npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
Paste sites (Pastebin, GitHub Gists, Ghostbin, Dpaste, Hastebin) are frequently used as staging areas for leaked credentials, database dumps, API keys, and sensitive data before wider distribution on dark web forums and Telegram channels. Monitoring these sites provides early breach detection, enabling organizations to respond before stolen data is weaponized. This skill covers building automated paste site monitors using the Pastebin Scraping API, keyword-based alerting, credential pattern matching, and integration with incident response workflows.
When to Use
- When conducting security assessments that involve performing paste site monitoring for credentials
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Python 3.9+ with
requests,beautifulsoup4,regex,pymisplibraries - Pastebin PRO account with Scraping API access ($49.95/month for programmatic access)
- GitHub API token for Gist monitoring
- Keyword lists specific to your organization (domains, project names, internal terms)
- Elasticsearch or database for paste storage and search
Key Concepts
Paste Site Threat Landscape
Over 300,000 user credentials are posted on Pastebin annually, averaging 1,000 username/password pairs per leak. Paste sites serve three primary threat intelligence purposes: early breach detection (credentials appear on paste sites before dark web), threat actor profiling (actors use paste sites for C2 configuration, data staging, tool sharing), and malware discovery (encoded payloads, configuration files, C2 addresses).
Monitoring Approaches
Active monitoring queries paste site APIs or scraping endpoints at regular intervals. The Pastebin Scraping API provides real-time access to new public pastes. For GitHub, the search API allows monitoring Gists and repository commits for exposed secrets. Passive monitoring uses services like IntelX, Dehashed, or Have I Been Pwned that aggregate paste site data.
Credential Pattern Detection
Effective monitoring uses regex patterns for email:password combinations, API keys (AWS, Azure, GCP, Stripe, Twilio), database connection strings, private keys (SSH, PGP), JWT tokens, and internal hostnames/URLs. Organization-specific keywords (domain names, product names, employee names) reduce false positives.
Workflow
Step 1: Pastebin Scraping API Monitor
import requests
import re
import json
import time
from datetime import datetime
class PastebinMonitor:
SCRAPING_URL = "https://scrape.pastebin.com/api_scraping.php"
RAW_URL = "https://scrape.pastebin.com/api_scrape_item.php"
def __init__(self, keywords, output_dir="paste_alerts"):
self.keywords = [k.lower() for k in keywords]
self.output_dir = output_dir
self.seen_keys = set()
self.credential_patterns = {
"email_password": re.compile(
r'[\w.+-]+@[\w-]+\.[\w.]+[\s:;|,]+[\S]{6,}', re.IGNORECASE),
"aws_key": re.compile(
r'AKIA[0-9A-Z]{16}'),
"aws_secret": re.compile(
r'[0-9a-zA-Z/+=]{40}'),
"github_token": re.compile(
r'ghp_[0-9a-zA-Z]{36}'),
"slack_token": re.compile(
r'xox[baprs]-[0-9a-zA-Z-]+'),
"private_key": re.compile(
r'-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----'),
"jwt_token": re.compile(
r'eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+'),
"connection_string": re.compile(
r'(?:mongodb|postgres|mysql|redis)://[^\s]+'),
"api_key_generic": re.compile(
r'(?:api[_-]?key|apikey|access[_-]?token)[\s]*[=:]\s*["\']?[\w-]{20,}',
re.IGNORECASE),
}
def fetch_recent_pastes(self, limit=100):
"""Fetch recent public pastes from Pastebin Scraping API."""
params = {"limit": limit}
try:
resp = requests.get(self.SCRAPING_URL, params=params, timeout=30)
if resp.status_code == 200:
pastes = resp.json()
print(f"[+] Fetched {len(pastes)} recent pastes")
return pastes
else:
print(f"[-] API error: {resp.status_code}")
return []
except Exception as e:
print(f"[-] Fetch error: {e}")
return []
def get_paste_content(self, paste_key):
"""Get the raw content of a paste."""
params = {"i": paste_key}
try:
resp = requests.get(self.RAW_URL, params=params, timeout=15)
if resp.status_code == 200:
return resp.text
return ""
except Exception:
return ""
def analyze_paste(self, content, paste_metadata):
"""Analyze paste content for credentials and keywords."""
