Raw Paste Service Access

calendar Feb 26, 2024 · attack.command_and_control attack.t1071.001 attack.t1102.001 attack.t1102.003 attack.defense_evasion  ·
Share on: linkedin copy

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

Sigma rule (View on GitHub)

 1title: Raw Paste Service Access
 2id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
 3status: test
 4description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
 5references:
 6    - https://www.virustotal.com/gui/domain/paste.ee/relations
 7author: Florian Roth (Nextron Systems)
 8date: 2019/12/05
 9modified: 2023/01/19
10tags:
11    - attack.command_and_control
12    - attack.t1071.001
13    - attack.t1102.001
14    - attack.t1102.003
15    - attack.defense_evasion
16logsource:
17    category: proxy
18detection:
19    selection:
20        c-uri|contains:
21            - '.paste.ee/r/'
22            - '.pastebin.com/raw/'
23            - '.hastebin.com/raw/'
24            - '.ghostbin.co/paste/*/raw/'
25            - 'pastetext.net/'
26            - 'pastebin.pl/'
27            - 'paste.ee/'
28    condition: selection
29falsepositives:
30    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
31level: high

References

Related rules

to-top