SigmaHQ/rules/proxy/proxy_raw_paste_service_access.yml

title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: experimental
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
    - https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth
date: 2019/12/05
modified: 2020/09/03
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.t1043  # an old one
    - attack.t1102.001
    - attack.t1102.003
    - attack.defense_evasion
    - attack.t1102  # an old one
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains: 
          - '.paste.ee/r/'
          - '.pastebin.com/raw/'
          - '.hastebin.com/raw/'
          - '.ghostbin.co/paste/*/raw/'
    condition: selection
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high
rule: raw paste service access 2019-12-05 07:54:42 +00:00			`title: Raw Paste Service Access`
			`id: 5468045b-4fcc-4d1a-973c-c9c9578edacb`
			`status: experimental`
			`description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form`
			`references:`
			`- https://www.virustotal.com/gui/domain/paste.ee/relations`
			`author: Florian Roth`
			`date: 2019/12/05`
att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:47 +00:00			`modified: 2020/09/03`
rule: raw paste service access 2019-12-05 07:54:42 +00:00			`tags:`
att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:47 +00:00			`- attack.command_and_control`
			`- attack.t1071.001`
			`- attack.t1043 # an old one`
			`- attack.t1102.001`
			`- attack.t1102.003`
			`- attack.defense_evasion`
			`- attack.t1102 # an old one`
rule: raw paste service access 2019-12-05 07:54:42 +00:00			`logsource:`
			`category: proxy`
			`detection:`
			`selection:`
			`c-uri\|contains:`
			`- '.paste.ee/r/'`
			`- '.pastebin.com/raw/'`
Add hastebin raw URI to contains selection 2019-12-05 20:16:20 +00:00			`- '.hastebin.com/raw/'`
fixed regex syntax to wildcard syntax 2020-02-26 08:43:29 +00:00			`- '.ghostbin.co/paste/*/raw/'`
rule: raw paste service access 2019-12-05 07:54:42 +00:00			`condition: selection`
			`fields:`
			`- ClientIP`
Fixed proxy rule field names 2019-12-06 23:11:33 +00:00			`- c-uri`
			`- c-useragent`
rule: raw paste service access 2019-12-05 07:54:42 +00:00			`falsepositives:`
			`- User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)`
			`level: high`