{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/smb-network-shares/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows","SMB network shares"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","windows","file-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe GhostLock tool, developed by Kim Dvash of Israel Aerospace Industries, is a proof-of-concept demonstrating how the Windows \u003ccode\u003eCreateFileW\u003c/code\u003e API can be abused to create a denial-of-service condition. The technique exploits the \u003ccode\u003edwShareMode\u003c/code\u003e parameter of the \u003ccode\u003eCreateFileW\u003c/code\u003e function to open files in exclusive mode, preventing other users and applications from accessing them. The GhostLock tool automates this by recursively opening a large number of files on SMB shares. While GhostLock is active, attempts to access those files result in a sharing violation error. This attack can be launched by standard domain users without elevated privileges. While primarily a disruption technique, GhostLock could be used as a decoy during intrusions to distract IT staff during data theft or lateral movement.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a system on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the GhostLock tool.\u003c/li\u003e\n\u003cli\u003eGhostLock uses the \u003ccode\u003eCreateFileW\u003c/code\u003e API to recursively open files on local or SMB network shares.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003edwShareMode\u003c/code\u003e parameter is set to 0, granting exclusive access to the opened files.\u003c/li\u003e\n\u003cli\u003eWindows grants the GhostLock process exclusive access, preventing other users or applications from opening the same files.\u003c/li\u003e\n\u003cli\u003eLegitimate users attempting to access the files receive a \u0026ldquo;STATUS_SHARING_VIOLATION\u0026rdquo; error.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains the open file handles to sustain the denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe disruption hinders normal business operations, potentially masking other malicious activities like data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe GhostLock tool causes a denial-of-service condition by preventing legitimate users and applications from accessing files stored locally or on SMB network shares. Although not destructive like ransomware, the attack can lead to significant operational downtime. The attack could also be used as a diversionary tactic to mask other malicious activities, such as data theft or lateral movement within the network. The impact is primarily disruption-based.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor per-session open-file counts with \u003ccode\u003eShareAccess = 0\u003c/code\u003e at the file server layer, as recommended by the researcher. This metric is found in storage platform management interfaces, not Windows event logs or EDR telemetry.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect processes making a large number of file open requests with \u003ccode\u003eShareAccess = 0\u003c/code\u003e. Tune the threshold for your environment.\u003c/li\u003e\n\u003cli\u003eImplement the NDR detection rule outlined in the GhostLock whitepaper, available from the researcher, to identify anomalous file access patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T22:03:46Z","date_published":"2026-05-11T22:03:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-ghostlock-file-access-abuse/","summary":"GhostLock is a proof-of-concept tool that abuses the Windows CreateFileW API to block access to files on local and SMB network shares, causing a denial-of-service condition.","title":"GhostLock Tool Abuses Windows API to Block File Access","url":"https://feed.craftedsignal.io/briefs/2026-05-ghostlock-file-access-abuse/"}],"language":"en","title":"CraftedSignal Threat Feed — SMB Network Shares","version":"https://jsonfeed.org/version/1.1"}