findings = {
"keyword_matches": [],
"credential_matches": {},
"severity": "low",
}
content_lower = content.lower()
# Check keywords
for keyword in self.keywords:
if keyword in content_lower:
count = content_lower.count(keyword)
findings["keyword_matches"].append({
"keyword": keyword,
"count": count,
})
# Check credential patterns
for pattern_name, pattern in self.credential_patterns.items():
matches = pattern.findall(content)
if matches:
findings["credential_matches"][pattern_name] = {
"count": len(matches),
"samples": matches[:3],
}
# Calculate severity
cred_count = sum(
m["count"] for m in findings["credential_matches"].values()
)
if findings["keyword_matches"] and cred_count > 0:
findings["severity"] = "critical"
elif findings["keyword_matches"]:
findings["severity"] = "high"
elif cred_count > 10:
findings["severity"] = "high"
elif cred_count > 0:
findings["severity"] = "medium"
return findings
def monitor_loop(self, interval=120, iterations=None):
"""Continuous monitoring loop."""
count = 0
while iterations is None or count < iterations:
pastes = self.fetch_recent_pastes()
alerts = []
for paste in pastes:
paste_key = paste.get("key", "")
if paste_key in self.seen_keys:
continue
self.seen_keys.add(paste_key)
content = self.get_paste_content(paste_key)
if not content:
continue
findings = self.analyze_paste(content, paste)
if findings["severity"] != "low":
alert = {
"paste_key": paste_key,
"title": paste.get("title", "Untitled"),
"user": paste.get("user", "Anonymous"),
"date": paste.get("date", ""),
"size": paste.get("size", 0),
"url": f"https://pastebin.com/{paste_key}",
"findings": findings,
"detected_at": datetime.now().isoformat(),
}
alerts.append(alert)
print(f" [ALERT-{findings['severity'].upper()}] "
f"{paste_key}: {findings['keyword_matches']}")
if alerts:
self._save_alerts(alerts)
count += 1
if iterations is None or count < iterations:
time.sleep(interval)
return alerts
def _save_alerts(self, alerts):
"""Save alerts to JSON file."""
filename = f"{self.output_dir}/alerts_{datetime.now().strftime('%Y%m%d_%H%M%S')}.json"
import os
os.makedirs(self.output_dir, exist_ok=True)
with open(filename, "w") as f:
json.dump(alerts, f, indent=2)
print(f"[+] Saved {len(alerts)} alerts to {filename}")
monitor = PastebinMonitor(
keywords=["mycompany.com", "internal-project", "employee-name"],
)
alerts = monitor.monitor_loop(interval=120, iterations=5)Step 2: GitHub Gist and Code Search Monitoring
class GitHubSecretMonitor:
def __init__(self, github_token, org_keywords):
self.token = github_token
self.keywords = org_keywords
self.headers = {
"Authorization": f"token {github_token}",
"Accept": "application/vnd.github.v3+json",
}
def search_code(self, query, per_page=30):
"""Search GitHub code for leaked secrets."""
url = "https://api.github.com/search/code"
params = {"q": query, "per_page": per_page}
resp = requests.get(url, headers=self.headers, params=params)
if resp.status_code == 200:
results = resp.json().get("items", [])
print(f"[+] GitHub code search: {len(results)} results for '{query}'")
return results
return []
def search_gists(self, keyword):
"""Search public Gists for sensitive data."""
url = "https://api.github.com/gists/public"
params = {"per_page": 100}
resp = requests.get(url, headers=self.headers, params=params)
matches = []
if resp.status_code == 200:
gists = resp.json()
for gist in gists:
description = (gist.get("description") or "").lower()
files = gist.get("files", {})
for filename, file_info in files.items():
if keyword.lower() in description or keyword.lower() in filename.lower():
matches.append({
"gist_id": gist["id"],
"description": gist.get("description", ""),
"filename": filename,
"url": gist["html_url"],
"created_at": gist["created_at"],
})
return matches
def monitor_org_secrets(self, org_domain):
"""Monitor for organization secrets leaked on GitHub."""
queries = [
f'"{org_domain}" password',
f'"{org_domain}" api_key',
f'"{org_domain}" secret',
f'"{org_domain}" token',
f'"{org_domain}" credentials',
]
all_findings = []
for query in queries:
results = self.search_code(query)
for result in results:
all_findings.append({
"query": query,
"repo": result.get("repository", {}).get("full_name", ""),
"path": result.get("path", ""),
"url": result.get("html_url", ""),
"score": result.get("score", 0),
})
time.sleep(10) # GitHub rate limiting
return all_findings
gh_monitor = GitHubSecretMonitor("YOUR_GITHUB_TOKEN", ["mycompany.com"])
findings = gh_monitor.monitor_org_secrets("mycompany.com")Step 3: Alert and Incident Response Integration
def generate_credential_leak_alert(alert_data):
"""Generate incident alert for credential leak detection."""
