Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-PasteSite-ChunkedDeadDropExfil.

Upgrade to Pro
THREAT-PasteSite-ChunkedDeadDropExfil Splunk · SPL

Detect Chunked Multi-Paste Exfiltration to Text Storage Dead Drops in Splunk

Free-tier text storage sites (Pastebin, dpaste, Ghostbin, paste.ee) enforce per-paste size caps that typically range from 512KB to a few megabytes. Adversaries and data-extortion crews exfiltrating a large staged archive (credential dumps, database exports, source code trees) via these services split the payload into sequential chunks — using `split`, PowerShell `Get-Content -ReadCount`, or a bundled exfil script — and upload each chunk as a separate paste, sometimes across multiple throwaway accounts to evade per-account rate limiting. This defeats naive single-event, single-large-transfer detection because no individual upload looks abnormal in isolation; the signal only emerges from correlating a burst of same-host, same-account paste-site uploads within a short window, each falling suspiciously below the platform's known size ceiling. This pattern is distinct from the ad-hoc single-paste developer or IR-analyst use already covered by the base T1567.003 technique detection: it requires both a local file-splitting or chunk-naming precursor and a subsequent burst of small, same-destination uploads. Both data-extortion crews staging data ahead of ransom negotiation and espionage actors moving smaller artifacts are known to use public paste and text-storage sites as dead drops; chunking credential material across many small pastes specifically evades proxy-level DLP thresholds tuned to single-request byte counts.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
| multisearch
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  ((Image="*\\split" OR Image="*\\split.exe") AND (CommandLine="*-b*" OR CommandLine="*--bytes*" OR CommandLine="*-l*"))
  OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe") AND CommandLine="*Get-Content*" AND (CommandLine="*ReadCount*" OR CommandLine="*chunk*" OR CommandLine="*part*"))
  | eval Signal="LocalFileChunking"
  | table _time, host, User, Image, CommandLine, Signal ]
[ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (DestinationHostname="*pastebin*" OR DestinationHostname="*hastebin*" OR DestinationHostname="*ghostbin*" OR DestinationHostname="*paste.ee*" OR DestinationHostname="*dpaste*" OR DestinationHostname="*sprunge*" OR DestinationHostname="*termbin*" OR DestinationHostname="*ix.io*" OR DestinationHostname="*controlc.com*" OR DestinationHostname="*rentry.co*")
  | bucket _time span=15m
  | stats count as UploadCount, values(DestinationHostname) as Destinations by host, User, _time
  | where UploadCount >= 3
  | eval Signal="BurstPasteUploads" ]
| stats values(Signal) as Signals, values(CommandLine) as Commands, values(Destinations) as Destinations, sum(UploadCount) as TotalUploads by host, User
| where mvcount(Signals) > 0
| sort - TotalUploads
high severity medium confidence

SPL equivalent of the two-signal correlation: Sysmon Event ID 1 for local file-splitting utility execution (`split`, chunked `Get-Content`), and Sysmon Event ID 3 for a 15-minute bucketed burst of three or more distinct paste-site network connections from the same host/user. Results are grouped by host and user so an analyst can see both the staging and the burst-upload signal together.

Data Sources

Sysmon Event ID 1Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Log-splitting or report-generation scripts unrelated to paste-site exfiltration
  • Developers uploading several small, unrelated debug snippets in one session
  • CI/CD pipelines publishing multiple build logs as separate pastes
  • Security tooling chunking and uploading sanitized IOC lists for team sharing

Other platforms for THREAT-PasteSite-ChunkedDeadDropExfil


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Split a Staged File and Upload as Multiple Pastebin Chunks

    Expected signal: Process creation event for `split` with `-b 100k` and an output prefix argument. Three or more curl process creation events within a short window, each with a command line referencing pastebin.com/api/api_post.php. Corresponding network connection events to pastebin.com on port 443 for each curl invocation.

  2. Test 2PowerShell Chunked Read-and-Upload Loop to dpaste

    Expected signal: Sysmon Event ID 1 for powershell.exe with CommandLine containing 'Get-Content', 'ReadCount', and 'dpaste.org'. Multiple Sysmon Event ID 3 network connections from powershell.exe to dpaste.org within the same execution window. PowerShell ScriptBlock Log Event ID 4104 capturing the full loop.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-PasteSite-ChunkedDeadDropExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.