2019-12-05 08:54:42 +01:00
title : Raw Paste Service Access
id : 5468045b-4fcc-4d1a-973c-c9c9578edacb
2021-11-27 11:33:14 +01:00
status : test
2019-12-05 08:54:42 +01:00
description : Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
author : Florian Roth
2020-09-15 07:02:30 -06:00
references :
2021-11-27 11:33:14 +01:00
- https://www.virustotal.com/gui/domain/paste.ee/relations
date : 2019 /12/05
modified : 2021 /11/27
2019-12-05 08:54:42 +01:00
logsource :
2021-11-27 11:33:14 +01:00
category : proxy
2019-12-05 08:54:42 +01:00
detection :
2021-11-27 11:33:14 +01:00
selection :
c-uri|contains :
- '.paste.ee/r/'
- '.pastebin.com/raw/'
- '.hastebin.com/raw/'
- '.ghostbin.co/paste/*/raw/'
condition : selection
2019-12-05 08:54:42 +01:00
fields :
2021-11-27 11:33:14 +01:00
- ClientIP
- c-uri
- c-useragent
2019-12-05 08:54:42 +01:00
falsepositives :
2021-11-27 11:33:14 +01:00
- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
2019-12-05 08:54:42 +01:00
level : high
2020-09-15 07:02:30 -06:00
tags :
2021-11-27 11:33:14 +01:00
- attack.command_and_control
- attack.t1071.001
- attack.t1102.001
- attack.t1102.003
- attack.defense_evasion
