DET0284: Detection Strategy for Exfiltration to Text Storage Sites
Analyst context for executives and security teams
This detection strategy is relevant because it points to a quiet exfiltration path: sending collected data to public text storage or paste-style sites instead of an obvious attacker-controlled server. For leaders, the issue is not only whether those sites are allowed, but whether the organization can prove it would notice unusual outbound data movement to them.
Executive priority
Treat this as an egress-control and evidence-quality question. If developers or administrators legitimately use text storage sites, blanket blocking may disrupt work; if they are unrestricted and unmonitored, they can become a low-friction data loss path. Leaders should ask whether SOC, IR, and compliance teams can show visibility into outbound access to these services across Linux, macOS, Windows, and ESXi environments where the related ATT&CK technique applies.
Technical view
DET0284 is a detection strategy for T1567.003, Exfiltration to Text Storage Sites, under the exfiltration tactic. Because the ATT&CK detection strategy has no official detection text and no platforms listed directly, teams should validate coverage against the related technique: outbound connections or uploads to text storage sites, especially where the volume, timing, source host, user, or destination is unusual for that environment. Detection engineering should account for legitimate developer use and for encrypted or paid text-storage features that may reduce content visibility.
Likely telemetry
- Web proxy, secure web gateway, firewall, or egress logs showing access to text storage sites
- DNS resolution logs for text storage domains
- Endpoint process and network connection telemetry from Linux, macOS, Windows, and applicable ESXi management contexts
- Browser or command-line activity where available
- DLP or data movement alerts tied to outbound uploads
Detection direction
- Inventory which text storage sites are allowed, blocked, or monitored, then compare that policy to observed traffic.
- Baseline normal users, hosts, tools, and volumes for legitimate text-storage access to reduce false positives.
- Prioritize anomalies involving sensitive hosts, unusual upload size or frequency, new destinations, off-hours activity, or non-browser processes reaching these services.
- Validate whether encrypted sessions, paid features, or limited proxy coverage create blind spots.
- Correlate with earlier collection or staging behavior when available, but avoid assuming exfiltration from a single connection alone.
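The scoring approach sketched in the list above, as an added example that is not part of the ATT&CK object or Glexia's own analysis: constructed proxy/egress log lines are filtered to uploads against a policy inventory of text storage domains, then each upload earns one point per independent indicator (blocked destination reached, no baseline for the user, new destination or oversized upload versus the user's baseline, non-browser process, off-hours, upload burst), and only events with two or more indicators become alerts, so a single weak signal such as one scripted upload does not fire on its own. The log format, domain names, policy, baseline and thresholds are all hypothetical placeholders.

```python
"""Score egress/proxy log lines for unusual uploads to text storage sites.

Added illustration for this page; it is not MITRE ATT&CK or Glexia code.
The log format, domain names, policy, baseline and thresholds are all
constructed assumptions standing in for what a real environment would hold.
"""
from collections import Counter
from datetime import datetime

# Constructed policy inventory: approved, monitored and blocked paste-style
# destinations (hypothetical domains, not real services).
POLICY = {
    "paste.example.net": "allowed",
    "snippets.example.org": "monitored",
    "dump.example.com": "blocked",
}
# Constructed per-user baseline: largest routine upload and destinations seen.
BASELINE = {
    "dev1": {"max_bytes": 20_000, "domains": {"paste.example.net"}},
}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari", "firefox", "chrome"}
UPLOAD_METHODS = {"POST", "PUT"}
OFF_HOURS = set(range(0, 6)) | set(range(22, 24))
SIZE_MULTIPLIER = 5      # flag uploads more than 5x the user's routine maximum
BURST_THRESHOLD = 3      # flag 3+ uploads by one user/host to one site in the window


def parse_line(line):
    """Parse the constructed format: ts|user|host|process|method|domain|bytes_out."""
    ts, user, host, process, method, domain, bytes_out = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "process": process, "method": method, "domain": domain,
            "bytes_out": int(bytes_out)}


def is_candidate_upload(ev, policy):
    """Only uploads to destinations in the text-storage policy inventory count;
    reads and downloads are not candidate exfiltration events."""
    return ev["domain"] in policy and ev["method"] in UPLOAD_METHODS


def score_event(ev, burst_count, baseline=BASELINE, policy=POLICY):
    """Return (score, reasons): one point per independent anomaly indicator."""
    reasons = []
    if policy[ev["domain"]] == "blocked":
        reasons.append("blocked-destination-reached")      # egress control gap
    user_base = baseline.get(ev["user"])
    if user_base is None:
        reasons.append("no-baseline-for-user")
    else:
        if ev["domain"] not in user_base["domains"]:
            reasons.append("new-destination-for-user")
        if ev["bytes_out"] > user_base["max_bytes"] * SIZE_MULTIPLIER:
            reasons.append("upload-size-above-baseline")
    if ev["process"].lower() not in BROWSERS:
        reasons.append("non-browser-process")
    if ev["ts"].hour in OFF_HOURS:
        reasons.append("off-hours")
    if burst_count >= BURST_THRESHOLD:
        reasons.append("upload-burst")
    return len(reasons), reasons


def detect(lines, baseline=BASELINE, policy=POLICY, min_score=2):
    """Two passes: count uploads per (user, host, domain), then score each event.
    Events below min_score are dropped: one weak signal is not exfiltration."""
    events = [ev for ev in map(parse_line, lines) if is_candidate_upload(ev, policy)]
    bursts = Counter((ev["user"], ev["host"], ev["domain"]) for ev in events)
    alerts = []
    for ev in events:
        key = (ev["user"], ev["host"], ev["domain"])
        score, reasons = score_event(ev, bursts[key], baseline, policy)
        if score >= min_score:
            alerts.append({"user": ev["user"], "host": ev["host"], "domain": ev["domain"],
                           "ts": ev["ts"].isoformat(), "score": score, "reasons": reasons})
    return alerts


# Constructed sample log lines (not from any real environment).
SAMPLE_LOG = [
    "2026-03-02T10:15:00|dev1|dev-ws-01|chrome.exe|POST|paste.example.net|4200",
    "2026-03-02T10:20:00|dev1|dev-ws-01|chrome.exe|GET|paste.example.net|0",
    "2026-03-02T14:05:00|dev1|dev-ws-01|python|POST|paste.example.net|12000",
    "2026-03-02T15:00:00|admin2|jump-01|msedge.exe|POST|dump.example.com|3000",
    "2026-03-03T02:41:00|svc_backup|fileserver-01|curl|POST|snippets.example.org|8400000",
    "2026-03-03T02:42:00|svc_backup|fileserver-01|curl|POST|snippets.example.org|8400000",
    "2026-03-03T02:43:00|svc_backup|fileserver-01|curl|POST|snippets.example.org|8400000",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["host"], alert["domain"],
              alert["score"], alert["reasons"])
```

On the sample, the approved developer's browser upload scores zero, the same developer's scripted upload scores one (non-browser process) and is suppressed, the browser upload to a blocked site scores two because reaching a blocked destination is itself a control failure worth reviewing, and the off-hours curl burst from a service account with no baseline scores four. The indicators are deliberately independent so that baselines and exception handling, not domain matching alone, decide what surfaces.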
Mitigation priorities
- Define an explicit business policy for public text storage sites, including approved use cases and exceptions.
- Apply least-necessary outbound access controls where business use is not required.
- Ensure egress monitoring, DNS logging, and endpoint telemetry are retained for incident response and audit evidence.
- Use DLP or content-aware controls where appropriate for sensitive data movement, recognizing that encryption may limit inspection.
- Document approved developer workflows so detections can distinguish expected sharing from suspicious outbound transfer.
Analyst notes and limits
The strongest decision value is to test whether the organization can see and govern data leaving through common web services that may look benign. This is especially important where legitimate developer use exists, because detection quality depends on context, baselines, and exception management rather than simple domain matching.
The supplied ATT&CK detection strategy has no official description, no official detection text, and no directly specified platforms or tactics. Platform and tactic context comes from the relationship to T1567.003 only. Local logs, business-approved site usage, and data sensitivity context are required before judging coverage or risk.
Detection Strategy for Exfiltration to Text Storage Sites
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567.003 | Exfiltration to Text Storage Sites (sub-technique of T1567) | This object detects Exfiltration to Text Storage Sites. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 355edda3659d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0284 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.