Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.
Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-20 | Use of External Systems | Protects | T1567.001 | Exfiltration to Code Repository |
| AC-4 | Information Flow Enforcement | Protects | T1567.001 | Exfiltration to Code Repository |
| SC-7 | Boundary Protection | Protects | T1567.001 | Exfiltration to Code Repository |
| azure_sentinel | Azure Sentinel | technique_scores | T1567.001 | Exfiltration to Code Repository |
| cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1567.001 | Exfiltration to Code Repository |
| cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1567.001 | Exfiltration to Code Repository |