Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Raw Paste Service Access

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Thu Dec 05Updated Thu Jan 195468045b-4fcc-4d1a-973c-c9c9578edacbweb
Log Source
Proxy Log
CategoryProxy Log← raw: proxy
Detection Logic
Detection Logic1 selector
detection:
    selection:
        c-uri|contains:
            - '.paste.ee/r/'
            - '.pastebin.com/raw/'
            - '.hastebin.com/raw/'
            - '.ghostbin.co/paste/*/raw/'
            - 'pastetext.net/'
            - 'pastebin.pl/'
            - 'paste.ee/'
    condition: selection
False Positives

User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)

References
1
Resolving title…
virustotal.com
MITRE ATT&CK
Rule Metadata
Rule ID
5468045b-4fcc-4d1a-973c-c9c9578edacb
Status
test
Level
high
Type
Detection
Created
Thu Dec 05
Modified
Thu Jan 19
Author
Florian Roth (Nextron Systems)
Path
rules/web/proxy_generic/proxy_raw_paste_service_access.yml
Raw Tags
attack.command-and-controlattack.t1071.001attack.t1102.001attack.t1102.003attack.defense-evasion
View on GitHub