1. Home
  2. Techniques
  3. Enterprise
  4. Exfiltration Over Web Service
  5. Exfiltration to Text Storage Sites

Exfiltration Over Web Service: Exfiltration to Text Storage Sites

ID Name
T1567.001 Exfiltration to Code Repository
T1567.002 Exfiltration to Cloud Storage
T1567.003 Exfiltration to Text Storage Sites
T1567.004 Exfiltration Over Webhook

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.[1]

Note: This is distinct from Exfiltration to Code Repository, which highlight access to code repositories via APIs.

ID: T1567.003
Sub-technique of:  T1567
Tactic: Exfiltration
Platforms: ESXi, Linux, Windows, macOS
Contributors: Harun Küßner
Version: 1.1
Created: 27 February 2023
Last Modified: 15 April 2025
Version Permalink

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content

Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0284 Detection Strategy for Exfiltration to Text Storage Sites AN0787

Unexpected processes (e.g., powershell.exe, wscript.exe, office apps) initiating HTTP POST/PUT requests to text storage domains like pastebin.com or hastebin.com, particularly when preceded by file access in sensitive directories. Defender perspective: correlation of process lineage, large clipboard/file read operations, and outbound uploads to text storage services.
AN0788

Use of curl, wget, or custom scripts to POST data to pastebin-like services. Defender perspective: identify chained behavior where files are compressed/read followed by HTTPS POST requests to text-sharing endpoints.
AN0789

Processes such as osascript, curl, or office applications sending data to text storage APIs/domains. Defender perspective: anomalous clipboard or file reads by unexpected applications immediately followed by outbound HTTPS requests to pastebin-like services.
AN0790

ESXi services (vmx, hostd) generating outbound HTTPS POST requests to text storage sites. Defender perspective: anomalous datastore or log reads chained with traffic to pastebin-like destinations.

References

  1. Ciarniello, A. (2019, September 24). What is Pastebin and Why Do Hackers Love It?. Retrieved April 11, 2023.