Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used by developers to share code and other information.
Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)
Note: This is distinct from Exfiltration to Code Repository, which highlight access to code repositories via APIs.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-17 | Remote Access | mitigates | T1567.003 | Exfiltration to Text Storage Sites | |
| AC-04 | Information Flow Enforcement | mitigates | T1567.003 | Exfiltration to Text Storage Sites | |
| SC-07 | Boundary Protection | mitigates | T1567.003 | Exfiltration to Text Storage Sites |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1567.003 | Exfiltration to Text Storage Sites | |
| attribute.confidentiality.data_disclosure | None | related-to | T1567.003 | Exfiltration to Text Storage Sites |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_firewall | Azure Firewall | technique_scores | T1567.003 | Exfiltration to Text Storage Sites |
Comments
This control can detect exfiltration attempts to text storage sites.
References
|
| azure_firewall | Azure Firewall | technique_scores | T1567.003 | Exfiltration to Text Storage Sites |
Comments
This control can protect from exfiltration to text storage site by blocking unauthorized sites.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| chrome_enterprise_premium | Chrome Enterprise Premium | technique_scores | T1567.003 | Exfiltration to Text Storage Sites |
Comments
Chrome Enterprise Premium provides Data Loss Prevention (DLP) features that can detect and block sensitive data for files that are uploaded and downloaded and for content that is pasted or dragged and dropped via the Chrome browser. This can provide protection against adversaries that may try to steal data over network protocols.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1567.003 | Exfiltration to Text Storage Sites |
Comments
The following finding types in GuardDuty flag events where adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command-and-control channel.
Exfiltration:S3/ObjectRead.Unusual Exfiltration:S3/MaliciousIPCaller Exfiltration:IAMUser/AnomalousBehavior Behavior:EC2/TrafficVolumeUnusual
References
|