T1567.001

Exfiltration to Code Repository

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection. Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. Tools such as Empire have been observed using GitHub for data exfiltration, leveraging the GitHub API to stage and retrieve data as part of a C2 channel.

Microsoft Sentinel / Defender

kusto

let CodeRepoDomains = dynamic(["github.com", "api.github.com", "gitlab.com", "api.gitlab.com", "bitbucket.org", "api.bitbucket.org", "dev.azure.com", "raw.githubusercontent.com", "gist.github.com", "codeberg.org"]);
// Signal 1: Large outbound data transfers from scripting/git tools to code repository domains
let NetworkSignal = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (CodeRepoDomains)
| where InitiatingProcessFileName has_any ("git", "curl", "wget", "python", "powershell", "pwsh", "node", "ruby", "perl")
| where BytesSent > 524288
| extend Signal = "LargeUploadToCodeRepo"
| extend BytesSentMB = round(toreal(BytesSent) / 1048576, 2)
| project Timestamp, DeviceName, AccountName, Signal, RemoteUrl, RemotePort, BytesSent, BytesSentMB, BytesReceived, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName;
// Signal 2: Git push commands explicitly targeting external repository URLs
let GitPushSignal = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "git.exe" or FileName =~ "git"
| where ProcessCommandLine has "push"
| where ProcessCommandLine has_any (CodeRepoDomains)
| extend Signal = "GitPushToExternalRepo"
| extend BytesSentMB = 0.0
| project Timestamp, DeviceName, AccountName, Signal, RemoteUrl="", RemotePort=0, BytesSent=tolong(0), BytesSentMB, BytesReceived=tolong(0), InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName=InitiatingProcessParentFileName;
// Signal 3: Direct API calls to repository REST APIs using PUT/POST (file upload without git client)
let ApiUploadSignal = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any ("curl", "wget", "python", "powershell", "pwsh", "node", "ruby")
| where ProcessCommandLine has_any ("api.github.com", "api.gitlab.com", "api.bitbucket.org", "gist.github.com")
| where ProcessCommandLine has_any ("-X PUT", "-X POST", "method='PUT'", "method='POST'", "requests.put", "requests.post", "Invoke-RestMethod", "Invoke-WebRequest", "contents", "gists")
| extend Signal = "CodeRepoAPIUpload"
| extend BytesSentMB = 0.0
| project Timestamp, DeviceName, AccountName, Signal, RemoteUrl="", RemotePort=443, BytesSent=tolong(0), BytesSentMB, BytesReceived=tolong(0), InitiatingProcessFileName=FileName, InitiatingProcessCommandLine=ProcessCommandLine, InitiatingProcessParentFileName;
union NetworkSignal, GitPushSignal, ApiUploadSignal
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Content Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

Software developers legitimately pushing code to GitHub or GitLab as part of normal development workflow — especially on developer workstations
CI/CD pipeline agents (Jenkins build servers, GitHub Actions self-hosted runners, GitLab CI runners) performing automated builds and deployments that push artifacts or release assets
Developer IDEs with integrated Git (VS Code, IntelliJ, Visual Studio) performing background sync, auto-push on save, or pull request creation via API
Backup and configuration management scripts that legitimately use GitHub/GitLab as a storage backend for infrastructure-as-code or configuration files
Security tools such as Dependabot, Renovate, or Snyk that create automated pull requests by pushing fix branches to repositories

