title: Exfiltration to Text Storage Sites (T1567.003)
id: df00tech-t1567-003
status: experimental
description: "Adversaries may exfiltrate data to text storage sites such as pastebin.com, hastebin.com, paste.ee, ghostbin.co, or similar services instead of using their primary command and control channel. These sites are designed for sharing code and text snippets, often allowing anonymous or low-friction uploads with optional encryption and access controls. Threat actors leverage these services because traffic to them blends with normal developer activity, the sites are rarely blocked by firewalls, and paste content is ephemeral or access-controlled. Exfiltrated data may include credential dumps, configuration files, source code, reconnaissance output, or any collected sensitive data."
references:
  - https://attack.mitre.org/techniques/T1567/003/
  - https://df00tech.com/detections/T1567.003
author: df00tech
date: 2026/03/13
tags:
  - attack.t1567.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
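  # The original detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Stand-in selection (an assumption, not the df00tech query): process command lines
  # that reference the paste sites named in the description.
  selection:
    CommandLine|contains:
      - 'pastebin.com'
      - 'hastebin.com'
      - 'paste.ee'
      - 'ghostbin.co'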
  condition: selection
falsepositives:
  - Developers legitimately sharing code snippets or debug output to pastebin/hastebin during normal work
  - CI/CD pipelines or build scripts that publish logs or artifacts to paste sites for sharing build results
  - Security researchers or incident responders sharing sanitized IOCs or analysis outputs via paste sites
  - IT support staff using paste sites to share configuration examples or troubleshooting commands with users
  - Automated testing tools that upload test results to hastebin or similar for review
level: high
