Esc
Exfiltration to Code Repository - T1567.001

(ATT&CK® Technique)
Definition

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1567001["Exfiltration to Code Repository"] --> |may-produce| OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"]; class T1567001 OffensiveTechniqueNode;
        class OutboundInternetEncryptedWebTraffic ArtifactNode; click OutboundInternetEncryptedWebTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedWebTraffic";
        click T1567001 href "/offensive-technique/attack/T1567.001/"; click OutboundInternetEncryptedWebTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedWebTraffic"; T1567001["Exfiltration to Code Repository"] --> |may-produce| OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"]; class T1567001 OffensiveTechniqueNode;
        class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode; click OutboundInternetEncryptedRemoteTerminalTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedRemoteTerminalTraffic";
        click T1567001 href "/offensive-technique/attack/T1567.001/"; click OutboundInternetEncryptedRemoteTerminalTraffic href "/dao/artifact/d3f:OutboundInternetEncryptedRemoteTerminalTraffic";                 T1567001["Exfiltration to Code Repository"] --> |produces| OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; class T1567001 OffensiveTechniqueNode;
        class OutboundInternetWebTraffic ArtifactNode; click OutboundInternetWebTraffic href "/dao/artifact/d3f:OutboundInternetWebTraffic";
        click T1567001 href "/offensive-technique/attack/T1567.001/"; click OutboundInternetWebTraffic href "/dao/artifact/d3f:OutboundInternetWebTraffic";          RelayPatternAnalysis["Relay Pattern Analysis"] -->
          | analyzes | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          RelayPatternAnalysis["Relay Pattern Analysis"] -.->
            | May Detect | T1567001["Exfiltration to Code Repository"] ;
          class RelayPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; RelayPatternAnalysis["Relay Pattern Analysis"] -->
          | analyzes | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          
          class RelayPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | May Detect | T1567001["Exfiltration to Code Repository"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";                     ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";       RelayPatternAnalysis["Relay Pattern Analysis"] -->
          | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class RelayPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis";                    NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | May Detect | T1567001["Exfiltration to Code Repository"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | May Detect | T1567001["Exfiltration to Code Repository"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | May Detect | T1567001["Exfiltration to Code Repository"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";                                 Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";           NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";    NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";                           PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | May Detect | T1567001["Exfiltration to Code Repository"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | May Detect | T1567001["Exfiltration to Code Repository"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";                     PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";            RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";        ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";                             Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | May Detect | T1567001["Exfiltration to Code Repository"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";                 UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";           OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
          | filters | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          OutboundTrafficFiltering["Outbound Traffic Filtering"] -.->
            | May Isolate | T1567001["Exfiltration to Code Repository"] ;
          class OutboundTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering"; OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
          | filters | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          
          class OutboundTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering";                   OutboundTrafficFiltering["Outbound Traffic Filtering"] -->
          | filters | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class OutboundTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering";         NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | OutboundInternetEncryptedWebTraffic["Outbound Internet Encrypted Web Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | May Isolate | T1567001["Exfiltration to Code Repository"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetEncryptedWebTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | OutboundInternetEncryptedRemoteTerminalTraffic["Outbound Internet Encrypted Remote Terminal Traffic"];

          
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetEncryptedRemoteTerminalTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";                  NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | OutboundInternetWebTraffic["Outbound Internet Web Traffic"];

          
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class OutboundInternetWebTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";
json