Adversaries may use raw paste services to exfiltrate or download encrypted/encoded payloads as part of their second-stage malware deployment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware execution and data exfiltration activities early.
Detection Rule
title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: test
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
    - https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth (Nextron Systems)
date: 2019-12-05
modified: 2023-01-19
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
    - attack.defense-evasion
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains:
            - '.paste.ee/r/'
            - '.pastebin.com/raw/'
            - '.hastebin.com/raw/'
            - '.ghostbin.co/paste/*/raw/'
            - 'pastetext.net/'
            - 'pastebin.pl/'
            - 'paste.ee/'
    condition: selection
falsepositives:
    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high
Azure Sentinel query (KQL) over the ASIM imWebSession parser:
imWebSession
| where Url contains ".paste.ee/r/"
    or Url contains ".pastebin.com/raw/"
    or Url contains ".hastebin.com/raw/"
    or (Url contains ".ghostbin.co/paste/" and Url contains "/raw/")
    or Url contains "pastetext.net/"
    or Url contains "pastebin.pl/"
    or Url contains "paste.ee/"
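To see how the rule's c-uri|contains list behaves on realistic URLs, here is an added Python hunt (not part of the rule or of this page) that compiles those patterns the way Sigma evaluates them and runs them over a few constructed proxy log lines; the log layout, hosts, paste identifiers and user names are assumptions made for the example.

```python
import re

# Patterns copied from the rule's c-uri|contains list. Sigma 'contains' is a
# case-insensitive substring test and '*' an unbounded wildcard, so each entry
# is compiled to a regex with '*' mapped to '.*' (order-sensitive, unlike the KQL).
RAW_PASTE_PATTERNS = [
    ".paste.ee/r/",
    ".pastebin.com/raw/",
    ".hastebin.com/raw/",
    ".ghostbin.co/paste/*/raw/",
    "pastetext.net/",
    "pastebin.pl/",
    "paste.ee/",
]

def _to_regex(pattern):
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE)

_COMPILED = [(p, _to_regex(p)) for p in RAW_PASTE_PATTERNS]

def matched_pattern(uri):
    """Return the first rule pattern found in `uri`, or None if the rule would not fire."""
    for raw, rx in _COMPILED:
        if rx.search(uri):
            return raw
    return None

def hunt(log_lines):
    """Apply the rule to proxy lines laid out as '<timestamp> <src_ip> <user> <method> <url>'
    (a hypothetical layout assumed for this example) and return the alerts it would raise."""
    alerts = []
    for line in log_lines:
        fields = line.split(maxsplit=4)
        if len(fields) != 5:
            continue  # malformed line: skip it rather than abort the hunt
        ts, src_ip, user, _method, url = fields
        hit = matched_pattern(url)
        if hit is not None:
            alerts.append({"time": ts, "src_ip": src_ip, "user": user, "url": url, "pattern": hit})
    return alerts

# Constructed sample proxy lines (not real traffic). The leading '.' in several
# patterns means a bare-host URL such as https://pastebin.com/raw/... is not matched.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 10.1.2.3 jdoe GET https://www.pastebin.com/raw/AbCd1234",
    "2024-05-01T10:00:02Z 10.1.2.3 jdoe GET https://pastebin.com/AbCd1234",
    "2024-05-01T10:00:03Z 10.1.2.9 svc GET https://www.ghostbin.co/paste/x9z/raw/",
    "2024-05-01T10:00:04Z 10.1.2.9 svc GET https://PASTE.EE/r/kLmN",
    "2024-05-01T10:00:05Z 10.1.2.3 jdoe GET https://pastebin.com/raw/AbCd1234",
]
```

Running hunt(SAMPLE_LOG) yields three alerts; the bare-host https://pastebin.com/raw/... line is not among them, which is worth checking against the URL format your own proxy writes into c-uri before relying on the rule as written.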
Scenario: System administrator accesses raw paste content for forensic analysis
Filter/Exclusion: process.name != "cmd.exe" AND process.name != "powershell.exe" AND user.account != "admin_account"
Caveat: process.name and user.account are endpoint fields; the proxy log source above rarely carries a process name, so this exclusion only works where the web session is joined to endpoint telemetry.

Scenario: Scheduled job retrieves raw paste content for automated code analysis
Filter/Exclusion: process.name == "schtasks.exe" OR process.name == "task scheduler"
Caveat: "task scheduler" is not a process name; scope the exclusion to the job's service account or source host instead.

Scenario: Developer uses Pastebin to store encrypted configuration files for a CI/CD pipeline
Filter/Exclusion: process.name == "git.exe" OR process.name == "jenkins.exe" OR request.url contains "pastebin.com"
Caveat: excluding every URL containing "pastebin.com" silences most of what this rule detects; restrict the exclusion to the pipeline's source hosts or the specific paste identifiers it fetches.

Scenario: IT team uses Gist to store temporary scripts for system automation
Filter/Exclusion: process.name == "notepad.exe" OR process.name == "vim.exe" OR request.url contains "gist.github.com"
Caveat: gist.github.com is not in the rule's pattern list, so the URL clause never suppresses a hit from this rule.

Scenario: Security team accesses raw paste content for threat intelligence purposes
Filter/Exclusion: user.account == "security_team" OR (request.url contains "pastebin.com" AND request.method == "GET" AND request.query contains "raw=1")
Caveat: the parentheses make the original operator precedence explicit (AND binds tighter than OR). The rule matches Pastebin by the /raw/ path, not by a raw=1 query parameter, so the second clause rarely intersects with its hits; prefer the account-based clause on its own.