Files

.github
_false_positives
_utils
elk
images
release_notes
tools
.gitignore
C2_category_detection.csv
Collection_category_detection.csv
Credential_Access_category_detection.csv
DFIR_hunt_in_file.ps1
Data_Exfiltration_category_detection.csv
Discovery_category_detection.csv
FileHosting_Services_tag_detection.csv
GUIDproject_tag_detection.csv
Lateral_Movement_category_detection.csv
PastebinLike_tag_detection.csv
Persistence_category_detection.csv
Phishing_category_detection.csv
Privilege_Escalation_category_detection.csv
README.md
RMM_category_detection.csv
RMM_detection.csv
VPN_Services_tag_detection.csv
base64_tag_detection.csv
deviceid_tag_detection.csv
email_tag_detection.csv
file_hashes_tag_detection.csv
greyware_tool_keyword.csv
greyware_tool_keyword_endpoint_detection.csv
greyware_tool_keyword_network_detection.csv
index.html
linux_tag_detection.csv
offensive_tool_keyword.csv
offensive_tool_keyword_endpoint_detection.csv
offensive_tool_keyword_network_detection.csv
only_keywords.txt
only_keywords_regex.txt
only_keywords_regex_better_perf.txt
productname_tag_detection.csv
script_or_binary_content_tag_detection.csv
signature_keyword.csv
threathunting-keywords.csv
threathunting-keywords_base64_format.csv
threathunting-keywords_without_hashes.csv

PastebinLike_tag_detection.csv

1	keyword	metadata_keyword_regex	metadata_keyword_type	metadata_tool	metadata_description	metadata_tool_techniques	metadata_tool_tactics	metadata_malwares_name	metadata_groups_name	metadata_category	metadata_link	metadata_enable_endpoint_detection	metadata_enable_proxy_detection	metadata_tags	metadata_comment	metadata_severity_score	metadata_popularity_score	metadata_github_stars	metadata_github_forks	metadata_github_updated_at	metadata_github_created_at
2	* \| clbin*	.{0,1000}\s\\|\sclbin.{0,1000}	greyware_tool_keyword	clbin.com	clbin.com be used for C&C purposes. The attacker will place commands on a textbin paste and have the malware fetch the commands.	T1567.002	TA0010 - TA0009	N/A	N/A	Data Exfiltration	https://clbin.com/	1	0	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
3	* nc termbin.com *	.{0,1000}\snc\stermbin\.com\s.{0,1000}	greyware_tool_keyword	termbin.com	sending data to a pastebin	T1567.002	TA0010	N/A	N/A	Data Exfiltration	termbin.com	1	0	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
4	* netcat termbin.com *	.{0,1000}\snetcat\stermbin\.com\s.{0,1000}	greyware_tool_keyword	termbin.com	sending data to a pastebin	T1567.002	TA0010	N/A	N/A	Data Exfiltration	termbin.com	1	0	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
5	* termbin.com 9999*	.{0,1000}\stermbin\.com\s9999.{0,1000}	greyware_tool_keyword	termbin.com	sending data to a pastebin	T1567.002	TA0010	N/A	N/A	Data Exfiltration	termbin.com	1	0	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
6	0bin - encrypted pastebin	.{0,1000}0bin\s\-\sencrypted\spastebin.{0,1000}	greyware_tool_keyword	0bin.net	Accessing a paste on 0bin.net	T1213 - T1190	TA0001 - TA0009 - TA0010	N/A	N/A	Collection	https://0bin.net	1	0	#PastebinLike	N/A	5	10	N/A	N/A	N/A	N/A
7	A client side encrypted PasteBin	.{0,1000}A\sclient\sside\sencrypted\sPasteBin.{0,1000}	greyware_tool_keyword	0bin.net	Accessing a paste on 0bin.net	T1213 - T1190	TA0001 - TA0009 - TA0010	N/A	N/A	Collection	https://0bin.net	1	0	#content #PastebinLike	N/A	5	10	N/A	N/A	N/A	N/A
