Inspired by Proof of Concept or GTFO: 15-07, this PoC demonstrates a covert method for exfiltrating Git repositories by embedding them in PDFs. It highlights risks for security teams and emphasizes the need for proactive defenses.
This diagram illustrates the sequence of steps in the attack scenario, from embedding sensitive code in a PDF to extracting it outside the corporate network.

Features:

- Embed: Bundle, encrypt, compress, and embed a Git repository into a PDF.
- Extract: Decrypt, decompress, and extract the repository to restore its original state.
- Obfuscation: Payloads are encrypted and compressed, so they do not match content signatures.
- Extensible: Can scale to multiple repositories and integrate with enterprise systems.
- Low Effort: Minimal setup required for high-impact attacks.

Risks:

- Exfiltration of sensitive source code that bypasses traditional DLP mechanisms.
- Encrypted and compressed attachments evade simple signature-based detection.
- Loss of IP and competitive advantage.
- Catastrophic risk from mass repository exfiltration in enterprise environments.

Mitigations:

- Scan PDFs for unusual attachments.
- Enforce role-based access and MFA for repositories.
- Monitor file size anomalies and high-entropy data in outbound documents.
- Detect anomalous repository cloning and PDF generation.
- Treat `git bundle` as a high-risk command and alert on its use.
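A minimal illustration of the first and third mitigations, written for this page and not part of the PoC itself: it finds `/EmbeddedFile` streams in a PDF, pairs them with their `/Filespec` names, and flags payloads whose Shannon entropy is near 8 bits per byte, which is what an encrypted, compressed attachment looks like. It assumes uncompressed object dictionaries (no object or xref streams) and uses a constructed sample PDF rather than a real bundle.

```python
"""Flag PDF file attachments whose contents look encrypted or compressed."""
import math
import re

# Constructed sample: a minimal PDF with one attached file whose 256-byte
# payload contains every byte value once (maximal entropy, 8.0 bits/byte).
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >> >> endobj\n"
    b"2 0 obj << /Names [(repo.bundle.enc) 3 0 R] >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (repo.bundle.enc) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 256 >>\nstream\n"
    + bytes(range(256))
    + b"\nendstream\nendobj\n%%EOF\n"
)

# Naive matchers; a production scanner should use a real PDF parser, since
# object streams and compressed dictionaries hide these tokens from regex.
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile.*?/Length\s+(\d+).*?stream\r?\n", re.S)
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec[^>]*?/F\s*\((.*?)\)", re.S)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_attachments(pdf: bytes, entropy_threshold: float = 7.5) -> list:
    """Return one record per embedded file, marking high-entropy payloads."""
    names = [m.group(1).decode("latin-1") for m in FILESPEC_RE.finditer(pdf)]
    findings = []
    for i, m in enumerate(EMBEDDED_RE.finditer(pdf)):
        length = int(m.group(1))
        payload = pdf[m.end(): m.end() + length]  # raw stream body
        ent = shannon_entropy(payload)
        findings.append({
            "name": names[i] if i < len(names) else "<unnamed>",
            "size": length,
            "entropy": round(ent, 2),
            "suspicious": ent >= entropy_threshold,
        })
    return findings


if __name__ == "__main__":
    for f in find_attachments(SAMPLE_PDF):
        print(f)  # the sample attachment is reported as suspicious
```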

Run the PoC:

```sh
make poc
```
