https://feed.craftedsignal.io/tags/collection/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 01 May 2026 22:46:51 +0000https://feed.craftedsignal.io/briefs/2024-12-15-genai-sensitive-file-access/Fri, 01 May 2026 22:46:51 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-12-15-genai-sensitive-file-access/This threat brief details the detection of GenAI tools accessing sensitive files containing credentials, SSH keys, browser data, and shell configurations, indicating potential credential harvesting and persistence attempts by attackers leveraging GenAI agents.Attackers are increasingly leveraging GenAI agents to automate the discovery and exfiltration of sensitive information, including credentials, API keys, and tokens stored within files on compromised systems. The observed activity involves GenAI tools accessing critical files such as cloud credentials, SSH keys, browser password databases, and shell configuration files. Successful exploitation allows attackers to harvest credentials, gain unauthorized access to systems, and establish persistence mechanisms for continued access. The GenAI tools mentioned include ollama, textgen, lmstudio, claude, cursor, copilot, codex, jan, gpt4all, gemini-cli, genaiscript, grok, qwen, koboldcpp, llama-server, windsurf, zed, opencode, and goose. This activity highlights the emerging threat landscape of AI-assisted attacks and the need for robust detection and mitigation strategies.

Attack Chain

1. Initial compromise of a system through an unrelated vulnerability or social engineering.
2. Installation or execution of a GenAI tool (e.g., ollama, lmstudio) on the compromised system.
3. The GenAI tool is configured or instructed to scan the file system for sensitive files.
4. The GenAI tool accesses files containing credentials, such as .aws/credentials, browser password databases (Login Data, key3.db), or SSH keys (.ssh/id_*).
5. The GenAI tool exfiltrates the harvested credentials and API keys to a remote server controlled by the attacker.
6. The attacker uses the stolen credentials to gain unauthorized access to cloud resources, internal systems, or other sensitive accounts.
7. The GenAI tool attempts to modify shell configuration files (e.g., .bashrc, .zshrc) to establish persistence.
8. Upon system restart or user login, the modified shell configuration executes malicious commands, granting the attacker persistent access.

Impact

Successful exploitation of this threat can lead to significant data breaches, unauthorized access to critical systems, and persistent compromise of affected environments. Attackers can leverage stolen credentials to escalate privileges, move laterally within the network, and exfiltrate sensitive data. The number of victims and sectors targeted are currently unknown, but the potential impact is widespread given the increasing adoption of GenAI tools in various industries. Credential theft leads to financial loss, intellectual property theft, and reputational damage.

Recommendation

• Deploy the Sigma rule “GenAI Process Accessing Sensitive Files” to your SIEM to detect GenAI tools accessing sensitive files on endpoints.
• Enable file access monitoring on systems where GenAI tools are used to capture access events for analysis.
• Review and restrict the use of GenAI tools within the environment, especially concerning access to sensitive file paths.
• Monitor for modifications to shell configuration files (e.g., .bashrc, .zshrc, .profile) as an indicator of persistence attempts.
• Implement regular credential rotation policies to minimize the impact of stolen credentials.

]]>highadvisorygenaicredential-accesspersistencecollectionhttps://feed.craftedsignal.io/briefs/2024-01-ldap-attribute-access/Fri, 19 Jan 2024 16:23:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-ldap-attribute-access/This rule detects unauthorized access to sensitive Active Directory object attributes such as unixUserPassword, ms-PKI-AccountCredentials, and msPKI-CredentialRoamingTokens, potentially leading to credential theft and privilege escalation.This detection rule identifies attempts to access sensitive attributes within Active Directory via the Lightweight Directory Access Protocol (LDAP). These attributes, including unixUserPassword, ms-PKI-AccountCredentials, and msPKI-CredentialRoamingTokens, are valuable targets for adversaries aiming to steal credentials or escalate privileges. The rule focuses on Windows Security Event Logs, specifically monitoring event code 4662 which indicates an attempt to access an object. By filtering out common benign access patterns, such as those originating from the SYSTEM account or using specific access masks, the rule aims to highlight potentially malicious activity that warrants further investigation. The original rule was created in November 2022 and updated in May 2026.

Attack Chain

1. An attacker gains initial access to a system within the target domain (e.g., through phishing or exploiting a public-facing application).
2. The attacker uses valid credentials or exploits a vulnerability to authenticate to the domain.
3. The attacker uses LDAP queries to enumerate Active Directory objects.
4. The attacker crafts specific LDAP queries to target sensitive attributes like unixUserPassword, ms-PKI-AccountCredentials, or msPKI-CredentialRoamingTokens.
5. Windows Security Event 4662 is generated, logging the access attempt with details about the user, accessed object, and properties.
6. The attacker exfiltrates the accessed attribute data, potentially containing password hashes, certificates, or other sensitive information.
7. The attacker uses the stolen credentials or certificates to impersonate other users or gain elevated privileges within the domain.

Impact

Successful exploitation can lead to the compromise of domain accounts, including privileged accounts. Attackers can use stolen credentials to move laterally within the network, access sensitive data, and disrupt business operations. Depending on the attributes accessed, this could also expose private keys and authentication certificates leading to further attacks.

