MITRE ATT&CK® Analytic

AN0787: Analytic 0787

Unexpected processes (e.g., powershell.exe, wscript.exe, office apps) initiating HTTP POST/PUT requests to text storage domains like pastebin.com or hastebin.com, particularly when preceded by file access in sensitive directories. Defender perspective: correlation of process lineage, large clipboard/file read operations, and outbound uploads to text storage services.

Enterprise · AN0787 · Analytic · Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about spotting Windows processes that do not normally upload data—such as PowerShell, Windows Script Host, or Office applications—making HTTP POST or PUT requests to public text-sharing services like pastebin.com or hastebin.com. Its practical value is helping leaders and defenders validate whether the organization can see suspicious outbound data movement from endpoints, especially when it follows access to sensitive files or directories.

Executive priority

Prioritize this as a data-loss and incident-response readiness check rather than a standalone control. The business question is whether security teams can prove they monitor unusual uploads from Windows endpoints to public text storage sites and can correlate that activity with process lineage and recent sensitive file access. This supports decisions about outbound web controls, endpoint telemetry investment, SOC triage quality, and evidence for data protection oversight.

Technical view

For Windows environments, validate whether endpoint and network telemetry can correlate three elements described by the analytic: unexpected process lineage, access to sensitive directories or large clipboard/file-read activity, and outbound HTTP POST/PUT requests to text storage domains such as pastebin.com or hastebin.com. Because no official detection logic is provided, SOC teams should treat this as a detection engineering requirement and tune locally around approved scripting, automation, developer, or administrative workflows that may legitimately interact with paste services.

Likely telemetry

  • Windows process creation and parent/child process lineage
  • Command-line and script execution metadata for powershell.exe, wscript.exe, and Office applications where collected
  • File access telemetry for sensitive directories
  • Clipboard or large file-read activity where available
  • Outbound web proxy, firewall, EDR network, or DNS telemetry showing connections to text storage domains

Detection direction

  • Confirm visibility into Windows processes initiating outbound HTTP POST/PUT requests, not just domain lookups or connection events.
  • Correlate outbound uploads with prior access to sensitive directories or unusually large clipboard/file-read operations, as described in the analytic.
  • Tune for unexpected process-to-domain combinations, especially Office applications, scripting hosts, and PowerShell reaching paste-style services.
  • Account for false positives from legitimate administrative scripts, developer workflows, troubleshooting, or approved sharing activity.
  • Identify blind spots where TLS inspection, proxy logging, EDR network telemetry, or endpoint file-access auditing is absent or incomplete.
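The three-way correlation the Technical view and the Detection direction list call for (process lineage, prior sensitive file reads, outbound POST/PUT to a paste domain) written out as runnable detection logic. This is an added example, not MITRE or Glexia code: the event schema, the sensitive-directory prefixes, the ten-minute lookback and the sample events are all constructed for illustration and must be mapped onto your own EDR, Sysmon, file-audit and proxy fields. It goes slightly beyond the analytic's wording by also flagging any uploader whose ancestry includes an Office application, not only the Office binary itself.

```python
"""Correlate process lineage, sensitive-file reads and HTTP uploads to
paste-style services (AN0787). Added example; schema and data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

PASTE_DOMAINS = {"pastebin.com", "hastebin.com"}          # named in the analytic
UPLOAD_METHODS = {"POST", "PUT"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed sensitive directory prefixes; tune to the estate being monitored.
SENSITIVE_PREFIXES = ("c:\\users\\", "\\\\fileserver\\finance\\")
LOOKBACK = timedelta(minutes=10)   # window for "preceded by file access"


def _ts(s):
    return datetime.fromisoformat(s)


def build_process_table(events):
    """pid -> (image, ppid) from process_create events. Assumes no pid reuse in
    the analysed window; a real pipeline should key on a process GUID."""
    table = {}
    for e in events:
        if e["event"] == "process_create":
            table[e["pid"]] = (e["image"].lower(), e["ppid"])
    return table


def lineage(table, pid, max_depth=8):
    """[image, parent image, grandparent image, ...] for pid."""
    chain = []
    while pid in table and len(chain) < max_depth:
        image, pid = table[pid]
        chain.append(image)
    return chain


def is_sensitive(path):
    return path.lower().startswith(SENSITIVE_PREFIXES)


def correlate(events):
    """One alert per POST/PUT to a paste domain from an unexpected process.
    'high' if the same pid read a sensitive path within LOOKBACK, else 'medium'."""
    events = sorted(events, key=lambda e: e["ts"])
    table = build_process_table(events)
    reads = defaultdict(list)                    # pid -> [(time, path)]
    alerts = []
    for e in events:
        now = _ts(e["ts"])
        if e["event"] == "file_read" and is_sensitive(e["path"]):
            reads[e["pid"]].append((now, e["path"]))
        elif e["event"] == "http_request":
            if e["method"].upper() not in UPLOAD_METHODS:
                continue                          # GETs are not uploads
            if e["domain"].lower() not in PASTE_DOMAINS:
                continue
            chain = lineage(table, e["pid"])
            if not chain:
                continue                          # no process-create record: lineage blind spot
            unexpected = (chain[0] in SCRIPT_HOSTS or chain[0] in OFFICE_APPS
                          or any(a in OFFICE_APPS for a in chain[1:]))
            if not unexpected:
                continue                          # browsers, approved tooling
            prior = [p for t, p in reads[e["pid"]] if now - LOOKBACK <= t <= now]
            alerts.append({"ts": e["ts"], "host": e["host"], "pid": e["pid"],
                           "lineage": chain, "method": e["method"].upper(),
                           "domain": e["domain"].lower(), "sensitive_reads": prior,
                           "severity": "high" if prior else "medium"})
    return alerts


# Constructed sample telemetry: an Office-spawned PowerShell reads a payroll
# file and POSTs to pastebin; a browser POST, an admin script's GET and a bare
# wscript PUT are included as contrasts.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws01", "event": "process_create", "pid": 100, "ppid": 1, "image": "WINWORD.EXE"},
    {"ts": "2024-05-01T09:00:05", "host": "ws01", "event": "process_create", "pid": 200, "ppid": 100, "image": "powershell.exe"},
    {"ts": "2024-05-01T09:00:30", "host": "ws01", "event": "file_read", "pid": 200, "path": r"C:\Users\alice\Documents\payroll.xlsx"},
    {"ts": "2024-05-01T09:01:10", "host": "ws01", "event": "http_request", "pid": 200, "method": "POST", "domain": "pastebin.com"},
    {"ts": "2024-05-01T09:02:00", "host": "ws01", "event": "process_create", "pid": 300, "ppid": 1, "image": "chrome.exe"},
    {"ts": "2024-05-01T09:02:30", "host": "ws01", "event": "http_request", "pid": 300, "method": "POST", "domain": "pastebin.com"},
    {"ts": "2024-05-01T09:03:00", "host": "ws01", "event": "process_create", "pid": 400, "ppid": 1, "image": "powershell.exe"},
    {"ts": "2024-05-01T09:03:10", "host": "ws01", "event": "http_request", "pid": 400, "method": "GET", "domain": "pastebin.com"},
    {"ts": "2024-05-01T10:00:00", "host": "ws01", "event": "process_create", "pid": 500, "ppid": 1, "image": "wscript.exe"},
    {"ts": "2024-05-01T10:00:20", "host": "ws01", "event": "http_request", "pid": 500, "method": "PUT", "domain": "hastebin.com"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"], a["pid"], " <- ".join(a["lineage"]), a["method"], a["domain"], a["sensitive_reads"])
```

Run against the sample, the Office-spawned PowerShell upload scores high and the unexplained wscript.exe PUT scores medium, while the browser POST and the GET produce nothing. The method and domain fields are only available when proxy logging, TLS inspection or EDR network telemetry records them; on hosts where that is absent the `http_request` branch never fires, which is exactly the blind spot the last bullet above asks teams to enumerate.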

Mitigation priorities

  • Establish policy and control expectations for access to public text storage services from corporate Windows endpoints.
  • Review whether outbound web controls can restrict or alert on uploads to paste-style domains where business use is not required.
  • Harden monitoring for scripting hosts, PowerShell, and Office applications initiating network connections inconsistent with normal business use.
  • Improve endpoint logging for process lineage and sensitive file access before relying on this analytic for incident decisions.
  • Document approved exceptions so SOC triage can distinguish sanctioned workflows from suspicious data movement.

Analyst notes and limits

The object is a detection analytic for Windows with a descriptive behavior but no supplied ATT&CK tactics, relationships, or official detection logic. Its strongest use is as a validation checklist for telemetry correlation across endpoint process activity, file access, and outbound web traffic.

No relationship context, tactic mapping, detection pseudocode, data source list, or mitigation references were supplied. The take does not establish active exploitation, attribution, impact, or guaranteed coverage. Local environment baselining is required to determine sensitivity and false-positive rates.

Official MITRE ATT&CK definition


The same entry is available on attack.mitre.org (the MITRE-hosted reference). In-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: fd483c1740abb26e...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  fd483c1740ab…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0787

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.