AN0895: Analytic 0895

Processes such as PowerShell, Git, or curl initiating outbound HTTPS POST requests to known code repository APIs (e.g., github.com, gitlab.com) immediately following large file reads. Defender view: correlation between file access of sensitive directories (e.g., Documents, Finance) and abnormal data uploads to repository domains.

EnterpriseAN0895AnalyticObject v1.0 Modified Nov 12, 2025, 22:03 UTC (UTC+00:00)

This analytic matters because it describes a practical data-loss pattern: a Windows process such as PowerShell, Git, or curl reads large files from potentially sensitive user or business directories and then sends HTTPS POST traffic to code repository APIs such as GitHub or GitLab. For leaders, the value is not assuming every repository upload is malicious, but confirming whether the organization can distinguish normal developer activity from suspicious movement of business data into external code-hosting services.

Executive priority

Prioritize this as a data protection and incident readiness validation item for Windows environments. Security leaders should ask whether SOC, IR, and compliance teams can prove they collect both file-access evidence and outbound web/API evidence, and whether they can correlate them quickly enough to support containment, legal, privacy, or audit decisions. This is especially relevant where finance, document, or other sensitive directories exist on endpoints and where legitimate use of GitHub, GitLab, Git, PowerShell, or curl could create noisy but business-critical exceptions.

Technical view

For SOC and detection engineering, validate correlation coverage on Windows between large file reads from sensitive paths and near-term outbound HTTPS POST requests by processes named in the analytic, including PowerShell, Git, and curl. The supplied ATT&CK object does not provide a formal detection rule or tactic mapping, so teams should treat it as a behavioral detection concept and tune it against local repository usage patterns, developer workflows, sanctioned automation, and known business processes.

Likely telemetry

Windows process execution telemetry for PowerShell, Git, curl, and similar command-line or automation tools
File access telemetry showing large reads from user or business-sensitive directories such as Documents or Finance
Outbound network or proxy telemetry showing HTTPS POST requests
Destination domain and URL/API context for known code repository services such as github.com and gitlab.com
Timestamp correlation between file reads and subsequent external uploads

Detection direction

Validate that endpoint and network telemetry can be joined by host, user, process, and time window; this analytic depends on correlation, not a single event.
Tune for local legitimate repository activity to reduce false positives from developers, build systems, scripts, and approved automation.
Pay attention to blind spots where HTTPS inspection, proxy logging, endpoint file auditing, or command-line capture is absent or inconsistent.
Use sensitive directory context carefully; the ATT&CK description gives examples such as Documents and Finance, but each organization must define its own high-value paths.
Because no official detection logic is supplied, test candidate analytics with known-good business workflows before using them for high-severity alerting.

Mitigation priorities

Define and maintain approved use cases for external code repository access from Windows endpoints.
Ensure sensitive business directories are identified so monitoring and response teams know which file-read events deserve higher scrutiny.
Strengthen endpoint and web egress logging before relying on this analytic for compliance or incident evidence.
Review whether PowerShell, Git, and curl usage is expected on non-developer systems and apply appropriate administrative controls where business need is limited.
Create response playbooks for suspected external repository uploads, including validation of user intent, repository destination, data sensitivity, and containment decision points.

Analyst notes and limits

This object is a detection analytic, not a technique entry. Its main decision value is helping teams test whether they can correlate endpoint file access with outbound API uploads to repository domains on Windows. The absence of relationship context means this take should not infer a specific ATT&CK tactic, threat actor, campaign, or impact outcome.

The official object provides a description but no official detection logic, no tactics, and no relationship context. It supports Windows only. Local environment evidence is required to determine what counts as sensitive directories, abnormal upload behavior, sanctioned repository usage, and alert severity.

Official MITRE ATT&CK definition

Analytic 0895

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Nov 12, 2025, 22:03 UTC (UTC+00:00)
Raw hash: be5a0330f62456ec...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Nov 12, 2025, 22:03 UTC (UTC+00:00)	Current bundle	`be5a0330f624…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0895
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use