Description
Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.
Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)
Note: This is distinct from Exfiltration to Code Repository, which highlights access to code repositories via APIs.
Platforms
Mitigations (1)
Restrict Web-Based Content (M1021)
Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.
References
Frequently Asked Questions
What is T1567.003 (Exfiltration to Text Storage Sites)?
T1567.003 is a MITRE ATT&CK technique named 'Exfiltration to Text Storage Sites'. It belongs to the Exfiltration tactic(s). Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to...
How can T1567.003 be detected?
Detection of T1567.003 (Exfiltration to Text Storage Sites) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
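One way to turn the network-traffic monitoring described above into a concrete check, as an added example that is not part of the original page: sum upload bytes per client to text storage domains in web proxy logs, so that several small posts still add up to an alert. The log layout, the `paste.example` domain, the threshold and all function names are assumptions made for this sketch.

```python
from collections import defaultdict

# Text storage domains to watch. pastebin.com is the one named on this page;
# paste.example is a constructed placeholder for a site-specific list.
TEXT_STORAGE_DOMAINS = {"pastebin.com", "paste.example"}
UPLOAD_METHODS = {"POST", "PUT"}
BYTES_THRESHOLD = 50_000  # assumed per-client upload budget, tune locally

# Constructed sample proxy log: time client method host path request_bytes status
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET pastebin.com /raw/abc123 0 200
2024-05-01T10:00:07Z 10.0.0.7 POST pastebin.com /post 48000 200
2024-05-01T10:00:09Z 10.0.0.7 POST up.paste.example /post 47000 200
2024-05-01T10:01:12Z 10.0.0.9 POST intranet.example /upload 900000 200
2024-05-01T10:02:30Z 10.0.0.5 POST PASTEBIN.COM. /post 1200 200
this line is malformed
2024-05-01T10:03:00Z 10.0.0.8 POST notpastebin.com /x 999999 200
"""

def is_text_storage(host):
    """Match a watched domain or any subdomain, ignoring case and trailing dot."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TEXT_STORAGE_DOMAINS)

def parse_line(line):
    """Return (client, method, host, request_bytes) or None if malformed."""
    parts = line.split()
    if len(parts) != 7 or not parts[5].isdigit():
        return None
    return parts[1], parts[2].upper(), parts[3], int(parts[5])

def upload_volume(log_text):
    """Sum request bytes per client for uploads to text storage sites."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the assumed layout
        client, method, host, nbytes = rec
        if method in UPLOAD_METHODS and is_text_storage(host):
            totals[client] += nbytes
    return dict(totals)

def flag_clients(log_text, threshold=BYTES_THRESHOLD):
    """Clients whose cumulative upload volume exceeds the threshold."""
    return sorted(c for c, n in upload_volume(log_text).items() if n > threshold)

if __name__ == "__main__":
    print(upload_volume(SAMPLE_LOG), flag_clients(SAMPLE_LOG))
```

Reads (GET) from these sites are ignored here because this technique concerns data leaving the network, and the suffix match on `"." + domain` keeps look-alike hosts such as `notpastebin.com` from matching.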
What mitigations exist for T1567.003?
There is 1 documented mitigation for T1567.003: Restrict Web-Based Content.
Which threat groups use T1567.003?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.