title: Raw Paste Service Access
id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
status: experimental
description: Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form
references:
    - https://www.virustotal.com/gui/domain/paste.ee/relations
author: Florian Roth
date: 2019/12/05
tags:
    - attack.t1102
    - attack.defense_evasion
logsource:
    category: proxy
detection:
    selection:
        c-uri|contains:
            - '.paste.ee/r/'
            - '.pastebin.com/raw/'
            - '.hastebin.com/raw/'
    condition: selection
fields:
    - ClientIP
    - c-uri
    - c-useragent
falsepositives:
    - User activity (e.g. developer that shared and copied code snippets and used the raw link instead of just copy & paste)
level: high