DNS lookup for paste service

Classification:

attack

Tactic:

TA0011-command-and-control

Technique:

T1105-ingress-tool-transfer

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Paste sites such as pastebin.com can be used by attackers to host malicious scripts, configuration files, and other text data. The files are then downloaded to the host using a network utility such as wget or curl. These sites may also be used to exfiltrate data.

Strategy

Detect when a process performs a DNS lookup for a paste site.

Triage and response

  1. Check if the application {{@process.executable.name}} is expected to make connections to {{@dns.question.name}}.
  2. If the DNS lookup is unexpected, contain the host or container and roll back to a known good configuration.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.

Requires Agent version 7.36 or greater