Kevin Dienst
98471bc53c
Add another paste provider website, ghostbin.co to the list. Note that saved pastes generate pseudo random 5 character strings before being suffixed with `/raw` at the end of the URL. e.g. `https://ghostbin.co/paste/y4e9a/raw` Thus, I've added a regex match between /paste and /raw. I'm unsure if this is supported, I skimmed the Sigma specification wiki but didn't see anything other than that contains adds '*' to end and beginning of each selection. If this regex isn't going to work then I'd imagine we just have to remove the `.+/raw/` from the URI.
29 lines
882 B
YAML
29 lines
882 B
YAML
title: Raw Paste Service Access
|
|
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
|
|
status: experimental
|
|
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
|
|
references:
|
|
- https://www.virustotal.com/gui/domain/paste.ee/relations
|
|
author: Florian Roth
|
|
date: 2019/12/05
|
|
tags:
|
|
- attack.t1102
|
|
- attack.defense_evasion
|
|
logsource:
|
|
category: proxy
|
|
detection:
|
|
selection:
|
|
c-uri|contains:
|
|
- '.paste.ee/r/'
|
|
- '.pastebin.com/raw/'
|
|
- '.hastebin.com/raw/'
|
|
- '.ghostbin.co/paste/.+/raw/'
|
|
condition: selection
|
|
fields:
|
|
- ClientIP
|
|
- c-uri
|
|
- c-useragent
|
|
falsepositives:
|
|
- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
|
|
level: high
|