{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/collection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint Security"],"_cs_severities":["high"],"_cs_tags":["genai","credential-access","persistence","collection"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers are increasingly leveraging GenAI agents to automate the discovery and exfiltration of sensitive information, including credentials, API keys, and tokens stored within files on compromised systems. The observed activity involves GenAI tools accessing critical files such as cloud credentials, SSH keys, browser password databases, and shell configuration files. Successful exploitation allows attackers to harvest credentials, gain unauthorized access to systems, and establish persistence mechanisms for continued access. The GenAI tools mentioned include ollama, textgen, lmstudio, claude, cursor, copilot, codex, jan, gpt4all, gemini-cli, genaiscript, grok, qwen, koboldcpp, llama-server, windsurf, zed, opencode, and goose. 
This activity highlights the emerging threat landscape of AI-assisted attacks and the need for robust detection and mitigation strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of a system through an unrelated vulnerability or social engineering.\u003c/li\u003e\n\u003cli\u003eInstallation or execution of a GenAI tool (e.g., ollama, lmstudio) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool is configured or instructed to scan the file system for sensitive files.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool accesses files containing credentials, such as \u003ccode\u003e.aws/credentials\u003c/code\u003e, browser password databases (\u003ccode\u003eLogin Data\u003c/code\u003e, \u003ccode\u003ekey3.db\u003c/code\u003e), or SSH keys (\u003ccode\u003e.ssh/id_*\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe GenAI tool exfiltrates the harvested credentials and API keys to a remote server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to cloud resources, internal systems, or other sensitive accounts.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool attempts to modify shell configuration files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e) to establish persistence.\u003c/li\u003e\n\u003cli\u003eUpon system restart or user login, the modified shell configuration executes malicious commands, granting the attacker persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this threat can lead to significant data breaches, unauthorized access to critical systems, and persistent compromise of affected environments. Attackers can leverage stolen credentials to escalate privileges, move laterally within the network, and exfiltrate sensitive data. 
The number of victims and sectors targeted are currently unknown, but the potential impact is widespread given the increasing adoption of GenAI tools in various industries. Credential theft leads to financial loss, intellectual property theft, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GenAI Process Accessing Sensitive Files\u0026rdquo; to your SIEM to detect GenAI tools accessing sensitive files on endpoints.\u003c/li\u003e\n\u003cli\u003eEnable file access monitoring on systems where GenAI tools are used to capture access events for analysis.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of GenAI tools within the environment, especially concerning access to sensitive file paths.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to shell configuration files (e.g., \u003ccode\u003e.bashrc\u003c/code\u003e, \u003ccode\u003e.zshrc\u003c/code\u003e, \u003ccode\u003e.profile\u003c/code\u003e) as an indicator of persistence attempts.\u003c/li\u003e\n\u003cli\u003eImplement regular credential rotation policies to minimize the impact of stolen credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T22:46:51Z","date_published":"2026-05-01T22:46:51Z","id":"/briefs/2024-12-15-genai-sensitive-file-access/","summary":"This threat brief details the detection of GenAI tools accessing sensitive files containing credentials, SSH keys, browser data, and shell configurations, indicating potential credential harvesting and persistence attempts by attackers leveraging GenAI agents.","title":"GenAI Tools Accessing Sensitive Files for Credential Access and Persistence","url":"https://feed.craftedsignal.io/briefs/2024-12-15-genai-sensitive-file-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory","Windows Security Event 
Logs"],"_cs_severities":["medium"],"_cs_tags":["credential-access","privilege-escalation","collection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies attempts to access sensitive attributes within Active Directory via the Lightweight Directory Access Protocol (LDAP). These attributes, including \u003ccode\u003eunixUserPassword\u003c/code\u003e, \u003ccode\u003ems-PKI-AccountCredentials\u003c/code\u003e, and \u003ccode\u003emsPKI-CredentialRoamingTokens\u003c/code\u003e, are valuable targets for adversaries aiming to steal credentials or escalate privileges. The rule focuses on Windows Security Event Logs, specifically monitoring event code 4662 which indicates an attempt to access an object. By filtering out common benign access patterns, such as those originating from the SYSTEM account or using specific access masks, the rule aims to highlight potentially malicious activity that warrants further investigation. The original rule was created in November 2022 and updated in May 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target domain (e.g., through phishing or exploiting a public-facing application).\u003c/li\u003e\n\u003cli\u003eThe attacker uses valid credentials or exploits a vulnerability to authenticate to the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker uses LDAP queries to enumerate Active Directory objects.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts specific LDAP queries to target sensitive attributes like \u003ccode\u003eunixUserPassword\u003c/code\u003e, \u003ccode\u003ems-PKI-AccountCredentials\u003c/code\u003e, or \u003ccode\u003emsPKI-CredentialRoamingTokens\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWindows Security Event 4662 is generated, logging the access attempt with details about the user, accessed object, and 
properties.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the accessed attribute data, potentially containing password hashes, certificates, or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials or certificates to impersonate other users or gain elevated privileges within the domain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the compromise of domain accounts, including privileged accounts. Attackers can use stolen credentials to move laterally within the network, access sensitive data, and disrupt business operations. Depending on the attributes accessed, this could also expose private keys and authentication certificates leading to further attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Access to Sensitive LDAP Attributes\u0026rdquo; to your SIEM to detect access attempts to critical AD attributes (rule.name).\u003c/li\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Access\u0026rdquo; to ensure that necessary Windows Security Event Logs (event code 4662) are generated for the Sigma rule to function (setup).\u003c/li\u003e\n\u003cli\u003eReview and tune the \u0026ldquo;Access to Sensitive LDAP Attributes\u0026rdquo; Sigma rule, creating exceptions for legitimate administrative accounts and scheduled system processes to minimize false positives (rule.note).\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and permissions for sensitive LDAP attributes within Active Directory to restrict access to only necessary personnel (rule.note).\u003c/li\u003e\n\u003cli\u003eInvestigate any triggered alerts from the Sigma rule, focusing on identifying the user/process attempting access (winlog.event_data.SubjectUserSid) and the specific sensitive attribute accessed (winlog.event_data.Properties) 
(rule.note).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-19T16:23:00Z","date_published":"2024-01-19T16:23:00Z","id":"/briefs/2024-01-ldap-attribute-access/","summary":"This rule detects unauthorized access to sensitive Active Directory object attributes such as unixUserPassword, ms-PKI-AccountCredentials, and msPKI-CredentialRoamingTokens, potentially leading to credential theft and privilege escalation.","title":"Detection of Sensitive LDAP Attribute Access","url":"https://feed.craftedsignal.io/briefs/2024-01-ldap-attribute-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Exchange","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["collection","execution","powershell","exchange","mailbox"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may target user email to collect sensitive information. The \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet is used to export the contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. Attackers can abuse this functionality in preparation for exfiltrating contents, which are likely to contain sensitive and strategic data. This activity is typically performed using PowerShell or similar scripting tools and can be difficult to detect without specific monitoring in place. 
