T1567.003 Microsoft Sentinel · KQL

Detect Exfiltration to Text Storage Sites in Microsoft Sentinel

Adversaries may exfiltrate data to text storage sites such as pastebin.com, hastebin.com, paste.ee, ghostbin.co, or similar services instead of using their primary command and control channel. These sites are designed for sharing code and text snippets, often allowing anonymous or low-friction uploads with optional encryption and access controls. Threat actors leverage these services because traffic to them blends with normal developer activity, the sites are rarely blocked by firewalls, and paste content is ephemeral or access-controlled. Exfiltrated data may include credential dumps, configuration files, source code, reconnaissance output, or any collected sensitive data.

MITRE ATT&CK

Tactic
Exfiltration
Technique
T1567 Exfiltration Over Web Service
Sub-technique
T1567.003 Exfiltration to Text Storage Sites
Canonical reference
https://attack.mitre.org/techniques/T1567/003/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let PasteSites = dynamic([
  "pastebin.com", "pastebin.pl", "pastebin.osuosl.org",
  "hastebin.com", "toptal.com/developers/hastebin",
  "ghostbin.co", "ghostbin.com",
  "paste.ee", "paste2.org", "paste.ofcode.org",
  "dpaste.org", "dpaste.com",
  "sprunge.us", "ix.io",
  "termbin.com",
  "controlc.com",
  "0bin.net",
  "pastie.org",
  "pasteio.com",
  "rentry.co"
]);
let PasteAPIPaths = dynamic([
  "/api/api_post.php",
  "/documents",
  "/api/v2/pastes",
  "/api/pastes"
]);
// Signal 1: Network connections to known paste sites
let NetworkSignal =
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (PasteSites)
    or RemoteIPType == "Public" and (RemoteUrl has "paste" or RemoteUrl has "hastebin")
| where RemotePort in (80, 443)
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         ProcessName=InitiatingProcessFileName, CommandLine=InitiatingProcessCommandLine,
         RemoteUrl, RemoteIP, RemotePort, BytesSent,
         SignalType="NetworkConnection";
// Signal 2: Process command lines explicitly targeting paste sites
let ProcessSignal =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (PasteSites)
    or ProcessCommandLine has_any ("pastebin", "hastebin", "ghostbin", "paste.ee", "termbin", "sprunge", "ix.io")
| where FileName in~ ("curl.exe", "curl", "wget.exe", "wget", "powershell.exe", "pwsh.exe",
                       "python.exe", "python3", "python", "python3.exe",
                       "nc.exe", "ncat.exe", "node.exe", "ruby.exe", "perl.exe")
| project Timestamp, DeviceName, AccountName, ProcessName=FileName,
         CommandLine=ProcessCommandLine,
         ParentProcess=InitiatingProcessFileName, ParentCommandLine=InitiatingProcessCommandLine,
         SignalType="ProcessExecution";
// Union both signals
NetworkSignal
| union ProcessSignal
| extend IsCurl = ProcessName in~ ("curl.exe", "curl", "wget.exe", "wget")
| extend IsPowerShell = ProcessName in~ ("powershell.exe", "pwsh.exe")
| extend IsScript = ProcessName in~ ("python.exe", "python3", "python", "python3.exe", "ruby.exe", "perl.exe", "node.exe")
| extend HasPostData = CommandLine has_any ("-d ", "--data", "--data-binary", "--data-raw", "-F ",
                                             "Invoke-RestMethod", "Invoke-WebRequest",
                                             "UploadString", "UploadData",
                                             "requests.post", ".post(", "urllib.request")
| extend HasAPIKey = CommandLine has_any ("api_dev_key", "api_user_key", "api_paste", "X-Auth-Token",
                                          "Authorization:", "--header")
| extend LargeTransfer = BytesSent > 50000
| sort by Timestamp desc
high severity medium confidence

Detects exfiltration activity targeting text storage and paste sites. Uses two correlated signals: (1) DeviceNetworkEvents identifying outbound connections to a curated list of known paste site domains, optionally filtering for high byte transfer volumes; (2) DeviceProcessEvents identifying process command lines (curl, wget, PowerShell, Python, etc.) that reference paste site hostnames or APIs. Enrichment fields flag POST data patterns, API key usage, and large outbound transfers to help analysts prioritize.

Data Sources

Network Traffic: Network Connection CreationProcess: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceNetworkEventsDeviceProcessEvents

False Positives & Tuning

  • Developers legitimately sharing code snippets or debug output to pastebin/hastebin during normal work
  • CI/CD pipelines or build scripts that publish logs or artifacts to paste sites for sharing build results
  • Security researchers or incident responders sharing sanitized IOCs or analysis outputs via paste sites
  • IT support staff using paste sites to share configuration examples or troubleshooting commands with users
  • Automated testing tools that upload test results to hastebin or similar for review
Download portable Sigma rule (.yml)

Other platforms for T1567.003

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Exfiltrate Data to Pastebin via API (PowerShell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe, CommandLine containing 'pastebin.com', 'api_dev_key', 'Invoke-RestMethod', and 'api_paste_code'. Sysmon Event ID 3: Network connection to pastebin.com on port 443 from powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the full hashtable and Invoke-RestMethod call. DNS Event ID 22 for pastebin.com resolution.

  2. Test 2Exfiltrate Data to Hastebin via curl (Linux/macOS)

    Expected signal: Linux auditd EXECVE record for curl with arguments including 'hastebin.com', '-X', 'POST', and '-d'. Sysmon for Linux Event ID 3: Network connection to hastebin.com port 443. DNS resolution event for hastebin.com. The command substitution $(hostname) and $(whoami) will also generate process creation events for those utilities as children of the curl parent.

  3. Test 3Exfiltrate Data to ix.io via netcat pipe (Linux)

    Expected signal: Auditd EXECVE records for echo and curl as a pipeline. Curl process with parent bash/sh and CommandLine containing 'ix.io' and '-F'. Sysmon for Linux Event ID 3: Network connection to ix.io port 443. The form upload flag (-F 'f:1=@-') with stdin pipe represents programmatic upload.

  4. Test 4Exfiltrate Data to Pastebin via Python requests (Windows/Linux/macOS)

    Expected signal: Sysmon Event ID 1: Process Create with Image=python3.exe (or python.exe), CommandLine containing 'urllib.request', 'pastebin.com', 'api_dev_key', and 'urlopen'. Sysmon Event ID 3: Network connection from python3.exe to pastebin.com port 443. DNS Event ID 22 for pastebin.com resolution.

Last updated: 2026-03-13 Research depth: deep
References (9)

Unlock Pro Content

Get the full detection package for T1567.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1567Exfiltration Over Web Service

Related Sub-techniques

T1567.001Exfiltration to Code RepositoryT1567.002Exfiltration to Cloud StorageT1567.004Exfiltration Over Webhook

Related Techniques

T1567Exfiltration Over Web ServiceT1567.001Exfiltration to Code RepositoryT1567.004Exfiltration Over WebhookT1041Exfiltration Over C2 ChannelT1560Archive Collected DataT1027Obfuscated Files or InformationT1119Automated CollectionT1003OS Credential DumpingT1608Stage Capabilities

Same Tactic: Exfiltration

Popular Detections