Raw Paste Service Access

Detects direct access to raw pastes on several paste services. Malware second stages often fetch their next payload from such raw-paste URLs, typically in encrypted or encoded form, because the services are reachable from almost any network and look like ordinary web traffic.

Rule Content

- title: Raw Paste Service Access
  id: 5468045b-4fcc-4d1a-973c-c9c9578edacb
  status: experimental
  description: Detects direct access to raw pastes in different paste services often
    used by malware in their second stages to download malicious code in encrypted
    or encoded form
  references:
  - https://www.virustotal.com/gui/domain/paste.ee/relations
  author: Florian Roth
  date: 2019/12/05
  tags:
  - attack.t1102
  - attack.defense_evasion
  logsource:
    category: proxy
    product: null
    service: null
  detection:
    selection:
      c-uri|contains:
      - .paste.ee/r/
      - .pastebin.com/raw/
      - .hastebin.com/raw/
    condition: selection
  fields:
  - ClientIP
  - c-uri
  - c-useragent
  falsepositives:
  - User activity (e.g. developer that shared and copied code snippets and used the
    raw link instead of just copy & paste)
  level: high
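The selection above is three substring tests against the proxy `c-uri` field. The following is an added worked example, not part of the rule or of the Sigma project, that runs those tests over a handful of constructed proxy records and sets a host-anchored variant beside them. Two properties of the rule as written are worth checking against concrete URIs: each string starts with a dot, so a URI with the bare apex host (`https://pastebin.com/raw/<id>`) does not contain `.pastebin.com/raw/` and is not matched, only subdomain forms such as `www.pastebin.com` are; and because the match is anywhere in the URI, the same string appearing in the path of an unrelated host also matches. The sample records, field layout and the function names `sigma_selection_matches`, `host_anchored_matches` and `run_detection` are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Substrings copied from the rule's selection (c-uri|contains). The Sigma
# specification defines string matching as case-insensitive, so the URI is
# lower-cased before comparison to mirror that.
RAW_PASTE_SUBSTRINGS = (
    ".paste.ee/r/",
    ".pastebin.com/raw/",
    ".hastebin.com/raw/",
)

# Host/path pairs for a stricter variant (assumption, not part of the rule):
# the URL host must be the paste service apex or one of its subdomains, and
# the path must start with the raw-paste prefix.
RAW_PASTE_HOST_PATHS = (
    ("paste.ee", "/r/"),
    ("pastebin.com", "/raw/"),
    ("hastebin.com", "/raw/"),
)

# Constructed sample proxy records (not real traffic): ClientIP, c-uri and
# c-useragent, the three fields the rule lists for triage.
SAMPLE_PROXY_LOG = [
    ("10.0.0.15", "https://www.pastebin.com/raw/AbCd1234", "Microsoft Office/16.0"),
    ("10.0.0.22", "https://pastebin.com/raw/AbCd1234", "PowerShell/5.1"),   # bare host
    ("10.0.0.31", "https://WWW.PASTE.EE/r/Xyz987", "curl/7.64.0"),          # mixed case
    ("10.0.0.44", "https://pastebin.com/AbCd1234", "Mozilla/5.0 Firefox/70.0"),  # web view, not raw
    ("10.0.0.57", "https://www.hastebin.com/raw/qwerty", "Mozilla/5.0 Chrome/78.0"),
    ("10.0.0.60", "https://evil.example/x.pastebin.com/raw/y", "Wget/1.20"),  # string only in path
]


def sigma_selection_matches(uri: str) -> bool:
    """Mirror of the rule's selection: any listed substring anywhere in c-uri."""
    u = uri.lower()
    return any(s in u for s in RAW_PASTE_SUBSTRINGS)


def host_anchored_matches(uri: str) -> bool:
    """Stricter variant: host is the service (or a subdomain) and path starts with the raw prefix."""
    parts = urlsplit(uri.lower())
    host = parts.hostname or ""
    for apex, prefix in RAW_PASTE_HOST_PATHS:
        if (host == apex or host.endswith("." + apex)) and parts.path.startswith(prefix):
            return True
    return False


def run_detection(records, matcher=sigma_selection_matches):
    """Return the (ClientIP, c-uri, c-useragent) records the matcher flags."""
    return [r for r in records if matcher(r[1])]


if __name__ == "__main__":
    print("rule selection:")
    for ip, uri, ua in run_detection(SAMPLE_PROXY_LOG):
        print(f"  {ip}  {uri}  {ua}")
    print("host-anchored variant:")
    for ip, uri, ua in run_detection(SAMPLE_PROXY_LOG, host_anchored_matches):
        print(f"  {ip}  {uri}  {ua}")
```

Run against the samples, the rule's selection flags 10.0.0.15, 10.0.0.31, 10.0.0.57 and 10.0.0.60 but not 10.0.0.22 (bare host), while the host-anchored variant flags 10.0.0.15, 10.0.0.22, 10.0.0.31 and 10.0.0.57 and drops the unrelated host. Two further caveats apply when deploying either form: `c-uri` must carry the full request URL, so for HTTPS the proxy has to be doing TLS inspection, otherwise the log only shows the CONNECT host and port and neither path substring is ever present; and a backend that translates `contains` into a case-sensitive comparison (the `query_string` wildcard against the `.keyword` field in the notebook cells below is one) will not see the mixed-case hit.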

Querying Elasticsearch

Import Libraries


In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd

Initialize Elasticsearch client


In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-*', doc_type='doc')

Run Elasticsearch Query


In [ ]:
# Raw string so the escaped slashes reach Elasticsearch as written; leading and
# trailing wildcards against the .keyword field are slow on large indices
s = searchContext.query('query_string', query=r'c-uri.keyword:(*.paste.ee\/r\/* OR *.pastebin.com\/raw\/* OR *.hastebin.com\/raw\/*)')
response = s.execute()
if response.success():
    # scan() pages through every hit instead of only the first batch from execute()
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    df = pd.DataFrame()  # keep df defined so the next cell does not fail

Show Results


In [ ]:
df.head()