Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-PasteSite-TextStorageExfil.

Upgrade to Pro
THREAT-PasteSite-TextStorageExfil

Data Exfiltration to Public Paste and Text-Storage Sites

Exfiltration Last updated:

Public paste and text-storage sites — Pastebin, Ghostbin, Rentry, Hastebin, dpaste, paste.ee, and similar services — let anyone post arbitrary text via a simple HTTPS POST with no authentication and no account required. Unlike code-repository exfiltration (T1567.001, e.g. GitHub Gist, which requires an account and leaves attributable commit metadata) or cloud-storage exfiltration (T1567.002, e.g. S3/Azure Blob, which requires provisioned storage and credentials), paste sites are frictionless: an adversary drops one HTTP request and the data is live at a public URL within seconds. Web-filtering categorization rarely blocks them (most proxies bucket paste sites under 'technology' or 'reference', not 'file sharing' or 'uploads'), and the destination is TLS-encrypted, so DLP tooling that inspects only unencrypted egress or that keys off file-sharing categories misses it entirely. This makes paste sites a favorite low-effort channel for two distinct actor classes: commodity infostealers (RedLine, Vidar, LummaC2 builders have shipped configurations that POST harvested credential/cookie logs directly to Pastebin's API endpoint) and extortion/data-leak operators (LAPSUS$ and similar groups have posted proof-of-compromise source-code snippets and credential dumps to paste sites as pre-ransom leverage before standing up a dedicated leak site). The detection signal is a non-browser process — a script interpreter, a compiled malware binary, or an automation tool that has no legitimate reason to post to a paste service — issuing an HTTPS connection to a paste-site domain, particularly one immediately following bulk file or credential-store access.

What is THREAT-PasteSite-TextStorageExfil Data Exfiltration to Public Paste and Text-Storage Sites?

Data Exfiltration to Public Paste and Text-Storage Sites (THREAT-PasteSite-TextStorageExfil) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Data Exfiltration to Public Paste and Text-Storage Sites, covering the data sources and telemetry it touches: Network Traffic: Network Connection Creation, Microsoft Defender for Endpoint (DeviceNetworkEvents). The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let LookbackWindow = 24h;
let PasteSiteDomains = dynamic([
  "pastebin.com", "paste.ee", "ghostbin.com", "rentry.co", "hastebin.com",
  "dpaste.org", "dpaste.com", "controlc.com", "0bin.net", "paste2.org",
  "pastelink.net", "justpaste.it", "privatebin.net"
]);
let KnownBrowsers = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "iexplore.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(LookbackWindow)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (PasteSiteDomains)
| where InitiatingProcessFileName !in~ (KnownBrowsers)
| summarize
    ConnectionCount = count(),
    Domains = make_set(RemoteUrl, 5),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine
| project FirstSeen, LastSeen, DeviceName, AccountName, InitiatingProcessFileName,
    InitiatingProcessFolderPath, InitiatingProcessCommandLine, ConnectionCount, Domains
| sort by LastSeen desc

Flags any process other than a recognized browser establishing an outbound HTTPS connection to a known paste/text-storage site domain. DeviceNetworkEvents.RemoteUrl is populated for HTTP(S) connections resolved by the sensor's user-mode network hooking, allowing domain-level matching without needing a separate proxy log. A script interpreter, unsigned binary, or automation tool posting to a paste service is a high-signal anomaly since these sites have no legitimate business-application use case on an endpoint.

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Microsoft Defender for Endpoint (DeviceNetworkEvents)

Required Tables

DeviceNetworkEvents

False Positives

  • Security researchers or developers who legitimately use Pastebin/dpaste to share code snippets or config examples from a personal script or CLI tool rather than a browser
  • Browser extensions or CLI utilities (e.g. a 'paste' shell alias, gist-cli-style tools) intentionally posting non-sensitive content
  • CI/CD pipelines or logging tools that upload build logs to a paste service for team sharing — should be documented and excluded by process name and service account
  • Automated vulnerability scanners or OSINT tooling that legitimately queries paste sites for leaked-credential monitoring (read-only GET traffic, not POST) — distinguish by reviewing proxy method where available

Sigma rule & cross-platform mapping

The detection logic for Data Exfiltration to Public Paste and Text-Storage Sites (THREAT-PasteSite-TextStorageExfil) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated Non-Browser POST to a Paste-Site-Style Endpoint

    Expected signal: Sysmon Event ID 3 (Network Connection) / DeviceNetworkEvents: powershell.exe connecting to 127.0.0.1:8443 with a RemoteUrl resembling a paste-API path. If a local test listener is running, its logs will show the POST body containing the synthetic credential payload.

  2. Test 2Repeated Paste-Style Connections from a Temp-Directory Binary

    Expected signal: Sysmon Event ID 1: update_helper.exe (a copy of powershell.exe) executing from %TEMP%\atomic_paste_test\. Sysmon Event ID 3: three network connection events to the test endpoint spaced ~5 seconds apart, initiated by the temp-directory binary.

  3. Test 3Bulk File Staging Followed by Paste-Style Post

    Expected signal: Process creation for tar and curl; a network connection event (Sysmon-for-Linux Event ID 3 / auditd network record) from curl to the test endpoint within seconds of the archive being written to /tmp.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-PasteSite-TextStorageExfil — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Detection Variants (1)

Different telemetry and tradecraft for the same technique — pick the one that matches the data you collect.