T1567.003 Elastic Security · Elastic

Detect Exfiltration to Text Storage Sites in Elastic Security

Adversaries may exfiltrate data to text storage sites such as pastebin.com, hastebin.com, paste.ee, ghostbin.co, or similar services instead of using their primary command and control channel. These sites are designed for sharing code and text snippets, often allowing anonymous or low-friction uploads with optional encryption and access controls. Threat actors leverage these services because traffic to them blends with normal developer activity, the sites are rarely blocked by firewalls, and paste content is ephemeral or access-controlled. Exfiltrated data may include credential dumps, configuration files, source code, reconnaissance output, or any collected sensitive data.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1567 Exfiltration Over Web Service
Sub-technique
T1567.003 Exfiltration to Text Storage Sites
Canonical reference
https://attack.mitre.org/techniques/T1567/003/

Elastic Detection Query

Elastic Security (Elastic)
eql 
network where event.type == "connection" and
  network.direction == "outbound" and
  (
    destination.domain : ("pastebin.com","hastebin.com","ghostbin.co","paste.ee",
                           "dpaste.org","dpaste.com","sprunge.us","ix.io","termbin.com",
                           "controlc.com","rentry.co","paste.c-net.org") and
    network.bytes > 1048576
  ) or
  (
    destination.domain : ("api.paste.ee","pastebin.com") and
    process.name : ("powershell.exe","pwsh.exe","python*","perl","ruby","curl.exe","wget.exe") and
    network.bytes > 102400
  )
high severity medium confidence

Detects data exfiltration to paste sites and code repositories via large outbound transfers or scripted POST requests.

Data Sources

Network Flow EventsEndpoint Network Events

Required Tables

logs-endpoint.events.network-*

False Positives & Tuning

  • Developers legitimately sharing code snippets or debug output to pastebin/hastebin during normal work
  • CI/CD pipelines or build scripts that publish logs or artifacts to paste sites for sharing build results
  • Security researchers or incident responders sharing sanitized IOCs or analysis outputs via paste sites
  • IT support staff using paste sites to share configuration examples or troubleshooting commands with users
  • Automated testing tools that upload test results to hastebin or similar for review
Download portable Sigma rule (.yml)

Other platforms for T1567.003

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Exfiltrate Data to Pastebin via API (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'pastebin.com', 'api_dev_key', 'Invoke-RestMethod', and 'api_paste_code'. Sysmon Event ID 3: Network connection to pastebin.com on port 443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full hashtable and Invoke-RestMethod call. DNS Event ID 22 for pastebin.com resolution.

  2. Test 2Exfiltrate Data to Hastebin via curl (Linux/macOS)

    Expected signal: Linux auditd EXECVE record for curl with arguments including 'hastebin.com', '-X', 'POST', and '-d'. Sysmon for Linux Event ID 3: Network connection to hastebin.com port 443. DNS resolution event for hastebin.com. The command substitution $(hostname) and $(whoami) will also generate process creation events for those utilities as children of the curl parent.

  3. Test 3Exfiltrate Data to ix.io via netcat pipe (Linux)

    Expected signal: Auditd EXECVE records for echo and curl as a pipeline. Curl process with parent bash/sh and CommandLine containing 'ix.io' and '-F'. Sysmon for Linux Event ID 3: Network connection to ix.io port 443. The form upload flag (-F 'f:1=@-') with stdin pipe represents programmatic upload.

  4. Test 4Exfiltrate Data to Pastebin via Python requests (Windows/Linux/macOS)

    Expected signal: Sysmon Event ID 1: Process Create with Image=python3.exe (or python.exe), CommandLine containing 'urllib.request', 'pastebin.com', 'api_dev_key', and 'urlopen'. Sysmon Event ID 3: Network connection from python3.exe to pastebin.com port 443. DNS Event ID 22 for pastebin.com resolution.

Last updated: 2026-03-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1567.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1567Exfiltration Over Web Service

Related Sub-techniques

T1567.001Exfiltration to Code RepositoryT1567.002Exfiltration to Cloud StorageT1567.004Exfiltration Over Webhook

Related Techniques

T1567Exfiltration Over Web ServiceT1567.001Exfiltration to Code RepositoryT1567.004Exfiltration Over WebhookT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1027Obfuscated Files or InformationT1119Automated CollectionT1003OS Credential DumpingT1608Stage Capabilities

Same Tactic: Exfiltration

Popular Detections