Exfiltration to Text Storage Sites

let PasteSites = dynamic([
  "pastebin.com", "pastebin.pl", "pastebin.osuosl.org",
  "hastebin.com", "toptal.com/developers/hastebin",
  "ghostbin.co", "ghostbin.com",
  "paste.ee", "paste2.org", "paste.ofcode.org",
  "dpaste.org", "dpaste.com",
  "sprunge.us", "ix.io",
  "termbin.com",
  "controlc.com",
  "0bin.net",
  "pastie.org",
  "pasteio.com",
  "rentry.co"
]);
let PasteAPIPaths = dynamic([
  "/api/api_post.php",
  "/documents",
  "/api/v2/pastes",
  "/api/pastes"
]);
// Signal 1: Network connections to known paste sites
let NetworkSignal =
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (PasteSites)
    or RemoteIPType == "Public" and (RemoteUrl has "paste" or RemoteUrl has "hastebin")
| where RemotePort in (80, 443)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         ProcessName=InitiatingProcessFileName, CommandLine=InitiatingProcessCommandLine,
         RemoteUrl, RemoteIP, RemotePort, BytesSent,
         SignalType="NetworkConnection";
// Signal 2: Process command lines explicitly targeting paste sites
let ProcessSignal =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (PasteSites)
    or ProcessCommandLine has_any ("pastebin", "hastebin", "ghostbin", "paste.ee", "termbin", "sprunge", "ix.io")
| where FileName in~ ("curl.exe", "curl", "wget.exe", "wget", "powershell.exe", "pwsh.exe",
                       "python.exe", "python3", "python", "python3.exe",
                       "nc.exe", "ncat.exe", "node.exe", "ruby.exe", "perl.exe")
| project Timestamp, DeviceName, AccountName, ProcessName=FileName,
         CommandLine=ProcessCommandLine,
         ParentProcess=InitiatingProcessFileName, ParentCommandLine=InitiatingProcessCommandLine,
         SignalType="ProcessExecution";
// Union both signals
NetworkSignal
| union ProcessSignal
| extend IsCurl = ProcessName in~ ("curl.exe", "curl", "wget.exe", "wget")
| extend IsPowerShell = ProcessName in~ ("powershell.exe", "pwsh.exe")
| extend IsScript = ProcessName in~ ("python.exe", "python3", "python", "python3.exe", "ruby.exe", "perl.exe", "node.exe")
| extend HasPostData = CommandLine has_any ("-d ", "--data", "--data-binary", "--data-raw", "-F ",
                                             "Invoke-RestMethod", "Invoke-WebRequest",
                                             "UploadString", "UploadData",
                                             "requests.post", ".post(", "urllib.request")
| extend HasAPIKey = CommandLine has_any ("api_dev_key", "api_user_key", "api_paste", "X-Auth-Token",
                                          "Authorization:", "--header")
| extend LargeTransfer = BytesSent > 50000
| sort by Timestamp desc

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (DestinationHostname="*pastebin*" OR DestinationHostname="*hastebin*" OR DestinationHostname="*ghostbin*"
   OR DestinationHostname="*paste.ee*" OR DestinationHostname="*dpaste*" OR DestinationHostname="*sprunge*"
   OR DestinationHostname="*termbin*" OR DestinationHostname="*ix.io*" OR DestinationHostname="*controlc.com*"
   OR DestinationHostname="*0bin.net*" OR DestinationHostname="*rentry.co*" OR DestinationHostname="*paste2.org*")
  | eval SignalType="NetworkConnection"
  | eval PasteHost=DestinationHostname
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
          DestinationHostname, DestinationPort, DestinationIp, SignalType, PasteHost
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*pastebin*" OR CommandLine="*hastebin*" OR CommandLine="*ghostbin*"
   OR CommandLine="*paste.ee*" OR CommandLine="*dpaste*" OR CommandLine="*sprunge.us*"
   OR CommandLine="*termbin.com*" OR CommandLine="*ix.io*" OR CommandLine="*controlc.com*"
   OR CommandLine="*0bin.net*" OR CommandLine="*rentry.co*" OR CommandLine="*paste2.org*")
  (Image="*\\curl.exe" OR Image="*\\wget.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\nc.exe" OR Image="*\\ncat.exe"
   OR Image="*\\node.exe" OR Image="*\\ruby.exe" OR Image="*\\perl.exe")
  | eval SignalType="ProcessExecution"
  | eval PasteHost=case(
      match(CommandLine, "pastebin"), "pastebin.com",
      match(CommandLine, "hastebin"), "hastebin.com",
      match(CommandLine, "ghostbin"), "ghostbin.co",
      match(CommandLine, "paste\.ee"), "paste.ee",
      match(CommandLine, "dpaste"), "dpaste.org",
      match(CommandLine, "sprunge"), "sprunge.us",
      match(CommandLine, "termbin"), "termbin.com",
      match(CommandLine, "ix\.io"), "ix.io",
      1=1, "unknown-paste-site")
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, SignalType, PasteHost
]
| eval IsCurlWget=if(match(Image, "(curl\.exe|wget\.exe)$"), 1, 0)
| eval IsPowerShell=if(match(Image, "(powershell\.exe|pwsh\.exe)$"), 1, 0)
| eval IsScript=if(match(Image, "(python.*\.exe|node\.exe|ruby\.exe|perl\.exe)$"), 1, 0)
| eval HasPostData=if(match(CommandLine, "(-d\s|--data|--data-binary|--data-raw|Invoke-RestMethod|Invoke-WebRequest|UploadString|requests\.post|urllib\.request)"), 1, 0)
| eval HasAPIKey=if(match(CommandLine, "(api_dev_key|api_user_key|api_paste|X-Auth-Token|Authorization:)"), 1, 0)
| eval SuspicionScore=IsCurlWget + IsPowerShell + IsScript + HasPostData + HasAPIKey
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        SignalType, PasteHost, IsCurlWget, IsPowerShell, IsScript, HasPostData, HasAPIKey, SuspicionScore
| sort - _time