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
  ((EventCode="3"
    (DestinationHostname="github.com" OR DestinationHostname="api.github.com" OR DestinationHostname="gitlab.com" OR DestinationHostname="api.gitlab.com" OR DestinationHostname="bitbucket.org" OR DestinationHostname="api.bitbucket.org" OR DestinationHostname="dev.azure.com" OR DestinationHostname="gist.github.com" OR DestinationHostname="codeberg.org")
    (Image="*\\git.exe" OR Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe" OR Image="*\\node.exe" OR Image="*\\ruby.exe"))
  OR
  (EventCode="1"
    (Image="*\\git.exe")
    (CommandLine="*push*")
    (CommandLine="*github.com*" OR CommandLine="*gitlab.com*" OR CommandLine="*bitbucket.org*" OR CommandLine="*dev.azure.com*"))
  OR
  (EventCode="1"
    (Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
    (CommandLine="*api.github.com*" OR CommandLine="*api.gitlab.com*" OR CommandLine="*gist.github.com*")
    (CommandLine="*PUT*" OR CommandLine="*POST*" OR CommandLine="*contents*" OR CommandLine="*gists*" OR CommandLine="*upload*" OR CommandLine="*Invoke-RestMethod*" OR CommandLine="*requests.put*" OR CommandLine="*requests.post*")))
| eval Signal=case(
    EventCode="3", "NetworkConnectionToCodeRepo",
    EventCode="1" AND match(CommandLine, "push") AND match(CommandLine, "(github\.com|gitlab\.com|bitbucket\.org)"), "GitPushExternal",
    EventCode="1" AND match(CommandLine, "(api\.github\.com|api\.gitlab\.com|gist\.github\.com)"), "CodeRepoAPIUpload",
    1==1, "Unknown")
| eval IsCISystem=if(match(host, "(?i)(jenkins|gitlab-runner|ci[-_]|build[-_]|deploy|devops|runner|bamboo|teamcity)"), 1, 0)
| eval IsKnownIDE=if(match(ParentImage, "(?i)(code\.exe|idea64\.exe|pycharm|devenv\.exe|sourcetree|gitkraken|fork\.exe|tower\.exe)"), 1, 0)
| eval SuspicionScore=case(
    Signal="GitPushExternal" AND IsCISystem=0, 3,
    Signal="CodeRepoAPIUpload" AND IsCISystem=0, 3,
    Signal="NetworkConnectionToCodeRepo" AND IsCISystem=0 AND IsKnownIDE=0, 2,
    Signal="NetworkConnectionToCodeRepo" AND IsCISystem=0 AND IsKnownIDE=1, 1,
    1==1, 0)
| where SuspicionScore >= 2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DestinationHostname, Signal, IsCISystem, IsKnownIDE, SuspicionScore
| sort - SuspicionScore - _time

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software developers legitimately pushing code to GitHub or GitLab — especially when parent process is a known IDE (VS Code, IntelliJ, PyCharm)
CI/CD pipeline agents with hostnames not matching the IsCISystem regex pattern (e.g., numeric hostnames) — tune the regex to match your CI infrastructure naming
Developer IDEs with Git integration performing background repository sync operations that spawn git.exe
Automated dependency update tools (Dependabot, Renovate) running on developer machines or build servers
Security scanning tools that push scan results or automated fix branches to repositories

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [network where event.type == "connection" and
   network.direction == "outbound" and
   (
     destination.domain : ("github.com", "api.github.com", "gitlab.com", "api.gitlab.com",
                            "bitbucket.org", "api.bitbucket.org", "dev.azure.com",
                            "raw.githubusercontent.com", "gist.github.com", "codeberg.org")
   ) and
   process.name : ("git", "git.exe", "curl", "curl.exe", "wget", "wget.exe",
                   "python", "python.exe", "python3", "python3.exe",
                   "powershell.exe", "pwsh", "pwsh.exe", "node", "node.exe",
                   "ruby", "ruby.exe", "perl", "perl.exe") and
   network.bytes_sent > 524288]
until [process where event.type == "end" and process.name : ("git", "git.exe")]

OR

any where
  (
    event.category == "process" and event.type == "start" and
    process.name : ("git", "git.exe") and
    process.args : "push" and
    process.command_line : ("*github.com*", "*gitlab.com*", "*bitbucket.org*", "*dev.azure.com*", "*codeberg.org*")
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.name : ("curl", "curl.exe", "wget", "wget.exe", "python", "python.exe",
                    "python3", "python3.exe", "powershell.exe", "pwsh", "pwsh.exe",
                    "node", "node.exe", "ruby", "ruby.exe") and
    process.command_line : ("*api.github.com*", "*api.gitlab.com*", "*api.bitbucket.org*", "*gist.github.com*") and
    process.command_line : ("*-X PUT*", "*-X POST*", "*PUT*", "*POST*", "*contents*", "*gists*",
                            "*requests.put*", "*requests.post*", "*Invoke-RestMethod*", "*Invoke-WebRequest*", "*upload*")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent (network events) Auditbeat Winlogbeat with Sysmon

