MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1567.003: Exfiltration to Text Storage Sites

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.

Note: This is distinct from Exfiltration to Code Repository, which highlights access to code repositories via APIs.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

microsoft_sharepoint: PT-CR-2111: Sharepoint_critical_data_manipulation: An action with a critical file is performed

Detection

ID: DS0029
Data source and component: Network Traffic: Network Traffic Content
Description: Monitor and analyze network traffic for exfiltration attempts using text storage sites, i.e. POST requests to text storage sites.

ID: DS0029
Data source and component: Network Traffic: Network Traffic Flow
Description: Monitor network data for uncommon data flows, specifically to text storage sites such as Pastebin[.]com, Paste[.]ee, and Pastebin[.]pl.
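As an added example (not part of the original page and not a MaxPatrol SIEM rule), the following Python applies both detection ideas above to web proxy logs: it flags upload requests (POST/PUT) to the text storage sites named on this page and totals uploaded bytes per client so that chunked uploads still show up as one unusual flow. The log layout, the host list and the sample log lines are constructed assumptions for the example.

```python
import re

# Text storage sites the page names as exfiltration destinations (T1567.003).
TEXT_STORAGE_SITES = {"pastebin.com", "paste.ee", "pastebin.pl"}

# Assumed proxy log layout, constructed for this example (not a real product format):
#   <timestamp> <client_ip> <method> <url> <status> <bytes_sent_by_client>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

def host_of(url):
    """Return the lower-cased host of an http(s) URL, or '' if it cannot be parsed."""
    m = re.match(r"^[a-z]+://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""

def is_text_storage_host(host):
    """Exact match or subdomain of a listed site (e.g. www.pastebin.pl)."""
    return host in TEXT_STORAGE_SITES or any(host.endswith("." + s) for s in TEXT_STORAGE_SITES)

def detect_paste_exfil(lines, min_bytes=1024):
    """Flag upload requests (POST/PUT) to text storage sites that carry at least min_bytes.
    GET requests are ignored: fetching a paste is the C2/staging case, not exfiltration."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] not in ("POST", "PUT"):
            continue
        host, sent = host_of(m["url"]), int(m["bytes"])
        if is_text_storage_host(host) and sent >= min_bytes:
            alerts.append({"ts": m["ts"], "src": m["src"], "host": host, "bytes": sent})
    return alerts

def summarize_by_source(alerts):
    """Total bytes uploaded per client, so that chunked uploads still surface as one flow."""
    totals = {}
    for a in alerts:
        totals[a["src"]] = totals.get(a["src"], 0) + a["bytes"]
    return totals

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://pastebin.com/raw/abc123 200 512",
    "2024-05-01T10:00:05Z 10.0.0.5 POST https://pastebin.com/post 200 204800",
    "2024-05-01T10:00:09Z 10.0.0.7 POST https://paste.ee/upload 201 4096",
    "2024-05-01T10:01:00Z 10.0.0.9 POST https://example.com/login 302 300",
    "2024-05-01T10:02:00Z 10.0.0.5 POST https://www.pastebin.pl/ 200 150000",
]
```

The GET to pastebin.com is deliberately not flagged: downloads from these sites belong to the Stage Capabilities case, and a separate rule would cover them.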

Mitigation

ID: M1021
Name: Restrict Web-Based Content
Description: Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.