Esc
Exfiltration to Text Storage Sites - T1567.003
(ATT&CK® Technique)
Definition
Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as pastebin[.]com
, are commonly used by developers to share code and other information.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1567003["Exfiltration to Text Storage Sites"] --> |produces| OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; class T1567003 OffensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click OutboundInternetWebTraffic href "/dao/artifact/d3f:OutboundInternetWebTraffic"; click T1567003 href "/offensive-technique/attack/T1567.003/"; click OutboundInternetWebTraffic href "/dao/artifact/d3f:OutboundInternetWebTraffic";Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> | May Detect | T1567003["Exfiltration to Text Storage Sites"] ; class Client-serverPayloadProfiling DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> | May Detect | T1567003["Exfiltration to Text Storage Sites"] ; class NetworkTrafficCommunityDeviation DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation"; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> | May Detect | T1567003["Exfiltration to Text Storage Sites"] ; class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> | May Detect | T1567003["Exfiltration to Text Storage Sites"] ; class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection"; RelayPatternAnalysis["Relay Pattern Analysis"] --> | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; RelayPatternAnalysis["Relay Pattern Analysis"] -.-> | May Detect | T1567003["Exfiltration to Text Storage Sites"] ; class RelayPatternAnalysis DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click RelayPatternAnalysis href "/technique/d3f:RelayPatternAnalysis"; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> | May Detect | T1567003["Exfiltration to Text Storage Sites"] ; class RemoteTerminalSessionDetection DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection"; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.-> | May Detect | T1567003["Exfiltration to Text Storage Sites"] ; class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> | May Detect | T1567003["Exfiltration to Text Storage Sites"] ; class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis"; NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; NetworkTrafficFiltering["Network Traffic Filtering"] -.-> | May Isolate | T1567003["Exfiltration to Text Storage Sites"] ; class NetworkTrafficFiltering DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering"; OutboundTrafficFiltering["Outbound Traffic Filtering"] --> | filters | OutboundInternetWebTraffic["Outbound Internet Web Traffic"]; OutboundTrafficFiltering["Outbound Traffic Filtering"] -.-> | May Isolate | T1567003["Exfiltration to Text Storage Sites"] ; class OutboundTrafficFiltering DefensiveTechniqueNode; class OutboundInternetWebTraffic ArtifactNode; click OutboundTrafficFiltering href "/technique/d3f:OutboundTrafficFiltering";