Required Tables

logs-endpoint.events.network-* logs-endpoint.events.process-* logs-system.syslog-*

False Positives

Legitimate CI/CD pipelines (Jenkins, GitHub Actions runners, GitLab CI runners) performing scheduled code pushes or artifact uploads to repository APIs as part of automated deployment workflows
Developers using IDE git integrations (VS Code, IntelliJ, PyCharm, SourceTree) to push large binary assets, design files, or datasets tracked via Git LFS to hosted repositories
Security or DevOps teams using infrastructure-as-code tools (Terraform, Ansible) that commit state files or rendered manifests back to a central repository as part of GitOps workflows
Data science teams using DVC (Data Version Control) or similar tools to push experiment artifacts and model weights to repository storage backends
Open-source maintainers or automated bots (Dependabot, Renovate) creating PRs with large auto-generated changelogs or dependency lock files

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  destinationport AS DestPort,
  username AS UserName,
  "Computer" AS Hostname,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessName,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  LONG("BytesSent") AS BytesSent,
  CASE
    WHEN LONG("BytesSent") > 524288
      AND ("destinationhostname" ILIKE '%github.com%'
        OR "destinationhostname" ILIKE '%gitlab.com%'
        OR "destinationhostname" ILIKE '%bitbucket.org%'
        OR "destinationhostname" ILIKE '%dev.azure.com%'
        OR "destinationhostname" ILIKE '%codeberg.org%')
    THEN 'LargeUploadToCodeRepo'
    WHEN "Process Name" ILIKE '%git%'
      AND "CommandLine" ILIKE '%push%'
      AND ("CommandLine" ILIKE '%github.com%'
        OR "CommandLine" ILIKE '%gitlab.com%'
        OR "CommandLine" ILIKE '%bitbucket.org%'
        OR "CommandLine" ILIKE '%dev.azure.com%')
    THEN 'GitPushToExternalRepo'
    WHEN ("CommandLine" ILIKE '%api.github.com%'
       OR "CommandLine" ILIKE '%api.gitlab.com%'
       OR "CommandLine" ILIKE '%gist.github.com%')
      AND ("CommandLine" ILIKE '%PUT%'
        OR "CommandLine" ILIKE '%POST%'
        OR "CommandLine" ILIKE '%contents%'
        OR "CommandLine" ILIKE '%gists%'
        OR "CommandLine" ILIKE '%Invoke-RestMethod%'
        OR "CommandLine" ILIKE '%requests.put%'
        OR "CommandLine" ILIKE '%requests.post%')
    THEN 'CodeRepoAPIUpload'
    ELSE 'Unknown'
  END AS Signal
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 1 DAYS
  AND (
    -- Signal 1: Network connections to code repo domains with large transfer
    (
      qid IN (SELECT qid FROM QID WHERE name ILIKE '%network connection%' OR name ILIKE '%sysmon event 3%')
      AND (
        "destinationhostname" ILIKE '%github.com%'
        OR "destinationhostname" ILIKE '%api.github.com%'
        OR "destinationhostname" ILIKE '%gitlab.com%'
        OR "destinationhostname" ILIKE '%bitbucket.org%'
        OR "destinationhostname" ILIKE '%dev.azure.com%'
        OR "destinationhostname" ILIKE '%codeberg.org%'
        OR "destinationhostname" ILIKE '%gist.github.com%'
      )
      AND (
        "Process Name" ILIKE '%git%' OR "Process Name" ILIKE '%curl%'
        OR "Process Name" ILIKE '%wget%' OR "Process Name" ILIKE '%python%'
        OR "Process Name" ILIKE '%powershell%' OR "Process Name" ILIKE '%pwsh%'
        OR "Process Name" ILIKE '%node%' OR "Process Name" ILIKE '%ruby%'
      )
      AND LONG("BytesSent") > 524288
    )
    OR
    -- Signal 2: git push to external repo
    (
      qid IN (SELECT qid FROM QID WHERE name ILIKE '%process create%' OR name ILIKE '%sysmon event 1%')
      AND "Process Name" ILIKE '%git%'
      AND "CommandLine" ILIKE '%push%'
      AND (
        "CommandLine" ILIKE '%github.com%'
        OR "CommandLine" ILIKE '%gitlab.com%'
        OR "CommandLine" ILIKE '%bitbucket.org%'
        OR "CommandLine" ILIKE '%dev.azure.com%'
      )
    )
    OR
    -- Signal 3: REST API upload via scripting tools
    (
      qid IN (SELECT qid FROM QID WHERE name ILIKE '%process create%' OR name ILIKE '%sysmon event 1%')
      AND (
        "Process Name" ILIKE '%curl%' OR "Process Name" ILIKE '%wget%'
        OR "Process Name" ILIKE '%python%' OR "Process Name" ILIKE '%powershell%'
        OR "Process Name" ILIKE '%pwsh%' OR "Process Name" ILIKE '%node%'
      )
      AND (
        "CommandLine" ILIKE '%api.github.com%'
        OR "CommandLine" ILIKE '%api.gitlab.com%'
        OR "CommandLine" ILIKE '%gist.github.com%'
      )
      AND (
        "CommandLine" ILIKE '%PUT%' OR "CommandLine" ILIKE '%POST%'
        OR "CommandLine" ILIKE '%contents%' OR "CommandLine" ILIKE '%gists%'
        OR "CommandLine" ILIKE '%Invoke-RestMethod%'
        OR "CommandLine" ILIKE '%requests.put%' OR "CommandLine" ILIKE '%requests.post%'
      )
    )
  )
  AND Signal != 'Unknown'
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon via Windows Event Forwarding QRadar Network Activity