network where event.type == "connection" and
  network.direction == "outbound" and
  (
    destination.domain : ("pastebin.com","hastebin.com","ghostbin.co","paste.ee",
                           "dpaste.org","dpaste.com","sprunge.us","ix.io","termbin.com",
                           "controlc.com","rentry.co","paste.c-net.org") and
    network.bytes > 1048576
  ) or
  (
    destination.domain : ("api.paste.ee","pastebin.com") and
    process.name : ("powershell.exe","pwsh.exe","python*","perl","ruby","curl.exe","wget.exe") and
    network.bytes > 102400
  )

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource,
  "sourceip" as SourceIP, "Image" as ProcessImage,
  "DestinationHostname" as PasteSite, SUM("BytesSent") as TotalBytes,
  CASE WHEN SUM("BytesSent") > 5242880 THEN 10
       WHEN LOWER("Image") LIKE '%powershell%' AND SUM("BytesSent") > 102400 THEN 9
       ELSE 6 END as RiskScore
FROM events
WHERE "DestinationHostname" ILIKE ANY
  ('%pastebin.com%','%hastebin%','%ghostbin%','%paste.ee%','%dpaste%',
   '%sprunge.us%','%ix.io%','%termbin%','%controlc.com%','%rentry.co%',
   '%github.com%','%gist.github.com%','%gitlab.com%')
  AND "Direction" = 'outbound'
GROUP BY "sourceip", "Image", "DestinationHostname", FLOOR(devicetime/3600000)
HAVING TotalBytes > 102400
ORDER BY TotalBytes DESC

_sourceCategory=windows/sysmon OR _sourceCategory=network/flow
| json auto
| where EventID == "3" OR Direction == "outbound"
| eval hostname = toLower(coalesce(DestinationHostname, ""))
| where hostname matches ".*(pastebin|hastebin|ghostbin|paste\.ee|dpaste|sprunge|ix\.io|termbin|controlc|rentry|gist\.github).*"
| eval ImageLower = toLower(coalesce(Image,""))
| eval is_scripted = if(ImageLower matches ".*(powershell|pwsh|python|perl|ruby|curl|wget).*", 1, 0)
| timeslice 1h
| stats sum(BytesSent) as TotalBytes, count() as Connections, dc(DestinationHostname) as UniqueSites
        by SourceIP, Image, _timeslice
| where TotalBytes > 102400
| eval TotalKB = round(TotalBytes / 1024, 1)
| eval risk = if(TotalBytes > 5242880, "critical", if(TotalBytes > 1048576, "high", "medium"))
| table _timeslice, SourceIP, Image, TotalKB, Connections, UniqueSites, risk
| sort by TotalKB desc

rule paste_site_exfiltration {
  meta:
    author = "Detection Engineering"
    description = "Detects data exfiltration to paste sites and code repos (T1567.003)"
    severity = "HIGH"
    tactic = "TA0010"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    re.regex($e.target.hostname, `(?i)(pastebin\.com|hastebin\.com|ghostbin|paste\.ee|dpaste|sprunge\.us|ix\.io|termbin|controlc\.com|gist\.github\.com)`) nocase
    $e.network.sent_bytes > 102400

  condition:
    $e
}

#event_simpleName = "NetworkConnectIP4"
| DomainName = /(pastebin\.com|hastebin|ghostbin|paste\.ee|dpaste|sprunge|termbin|controlc|gist\.github)/i
| stats sum(BytesOut) as TotalBytes, count() as Connections by ContextBaseFileName, DomainName, span(timestamp, 1h)
| where TotalBytes > 102400
| eval TotalKB = round(TotalBytes / 1024, 1)
| eval risk = if(TotalBytes > 5242880, "critical", if(TotalBytes > 1048576, "high", "medium"))
| table timestamp, ComputerName, UserName, ContextBaseFileName, DomainName, TotalKB, Connections, risk
| sort by TotalKB desc