | T1567.001 | Exfiltration to Code Repository | |
| SC-07 | Boundary Protection | mitigates | T1567.001 | Exfiltration to Code Repository |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1567.001 | Exfiltration to Code Repository | |
| attribute.confidentiality.data_disclosure | None | related-to | T1567.001 | Exfiltration to Code Repository |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1567.001 | Exfiltration to Code Repository |
Comments
The Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Microsoft Sentinel Analytics "SharePointFileOperation via previously unseen IPs" can detect potential exfiltration activity via SharePoint. The coverage for these queries is minimal resulting in an overall Minimal score.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1567.001 | Exfiltration to Code Repository |
Comments
The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.
Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1567.001 | Exfiltration to Code Repository |
Comments
This control can identify large volume potential exfiltration activity.
References
|
| DEF-CAPP-E5 | Defender for Cloud Apps | Technique Scores | T1567.001 | Exfiltration to Code Repository |
Comments
This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is "Unusual file download (by user)".
References
|