T1567.001 Exfiltration to Code Repository Mappings

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (e.g., https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.


VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.malware.variety.Export data | Export data to another site or system | related-to | T1567.001 | Exfiltration Over Web Service: Exfiltration to Code Repository |
attribute.confidentiality.data_disclosure | None | related-to | T1567.001 | Exfiltration Over Web Service: Exfiltration to Code Repository |

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
amazon_guardduty | Amazon GuardDuty | technique_scores | T1567.001 | Exfiltration to Code Repository | See comments below

Comments

The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel:

Exfiltration:S3/ObjectRead.Unusual
Exfiltration:S3/MaliciousIPCaller
Exfiltration:IAMUser/AnomalousBehavior
Behavior:EC2/TrafficVolumeUnusual