MITRE ATT&CK Technique
Exfiltration T1567.003
Description

Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as `pastebin[.]com`, are commonly used by developers to share code and other information.

Text storage sites are often used to host malicious code for C2 communication (e.g., [Stage Capabilities](https://attack.mitre.org/techniques/T1608)), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely. (Citation: Pastebin EchoSec)

**Note:** This is distinct from [Exfiltration to Code Repository](https://attack.mitre.org/techniques/T1567/001), which highlights access to code repositories via APIs.

Supported Platforms
Linux, macOS, Windows, ESXi
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2023-02-27T22:51:27.101Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may exfiltrate data to text storage sites instead '
                'of their primary command and control channel. Text storage '
                'sites, such as <code>pastebin[.]com</code>, are commonly used '
                'by developers to share code and other information.  \n'
                '\n'
                'Text storage sites are often used to host malicious code for '
                'C2 communication (e.g., [Stage '
                'Capabilities](https://attack.mitre.org/techniques/T1608)), '
                'but adversaries may also use these sites to exfiltrate '
                'collected data. Furthermore, paid features and encryption '
                'options may allow adversaries to conceal and store data more '
                'securely.(Citation: Pastebin EchoSec)\n'
                '\n'
                '**Note:** This is distinct from [Exfiltration to Code '
                'Repository](https://attack.mitre.org/techniques/T1567/001), '
                'which highlight access to code repositories via APIs.',
 'external_references': [{'external_id': 'T1567.003',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1567/003'},
                         {'description': 'Ciarniello, A. (2019, September 24). '
                                         'What is Pastebin and Why Do Hackers '
                                         'Love It?. Retrieved April 11, 2023.',
                          'source_name': 'Pastebin EchoSec',
                          'url': 'https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it'}],
 'id': 'attack-pattern--ba04e672-da86-4e69-aa15-0eca5db25f43',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'exfiltration'}],
 'modified': '2025-04-15T19:59:01.716Z',
 'name': 'Exfiltration to Text Storage Sites',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Harun Küßner'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows', 'ESXi'],
 'x_mitre_version': '1.1'}