<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Utility - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/utility/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 15:11:48 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/utility/feed.xml" rel="self" type="application/rss+xml"/><item><title>Data Exfiltration via Curl to File-Sharing Websites</title><link>https://feed.craftedsignal.io/briefs/2026-07-curl-file-upload-exfiltration/</link><pubDate>Fri, 03 Jul 2026 15:11:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-curl-file-upload-exfiltration/</guid><description>This brief details the use of `curl.exe` by an attacker on a compromised Windows host to exfiltrate sensitive data to public file-sharing services, leading to potential data loss and regulatory non-compliance.</description><content:encoded><![CDATA[<p>This threat brief focuses on the post-compromise activity of data exfiltration using the legitimate <code>curl.exe</code> utility to upload files to public file-sharing websites. While <code>curl</code> is a standard utility, its use in conjunction with specific command-line arguments and known file-sharing domains (such as <code>wetransfer.com</code>, <code>transfer.sh</code>, <code>file.io</code>, and <code>pastebin</code>) is a strong indicator of malicious intent. Threat actors frequently leverage such methods to bypass traditional network defenses and move stolen data out of compromised environments. This activity is critical for defenders to detect as it signifies a successful breach that has progressed to the data exfiltration stage, potentially leading to significant data loss, intellectual property theft, and severe reputational and financial damage.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Following initial compromise and potentially internal reconnaissance, the attacker identifies sensitive data on the Windows host.</li>
<li>The attacker prepares the target data for exfiltration, which may involve compression or encryption, and stages it for transfer.</li>
<li>The attacker executes <code>curl.exe</code> from a command prompt or script on the compromised host.</li>
<li>The <code>curl.exe</code> command includes specific flags such as <code>--form</code>, <code>--upload-file</code>, <code>--data</code>, <code>-X POST</code>, <code>-sT</code>, or <code>-d</code> to initiate a file upload.</li>
<li>The command specifies a known public file-sharing domain (e.g., <code>0x0.st</code>, <code>bashupload.com</code>, <code>wetransfer.com</code>) as the destination for the uploaded file.</li>
<li><code>curl.exe</code> establishes an outbound network connection to the file-sharing service and transmits the specified sensitive data from the compromised system.</li>
<li>Upon successful upload, the attacker retrieves the exfiltrated data from the public file-sharing service using the provided download link, completing the data theft.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exfiltration of data using this method can have severe consequences for an organization. This typically results in significant data loss, including sensitive intellectual property, customer data, or regulated personal identifiable information (PII). Such incidents can lead to substantial financial penalties due to regulatory non-compliance (e.g., GDPR, CCPA), loss of customer trust, and long-term reputational damage. Depending on the data's sensitivity, the breach could also empower competitors, disrupt business operations, or facilitate further attacks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Curl File Upload To File Sharing Websites&quot; provided in this brief to your SIEM/EDR to detect suspicious <code>curl.exe</code> activity targeting public file-sharing sites.</li>
<li>Ensure Sysmon process-creation logging is enabled on all Windows endpoints to capture command-line arguments of executed processes, which is crucial for activating the rule.</li>
<li>Review network egress logs for connections to the domains listed in the <code>selection_cli_domain</code> of the Sigma rule to identify unapproved data transfers.</li>
<li>Implement data loss prevention (DLP) solutions to monitor and block uploads of sensitive information to unapproved cloud storage or file-sharing services.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>data-exfiltration</category><category>utility</category><category>windows</category></item><item><title>Sysinternals PsSuspend Suspicious Execution to Impair Defenses</title><link>https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/</link><pubDate>Fri, 03 Jul 2026 14:29:07 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-sysinternals-pssuspend-suspicious-execution/</guid><description>Adversaries are leveraging the legitimate Sysinternals PsSuspend utility to suspend critical security processes, such as Microsoft Defender Antivirus (`msmpeng.exe`), as a defense impairment technique to bypass endpoint detection and response (EDR) solutions.</description><content:encoded><![CDATA[<p>Threat actors are increasingly misusing legitimate system utilities, like Microsoft's Sysinternals PsSuspend, to hinder security defenses. PsSuspend is a powerful tool designed for administrators to pause and resume processes on local or remote systems. However, its capability to suspend any running process, including critical antivirus (AV) and endpoint detection and response (EDR) agents, makes it an attractive target for adversaries seeking to operate undetected. This brief highlights the detection of PsSuspend being executed with command-line arguments targeting security processes such as <code>msmpeng.exe</code> (Microsoft Defender Antivirus service). Such activity indicates an attempt to temporarily disable or bypass security controls, allowing subsequent malicious activity to proceed without interference. While the exact campaigns are not specified in the source, this technique is broadly adopted by various sophisticated threat groups for defense evasion.</p>
<h2 id="attack-chain">Attack Chain</h2>
<p>[Insufficient information in the provided source to construct a detailed 6-8 step attack chain covering initial access through impact. The source describes a single defense impairment action rather than a full campaign lifecycle.]</p>
<h2 id="impact">Impact</h2>
<p>Successful execution of PsSuspend against security processes can lead to a critical blind spot in an organization's defense posture. When AV/EDR agents are suspended, they cease to monitor, detect, and prevent malicious activities, effectively disarming endpoint protection. This allows threat actors to perform actions such as executing malware, establishing persistence, exfiltrating data, or deploying ransomware without being detected. The immediate consequence is a loss of visibility and control, significantly increasing the risk of a successful breach and subsequent data compromise or system disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule &quot;Sysinternals PsSuspend Suspicious Execution&quot; to your SIEM and tune for your environment to detect attempts to suspend security products.</li>
<li>Ensure process creation logging, especially for command-line arguments, is enabled on all Windows endpoints to support the detection rules.</li>
<li>Restrict the execution of unauthorized or unapproved system utilities, including Sysinternals tools, on critical endpoints.</li>
<li>Implement strong access controls and principle of least privilege to prevent unauthorized users or processes from running tools like PsSuspend.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>defense-evasion</category><category>utility</category><category>sysinternals</category><category>windows</category></item></channel></rss>