ATTACK-T1567.003Active

Exfiltration to Text Storage Sites

Statement

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin[.]com</code>, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.(Citation: Pastebin EchoSec)

Note: This is distinct from Exfiltration to Code Repository, which highlight access to code repositories via APIs.

Location

Tactic: Exfiltration

Technique Details

Identifier: ATTACK-T1567.003
Parent Technique: ATTACK-T1567
ATT&CK Page: View on MITRE

Tactics

Exfiltration

Platforms

LinuxmacOSWindowsESXi

Detection

Detection Strategy for Exfiltration to Text Storage Sites

Mitigations

Restrict Web-Based Content: Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures:

Deploy Web Proxy Filtering:

Use solutions to filter web traffic based on categories, reputation, and content types.
Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

Implement tools to restrict access to domains associated with malware or phishing campaigns.
Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features:

Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
Configure alerts for access attempts to blocked domains or repeated file download failures.

No cross-framework mappings available

← Back to Exfiltration

Deploy Web Proxy Filtering:

Use solutions to filter web traffic based on categories, reputation, and content types.
Enforce policies that block unsafe websites or file types at the gateway level.

Enable DNS-Based Filtering:

Implement tools to restrict access to domains associated with malware or phishing campaigns.
Use public DNS filtering services to enhance protection.

Enforce Content Security Policies (CSP):

Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests.

Control Browser Features:

Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting.
Enforce policies through tools like Group Policy Management to control browser settings.

Monitor and Alert on Web-Based Threats:

Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity.
Configure alerts for access attempts to blocked domains or repeated file download failures.

Exfiltration to Text Storage Sites

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0

Exfiltration to Text Storage Sites

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings0