T1567.003: Exfiltration to Text Storage Sites
Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com, are commonly used by developers to share code and other information.
Text storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.[1]
**Note:** This is distinct from Exfiltration to Code Repository, which highlights access to code repositories via APIs.
Analyst context for executives and security teams
Exfiltration to text storage sites matters because it can turn a common, legitimate web destination into a data-loss path. Services such as paste-style text sharing sites may already be allowed for business or developer workflows, and encrypted or paid features can make casual inspection harder. For leaders, the issue is not the site itself; it is whether the organization can distinguish authorized use of public text-sharing services from suspicious bulk, automated, or sensitive-data transfer activity.
Executive priority
Prioritize this technique where internet egress is broadly allowed from endpoints, servers, or ESXi-adjacent management environments, or where developers and administrators legitimately use public text-sharing services. Ask whether web filtering policy, proxy logging, data-loss monitoring, and incident response playbooks can prove what data left, from which identity or host, and whether access to text storage sites is business-justified. This is especially relevant for audit evidence around egress control, acceptable use, and sensitive-data handling.
Technical view
SOC and detection teams should validate coverage for outbound web activity from Linux, macOS, Windows, and ESXi environments to text storage services. Because MITRE provides no technique-specific detection text here, rely on the related detection strategy DET0284 as a starting point and tune with local web proxy, DNS, endpoint, and network telemetry. Detection should focus on unusual access patterns, uploads or POST-like behavior to text storage domains, first-time or rare destinations, access from servers or privileged administration systems, and activity near other collection or exfiltration signals. Treat this as a web-service exfiltration sub-technique under T1567, so normal allowed HTTPS traffic is a key blind spot.
Likely telemetry
- Web proxy and secure web gateway logs for text storage site access, uploads, URL categories, user, host, and volume
- DNS logs for lookups to known or newly observed text storage domains
- Firewall and network flow records showing outbound connections, timing, byte counts, and destination reputation/category
- Endpoint telemetry showing browser or command-line processes initiating outbound web connections
- Authentication and device context tying web activity to user accounts, service accounts, servers, or administrative systems
Detection direction
- Inventory which text storage sites are permitted and whether access is expected for each business unit or system role.
- Tune for rare or anomalous text storage access, especially from servers, administrative hosts, ESXi-related environments, or non-developer endpoints.
- Correlate web activity with endpoint process context and data staging indicators when available; web logs alone may not show whether the content was sensitive.
- Account for encrypted HTTPS and paid or private paste features as inspection blind spots; absence of content visibility is not evidence of no exfiltration.
- Reduce false positives by separating approved developer workflows from unusual upload timing, volume, automation, or access by unexpected identities.
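The detection direction above can be expressed as a simple scoring pass over proxy records. The following is an added example written for this page, not MITRE or Glexia code; the log records, field names, host-naming prefixes, proxy category label and volume threshold are all constructed assumptions that a team would replace with its own telemetry and naming conventions.

```python
# Added example: score web proxy events for possible exfiltration to text
# storage sites (T1567.003). All data below is constructed for illustration.
from collections import Counter

# Assumed local conventions: hosts approved for developer paste workflows,
# prefixes marking servers / ESXi / admin hosts, and the proxy's category label.
APPROVED_DEV_HOSTS = {"dev-laptop-07"}
SENSITIVE_HOST_PREFIXES = ("srv-", "esxi-", "admin-")
TEXT_STORAGE_CATEGORY = "text-storage"

# Constructed proxy records; bytes_out is the request body size in bytes.
SAMPLE_PROXY_LOGS = [
    {"user": "alice", "host": "dev-laptop-07", "method": "POST",
     "dest": "paste.example", "category": "text-storage", "bytes_out": 2_000},
    {"user": "svc-backup", "host": "srv-db-02", "method": "POST",
     "dest": "paste.example", "category": "text-storage", "bytes_out": 5_200_000},
    {"user": "bob", "host": "ws-finance-11", "method": "GET",
     "dest": "paste.example", "category": "text-storage", "bytes_out": 300},
    {"user": "carol", "host": "admin-jump-01", "method": "POST",
     "dest": "notes.example", "category": "text-storage", "bytes_out": 40_000},
    {"user": "dave", "host": "ws-hr-03", "method": "GET",
     "dest": "intranet.example", "category": "internal", "bytes_out": 100},
]

def score_event(ev, dest_counts, threshold_bytes=1_000_000):
    """Return (score, reasons) for one event; score 0 means not interesting."""
    if ev["category"] != TEXT_STORAGE_CATEGORY:
        return 0, []
    reasons = []
    if ev["method"] in ("POST", "PUT"):          # upload / POST-like behavior
        reasons.append("upload to text storage site")
    if ev["host"].startswith(SENSITIVE_HOST_PREFIXES):
        reasons.append("from server/admin host")  # unexpected source system
    if ev["bytes_out"] >= threshold_bytes:
        reasons.append("large outbound volume")
    if dest_counts[ev["dest"]] <= 1:             # first-time / rare destination
        reasons.append("rare destination")
    # An approved developer host doing a plain upload is the expected workflow;
    # it is only surfaced when another anomaly is present.
    if ev["host"] in APPROVED_DEV_HOSTS and len(reasons) <= 1:
        return 0, []
    return len(reasons), reasons

def find_suspicious(events, min_score=2):
    """Return (host, user, score, reasons) for events at or above min_score."""
    dest_counts = Counter(e["dest"] for e in events)
    hits = []
    for ev in events:
        score, reasons = score_event(ev, dest_counts)
        if score >= min_score:
            hits.append((ev["host"], ev["user"], score, reasons))
    return hits
```

On the constructed records, the backup service account uploading several megabytes from a database server and the admin jump host posting to a never-before-seen paste domain are surfaced, while the approved developer laptop and read-only paste views are not.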
Mitigation priorities
- Apply M1021 Restrict Web-Based Content by reviewing whether public text storage sites should be blocked, category-filtered, or allowed only for approved users and workflows.
- Enforce web proxy or secure web gateway controls for outbound access, with policy exceptions documented and monitored.
- Limit unauthorized browser behaviors, unsafe downloads, scripts, or extensions where these controls support broader web-risk reduction.
- Ensure sensitive systems and servers do not have unrestricted internet egress unless there is a documented operational need.
- Pair content restriction with logging retention and incident response procedures so teams can reconstruct user, host, destination, and approximate data-transfer scope.
Analyst notes and limits
This object is a sub-technique of Exfiltration Over Web Service, so its business significance comes from adversaries using legitimate external web services as a permitted path for data movement. The supplied relationship to M1021 supports web-content restriction as the primary mitigation direction. The supplied relationship to DET0284 supports referencing a detection strategy, but no official detection text is provided in the ATT&CK object.
This take is based only on the supplied ATT&CK fields, external reference, and relationships. It does not establish active exploitation, actor use, customer exposure, or guaranteed detectability. Specific text storage domains, allowed-use exceptions, data sensitivity, and telemetry quality must be validated in the local environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567 | Exfiltration Over Web Service | This object is a sub-technique of Exfiltration Over Web Service. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | ace91e994d9c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Ciarniello, A. (2019, September 24). What is Pastebin and Why Do Hackers Love It? EchoSec. Retrieved April 11, 2023. (Open source URL)
[2] MITRE ATT&CK. T1567.003: Exfiltration to Text Storage Sites. (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.