Required Tables

events

False Positives

Automated CI/CD pipeline agents (Jenkins workers, GitLab Runner, Azure DevOps build agents) performing scheduled pushes and releases generate high-volume git and API activity to code hosting domains
Developer workstations running IDEs with background git sync, auto-commit plugins, or backup extensions that periodically push local changes to remote repositories
DevSecOps tooling that submits SARIF security scan results, test coverage reports, or generated API documentation via GitHub/GitLab API endpoints using POST/PUT methods

Sumo Logic CSE

sql

// Signal 1: Network connections to code repo domains (Sysmon Event 3)
(_sourceCategory="windows/sysmon" OR _sourceCategory="siem/windows/sysmon")
| parse "EventID>*<" as EventID nodrop
| parse "DestinationHostname>*<" as DestinationHostname nodrop
| parse "Image>*<" as Image nodrop
| parse "User>*<" as User nodrop
| parse "Computer>*<" as Computer nodrop
| where EventID = "3"
| where DestinationHostname matches "*github.com*"
  OR DestinationHostname matches "*gitlab.com*"
  OR DestinationHostname matches "*bitbucket.org*"
  OR DestinationHostname matches "*dev.azure.com*"
  OR DestinationHostname matches "*codeberg.org*"
  OR DestinationHostname matches "*gist.github.com*"
| where Image matches "*\\git.exe" OR Image matches "*\\curl.exe"
  OR Image matches "*\\wget.exe" OR Image matches "*\\python.exe"
  OR Image matches "*\\python3.exe" OR Image matches "*\\powershell.exe"
  OR Image matches "*\\pwsh.exe" OR Image matches "*\\node.exe"
  OR Image matches "*\\ruby.exe"
| eval Signal = "NetworkConnectionToCodeRepo"

// Signal 2: Git push to external repos (Sysmon Event 1)
| union [
  (_sourceCategory="windows/sysmon" OR _sourceCategory="siem/windows/sysmon")
  | parse "EventID>*<" as EventID nodrop
  | parse "Image>*<" as Image nodrop
  | parse "CommandLine>*<" as CommandLine nodrop
  | parse "ParentImage>*<" as ParentImage nodrop
  | parse "User>*<" as User nodrop
  | parse "Computer>*<" as Computer nodrop
  | where EventID = "1"
  | where Image matches "*\\git.exe"
  | where CommandLine matches "*push*"
  | where CommandLine matches "*github.com*"
    OR CommandLine matches "*gitlab.com*"
    OR CommandLine matches "*bitbucket.org*"
    OR CommandLine matches "*dev.azure.com*"
  | eval Signal = "GitPushToExternalRepo"
]

