2019-12-05 08:54:42 +01:00
title : Raw Paste Service Access
id : 5468045b-4fcc-4d1a-973c-c9c9578edacb
2021-11-27 11:33:14 +01:00
status : test
2019-12-05 08:54:42 +01:00
description : Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
2020-09-15 07:02:30 -06:00
references :
2022-10-25 10:08:58 +02:00
- https://www.virustotal.com/gui/domain/paste.ee/relations
2023-02-01 11:14:59 +01:00
author : Florian Roth (Nextron Systems)
2024-08-12 12:02:50 +02:00
date : 2019-12-05
modified : 2023-01-19
2022-10-25 10:08:58 +02:00
tags :
2024-08-12 12:02:50 +02:00
- attack.command-and-control
2022-10-25 10:08:58 +02:00
- attack.t1071.001
- attack.t1102.001
- attack.t1102.003
2024-08-12 12:02:50 +02:00
- attack.defense-evasion
2019-12-05 08:54:42 +01:00
logsource :
2022-10-25 10:08:58 +02:00
category : proxy
2019-12-05 08:54:42 +01:00
detection :
2022-10-25 10:08:58 +02:00
selection :
c-uri|contains :
- '.paste.ee/r/'
- '.pastebin.com/raw/'
- '.hastebin.com/raw/'
- '.ghostbin.co/paste/*/raw/'
2023-01-19 22:07:31 +01:00
- 'pastetext.net/'
- 'pastebin.pl/'
- 'paste.ee/'
2022-10-25 10:08:58 +02:00
condition : selection
2019-12-05 08:54:42 +01:00
falsepositives :
2022-10-25 10:08:58 +02:00
- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
2019-12-05 08:54:42 +01:00
level : high
