T1567.003 Exfiltration to Text Storage Sites Mappings

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)

Note: This is distinct from Exfiltration to Code Repository, which highlight access to code repositories via APIs.

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Export data Export data to another site or system related-to T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites
attribute.confidentiality.data_disclosure None related-to T1567.003 Exfiltration Over Web Service: Exfiltration to Text Storage Sites

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_guardduty Amazon GuardDuty technique_scores T1567.003 Exfiltration to Text Storage Sites
Comments
The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel. Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual
References