PasteHunter v1.4.2 releases: Scanning pastebin with yara rules

by do son · Published June 16, 2019 · Updated October 10, 2021

Image: techanarchy

PasteHunter is a python3 application that is designed to query a collection of sites that host publicly posted data. For all the pasts it finds it scans the raw contents against a series of yara rules looking for information that can be used by an org or a researcher.

Image: techanarchy

Supported Inputs

Pastehunter currently has support for the following sites:

pastebin.com
gist.github.com
slexy.org
StackExchange # There are about 176!

Supported Outputs

Pastehunter supports several output modules:

dump to ElasticSearch DB (default).
Email alerts (SMTP).
Slack Channel notifications.
Dump to JSON file.
Dump to CSV file.

PostProcess

There are a handful of post-process modules that can run additional checks on the raw paste data.

There are a few generic options for each input.

enabled: This turns the input on and off.
module: This is used internally by pastehunter.

Email

This postprocess module extracts additional information from data that includes email addresses. It will extract counts for:

Total Emails
Unique Email addresses
Unique Email domains

These 3 values are then added to the metadata for storage.

rule_list: List of rules that will trigger the postprocess module.

Base64

This postprocess will attempt to decode base64 data and then apply further processing on the new file data. At the moment this module only operates when the full paste is a base64 blob, i.e. it will not extract the base64 code that is embedded in other data.