Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is often over HTTPS, which gives the adversary an additional level of protection.
Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.
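As an added example (not part of the ATT&CK page or the mappings below), the following script shows one way a defender can surface the pattern described above: it aggregates upload-capable requests to code-repository API hosts from constructed proxy log lines and flags hosts whose outbound volume and out/in byte ratio are both anomalous, since normal API use is read-heavy. The log format, the thresholds and the non-GitHub hostnames are assumptions.

```python
"""Flag hosts pushing unusually large volumes to code-repository APIs.
Constructed proxy-log format: 'timestamp src_host method dest_host bytes_out bytes_in'.
"""
from collections import defaultdict

# api.github.com is from the page; the other hostnames are assumed examples
# of the same class of service.
REPO_API_HOSTS = {"api.github.com", "gitlab.com", "api.bitbucket.org"}

# Constructed sample log: ws-101 makes ordinary small API calls, while ws-207
# sends several multi-megabyte PUTs and receives almost nothing back.
SAMPLE_LOG = """\
2024-05-01T09:00:01 ws-101 GET api.github.com 412 9820
2024-05-01T09:00:05 ws-101 POST api.github.com 1310 640
2024-05-01T09:10:00 ws-207 PUT api.github.com 5242880 310
2024-05-01T09:10:07 ws-207 PUT api.github.com 5242880 305
2024-05-01T09:10:15 ws-207 PUT api.github.com 5242880 298
2024-05-01T09:11:00 ws-207 GET www.example.com 300 15000
"""

def parse_log(text):
    """Yield (src_host, method, dest_host, bytes_out, bytes_in) per line."""
    for line in text.splitlines():
        _ts, src, method, dest, b_out, b_in = line.split()
        yield src, method, dest, int(b_out), int(b_in)

def find_repo_upload_anomalies(text, min_bytes_out=10 * 1024 * 1024, min_ratio=20.0):
    """Return {src_host: stats} for hosts whose upload volume to a repository
    API is at least min_bytes_out AND whose out/in byte ratio is at least
    min_ratio. The traffic is HTTPS to a trusted service, so volume and
    direction are what remain observable. Thresholds are assumed; baseline them."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "requests": 0})
    for src, method, dest, b_out, b_in in parse_log(text):
        if dest not in REPO_API_HOSTS:
            continue
        if method in ("POST", "PUT", "PATCH"):  # upload-capable methods only
            t = totals[src]
            t["bytes_out"] += b_out
            t["bytes_in"] += b_in
            t["requests"] += 1
    flagged = {}
    for src, t in totals.items():
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)
        if t["bytes_out"] >= min_bytes_out and ratio >= min_ratio:
            flagged[src] = dict(t, ratio=round(ratio, 1))
    return flagged
```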
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-20 | Use of External Systems | Protects | T1567.001 | Exfiltration to Code Repository | |
AC-4 | Information Flow Enforcement | Protects | T1567.001 | Exfiltration to Code Repository | |
SC-7 | Boundary Protection | Protects | T1567.001 | Exfiltration to Code Repository | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_sentinel | Azure Sentinel | technique_scores | T1567.001 | Exfiltration to Code Repository | The Azure Sentinel Analytics "Powershell Empire cmdlets seen in command line" query can identify use of Empire, which can use Dropbox and GitHub for data exfiltration. The Azure Sentinel Analytics "SharePointFileOperation via previously unseen IPs" query can detect potential exfiltration activity via SharePoint. The coverage of these queries is minimal, resulting in an overall Minimal score. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1567.001 | Exfiltration to Code Repository | This control can identify large-volume potential exfiltration activity. |
cloud_app_security_policies | Cloud App Security Policies | technique_scores | T1567.001 | Exfiltration to Code Repository | This control can identify large-volume potential exfiltration activity and log user activity potentially related to exfiltration via web services. A relevant alert is "Unusual file download (by user)". |