{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/utility/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["data-exfiltration","utility","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on the post-compromise activity of data exfiltration using the legitimate \u003ccode\u003ecurl.exe\u003c/code\u003e utility to upload files to public file-sharing websites. While \u003ccode\u003ecurl\u003c/code\u003e is a standard utility, its use in conjunction with specific command-line arguments and known file-sharing domains (such as \u003ccode\u003ewetransfer.com\u003c/code\u003e, \u003ccode\u003etransfer.sh\u003c/code\u003e, \u003ccode\u003efile.io\u003c/code\u003e, and \u003ccode\u003epastebin\u003c/code\u003e) is a strong indicator of malicious intent. Threat actors frequently leverage such methods to bypass traditional network defenses and move stolen data out of compromised environments. This activity is critical for defenders to detect as it signifies a successful breach that has progressed to the data exfiltration stage, potentially leading to significant data loss, intellectual property theft, and severe reputational and financial damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eFollowing initial compromise and potentially internal reconnaissance, the attacker identifies sensitive data on the Windows host.\u003c/li\u003e\n\u003cli\u003eThe attacker prepares the target data for exfiltration, which may involve compression or encryption, and stages it for transfer.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ecurl.exe\u003c/code\u003e from a command prompt or script on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecurl.exe\u003c/code\u003e command includes specific flags such as \u003ccode\u003e--form\u003c/code\u003e, \u003ccode\u003e--upload-file\u003c/code\u003e, \u003ccode\u003e--data\u003c/code\u003e, \u003ccode\u003e-X POST\u003c/code\u003e, \u003ccode\u003e-sT\u003c/code\u003e, or \u003ccode\u003e-d\u003c/code\u003e to initiate a file upload.\u003c/li\u003e\n\u003cli\u003eThe command specifies a known public file-sharing domain (e.g., \u003ccode\u003e0x0.st\u003c/code\u003e, \u003ccode\u003ebashupload.com\u003c/code\u003e, \u003ccode\u003ewetransfer.com\u003c/code\u003e) as the destination for the uploaded file.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecurl.exe\u003c/code\u003e establishes an outbound network connection to the file-sharing service and transmits the specified sensitive data from the compromised system.\u003c/li\u003e\n\u003cli\u003eUpon successful upload, the attacker retrieves the exfiltrated data from the public file-sharing service using the provided download link, completing the data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exfiltration of data using this method can have severe consequences for an organization. This typically results in significant data loss, including sensitive intellectual property, customer data, or regulated personal identifiable information (PII). Such incidents can lead to substantial financial penalties due to regulatory non-compliance (e.g., GDPR, CCPA), loss of customer trust, and long-term reputational damage. Depending on the data's sensitivity, the breach could also empower competitors, disrupt business operations, or facilitate further attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Curl File Upload To File Sharing Websites\u0026quot; provided in this brief to your SIEM/EDR to detect suspicious \u003ccode\u003ecurl.exe\u003c/code\u003e activity targeting public file-sharing sites.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon process-creation logging is enabled on all Windows endpoints to capture command-line arguments of executed processes, which is crucial for activating the rule.\u003c/li\u003e\n\u003cli\u003eReview network egress logs for connections to the domains listed in the \u003ccode\u003eselection_cli_domain\u003c/code\u003e of the Sigma rule to identify unapproved data transfers.\u003c/li\u003e\n\u003cli\u003eImplement data loss prevention (DLP) solutions to monitor and block uploads of sensitive information to unapproved cloud storage or file-sharing services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T15:11:48Z","date_published":"2026-07-03T15:11:48Z","id":"https://feed.craftedsignal.io/briefs/2026-07-curl-file-upload-exfiltration/","summary":"This brief details the use of `curl.exe` by an attacker on a compromised Windows host to exfiltrate sensitive data to public file-sharing services, leading to potential data loss and regulatory non-compliance.","title":"Data Exfiltration via Curl to File-Sharing Websites","url":"https://feed.craftedsignal.io/briefs/2026-07-curl-file-upload-exfiltration/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Sysinternals PsSuspend"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","utility","sysinternals","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThreat actors are increasingly misusing legitimate system utilities, like Microsoft's Sysinternals PsSuspend, to hinder security defenses. PsSuspend is a powerful tool designed for administrators to pause and resume processes on local or remote systems. However, its capability to suspend any running process, including critical antivirus (AV) and endpoint detection and response (EDR) agents, makes it an attractive target for adversaries seeking to operate undetected. This brief highlights the detection of PsSuspend being executed with command-line arguments targeting security processes such as \u003ccode\u003emsmpeng.exe\u003c/code\u003e (Microsoft Defender Antivirus service). Such activity indicates an attempt to temporarily disable or bypass security controls, allowing subsequent malicious activity to proceed without interference. While the exact campaigns are not specified in the source, this technique is broadly adopted by various sophisticated threat groups for defense evasion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003e[Insufficient information in the provided source to construct a detailed 6-8 step attack chain covering initial access through impact. The source describes a single defense impairment action rather than a full campaign lifecycle.]\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of PsSuspend against security processes can lead to a critical blind spot in an organization's defense posture. When AV/EDR agents are suspended, they cease to monitor, detect, and prevent malicious activities, effectively disarming endpoint protection. This allows threat actors to perform actions such as executing malware, establishing persistence, exfiltrating data, or deploying ransomware without being detected. The immediate consequence is a loss of visibility and control, significantly increasing the risk of a successful breach and subsequent data compromise or system disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u0026quot;Sysinternals PsSuspend Suspicious Execution\u0026quot; to your SIEM and tune for your environment to detect attempts to suspend security products.\u003c/li\u003e\n\u003cli\u003eEnsure process creation logging, especially for command-line arguments, is enabled on all Windows endpoints to support the detection rules.\u003c/li\u003e\n\u003cli\u003eRestrict the execution of unauthorized or unapproved system utilities, including Sysinternals tools, on critical endpoints.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and principle of least privilege to prevent unauthorized users or processes from running tools like PsSuspend.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T14:29:07Z","date_published":"2026-07-03T14:29:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/","summary":"Adversaries are leveraging the legitimate Sysinternals PsSuspend utility to suspend critical security processes, such as Microsoft Defender Antivirus (`msmpeng.exe`), as a defense impairment technique to bypass endpoint detection and response (EDR) solutions.","title":"Sysinternals PsSuspend Suspicious Execution to Impair Defenses","url":"https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Utility","version":"https://jsonfeed.org/version/1.1"}