Exfiltration Over Web Service: Exfiltration to Text Storage Sites

Other sub-techniques of Exfiltration Over Web Service (4)

ID	Name
T1567.001	Exfiltration to Code Repository
T1567.002	Exfiltration to Cloud Storage
T1567.003	Exfiltration to Text Storage Sites
T1567.004	Exfiltration Over Webhook

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.^[1]

Note: This is distinct from Exfiltration to Code Repository, which highlight access to code repositories via APIs.

ID: T1567.003

Sub-technique of: T1567

ⓘ

Tactic: Exfiltration

ⓘ

Platforms: ESXi, Linux, Windows, macOS

Contributors: Harun Küßner

Version: 1.1

Created: 27 February 2023

Last Modified: 15 April 2025

Version Permalink

Live Version

Mitigations

ID	Mitigation	Description
M1021	Restrict Web-Based Content	Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0029	Network Traffic	Network Traffic Content	Monitor and analyze network traffic for exfiltration attempts using text storage sites, i.e. POST requests to text storage sites, Base64 or other obfuscated data within outbound web requests, or unusual user-agent strings indicating API-based exfiltration.' Analytic 1 - Detecting Large Data Transfers to Pastebin or Similar Services (EventCode=3 OR source="zeek_http.log" OR source="firewall_logs")\| where (dest_domain LIKE ".pastebin.com" OR dest_domain LIKE ".hastebin.com" OR dest_domain LIKE ".rentry.co" OR dest_domain LIKE ".ghostbin.com")\| where (http_method="POST")\| stats count, sum(bytes_out) as total_bytes by _time, host, user, dest_domain, user_agent\| where total_bytes > 500000\| eval risk_score=case( total_bytes > 10000000, 9, total_bytes > 500000, 8)\| where risk_score >= 8\| table host, user, dest_domain, total_bytes, user_agent, risk_score
		Network Traffic Flow	Monitor network data for uncommon data flows, specifically to text storage sites such as `Pastebin[.]com`, `Paste[.]ee`, and `Pastebin[.]pl`.

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze network traffic for exfiltration attempts using text storage sites, i.e. POST requests to text storage sites, Base64 or other obfuscated data within outbound web requests, or unusual user-agent strings indicating API-based exfiltration.'

Analytic 1 - Detecting Large Data Transfers to Pastebin or Similar Services

(EventCode=3 OR source="zeek_http.log" OR source="firewall_logs")| where (dest_domain LIKE ".pastebin.com" OR dest_domain LIKE ".hastebin.com" OR dest_domain LIKE ".rentry.co" OR dest_domain LIKE ".ghostbin.com")| where (http_method="POST")| stats count, sum(bytes_out) as total_bytes by _time, host, user, dest_domain, user_agent| where total_bytes > 500000| eval risk_score=case( total_bytes > 10000000, 9, total_bytes > 500000, 8)| where risk_score >= 8| table host, user, dest_domain, total_bytes, user_agent, risk_score

Network Traffic Flow

Monitor network data for uncommon data flows, specifically to text storage sites such as Pastebin[.]com, Paste[.]ee, and Pastebin[.]pl.

References

Ciarniello, A. (2019, September 24). What is Pastebin and Why Do Hackers Love It?. Retrieved April 11, 2023.