T1567.001 IBM QRadar · QRadar

Detect Exfiltration to Code Repository in IBM QRadar

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection. Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. Tools such as Empire have been observed using GitHub for data exfiltration, leveraging the GitHub API to stage and retrieve data as part of a C2 channel.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1567 Exfiltration Over Web Service
Sub-technique
T1567.001 Exfiltration to Code Repository
Canonical reference
https://attack.mitre.org/techniques/T1567/001/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  destinationip AS DestinationIP,
  destinationport AS DestPort,
  username AS UserName,
  "Computer" AS Hostname,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessName,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  LONG("BytesSent") AS BytesSent,
  CASE
    WHEN LONG("BytesSent") > 524288
      AND ("destinationhostname" ILIKE '%github.com%'
        OR "destinationhostname" ILIKE '%gitlab.com%'
        OR "destinationhostname" ILIKE '%bitbucket.org%'
        OR "destinationhostname" ILIKE '%dev.azure.com%'
        OR "destinationhostname" ILIKE '%codeberg.org%')
    THEN 'LargeUploadToCodeRepo'
    WHEN "Process Name" ILIKE '%git%'
      AND "CommandLine" ILIKE '%push%'
      AND ("CommandLine" ILIKE '%github.com%'
        OR "CommandLine" ILIKE '%gitlab.com%'
        OR "CommandLine" ILIKE '%bitbucket.org%'
        OR "CommandLine" ILIKE '%dev.azure.com%')
    THEN 'GitPushToExternalRepo'
    WHEN ("CommandLine" ILIKE '%api.github.com%'
       OR "CommandLine" ILIKE '%api.gitlab.com%'
       OR "CommandLine" ILIKE '%gist.github.com%')
      AND ("CommandLine" ILIKE '%PUT%'
        OR "CommandLine" ILIKE '%POST%'
        OR "CommandLine" ILIKE '%contents%'
        OR "CommandLine" ILIKE '%gists%'
        OR "CommandLine" ILIKE '%Invoke-RestMethod%'
        OR "CommandLine" ILIKE '%requests.put%'
        OR "CommandLine" ILIKE '%requests.post%')
    THEN 'CodeRepoAPIUpload'
    ELSE 'Unknown'
  END AS Signal
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 1 DAYS
  AND (
    -- Signal 1: Network connections to code repo domains with large transfer
    (
      qid IN (SELECT qid FROM QID WHERE name ILIKE '%network connection%' OR name ILIKE '%sysmon event 3%')
      AND (
        "destinationhostname" ILIKE '%github.com%'
        OR "destinationhostname" ILIKE '%api.github.com%'
        OR "destinationhostname" ILIKE '%gitlab.com%'
        OR "destinationhostname" ILIKE '%bitbucket.org%'
        OR "destinationhostname" ILIKE '%dev.azure.com%'
        OR "destinationhostname" ILIKE '%codeberg.org%'
        OR "destinationhostname" ILIKE '%gist.github.com%'
      )
      AND (
        "Process Name" ILIKE '%git%' OR "Process Name" ILIKE '%curl%'
        OR "Process Name" ILIKE '%wget%' OR "Process Name" ILIKE '%python%'
        OR "Process Name" ILIKE '%powershell%' OR "Process Name" ILIKE '%pwsh%'
        OR "Process Name" ILIKE '%node%' OR "Process Name" ILIKE '%ruby%'
      )
      AND LONG("BytesSent") > 524288
    )
    OR
    -- Signal 2: git push to external repo
    (
      qid IN (SELECT qid FROM QID WHERE name ILIKE '%process create%' OR name ILIKE '%sysmon event 1%')
      AND "Process Name" ILIKE '%git%'
      AND "CommandLine" ILIKE '%push%'
      AND (
        "CommandLine" ILIKE '%github.com%'
        OR "CommandLine" ILIKE '%gitlab.com%'
        OR "CommandLine" ILIKE '%bitbucket.org%'
        OR "CommandLine" ILIKE '%dev.azure.com%'
      )
    )
    OR
    -- Signal 3: REST API upload via scripting tools
    (
      qid IN (SELECT qid FROM QID WHERE name ILIKE '%process create%' OR name ILIKE '%sysmon event 1%')
      AND (
        "Process Name" ILIKE '%curl%' OR "Process Name" ILIKE '%wget%'
        OR "Process Name" ILIKE '%python%' OR "Process Name" ILIKE '%powershell%'
        OR "Process Name" ILIKE '%pwsh%' OR "Process Name" ILIKE '%node%'
      )
      AND (
        "CommandLine" ILIKE '%api.github.com%'
        OR "CommandLine" ILIKE '%api.gitlab.com%'
        OR "CommandLine" ILIKE '%gist.github.com%'
      )
      AND (
        "CommandLine" ILIKE '%PUT%' OR "CommandLine" ILIKE '%POST%'
        OR "CommandLine" ILIKE '%contents%' OR "CommandLine" ILIKE '%gists%'
        OR "CommandLine" ILIKE '%Invoke-RestMethod%'
        OR "CommandLine" ILIKE '%requests.put%' OR "CommandLine" ILIKE '%requests.post%'
      )
    )
  )
  AND Signal != 'Unknown'
ORDER BY starttime DESC
high severity medium confidence