// Signal 3: REST API file uploads (Sysmon Event 1)
| union [
  (_sourceCategory="windows/sysmon" OR _sourceCategory="siem/windows/sysmon")
  | parse "EventID>*<" as EventID nodrop
  | parse "Image>*<" as Image nodrop
  | parse "CommandLine>*<" as CommandLine nodrop
  | parse "ParentImage>*<" as ParentImage nodrop
  | parse "User>*<" as User nodrop
  | parse "Computer>*<" as Computer nodrop
  | where EventID = "1"
  | where Image matches "*\\curl.exe" OR Image matches "*\\wget.exe"
    OR Image matches "*\\python.exe" OR Image matches "*\\python3.exe"
    OR Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe"
    OR Image matches "*\\node.exe" OR Image matches "*\\ruby.exe"
  | where (CommandLine matches "*api.github.com*"
    OR CommandLine matches "*api.gitlab.com*"
    OR CommandLine matches "*gist.github.com*")
  | where (CommandLine matches "*-X PUT*" OR CommandLine matches "*-X POST*"
    OR CommandLine matches "*contents*" OR CommandLine matches "*gists*"
    OR CommandLine matches "*Invoke-RestMethod*" OR CommandLine matches "*requests.put*"
    OR CommandLine matches "*requests.post*" OR CommandLine matches "*upload*")
  | eval Signal = "CodeRepoAPIUpload"
]

// Scoring and filtering
| eval IsCISystem = if (Computer matches "(?i)jenkins|gitlab-runner|ci[-_]|build[-_]|deploy|devops|runner|bamboo|teamcity", 1, 0)
| eval IsKnownIDE = if (ParentImage matches "(?i)code\\.exe|idea64\\.exe|pycharm|devenv\\.exe|sourcetree|gitkraken|fork\\.exe|tower\\.exe", 1, 0)
| eval SuspicionScore = if (Signal = "GitPushToExternalRepo" AND IsCISystem = 0, 3,
    if (Signal = "CodeRepoAPIUpload" AND IsCISystem = 0, 3,
    if (Signal = "NetworkConnectionToCodeRepo" AND IsCISystem = 0 AND IsKnownIDE = 0, 2,
    if (Signal = "NetworkConnectionToCodeRepo" AND IsCISystem = 0 AND IsKnownIDE = 1, 1, 0))))
| where SuspicionScore >= 2
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, DestinationHostname, Signal, IsCISystem, IsKnownIDE, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

high severity medium confidence

Data Sources

Sysmon (Windows Event Forwarding) Sumo Logic Installed Collector (Windows) Sumo Logic CSE Normalized Records

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=siem/windows/sysmon

False Positives

CI/CD build agents (Jenkins, GitHub Actions self-hosted runners, GitLab Runner, TeamCity agents) running on endpoints will generate frequent git push and API upload activity as part of normal pipeline execution — these are excluded by the IsCISystem filter but custom-named systems may bypass it
Developers using GUI git clients (SourceTree, GitKraken, Fork, Tower) that invoke git.exe or curl.exe as subprocesses when pushing large repositories — IsKnownIDE detection mitigates this but reduces score rather than eliminating the alert
Automated open-source contribution bots or security tools that submit vulnerability disclosures, SARIF reports, or dependency updates to public repositories via the GitHub/GitLab API using PUT/POST HTTP methods

Google Chronicle / SecOps

yaral

rule t1567_001_exfiltration_to_code_repository {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1567.001 - Exfiltration to Code Repository via git push, large uploads, or REST API file uploads to GitHub, GitLab, Bitbucket, Azure DevOps, or Codeberg"
    mitre_attack_tactic = "Exfiltration"
    mitre_attack_technique = "T1567.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1567/001/"
    version = "1.0"
    created = "2026-04-21"

