sigmahighHunting

Raw Paste Service Access

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

MITRE ATT&CK

T1071.001 T1102.001 T1102.003

command-and-controldefense-evasion

Detection Query

selection:
  c-uri|contains:
    - .paste.ee/r/
    - .pastebin.com/raw/
    - .hastebin.com/raw/
    - .ghostbin.co/paste/*/raw/
    - pastetext.net/
    - pastebin.pl/
    - paste.ee/
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2019-12-05

Data Sources

proxy

References

https://www.virustotal.com/gui/domain/paste.ee/relations

Tags

attack.command-and-controlattack.t1071.001attack.t1102.001attack.t1102.003attack.defense-evasion

Raw Content

title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: test
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
    - https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth (Nextron Systems)
date: 2019-12-05
modified: 2023-01-19
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
    - attack.defense-evasion
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains:
            - '.paste.ee/r/'
            - '.pastebin.com/raw/'
            - '.hastebin.com/raw/'
            - '.ghostbin.co/paste/*/raw/'
            - 'pastetext.net/'
            - 'pastebin.pl/'
            - 'paste.ee/'
    condition: selection
falsepositives:
    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high