The activity may be part of a larger attack campaign targeting sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system with sufficient privileges to access Exchange PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Exchange server using PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet to initiate the export of a target mailbox to a .pst file. The command may include parameters to filter specific content.\u003c/li\u003e\n\u003cli\u003eThe Exchange server processes the export request, creating a .pst file containing the mailbox data.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exported .pst file from the designated file path.\u003c/li\u003e\n\u003cli\u003eThe attacker may compress and archive the .pst file to reduce its size for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the .pst file to an external location controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the .pst file to extract sensitive information such as credentials, financial data, or intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the attacker to gain access to sensitive information contained within the exported mailboxes. This could lead to financial loss, reputational damage, or compromise of intellectual property. Depending on the scope of the export requests, multiple mailboxes may be compromised, impacting a large number of users. 
The impact is significant because email often contains highly sensitive business communications and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to monitor PowerShell execution with command-line arguments (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect the use of \u003ccode\u003eNew-MailboxExportRequest\u003c/code\u003e cmdlet in PowerShell commands.\u003c/li\u003e\n\u003cli\u003eReview the privileges of users with the \u0026ldquo;Mailbox Import Export\u0026rdquo; privilege to ensure that the least privilege principle is being followed.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for PowerShell activity related to mailbox export requests (Data Source: Windows Security Event Logs).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to identify potential malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-exchange-mailbox-export/","summary":"Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.","title":"Exchange Mailbox Export via PowerShell","url":"https://feed.craftedsignal.io/briefs/2024-01-exchange-mailbox-export/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["collection","archive","exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers frequently compress and encrypt data before exfiltration to reduce the amount of data being sent over the network and to obfuscate the contents. 
This behavior often indicates a later stage of intrusion where the attacker has already collected sensitive data and is preparing to move it out of the environment. The use of archiving tools like WinRAR and 7-Zip with encryption flags can help attackers to hide their activities, making it more difficult for defenders to identify and respond to data theft. This technique has been observed in multiple threat actors including Turla as documented by WeLiveSecurity. This brief focuses on detecting command-line activity indicative of archive creation with encryption using WinRAR or 7-Zip on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to obtain credentials using techniques such as Mimikatz or credential dumping.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify sensitive data and systems of interest.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The attacker gathers sensitive data from various locations on the compromised system or network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArchive Creation:\u003c/strong\u003e The attacker uses WinRAR or 7-Zip to create an encrypted archive of the collected data using command-line arguments like \u003ccode\u003e-hp\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, \u003ccode\u003e/hp\u003c/code\u003e, or \u003ccode\u003e/p\u003c/code\u003e with \u003ccode\u003erar.exe\u003c/code\u003e or \u003ccode\u003eWinRAR.exe\u003c/code\u003e or \u003ccode\u003e-p*\u003c/code\u003e with \u003ccode\u003e7z.exe\u003c/code\u003e or 
\u003ccode\u003e7za.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Staging:\u003c/strong\u003e The encrypted archive is moved to a staging location, such as a temporary directory or removable media.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The attacker exfiltrates the encrypted archive from the network using various methods, such as FTP, SCP, or cloud storage services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker deletes the archive from the staging location to remove evidence of the activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, intellectual property, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and regulatory fines for the victim organization. 
The number of victims and specific sectors targeted will vary depending on the attacker\u0026rsquo;s objectives and the nature of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Encrypting Files with WinRar or 7z - CommandLine\u0026rdquo; to your SIEM to detect the execution of WinRAR or 7-Zip with encryption parameters (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Sysmon to ensure the necessary data is available for detection (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the scope and impact of the potential data exfiltration attempt (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections, particularly to cloud storage services or other external destinations, that may indicate data exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-winrar-7zip-encryption/","summary":"Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.","title":"Detection of Encrypted Archive Creation with WinRAR or 7-Zip","url":"https://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/"}],"language":"en","title":"CraftedSignal Threat Feed — Collection","version":"https://jsonfeed.org/version/1.1"}