alert = {
"title": f"Credential Leak Detected - {alert_data.get('severity', 'unknown').upper()}",
"source": alert_data.get("url", ""),
"detected_at": alert_data.get("detected_at", ""),
"severity": alert_data.get("severity", "medium"),
"summary": f"Paste containing organization keywords and credentials found",
"keyword_matches": alert_data.get("findings", {}).get("keyword_matches", []),
"credential_types": list(alert_data.get("findings", {}).get("credential_matches", {}).keys()),
"recommended_actions": [
"Verify if leaked credentials are valid",
"Force password reset for affected accounts",
"Rotate exposed API keys and tokens",
"Check access logs for unauthorized usage",
"Report paste for takedown",
"Update monitoring keywords if new patterns found",
],
}
return alertValidation Criteria
- Pastebin Scraping API queried successfully with rate limiting
- Credential patterns detected (email:password, API keys, private keys)
- Organization-specific keywords matched with context
- GitHub code search identifies exposed secrets
- Alerts generated with severity classification
- Integration with incident response workflow
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md1.4 KB
API Reference — Performing Paste Site Monitoring for Credentials
Libraries Used
- requests: HIBP API v3 for breach and paste lookup
- re: Credential pattern matching (email:pass, API keys, AWS keys, JWTs)
- time: Rate limiting for HIBP API (1.6s between requests)
CLI Interface
python agent.py [--api-key <hibp_key>] check --email user@example.com
python agent.py [--api-key <hibp_key>] pastes --email user@example.com
python agent.py [--api-key <hibp_key>] bulk --domain example.com --emails employee_list.txt
python agent.py scan --file paste_dump.txt
python agent.py [--api-key <hibp_key>] report --domain example.com --emails employees.txtCore Functions
check_haveibeenpwned(email, api_key) — Breach database lookup
Endpoint: GET /api/v3/breachedaccount/{email}
check_paste_dumps(email, api_key) — Paste site exposure check
Endpoint: GET /api/v3/pasteaccount/{email}
bulk_check_domain(domain, email_list_file, api_key) — Organization-wide scan
Rate-limited to 1.6s between requests. Max 50 emails per run.
scan_text_for_credentials(text_file) — Pattern-based credential detection
Patterns: email:password, username:password, API keys, AWS keys (AKIA*), private keys, JWTs.
generate_exposure_report(...) — Executive exposure summary
Rate Limiting
HIBP free tier: ~1 request/1.6 seconds. Agent auto-sleeps between requests.
Dependencies
pip install requestsScripts 1
agent.py7.0 KB
#!/usr/bin/env python3
"""Agent for performing paste site monitoring for leaked credentials."""
import json
import argparse
import re
import time
from datetime import datetime
try:
import requests
except ImportError:
requests = None
def check_haveibeenpwned(email, api_key=None):
"""Check if an email appears in Have I Been Pwned breaches."""
headers = {"User-Agent": "PasteMonitor-Agent"}
if api_key:
headers["hibp-api-key"] = api_key
try:
resp = requests.get(f"https://haveibeenpwned.com/api/v3/breachedaccount/{email}",
headers=headers, timeout=15)
if resp.status_code == 200:
breaches = resp.json()
return {
"email": email, "breached": True,
"breach_count": len(breaches),
"breaches": [{"name": b["Name"], "date": b["BreachDate"],
"data_classes": b["DataClasses"]} for b in breaches[:10]],
}
elif resp.status_code == 404:
return {"email": email, "breached": False}
else:
return {"email": email, "error": f"HTTP {resp.status_code}"}
except Exception as e:
return {"email": email, "error": str(e)}
def check_paste_dumps(email, api_key=None):
"""Check for email in paste site dumps via HIBP paste API."""
headers = {"User-Agent": "PasteMonitor-Agent"}
if api_key:
headers["hibp-api-key"] = api_key
try:
resp = requests.get(f"https://haveibeenpwned.com/api/v3/pasteaccount/{email}",
headers=headers, timeout=15)
if resp.status_code == 200:
pastes = resp.json()
return {
"email": email, "found_in_pastes": True,
"paste_count": len(pastes),
"pastes": [{"source": p.get("Source"), "title": p.get("Title", "")[:100],
"date": p.get("Date"), "email_count": p.get("EmailCount")}
for p in pastes[:15]],
}
elif resp.status_code == 404:
return {"email": email, "found_in_pastes": False}
else:
return {"email": email, "error": f"HTTP {resp.status_code}"}
except Exception as e:
return {"email": email, "error": str(e)}
def bulk_check_domain(domain, email_list_file, api_key=None):
"""Check all emails from a domain for breach exposure."""
