T1567.001: Exfiltration to Code Repository
Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.
Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.
Positive Technologies products that cover the technique
Detection
PT NAD can detect the service which is accessed. This allows an operator to search, using filters, for abnormal network sessions containing requests to code repositories.
Examples of PT NAD filters
- app_service == "Github"
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed command and arguments that may exfiltrate data to a code repository rather than over their primary command and control channel. |
---|
ID | DS0029 | Data source and component | Network Traffic: Network Traffic Content | Description | Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
---|
ID | DS0029 | Data source and component | Network Traffic: Network Traffic Flow | Description | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Monitor for use of code repositories for data exfiltration. |
---|
ID | DS0022 | Data source and component | File: File Access | Description | Monitor for files being accessed to exfiltrate data to a code repository rather than over their primary command and control channel. |
---|
Mitigation
ID | M1021 | Name | Restrict Web-Based Content | Description | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
---|