Unexpected processes (e.g., powershell.exe, wscript.exe, office apps) initiating HTTP POST/PUT requests to text storage domains like pastebin.com or hastebin.com, particularly when preceded by file access in sensitive directories. Defender perspective: correlation of process lineage, large clipboard/file read operations, and outbound uploads to text storage services.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | WinEventLog:Security | EventCode=4663 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TextStorageDomains | Domains to monitor such as pastebin.com, hastebin.com, ghostbin.com. |
| UploadSizeThreshold | Minimum data size (e.g., >500KB) to trigger alerts for suspicious uploads. |
| UserContext | User accounts with legitimate business justification for posting to text storage sites. |

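The correlation described above (watched process, sensitive file read, then an upload-sized connection to a text storage domain on the same process, gated by the TextStorageDomains, UploadSizeThreshold and UserContext fields) as an added Python example; it is not part of the original analytic. The event dictionaries, directory list, account name and byte counts are constructed, and `bytes_out` is assumed to be enriched from flow or proxy data since Sysmon EventCode 3 carries no size.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ntpath import basename

# Tunable fields from the analytic above; the values are constructed examples.
TEXT_STORAGE_DOMAINS = {"pastebin.com", "hastebin.com", "ghostbin.com"}
UPLOAD_SIZE_THRESHOLD = 500 * 1024                  # bytes
USER_CONTEXT_ALLOWLIST = {"CORP\\svc_pastebot"}     # hypothetical account with a business need
UNEXPECTED_UPLOADERS = {"powershell.exe", "wscript.exe", "winword.exe", "excel.exe"}
SENSITIVE_DIRS = ("C:\\Finance\\", "C:\\HR\\")      # hypothetical monitored directories
CORRELATION_WINDOW = timedelta(minutes=5)

def correlate(events):
    """Alert when one pid shows a watched image (Sysmon 1), then a read under a
    sensitive directory (Security 4663), then an upload-sized connection to a text
    storage domain (Sysmon 3), all inside CORRELATION_WINDOW."""
    procs = {}  # pid -> (image basename, user); join on ProcessGuid with real Sysmon data, pids are reused
    sensitive_reads = defaultdict(list)  # pid -> [read timestamps]
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["code"] == 1:
            procs[e["pid"]] = (basename(e["image"]).lower(), e["user"])
        elif e["code"] == 4663 and e["object"].startswith(SENSITIVE_DIRS):
            sensitive_reads[e["pid"]].append(t)
        elif e["code"] == 3 and e["dest_host"] in TEXT_STORAGE_DOMAINS:
            image, user = procs.get(e["pid"], ("<unknown>", "<unknown>"))
            # Sysmon EventCode 3 has no byte count; bytes_out is assumed to have been
            # joined in from flow or proxy logs before this stage runs.
            if (image in UNEXPECTED_UPLOADERS and user not in USER_CONTEXT_ALLOWLIST
                    and e["bytes_out"] >= UPLOAD_SIZE_THRESHOLD
                    and any(t - CORRELATION_WINDOW <= r <= t for r in sensitive_reads[e["pid"]])):
                alerts.append((e["pid"], image, user, e["dest_host"]))
    return alerts

# Constructed sample events: pid 4242 should alert; 5100 (browser) and 6000 (allow-listed) should not.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "code": 1, "pid": 4242, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"ts": "2024-05-01T09:01:10", "code": 4663, "pid": 4242, "object": "C:\\Finance\\q3_forecast.xlsx"},
    {"ts": "2024-05-01T09:02:30", "code": 3, "pid": 4242, "dest_host": "pastebin.com", "bytes_out": 900 * 1024},
    {"ts": "2024-05-01T09:03:00", "code": 1, "pid": 5100, "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"ts": "2024-05-01T09:03:05", "code": 3, "pid": 5100, "dest_host": "pastebin.com", "bytes_out": 2 * 1024 * 1024},
    {"ts": "2024-05-01T09:04:00", "code": 1, "pid": 6000, "user": "CORP\\svc_pastebot",
     "image": "C:\\Windows\\System32\\wscript.exe"},
    {"ts": "2024-05-01T09:04:20", "code": 4663, "pid": 6000, "object": "C:\\HR\\roster.csv"},
    {"ts": "2024-05-01T09:04:40", "code": 3, "pid": 6000, "dest_host": "hastebin.com", "bytes_out": 600 * 1024},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single alert for pid 4242; the browser upload and the allow-listed service account are suppressed by the watchlist and UserContext gates respectively.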
Use of curl, wget, or custom scripts to POST data to pastebin-like services. Defender perspective: identify chained behavior where files are compressed/read followed by HTTPS POST requests to text-sharing endpoints.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | auditd:EXECVE | curl -d, wget --post-data |
| File Access (DC0055) | auditd:SYSCALL | read/open of sensitive file directories |
| Network Traffic Content (DC0085) | NSM:Flow | large HTTPS POST requests to text storage domains |

| Field | Description |
|---|---|
| AllowedTools | Whitelist of tools (e.g., curl for package repos) to reduce false positives. |
| WorkHours | Expected time ranges for developer interactions with external paste sites. |

Processes such as osascript, curl, or office applications sending data to text storage APIs/domains. Defender perspective: anomalous clipboard or file reads by unexpected applications immediately followed by outbound HTTPS requests to pastebin-like services.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | execution of curl, osascript, or unexpected Office processes |
| File Access (DC0055) | macos:unifiedlog | file read of sensitive directories |
| Network Traffic Flow (DC0078) | macos:unifiedlog | HTTPS POST requests to pastebin.com or similar |

| Field | Description |
|---|---|
| WatchedApps | Processes not normally associated with data uploads (e.g., Preview, Calculator). |
| EntropyThreshold | High entropy detection to flag encoded or encrypted data exfiltration. |

ESXi services (vmx, hostd) generating outbound HTTPS POST requests to text storage sites. Defender perspective: anomalous datastore or log reads chained with traffic to pastebin-like destinations.

| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | esxi:hostd | datastore/log file access |
| Network Traffic Content (DC0085) | esxi:vmkernel | HTTPS POST connections to pastebin-like domains |

| Field | Description |
|---|---|
| DatastoreExfilThreshold | Threshold of bytes exfiltrated from ESXi datastore files. |
| ApprovedDestinations | Whitelist of domains approved for API communication to prevent false positives. |