8	curl https://termbin.com/	.{0,1000}curl\shttps\:\/\/termbin\.com\/.{0,1000}	greyware_tool_keyword	termbin.com	accessing paste raw content	T1119	TA0009	N/A	N/A	Collection	termbin.com	1	0	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
9	curlnopaste.net*	.{0,1000}curl.{0,1000}nopaste\.net.{0,1000}	greyware_tool_keyword	nopaste.net	nopaste.net is a temporary file host - nopaste and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration	T1567.002 - T1036.005 - T1102 - T1071.001	TA0005 - TA0009 - TA0010	N/A	N/A	Collection	https://www.shellhub.io/	1	0	#Pastebinlike #filehostingservice #linux	N/A	8	10	N/A	N/A	N/A	N/A
10	docker run /.config/pcopy*	.{0,1000}docker\srun\s.{0,1000}\/\.config\/pcopy.{0,1000}	greyware_tool_keyword	nopaste.net	nopaste.net is a temporary file host - nopaste and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration	T1567.002 - T1036.005 - T1102 - T1071.001	TA0005 - TA0009 - TA0010	N/A	N/A	Collection	https://www.shellhub.io/	1	0	#Pastebinlike #filehostingservice #linux	N/A	8	10	N/A	N/A	N/A	N/A
11	http://pastie.org/p//raw*	.{0,1000}http\:\/\/pastie\.org\/p\/.{0,1000}\/raw.{0,1000}	greyware_tool_keyword	pastie.org	accessing paste raw content	T1119	TA0009	N/A	N/A	Collection	http://pastie.org/	1	1	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
12	http://pastie.org/pastes/create	.{0,1000}http\:\/\/pastie\.org\/pastes\/create.{0,1000}	greyware_tool_keyword	pastie.org	sending data to a pastebin	T1567.002	TA0010	N/A	N/A	Data Exfiltration	http://pastie.org/	1	1	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
13	http://zerobinftagjpeeebbvyzjcqyjpmjvynj5qlexwyxe7l3vqejxnqv5qd.onion	.{0,1000}http\:\/\/zerobinftagjpeeebbvyzjcqyjpmjvynj5qlexwyxe7l3vqejxnqv5qd\.onion.{0,1000}	greyware_tool_keyword	zerobin.net	accessing paste raw content	T1119	TA0009	N/A	N/A	Collection	https://zerobin.net/	1	1	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
14	https://0bin.net/paste/+*	.{0,1000}https\:\/\/0bin\.net\/paste\/.{0,1000}\+.{0,1000}	greyware_tool_keyword	0bin.net	Accessing a paste on 0bin.net	T1213 - T1190	TA0001 - TA0009 - TA0010	N/A	N/A	Collection	https://0bin.net	1	1	#PastebinLike	N/A	5	10	N/A	N/A	N/A	N/A
15	https://0bin.net/paste/create	.{0,1000}https\:\/\/0bin\.net\/paste\/create.{0,1000}	greyware_tool_keyword	0bin.net	Creating a paste on 0bin.net	T1213 - T1190	TA0001 - TA0009 - TA0010	N/A	N/A	Data Exfiltration	https://0bin.net	1	1	#PastebinLike	N/A	9	10	N/A	N/A	N/A	N/A
16	https://1ty.me/	.{0,1000}https\:\/\/1ty\.me\/.{0,1000}	greyware_tool_keyword	1ty.me	temporary notes service - abused by attackers to share informations with their victims	T1105 - T1071	TA0010 - TA0009	N/A	N/A	Collection	https://1ty.me	1	1	#PastebinLike	downloading or uploading data	10	10	N/A	N/A	N/A	N/A
17	https://1ty.me/?mode=ajax&cmd=create_note	.{0,1000}https\:\/\/1ty\.me\/\?mode\=ajax\&cmd\=create_note.{0,1000}	greyware_tool_keyword	1ty.me	temporary notes service - abused by attackers to share informations with their victims	T1105 - T1071	TA0010 - TA0009	N/A	N/A	Data Exfiltration	https://1ty.me	1	1	#PastebinLike	creating note	10	10	N/A	N/A	N/A	N/A
18	https://apaste.info/p/new	.{0,1000}https\:\/\/apaste\.info\/p\/new.{0,1000}	greyware_tool_keyword	apaste.info	Creating a paste on apaste.info/	T1213 - T1190	TA0001 - TA0009 - TA0010	N/A	N/A	Data Exfiltration	https://apaste.info/	1	1	#PastebinLike	N/A	9	10	N/A	N/A	N/A	N/A