from pathlib import Path
emails = [e.strip() for e in Path(email_list_file).read_text().splitlines() if e.strip() and domain in e]
results = []
for email in emails[:50]:
result = check_haveibeenpwned(email, api_key)
results.append(result)
time.sleep(1.6)
breached = [r for r in results if r.get("breached")]
return {
"domain": domain,
"emails_checked": len(results),
"breached_accounts": len(breached),
"exposure_rate": round(len(breached) / max(len(results), 1) * 100, 1),
"results": results,
}
def scan_text_for_credentials(text_file):
"""Scan a text file (paste dump) for credential patterns."""
from pathlib import Path
content = Path(text_file).read_text(encoding="utf-8", errors="replace")
patterns = {
"email_password": re.compile(r"([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})\s*[:|;]\s*(\S+)"),
"username_password": re.compile(r"(?:user(?:name)?|login)\s*[:|=]\s*(\S+)\s+(?:pass(?:word)?)\s*[:|=]\s*(\S+)", re.I),
"api_key": re.compile(r"(?:api[_-]?key|apikey|access[_-]?token)\s*[:|=]\s*['\"]?([a-zA-Z0-9_\-]{20,})['\"]?", re.I),
"aws_key": re.compile(r"AKIA[0-9A-Z]{16}"),
"private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
"jwt_token": re.compile(r"eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+"),
}
findings = {}
for name, pattern in patterns.items():
matches = pattern.findall(content)
if matches:
if isinstance(matches[0], tuple):
findings[name] = [{"match": m[0][:50]} for m in matches[:20]]
else:
findings[name] = [{"match": m[:50]} for m in matches[:20]]
domains = re.findall(r"@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})", content)
domain_counts = {}
for d in domains:
domain_counts[d] = domain_counts.get(d, 0) + 1
return {
"file": text_file,
"credential_types_found": list(findings.keys()),
"total_matches": sum(len(v) for v in findings.values()),
"findings": findings,
"affected_domains": dict(sorted(domain_counts.items(), key=lambda x: -x[1])[:15]),
}
def generate_exposure_report(domain, email_list_file, api_key=None):
"""Generate credential exposure report for an organization."""
bulk = bulk_check_domain(domain, email_list_file, api_key)
return {
"generated": datetime.utcnow().isoformat(),
"domain": domain,
"summary": {
"emails_checked": bulk["emails_checked"],
"breached": bulk["breached_accounts"],
"exposure_rate": bulk["exposure_rate"],
},
"recommendations": [
"Force password reset for all breached accounts",
"Enable MFA for all accounts",
"Monitor for credential stuffing attacks",
"Implement password breach detection (e.g., Azure AD Password Protection)",
],
"details": bulk["results"][:20],
}
def main():
if not requests:
print(json.dumps({"error": "requests not installed"}))
return
parser = argparse.ArgumentParser(description="Paste Site Credential Monitoring Agent")
parser.add_argument("--api-key", help="HIBP API key")
sub = parser.add_subparsers(dest="command")
c = sub.add_parser("check", help="Check single email")
c.add_argument("--email", required=True)
p = sub.add_parser("pastes", help="Check paste dumps")
p.add_argument("--email", required=True)
b = sub.add_parser("bulk", help="Bulk domain check")
b.add_argument("--domain", required=True)
b.add_argument("--emails", required=True, help="Email list file")
s = sub.add_parser("scan", help="Scan text for credentials")
s.add_argument("--file", required=True)
r = sub.add_parser("report", help="Exposure report")
r.add_argument("--domain", required=True)
r.add_argument("--emails", required=True)
args = parser.parse_args()
api_key = args.api_key if hasattr(args, "api_key") else None
if args.command == "check":
result = check_haveibeenpwned(args.email, api_key)
elif args.command == "pastes":
result = check_paste_dumps(args.email, api_key)
elif args.command == "bulk":
result = bulk_check_domain(args.domain, args.emails, api_key)
elif args.command == "scan":
result = scan_text_for_credentials(args.file)
elif args.command == "report":
result = generate_exposure_report(args.domain, args.emails, api_key)
else:
parser.print_help()
return
print(json.dumps(result, indent=2, default=str))
if __name__ == "__main__":
main()