T1567.003: Exfiltration to Text Storage Sites

View on MITRE ATT&CK	T1567.003
Tactic(s)	Exfiltration

Data from MITRE ATT&CK®:

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)

Note: This is distinct from Exfiltration to Code Repository, which highlight access to code repositories via APIs.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Mitigations for this technique

MITRE ATT&CK Mitigations

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

How to detect this technique

MITRE ATT&CK Data Components

Network Traffic Content (Network Traffic)

Logged network traffic data showing both protocol header and body values (ex: PCAP)

Network Traffic Flow (Network Traffic)

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

Control Validation Tests for this Technique

Use Atomic Red Team tests to test your defenses against this technique.

Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)

windows