  events:
    // Signal 1: Large network transfer to code repository domain from scripting/git process
    (
      $e1.metadata.event_type = "NETWORK_CONNECTION"
      AND $e1.network.direction = "OUTBOUND"
      AND (
        $e1.target.hostname = /(?i)(github\.com|api\.github\.com|gitlab\.com|api\.gitlab\.com|bitbucket\.org|api\.bitbucket\.org|dev\.azure\.com|raw\.githubusercontent\.com|gist\.github\.com|codeberg\.org)$/
      )
      AND (
        $e1.principal.process.file.full_path = /(?i)(\\git\.exe|\\curl\.exe|\\wget\.exe|\\python\.exe|\\python3\.exe|\\powershell\.exe|\\pwsh\.exe|\\node\.exe|\\ruby\.exe|\\perl\.exe|^\/(usr\/bin\/|usr\/local\/bin\/|bin\/)(git|curl|wget|python|python3|node|ruby|perl)$)/
      )
      AND $e1.network.sent_bytes > 524288
    )
    OR
    // Signal 2: git push to external code repository (process args)
    (
      $e2.metadata.event_type = "PROCESS_LAUNCH"
      AND (
        $e2.principal.process.file.full_path = /(?i)(\\git\.exe|^\/(usr\/bin\/|usr\/local\/bin\/|bin\/)git$)/
      )
      AND $e2.target.process.command_line = /(?i)push/
      AND $e2.target.process.command_line = /(?i)(github\.com|gitlab\.com|bitbucket\.org|dev\.azure\.com|codeberg\.org)/
    )
    OR
    // Signal 3: REST API upload via scripting tools
    (
      $e3.metadata.event_type = "PROCESS_LAUNCH"
      AND (
        $e3.principal.process.file.full_path = /(?i)(\\curl\.exe|\\wget\.exe|\\python\.exe|\\python3\.exe|\\powershell\.exe|\\pwsh\.exe|\\node\.exe|\\ruby\.exe)/
      )
      AND $e3.target.process.command_line = /(?i)(api\.github\.com|api\.gitlab\.com|api\.bitbucket\.org|gist\.github\.com)/
      AND $e3.target.process.command_line = /(?i)(-X PUT|-X POST|method=.PUT|method=.POST|requests\.put|requests\.post|Invoke-RestMethod|Invoke-WebRequest|contents|gists|upload)/
    )

  condition:
    $e1 or $e2 or $e3
}

high severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Forwarder (Windows Sysmon) Chronicle Forwarder (EDR telemetry) Google Workspace Activity Logs

Required Tables

UDM NETWORK_CONNECTION events UDM PROCESS_LAUNCH events

False Positives

Corporate software development workflows where developers or automated build systems regularly push large compiled binaries, release packages, container image layers, or documentation artifacts to GitHub Releases or GitLab package registry endpoints
Security automation pipelines that use curl or Python scripts to programmatically create GitHub/GitLab issues, upload SARIF vulnerability scan results, or trigger repository webhooks via the REST API with PUT or POST methods
Data engineering teams using repositories to store and version large datasets, ML model checkpoints, or ETL pipeline configurations — Python scripts invoking Git LFS or the GitHub API to upload files may exceed the 512KB threshold legitimately

CrowdStrike LogScale (CQL)

cql

// Signal 1: Large network uploads to code repository domains from scripting/git tools
#repo="base_sensor"
#event_simpleName="NetworkConnectIP4"
| ContextBaseFileName = /(?i)^(git|git\.exe|curl|curl\.exe|wget|wget\.exe|python|python\.exe|python3|python3\.exe|powershell\.exe|pwsh|pwsh\.exe|node|node\.exe|ruby|ruby\.exe|perl|perl\.exe)$/
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
| join type=inner
  [
    #event_simpleName="DnsRequest"
    | DomainName = /(?i)(github\.com|api\.github\.com|gitlab\.com|api\.gitlab\.com|bitbucket\.org|api\.bitbucket\.org|dev\.azure\.com|raw\.githubusercontent\.com|gist\.github\.com|codeberg\.org)/
    | rename DomainName as CodeRepoDomain
  ]
  on aid, RemoteAddressIP4
| eval Signal = "LargeUploadToCodeRepo"