19	https://clbin.com/	.{0,1000}https\:\/\/clbin\.com\/.{0,1000}	greyware_tool_keyword	clbin.com	clbin.com be used for C&C purposes. The attacker will place commands on a textbin paste and have the malware fetch the commands.	T1567.002	TA0010 - TA0009	N/A	N/A	Data Exfiltration	https://clbin.com/	1	1	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
20	https://nopaste.net/	.{0,1000}https\:\/\/nopaste\.net\/.{0,1000}	greyware_tool_keyword	nopaste.net	nopaste.net is a temporary file host - nopaste and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration	T1567.002 - T1036.005 - T1102 - T1071.001	TA0005 - TA0009 - TA0010	N/A	N/A	Data Exfiltration	https://www.shellhub.io/	1	1	#Pastebinlike #filehostingservice	monitor PUT requests for data exfiltration	8	10	N/A	N/A	N/A	N/A
21	https://privatebin.net/	.{0,1000}https\:\/\/privatebin\.net\/.{0,1000}	greyware_tool_keyword	privatebin.net	Interesting observation on the file-sharing platform preferences derived from the negotiations chats with Black Basta victims	T1071.001 - T1567.002 - T1005	TA0010 - TA0009	N/A	Black Basta	Data Exfiltration	N/A	0	1	#PastebinLike	N/A	5	6	N/A	N/A	N/A	N/A
22	https://privnote.com/	.{0,1000}https\:\/\/privnote\.com\/.{0,1000}	greyware_tool_keyword	privnote.com	temporary notes service - abused by attackers to share informations with their victims	T1105 - T1071	TA0010 - TA0009	N/A	Akira - Black Basta	Collection	https://github.com/Casualtek/Ransomchats/blob/4a25ac6ad165a4e600aeb72718c3ad41e8f6ce3a/Akira/20240620.json#L31C27-L31C48	1	1	#PastebinLike	downloading files url	5	5	482	50	2025-01-24T16:38:39Z	2023-05-02T16:17:48Z
23	https://rentry.co/	.{0,1000}https\:\/\/rentry\.co\/.{0,1000}	greyware_tool_keyword	rentry.co	accessing a pastebinlike site - often abused by malware	T1105 - T1114 - T1083	TA0009	N/A	N/A	Collection	N/A	1	1	#PastebinLike	N/A	5	8	N/A	N/A	N/A	N/A
24	https://rentry.co//raw*	.{0,1000}https\:\/\/rentry\.co\/.{0,1000}\/raw.{0,1000}	greyware_tool_keyword	rentry.co	raw format paste access attempt - abused by attackers to store malicious payloads	T1105 - T1114 - T1083	TA0009	N/A	N/A	Collection	N/A	1	1	#PastebinLike	N/A	7	8	N/A	N/A	N/A	N/A
25	https://rentry.co/cdn-cgi/challenge-platform/	.{0,1000}https\:\/\/rentry\.co\/cdn\-cgi\/challenge\-platform\/.{0,1000}	greyware_tool_keyword	rentry.co	raw format paste access attempt - abused by attackers to store malicious payloads	T1105 - T1114 - T1083	TA0009	N/A	N/A	Collection	N/A	1	1	#PastebinLike	N/A	7	8	N/A	N/A	N/A	N/A
26	https://textbin.net/raw/	.{0,1000}https\:\/\/textbin\.net\/raw\/.{0,1000}	greyware_tool_keyword	textbin.net	textbin.net raw access content - abused by malwares to retrieve payloads	T1119	TA0009	N/A	N/A	Collection	textbin.net	1	1	#PastebinLike	greyware tool - risks of False positive !	10	10	N/A	N/A	N/A	N/A
27	https://zerobin.net/?	.{0,1000}https\:\/\/zerobin\.net\/\?.{0,1000}	greyware_tool_keyword	zerobin.net	accessing paste raw content	T1119	TA0009	N/A	N/A	Collection	https://zerobin.net/	1	1	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
28	https://zerobin.net/js/privatebin.js	.{0,1000}https\:\/\/zerobin\.net\/js\/privatebin\.js.{0,1000}	greyware_tool_keyword	zerobin.net	sending data to a pastebin	T1567.002	TA0010	N/A	N/A	Data Exfiltration	https://zerobin.net/	1	1	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
