T1567.001: Exfiltration to Code Repository
Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.
Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.
Analyst context for executives and security teams
Exfiltration to Code Repository matters because it can make data theft look like normal developer or automation traffic. If code repository services are already allowed over HTTPS, an adversary may get cover from trusted destinations and encrypted web traffic instead of using an obvious command-and-control channel.
Executive priority
Treat this as a control-validation issue for organizations that use code repositories, developer tooling, or automated build workflows from ESXi, Linux, macOS, or Windows systems. Leaders should ask whether repository access is business-justified by host and identity, whether web filtering policy can distinguish approved from unapproved repository use, and whether SOC and IR teams can produce evidence of unusual uploads to repository APIs during an investigation.
Technical view
This is an exfiltration sub-technique of Exfiltration Over Web Service. SOC and detection teams should validate visibility into outbound HTTPS connections to code repository services and APIs, especially from systems or accounts that do not normally publish code or artifacts. ATT&CK does not provide official detection text for this object, but the relationship to DET0318 indicates a detection strategy exists. The related mitigation is M1021 Restrict Web-Based Content, so validation should focus on whether proxy, URL filtering, and web access controls can limit or alert on unauthorized repository destinations and behaviors.
Likely telemetry
- Web proxy and secure web gateway logs for repository domains and API endpoints
- DNS queries and network connection metadata for outbound HTTPS to code repository services
- Endpoint process and command-line telemetry associated with repository clients, scripts, or API upload activity
- Authentication and access logs from approved code repository services where available
- Data transfer volume, timing, and destination metadata for unusual outbound uploads
Detection direction
- Baseline which hosts, users, service accounts, and automation systems are expected to access code repositories, then alert on deviations.
- Prioritize detection of unusual upload volume, new repository destinations, API access from non-developer systems, or repository access outside normal workflows.
- Tune carefully for legitimate developer and CI/CD activity; popular repository services may be common in the environment and create false positives without asset and identity context.
- Confirm whether HTTPS inspection, proxy logging, or destination metadata is sufficient; encryption may limit content visibility.
- Use relationship context from the parent technique, Exfiltration Over Web Service, to look for abuse of legitimate web services permitted by firewall policy.
Mitigation priorities
- Restrict web-based content by allowing repository access only where business-justified, using proxy or URL filtering controls.
- Define approved repository services and block or monitor access to unapproved repository destinations and APIs.
- Tie access policy to asset role and identity so servers, workstations, and automation accounts do not all have the same outbound permissions.
- Review repository authentication and access governance, especially for accounts and tokens used by developer or automation workflows.
- Ensure incident response playbooks include collection of proxy, endpoint, DNS, and repository audit evidence for suspected exfiltration.
Analyst notes and limits
Related software includes Empire and Shai-Hulud as using this technique, and the parent technique is Exfiltration Over Web Service. These relationships increase the need to evaluate both endpoint and web-service telemetry, but they do not by themselves prove exposure or active activity in any specific environment.
The supplied ATT&CK object has no official detection text. Details such as specific repository providers, API paths, event IDs, or validated analytics are not provided in the source fields, so local baselines and control evidence are required before making coverage claims.
Exfiltration to Code Repository
Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.
Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567 | Exfiltration Over Web Service | This object subtechnique of Exfiltration Over Web Service. |
Groups, software, and campaigns
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S9008: Shai-Hulud
Shai-Hulud is a supply chain worm, first reported in September 2025, that spreads through code repositories, including GitHub and NPM packages. It exploits CI/CD pipeline dependencies to propagate to victims and poisons the supply chain by publishing malicious packages. Once inside a victim environment, Shai-Hulud steals credentials and access tokens from compromised repository accounts and exfiltrates them to attacker-controlled servers via encoded GitHub Actions workflows.[1][2][3][4][5][6][7]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.2 | Current bundle | 0bf1a1d3c016… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack T1567.001Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.