Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-CodeRepo-GistExfil.

Upgrade to Pro
THREAT-CodeRepo-GistExfil IBM QRadar · QRadar

Detect Data Exfiltration via GitHub Gists and Private Code Repositories in IBM QRadar

Adversaries and malicious insiders increasingly use code-hosting platforms (GitHub, GitLab, Bitbucket) as covert exfiltration channels because traffic to these domains is rarely blocked by web proxies and blends with routine developer activity. Two distinct abuse patterns are observed: (1) anonymous or throwaway-account Gist/paste creation used as a low-friction dead drop for small stolen artifacts (credentials, config files, session tokens) — documented in Turla dead-drop resolver infrastructure and multiple commodity loader families that stage stolen data via the GitHub Gist API before onward retrieval; and (2) bulk exfiltration via `git push` or GitHub API PUT/POST calls to a personal or attacker-controlled repository, seen in APT41 intrusions abusing developer tooling and in Lazarus Group operations staging stolen source code and credentials on GitHub/GitLab ahead of retrieval. The same channel is a leading insider-threat vector: departing employees push proprietary source code or customer data to a personal GitHub account under the cover of routine commits. Detection must distinguish these from the overwhelming volume of legitimate CI/CD and developer git traffic, so the strongest signals are (a) git remotes that do not match the organisation's registered GitHub/GitLab organisation, (b) anonymous Gist creation (no owning account, effectively unlisted/unattributable), and (c) API calls using PUT/POST verbs against content endpoints from processes other than the organisation's recognised CI/CD runners.

MITRE ATT&CK

Tactic
Exfiltration

QRadar Detection Query

IBM QRadar (QRadar)
sql
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
    hostname AS Hostname,
    username AS User,
    "Process Name" AS ProcessName,
    "Command Line" AS CommandLine,
    LOGSOURCETYPENAME(logsourceid) AS LogSourceType,
    CASE
        WHEN LOWER("Command Line") LIKE '%push%' AND (LOWER("Command Line") LIKE '%github.com%' OR LOWER("Command Line") LIKE '%gitlab.com%' OR LOWER("Command Line") LIKE '%bitbucket.org%') THEN 'GitPushNonCorpRemote'
        WHEN LOWER("Command Line") LIKE '%api.github.com/gists%' THEN 'AnonGistCreate'
        WHEN (LOWER("Command Line") LIKE '%/contents/%' OR LOWER("Command Line") LIKE '%/repos/%') THEN 'ContentsApiUpload'
        ELSE 'Unclassified'
    END AS Signal
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    (LOWER("Process Name") LIKE '%git.exe%' AND LOWER("Command Line") LIKE '%push%')
    OR (
        (LOWER("Process Name") LIKE '%curl.exe%' OR LOWER("Process Name") LIKE '%powershell.exe%' OR LOWER("Process Name") LIKE '%python.exe%')
        AND (LOWER("Command Line") LIKE '%api.github.com%' OR LOWER("Command Line") LIKE '%api.gitlab.com%' OR LOWER("Command Line") LIKE '%api.bitbucket.org%')
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 500
high severity medium confidence

QRadar AQL query detecting code-repository exfiltration by monitoring process creation events from Windows Security Event Log and Sysmon log sources. Flags git push commands referencing GitHub/GitLab/Bitbucket, scripting-engine calls to the Gist API, and direct Contents/Repos API calls. Requires WinCollect or a Universal DSM configured to extract the 'Process Name' and 'Command Line' custom event properties; filter the 'push' branch further against your organisation's git remote in a QRadar reference set for lower noise.

Data Sources

IBM QRadar SIEMMicrosoft Windows Security Event Log (via WinCollect)Sysmon Events (via WinCollect or Universal DSM)

Required Tables

events

False Positives & Tuning

  • Approved open-source contribution: developers pushing to personal forks of external projects as part of their role — populate a QRadar reference set of approved external namespaces and exclude matching Command Line values
  • DevRel/security research Gist publishing: staff authorised for public snippet sharing — suppress via a reference set of approved usernames rather than a blanket exclusion

Other platforms for THREAT-CodeRepo-GistExfil


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Exfiltration via Anonymous GitHub Gist

    Expected signal: Sysmon Event ID 1: curl.exe process creation with command line referencing api.github.com/gists and a POST body.

  2. Test 2Simulate Exfiltration via Git Push to Non-Corporate Remote

    Expected signal: Process creation events for git with 'push' in the command line and a remote URL not matching the corporate org.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-CodeRepo-GistExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections