← Library
sigmaDRL-1.1from SigmaHQ/sigma

Raw Paste Service Access

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

Quality
100
FP risk
Forks
0
Views
0
ATT&CK techniques
T1071.001T1102.001T1102.003
Rule sourcerules/web/proxy_generic/proxy_raw_paste_service_access.yml
title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: test
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
    - https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth (Nextron Systems)
date: 2019-12-05
modified: 2023-01-19
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1102.001
    - attack.t1102.003
    - attack.defense-evasion
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains:
            - '.paste.ee/r/'
            - '.pastebin.com/raw/'
            - '.hastebin.com/raw/'
            - '.ghostbin.co/paste/*/raw/'
            - 'pastetext.net/'
            - 'pastebin.pl/'
            - 'paste.ee/'
    condition: selection
falsepositives:
    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high