Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-PasteSite-ChunkedDeadDropExfil.
Upgrade to ProChunked Multi-Paste Exfiltration to Text Storage Dead Drops
Free-tier text storage sites (Pastebin, dpaste, Ghostbin, paste.ee) enforce per-paste size caps that typically range from 512KB to a few megabytes. Adversaries and data-extortion crews exfiltrating a large staged archive (credential dumps, database exports, source code trees) via these services split the payload into sequential chunks — using `split`, PowerShell `Get-Content -ReadCount`, or a bundled exfil script — and upload each chunk as a separate paste, sometimes across multiple throwaway accounts to evade per-account rate limiting. This defeats naive single-event, single-large-transfer detection because no individual upload looks abnormal in isolation; the signal only emerges from correlating a burst of same-host, same-account paste-site uploads within a short window, each falling suspiciously below the platform's known size ceiling. This pattern is distinct from the ad-hoc single-paste developer or IR-analyst use already covered by the base T1567.003 technique detection: it requires both a local file-splitting or chunk-naming precursor and a subsequent burst of small, same-destination uploads. Both data-extortion crews staging data ahead of ransom negotiation and espionage actors moving smaller artifacts are known to use public paste and text-storage sites as dead drops; chunking credential material across many small pastes specifically evades proxy-level DLP thresholds tuned to single-request byte counts.
What is THREAT-PasteSite-ChunkedDeadDropExfil Chunked Multi-Paste Exfiltration to Text Storage Dead Drops?
Chunked Multi-Paste Exfiltration to Text Storage Dead Drops (THREAT-PasteSite-ChunkedDeadDropExfil) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.
This page provides production-ready detection logic for Chunked Multi-Paste Exfiltration to Text Storage Dead Drops, covering the data sources and telemetry it touches: Process: Process Creation, Network Traffic: Network Connection Creation, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Exfiltration
let PasteSites = dynamic([
"pastebin.com", "hastebin.com", "ghostbin.co", "ghostbin.com",
"paste.ee", "paste2.org", "dpaste.org", "dpaste.com",
"sprunge.us", "ix.io", "termbin.com", "controlc.com",
"0bin.net", "pastie.org", "pasteio.com", "rentry.co"
]);
// Signal 1: local chunking/splitting of a file into sequentially numbered parts shortly before exfil
let ChunkStaging =
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName in~ ("split", "split.exe") and ProcessCommandLine has_any ("-b", "--bytes", "-l", "--lines"))
or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any ("Get-Content", "ReadCount", "Split-Path") and ProcessCommandLine has_any ("-ReadCount", "chunk", "part"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Signal = "LocalFileChunking";
// Signal 2: burst of paste-site uploads from the same device/account within a 15-minute window
let PasteBurst =
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (PasteSites)
| where RemotePort in (80, 443)
| summarize UploadCount = count(),
TotalBytes = sum(BytesSent),
Processes = make_set(InitiatingProcessFileName),
Destinations = make_set(RemoteUrl),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by DeviceName, AccountName = InitiatingProcessAccountName, bin(Timestamp, 15m)
| where UploadCount >= 3
| extend AvgBytesPerUpload = TotalBytes / UploadCount
| where AvgBytesPerUpload < 1048576
| extend Signal = "BurstPasteUploads";
ChunkStaging
| join kind=leftouter (PasteBurst) on DeviceName, AccountName
| where isnotempty(UploadCount) or Signal == "LocalFileChunking"
| sort by Timestamp desc Correlates two signals for chunked paste-site exfiltration: (1) local execution of a file-splitting utility (`split`, or PowerShell chunked `Get-Content`) shortly before network activity, which stages a large file into upload-sized pieces; (2) a burst of three or more paste-site uploads from the same device and account within a 15-minute window, where the average bytes-per-upload stays below 1MB — consistent with deliberate chunking to stay under platform size caps rather than a single legitimate large paste. Either signal alone is lower-confidence; both together from the same host/account in the same window is high-confidence.
Data Sources
Required Tables
False Positives
- Log-splitting or report-generation scripts that legitimately chunk output files for other purposes (backup rotation, mail attachment size limits) unrelated to paste sites
- Developers or QA engineers uploading multiple small, unrelated debug snippets to a paste site within a short session
- CI/CD pipelines that publish multiple build artifact logs to a paste service as separate pastes during a single pipeline run
- Security tooling that legitimately chunks and uploads sanitized IOC lists to a paste site for team sharing
Sigma rule & cross-platform mapping
The detection logic for Chunked Multi-Paste Exfiltration to Text Storage Dead Drops (THREAT-PasteSite-ChunkedDeadDropExfil) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for THREAT-PasteSite-ChunkedDeadDropExfil
Testing Methodology
Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Split a Staged File and Upload as Multiple Pastebin Chunks
Expected signal: Process creation event for `split` with `-b 100k` and an output prefix argument. Three or more curl process creation events within a short window, each with a command line referencing pastebin.com/api/api_post.php. Corresponding network connection events to pastebin.com on port 443 for each curl invocation.
- Test 2PowerShell Chunked Read-and-Upload Loop to dpaste
Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Get-Content', 'ReadCount', and 'dpaste.org'. Multiple Sysmon Event ID 3 network connections from powershell.exe to dpaste.org within the same execution window. PowerShell ScriptBlock Log Event ID 4104 capturing the full loop.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-PasteSite-ChunkedDeadDropExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month
Related Detections
Tactic Hub
Detection Variants (1)
Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.