QRadar AQL query detecting T1567.001 exfiltration to code repositories across three signals: large outbound transfers (>512KB) from scripting/git tools to known code hosting domains, explicit git push commands to external repos, and REST API file uploads via PUT/POST to repository APIs. Correlates Sysmon process and network events to classify and score each suspicious activity.

Data Sources

Windows Security Event LogSysmon via Windows Event ForwardingQRadar Network Activity

Required Tables

events

False Positives & Tuning

  • Automated CI/CD pipeline agents (Jenkins workers, GitLab Runner, Azure DevOps build agents) performing scheduled pushes and releases generate high-volume git and API activity to code hosting domains
  • Developer workstations running IDEs with background git sync, auto-commit plugins, or backup extensions that periodically push local changes to remote repositories
  • DevSecOps tooling that submits SARIF security scan results, test coverage reports, or generated API documentation via GitHub/GitLab API endpoints using POST/PUT methods
Download portable Sigma rule (.yml)

Other platforms for T1567.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Exfiltrate Data via GitHub Contents API Using PowerShell

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing 'api.github.com', 'Invoke-RestMethod', 'PUT', and 'token'. Sysmon Event ID 3: Network Connection from powershell.exe to api.github.com:443. PowerShell ScriptBlock Log Event ID 4104 with full API request including the encoded content. Network proxy logs show HTTPS PUT to api.github.com with outbound payload.

  2. Test 2Git Push Sensitive Files to External Repository from Command Shell

    Expected signal: Sysmon Event ID 1: Multiple process creates — cmd.exe, git.exe (init), git.exe (add), git.exe (commit), git.exe (push) with CommandLine containing 'github.com' and '--force'. Sysmon Event ID 3: Network Connection from git.exe to github.com:443. Sysmon Event ID 11: File Create for stolen_creds.txt in %TEMP%\df00tech-exfil. Security Event ID 4688 if command line auditing enabled.

  3. Test 3Exfiltrate Data via GitHub Gist API Using curl

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe spawning curl.exe, CommandLine containing 'api.github.com/gists', '-X POST', and the Authorization header with PAT. Sysmon Event ID 3: Network Connection from curl.exe to api.github.com:443. Proxy logs show HTTPS POST to api.github.com/gists with outbound JSON payload.

  4. Test 4Automated Data Exfiltration via Python GitHub API Script

    Expected signal: Sysmon Event ID 1: Process Create with Image=python.exe and CommandLine containing 'api.github.com', 'PUT', 'urllib.request', and the Authorization token. Sysmon Event ID 3: Network Connection from python.exe to api.github.com:443. No PowerShell ScriptBlock logging (Python process); look for Python audit hooks or endpoint DLP alerts on the data access pattern (reading hosts file).

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1567.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1567Exfiltration Over Web Service

Related Sub-techniques

T1567.002Exfiltration to Cloud StorageT1567.003Exfiltration to Text Storage SitesT1567.004Exfiltration Over Webhook

Related Techniques

T1567Exfiltration Over Web ServiceT1567.004Exfiltration Over WebhookT1102.001Dead Drop ResolverT1020Automated ExfiltrationT1560.001Archive via UtilityT1552.001Credentials In FilesT1552.004Private KeysT1078Valid AccountsT1041Exfiltration Over C2 ChannelT1074.001Local Data Staging

Same Tactic: Exfiltration

Popular Detections