Recommendation

• Deploy the Sigma rule “Access to Sensitive LDAP Attributes” to your SIEM to detect access attempts to critical AD attributes (rule.name).
• Enable “Audit Directory Service Access” to ensure that necessary Windows Security Event Logs (event code 4662) are generated for the Sigma rule to function (setup).
• Review and tune the “Access to Sensitive LDAP Attributes” Sigma rule, creating exceptions for legitimate administrative accounts and scheduled system processes to minimize false positives (rule.note).
• Implement stricter access controls and permissions for sensitive LDAP attributes within Active Directory to restrict access to only necessary personnel (rule.note).
• Investigate any triggered alerts from the Sigma rule, focusing on identifying the user/process attempting access (winlog.event_data.SubjectUserSid) and the specific sensitive attribute accessed (winlog.event_data.Properties) (rule.note).

]]>mediumadvisorycredential-accessprivilege-escalationcollectionwindowshttps://feed.craftedsignal.io/briefs/2024-01-exchange-mailbox-export/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-exchange-mailbox-export/Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.Attackers may target user email to collect sensitive information. The New-MailBoxExportRequest cmdlet is used to export the contents of a primary mailbox or archive to a .pst file. Note that this is done on a per-mailbox basis and this cmdlet is available only in on-premises Exchange. Attackers can abuse this functionality in preparation for exfiltrating contents, which is likely to contain sensitive and strategic data. This activity is typically performed using PowerShell or similar scripting tools and can be difficult to detect without specific monitoring in place. The activity may be part of a larger attack campaign targeting sensitive information.

Attack Chain

1. An attacker gains initial access to a compromised system with sufficient privileges to access Exchange PowerShell.
2. The attacker authenticates to the Exchange server using PowerShell.
3. The attacker uses the New-MailboxExportRequest cmdlet to initiate the export of a target mailbox to a .pst file. The command may include parameters to filter specific content.
4. The Exchange server processes the export request, creating a .pst file containing the mailbox data.
5. The attacker retrieves the exported .pst file from the designated file path.
6. The attacker may compress and archive the .pst file to reduce its size for exfiltration.
7. The attacker exfiltrates the .pst file to an external location controlled by the attacker.
8. The attacker analyzes the .pst file to extract sensitive information such as credentials, financial data, or intellectual property.

Impact

Successful exploitation allows the attacker to gain access to sensitive information contained within the exported mailboxes. This could lead to financial loss, reputational damage, or compromise of intellectual property. Depending on the scope of the export requests, multiple mailboxes may be compromised, impacting a large number of users. The impact is significant because email often contains highly sensitive business communications and data.

Recommendation

• Enable Sysmon process creation logging to monitor PowerShell execution with command-line arguments (Data Source: Sysmon).
• Implement the provided Sigma rule to detect the use of New-MailboxExportRequest cmdlet in PowerShell commands.
• Review the privileges of users with the “Mailbox Import Export” privilege to ensure that the least privilege principle is being followed.
• Monitor Windows Security Event Logs for PowerShell activity related to mailbox export requests (Data Source: Windows Security Event Logs).
• Investigate any alerts generated by the Sigma rules to identify potential malicious activity.

]]>mediumadvisorycollectionexecutionpowershellexchangemailboxhttps://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.Attackers frequently compress and encrypt data before exfiltration to reduce the amount of data being sent over the network and to obfuscate the contents. This behavior often indicates a later stage of intrusion where the attacker has already collected sensitive data and is preparing to move it out of the environment. The use of archiving tools like WinRAR and 7-Zip with encryption flags can help attackers to hide their activities, making it more difficult for defenders to identify and respond to data theft. This technique has been observed in multiple threat actors including Turla as documented by WeLiveSecurity. This brief focuses on detecting command-line activity indicative of archive creation with encryption using WinRAR or 7-Zip on Windows systems.

Attack Chain

1. Initial Access: The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.
2. Credential Access: The attacker attempts to obtain credentials using techniques such as Mimikatz or credential dumping.
3. Discovery: The attacker performs reconnaissance to identify sensitive data and systems of interest.
4. Data Collection: The attacker gathers sensitive data from various locations on the compromised system or network.
5. Archive Creation: The attacker uses WinRAR or 7-Zip to create an encrypted archive of the collected data using command-line arguments like -hp, -p, /hp, or /p with rar.exe or WinRAR.exe or -p* with 7z.exe or 7za.exe.
6. Data Staging: The encrypted archive is moved to a staging location, such as a temporary directory or removable media.
7. Exfiltration: The attacker exfiltrates the encrypted archive from the network using various methods, such as FTP, SCP, or cloud storage services.
8. Covering Tracks: The attacker deletes the archive from the staging location to remove evidence of the activity.

Impact

A successful attack can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, intellectual property, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and regulatory fines for the victim organization. The number of victims and specific sectors targeted will vary depending on the attacker’s objectives and the nature of the compromised data.

Recommendation

• Deploy the Sigma rule “Detect Encrypting Files with WinRar or 7z - CommandLine” to your SIEM to detect the execution of WinRAR or 7-Zip with encryption parameters (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).
• Enable process creation logging with command line arguments in Sysmon to ensure the necessary data is available for detection (Data Source: Sysmon).
• Investigate any alerts generated by the Sigma rules to determine the scope and impact of the potential data exfiltration attempt (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).
• Monitor network traffic for unusual outbound connections, particularly to cloud storage services or other external destinations, that may indicate data exfiltration.

]]>mediumadvisorycollectionarchiveexfiltrationwindows