29	IEXnopaste.net*	.{0,1000}IEX.{0,1000}nopaste\.net.{0,1000}	greyware_tool_keyword	nopaste.net	nopaste.net is a temporary file host - nopaste and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration	T1567.002 - T1036.005 - T1102 - T1071.001	TA0005 - TA0009 - TA0010	N/A	N/A	Collection	https://www.shellhub.io/	1	0	#Pastebinlike #filehostingservice	N/A	8	10	N/A	N/A	N/A	N/A
30	IWRnopaste.net*	.{0,1000}IWR.{0,1000}nopaste\.net.{0,1000}	greyware_tool_keyword	nopaste.net	nopaste.net is a temporary file host - nopaste and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration	T1567.002 - T1036.005 - T1102 - T1071.001	TA0005 - TA0009 - TA0010	N/A	N/A	Collection	https://www.shellhub.io/	1	0	#Pastebinlike #filehostingservice	N/A	8	10	N/A	N/A	N/A	N/A
31	nc -N nopaste.net	.{0,1000}nc\s\-N\snopaste\.net\s.{0,1000}	greyware_tool_keyword	nopaste.net	nopaste.net is a temporary file host - nopaste and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration	T1567.002 - T1036.005 - T1102 - T1071.001	TA0005 - TA0009 - TA0010	N/A	N/A	Data Exfiltration	https://www.shellhub.io/	1	0	#Pastebinlike #filehostingservice #linux	N/A	8	10	N/A	N/A	N/A	N/A
32	nopaste.netIWR*	.{0,1000}nopaste\.net.{0,1000}IWR.{0,1000}	greyware_tool_keyword	nopaste.net	nopaste.net is a temporary file host - nopaste and clipboard across machines. You can upload files or text and share the link with others - abused by attackers for collection and data exfiltration	T1567.002 - T1036.005 - T1102 - T1071.001	TA0005 - TA0009 - TA0010	N/A	N/A	Collection	https://www.shellhub.io/	1	0	#Pastebinlike #filehostingservice	N/A	8	10	N/A	N/A	N/A	N/A
33	paste.ee/d/	.{0,1000}paste\.ee\/d\/.{0,1000}	greyware_tool_keyword	paste.ee	fetching data from paste.ee	T1041	TA0009	N/A	N/A	Collection	paste.ee	1	1	#PastebinLike	N/A	8	10	N/A	N/A	N/A	N/A
34	paste.ee/paste	.{0,1000}paste\.ee\/paste.{0,1000}	greyware_tool_keyword	paste.ee	posting data on paste.ee	T1041	TA0010	N/A	N/A	Data Exfiltration	paste.ee	1	1	#PastebinLike	N/A	10	10	N/A	N/A	N/A	N/A
35	pastebin.com/raw/*	.{0,1000}pastebin\.com.{0,1000}\/raw\/.{0,1000}\s	greyware_tool_keyword	pastebin	pastebin raw access content - abused by malwares to retrieve payloads	T1119	TA0009	Redline Stealer	Black Basta	Collection	pastebin.com	1	1	#PastebinLike	greyware tool - risks of False positive !	8	10	N/A	N/A	N/A	N/A
36	pastebin.com/rw/*	.{0,1000}pastebin\.com.{0,1000}\/rw\/.{0,1000}	greyware_tool_keyword	pastebin	pastebin raw access content - abused by malwares to retrieve payloads	T1119	TA0009	Redline Stealer	Black Basta	Collection	pastebin.com	1	1	#PastebinLike	greyware tool - risks of False positive !	8	10	N/A	N/A	N/A	N/A
37	pastebin.comapi/api_post.php*	.{0,1000}pastebin\.com.{0,1000}api\/api_post\.php.{0,1000}	greyware_tool_keyword	pastebin	pastebin POST url - abused by malwares to exfiltrate informations	T1102 - T1048 - T1094 - T1608.001	TA0011	N/A	Black Basta	Data Exfiltration	pastebin.com	1	1	#PastebinLike	greyware tool - risks of False positive !	8	10	N/A	N/A	N/A	N/A
38	pastebin.pl/cdn-cgi/challenge-platform/	.{0,1000}pastebin\.pl\/cdn\-cgi\/challenge\-platform\/.{0,1000}	greyware_tool_keyword	pastebin.pl	sending data to a pastebin	T1567.002	TA0010	N/A	N/A	Data Exfiltration	https://pastebin.pl/	1	1	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A
39	pastebin.pl/view/raw/	.{0,1000}pastebin\.pl\/view\/raw\/.{0,1000}	greyware_tool_keyword	pastebin.pl	accessing paste raw content	T1119	TA0009	N/A	N/A	Collection	https://pastebin.pl/	1	1	#PastebinLike	N/A	8	8	N/A	N/A	N/A	N/A