Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
32 lines
1.0 KiB
YAML
32 lines
1.0 KiB
YAML
title: Raw Paste Service Access
|
|
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
|
|
status: test
|
|
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
|
|
references:
|
|
- https://www.virustotal.com/gui/domain/paste.ee/relations
|
|
author: Florian Roth (Nextron Systems)
|
|
date: 2019-12-05
|
|
modified: 2023-01-19
|
|
tags:
|
|
- attack.command-and-control
|
|
- attack.t1071.001
|
|
- attack.t1102.001
|
|
- attack.t1102.003
|
|
- attack.defense-evasion
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection:
|
|
c-uri|contains:
|
|
- '.paste.ee/r/'
|
|
- '.pastebin.com/raw/'
|
|
- '.hastebin.com/raw/'
|
|
- '.ghostbin.co/paste/*/raw/'
|
|
- 'pastetext.net/'
|
|
- 'pastebin.pl/'
|
|
- 'paste.ee/'
|
|
condition: selection
|
|
falsepositives:
|
|
- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
|
|
level: high
|