| union
  // Signal 2: Git push to external repository via command line
  [
    #repo="base_sensor"
    #event_simpleName="ProcessRollup2"
    | ImageFileName = /(?i)(\\git\.exe$|\/git$)/
    | CommandLine = /(?i)push/
    | CommandLine = /(?i)(github\.com|gitlab\.com|bitbucket\.org|dev\.azure\.com|codeberg\.org)/
    | eval Signal = "GitPushToExternalRepo"
    | eval CodeRepoDomain = case(
        CommandLine = /github\.com/, "github.com",
        CommandLine = /gitlab\.com/, "gitlab.com",
        CommandLine = /bitbucket\.org/, "bitbucket.org",
        CommandLine = /dev\.azure\.com/, "dev.azure.com",
        CommandLine = /codeberg\.org/, "codeberg.org",
        true(), "unknown"
      )
  ]

| union
  // Signal 3: REST API file upload to code repository APIs
  [
    #repo="base_sensor"
    #event_simpleName="ProcessRollup2"
    | ImageFileName = /(?i)(curl|curl\.exe|wget|wget\.exe|python|python\.exe|python3|python3\.exe|powershell\.exe|pwsh|pwsh\.exe|node|node\.exe|ruby|ruby\.exe)/
    | CommandLine = /(?i)(api\.github\.com|api\.gitlab\.com|api\.bitbucket\.org|gist\.github\.com)/
    | CommandLine = /(?i)(-X PUT|-X POST|method=.PUT|method=.POST|requests\.put|requests\.post|Invoke-RestMethod|Invoke-WebRequest|contents|gists|upload)/
    | eval Signal = "CodeRepoAPIUpload"
    | eval CodeRepoDomain = case(
        CommandLine = /api\.github\.com/, "api.github.com",
        CommandLine = /api\.gitlab\.com/, "api.gitlab.com",
        CommandLine = /gist\.github\.com/, "gist.github.com",
        CommandLine = /api\.bitbucket\.org/, "api.bitbucket.org",
        true(), "unknown"
      )
  ]

// Suppress known CI/CD hostnames
| ComputerName != /(?i)(jenkins|gitlab-runner|ci[-_]|build[-_]|deploy|devops|runner|bamboo|teamcity)/

// Enrich with parent process
| eval IsSuspiciousParent = case(
    ParentBaseFileName = /(?i)(cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|schtasks\.exe|at\.exe|wmic\.exe|msiexec\.exe)/, true(),
    true(), false()
  )

| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, Signal, CodeRepoDomain, IsSuspiciousParent])
| eval RiskScore = case(
    Signal = "GitPushToExternalRepo" AND IsSuspiciousParent = true(), 4,
    Signal = "CodeRepoAPIUpload" AND IsSuspiciousParent = true(), 4,
    Signal = "GitPushToExternalRepo", 3,
    Signal = "CodeRepoAPIUpload", 3,
    Signal = "LargeUploadToCodeRepo" AND IsSuspiciousParent = true(), 3,
    Signal = "LargeUploadToCodeRepo", 2,
    true(), 1
  )
| where RiskScore >= 2
| sort(RiskScore, order=desc, limit=1000)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2) CrowdStrike Falcon Sensor (NetworkConnectIP4) CrowdStrike Falcon Sensor (DnsRequest) CrowdStrike Falcon Sensor (UserLogon)

Required Tables

ProcessRollup2 NetworkConnectIP4 DnsRequest

False Positives

Developer workstations where engineers routinely push code to GitHub/GitLab/Bitbucket through IDE terminal sessions or GUI git clients — these generate ProcessRollup2 git push events continuously during normal business hours and should be baselined per host
Infrastructure automation tools (Terraform, Pulumi, CDK) running on DevOps engineer machines or bastion hosts that use curl or Python to commit generated state files, rendered Helm charts, or SBOM reports back to repositories via API
Security scanning platforms (Snyk, Semgrep, Checkov) that run as background processes and submit findings or pull request annotations to repository APIs using POST/PUT methods with content bodies referencing specific file paths

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1567.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1567Exfiltration Over Web Service

Related Sub-techniques

T1567.002Exfiltration to Cloud Storage T1567.003Exfiltration to Text Storage Sites T1567.004Exfiltration Over Webhook

Exfiltration to Code Repository

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Exfiltration

Popular Detections