
DET0284 Detection Strategy for Exfiltration to Text Storage Sites

Item           Value
ID             DET0284
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1567.003 (Exfiltration to Text Storage Sites)

Analytics

Windows

AN0787

Unexpected processes (e.g., powershell.exe, wscript.exe, office apps) initiating HTTP POST/PUT requests to text storage domains like pastebin.com or hastebin.com, particularly when preceded by file access in sensitive directories. Defender perspective: correlation of process lineage, large clipboard/file read operations, and outbound uploads to text storage services.

Log Sources
Data Component                        Name                   Channel
File Access (DC0055)                  WinEventLog:Security   EventCode=4663, 4670, 4656
Network Connection Creation (DC0082)  WinEventLog:Sysmon     EventCode=3, 22
Process Creation (DC0032)             WinEventLog:Sysmon     EventCode=1
Mutable Elements
Field                Description
TextStorageDomains   Domains to monitor such as pastebin.com, hastebin.com, ghostbin.com.
UploadSizeThreshold  Minimum data size (e.g., >500KB) to trigger alerts for suspicious uploads.
UserContext          User accounts with legitimate business justification for posting to text storage sites.
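The AN0787 chain (sensitive file read by an unexpected process, followed within a short window by a Sysmon 3/22 event to a TextStorageDomains entry, suppressed for UserContext accounts) as a small correlation routine over constructed, pre-normalised log rows. This is an added example, not part of DET0284 or any MITRE tooling; the domain list, sensitive directories, process names, account names and the 5-minute window are all assumed values to be tuned per environment.

```python
from datetime import datetime, timedelta

# Mutable elements of AN0787; the values below are constructed for the example
TEXT_STORAGE_DOMAINS = {"pastebin.com", "hastebin.com", "ghostbin.com"}
UNEXPECTED_PROCESSES = {"powershell.exe", "wscript.exe", "winword.exe", "excel.exe"}
SENSITIVE_DIRS = ("C:\\Finance\\", "C:\\HR\\")      # constructed; tune per environment
USER_CONTEXT = {"CORP\\svc_pastebot"}               # accounts allowed to post
WINDOW = timedelta(minutes=5)                       # file read -> upload window


def find_exfil_chains(events):
    """Return (pid, image, path, domain) for each process that read a file under
    SENSITIVE_DIRS and, within WINDOW, resolved or connected to a text storage
    domain. Rows are normalised dicts: Security 4663 rows carry 'path'; Sysmon
    3/22 rows carry 'domain' (DestinationHostname or QueryName)."""
    reads = {}   # pid -> [(ts, path)] sensitive reads seen so far
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid = ev["pid"]
        if ev["code"] == 4663 and ev["path"].startswith(SENSITIVE_DIRS):
            reads.setdefault(pid, []).append((ev["ts"], ev["path"]))
        elif ev["code"] in (3, 22) and ev["domain"] in TEXT_STORAGE_DOMAINS:
            if ev["image"].lower() not in UNEXPECTED_PROCESSES:
                continue                      # browsers etc. are out of scope here
            if ev["user"] in USER_CONTEXT:
                continue                      # business-justified poster
            for ts, path in reads.get(pid, []):
                if ev["ts"] - ts <= WINDOW:
                    hits.append((pid, ev["image"], path, ev["domain"]))
                    break
    return hits


def sample_events():
    """Constructed rows: one true chain, one browser visit, one approved account."""
    t0 = datetime(2025, 10, 21, 9, 0, 0)
    ev = lambda s, **k: {"ts": t0 + timedelta(seconds=s), **k}
    return [
        ev(0, code=1, pid=4120, image="powershell.exe", user="CORP\\alice"),
        ev(30, code=4663, pid=4120, image="powershell.exe", user="CORP\\alice",
           path="C:\\Finance\\q3_forecast.xlsx"),
        ev(45, code=22, pid=4120, image="powershell.exe", user="CORP\\alice",
           domain="pastebin.com"),
        ev(60, code=22, pid=5001, image="chrome.exe", user="CORP\\bob",
           domain="pastebin.com"),
        ev(90, code=4663, pid=6100, image="wscript.exe", user="CORP\\svc_pastebot",
           path="C:\\HR\\roster.csv"),
        ev(100, code=3, pid=6100, image="wscript.exe", user="CORP\\svc_pastebot",
           domain="hastebin.com"),
    ]
```

Only the powershell.exe chain is reported: the browser visit never read a sensitive file and the svc_pastebot chain is suppressed by UserContext.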

Linux

AN0788

Use of curl, wget, or custom scripts to POST data to pastebin-like services. Defender perspective: identify chained behavior where files are compressed/read followed by HTTPS POST requests to text-sharing endpoints.

Log Sources
Data Component                   Name            Channel
Command Execution (DC0064)       auditd:EXECVE   curl -d, wget --post-data
File Access (DC0055)             auditd:SYSCALL  read/open of sensitive file directories
Network Traffic Content (DC0085) NSM:Flow        large HTTPS POST requests to text storage domains
Mutable Elements
Field         Description
AllowedTools  Whitelist of tools (e.g., curl for package repos) to reduce false positives.
WorkHours     Expected time ranges for developer interactions with external paste sites.

macOS

AN0789

Processes such as osascript, curl, or office applications sending data to text storage APIs/domains. Defender perspective: anomalous clipboard or file reads by unexpected applications immediately followed by outbound HTTPS requests to pastebin-like services.

Log Sources
Data Component                Name              Channel
Process Creation (DC0032)     macos:unifiedlog  execution of curl, osascript, or unexpected Office processes
File Access (DC0055)          macos:unifiedlog  file read of sensitive directories
Network Traffic Flow (DC0078) macos:unifiedlog  HTTPS POST requests to pastebin.com or similar
Mutable Elements
Field             Description
WatchedApps       Processes not normally associated with data uploads (e.g., Preview, Calculator).
EntropyThreshold  High entropy detection to flag encoded or encrypted data exfiltration.

ESXi

AN0790

ESXi services (vmx, hostd) generating outbound HTTPS POST requests to text storage sites. Defender perspective: anomalous datastore or log reads chained with traffic to pastebin-like destinations.

Log Sources
Data Component                   Name           Channel
File Access (DC0055)             esxi:hostd     datastore/log file access
Network Traffic Content (DC0085) esxi:vmkernel  HTTPS POST connections to pastebin-like domains
Mutable Elements
Field                    Description
DatastoreExfilThreshold  Threshold of bytes exfiltrated from ESXi datastore files.
ApprovedDestinations     Whitelist of domains approved for API communication to prevent false positives.