Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Ransomware-AffiliateExfilTooling.

Upgrade to Pro
THREAT-Ransomware-AffiliateExfilTooling

Ransomware-Affiliate Custom Exfiltration Tooling (StealBit & Exmatter)

Exfiltration Last updated:

Ransomware affiliates increasingly deploy purpose-built exfiltration utilities instead of general-purpose tools like rclone, separating the data-theft channel from the encryption payload's C2 infrastructure. StealBit, distributed by LockBit affiliates, is a standalone binary (originally HTTP/HTTPS-based, later versions moved to a raw multi-threaded TCP protocol) that is dropped with a randomized hex/GUID filename into ProgramData, AppData\Local\Temp, or Users\Public, then run with no command-line arguments. It enumerates local and mapped drives, filters for high-value file types (databases, documents, spreadsheets, credential stores), and spawns dozens of concurrent upload threads to a single hardcoded external host to maximize throughput before the encryptor executes. Exmatter, used by BlackMatter/Noberus, BlackCat/ALPHV, and BlackByte affiliates, is a .NET utility that prioritizes specific extensions (.sql, .mdf, .bak, .pdf, .doc/x, .xls/x, .rdp, .kdbx) and exfiltrates over SFTP, FTPS, or WebDAV to attacker-controlled infrastructure using credentials embedded in its configuration; several observed samples overwrite or truncate a subset of already-uploaded source files with random data immediately after a successful transfer, an anti-recovery and extra-leverage behavior distinct from the ransomware's own encryption routine. Both tools are typically staged and executed in the hours immediately preceding encryption, making the exfiltration phase a high-value, narrow detection window before impact.

What is THREAT-Ransomware-AffiliateExfilTooling Ransomware-Affiliate Custom Exfiltration Tooling (StealBit & Exmatter)?

Ransomware-Affiliate Custom Exfiltration Tooling (StealBit & Exmatter) (THREAT-Ransomware-AffiliateExfilTooling) maps to the Exfiltration tactic — the adversary is trying to steal data in MITRE ATT&CK.

This page provides production-ready detection logic for Ransomware-Affiliate Custom Exfiltration Tooling (StealBit & Exmatter), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents), Sysmon Event ID 1, 3, 11. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Exfiltration
Microsoft Sentinel / Defender
kusto
let TargetExtensions = dynamic([".sql", ".mdf", ".ndf", ".bak", ".pst", ".ost", ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rdp", ".kdbx"]);
let StagingDirs = dynamic(["\\ProgramData\\", "\\AppData\\Local\\Temp\\", "\\Users\\Public\\"]);
// Signal 1: GUID/hex-named executable launched from a staging directory with no command-line arguments (StealBit / Exmatter drop pattern)
let SuspiciousLoader = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (StagingDirs)
| where FileName matches regex @"^[0-9a-fA-F]{8}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{4}-?[0-9a-fA-F]{12}\.exe$"
    or FileName matches regex @"^[0-9a-fA-F]{16,32}\.exe$"
| where isempty(ProcessCommandLine) or ProcessCommandLine =~ strcat(FileName)
| extend Signal = "SuspiciousLoaderExec", RiskScore = 75
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, Signal, RiskScore;
// Signal 2: mass staging/enumeration of high-value file types by a single process in a short window
let MassFileStaging = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName has_any (TargetExtensions)
| summarize DistinctFiles = dcount(FileName), Paths = make_set(FolderPath, 5) by DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, bin(Timestamp, 10m)
| where DistinctFiles > 50
| extend Signal = "MassFileStaging", RiskScore = 65
| project Timestamp, DeviceName, AccountName, FileName = "(multiple)", FolderPath = "(multiple)", ProcessCommandLine = "", InitiatingProcessFileName, Signal, RiskScore;
// Signal 3: high fan-out outbound connections — StealBit's multi-threaded upload workers or Exmatter's FTPS/SFTP session bursts to one external host
let HighFanoutExfil = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType =~ "ConnectionSuccess"
| where RemoteIPType == "Public"
| where RemotePort in (443, 21, 990, 22)
| summarize ConnectionCount = count(), BytesSent = sum(SentBytes) by DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemotePort, bin(Timestamp, 10m)
| where ConnectionCount >= 20
| extend Signal = "HighFanoutExfilConnections", RiskScore = 85
| project Timestamp, DeviceName, AccountName, FileName = InitiatingProcessFileName, FolderPath = strcat(tostring(RemoteIP), ":", tostring(RemotePort)), ProcessCommandLine = strcat("Connections=", tostring(ConnectionCount), " BytesSent=", tostring(BytesSent)), InitiatingProcessFileName, Signal, RiskScore;
// Signal 4: file truncated/modified within minutes of an outbound transfer from the same process (Exmatter's post-upload self-corruption of source files)
let PostExfilCorruption = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileModified"
| where FileName has_any (TargetExtensions)
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemotePort in (21, 990, 22, 443)
    | where RemoteIPType == "Public"
    | project NetTime = Timestamp, DeviceName, NetProcess = InitiatingProcessFileName
  ) on DeviceName
| where (Timestamp - NetTime) between (0min .. 5min)
| where InitiatingProcessFileName =~ NetProcess
| extend Signal = "PostExfilFileCorruption", RiskScore = 90
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName, FolderPath = FolderPath, ProcessCommandLine = "", InitiatingProcessFileName, Signal, RiskScore;
union SuspiciousLoader, MassFileStaging, HighFanoutExfil, PostExfilCorruption
| sort by RiskScore desc, Timestamp desc

Four-signal detection for purpose-built ransomware-affiliate exfiltration tooling using Microsoft Defender for Endpoint telemetry: (1) a randomly-named executable launched with no arguments from ProgramData, AppData\Local\Temp, or Users\Public — the drop pattern shared by StealBit and Exmatter; (2) mass creation/modification/renaming of high-value file types (databases, documents, credential stores) by one process, indicating pre-exfiltration staging; (3) an unusually high count of outbound connections from a single process to one external host on FTPS/SFTP/HTTPS ports within a 10-minute window, matching StealBit's multi-threaded upload workers; (4) a file matching a target extension being modified within five minutes of an outbound transfer from the same process — Exmatter's documented post-upload source-file corruption behavior.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents) Sysmon Event ID 1, 3, 11

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceNetworkEvents

False Positives

  • Legitimate backup or DR replication software that batches file writes and connects to a single cloud/offsite target with many parallel streams — verify against known backup service account names and scheduled maintenance windows
  • Software installers and self-extracting archives that drop randomly-named temporary executables into AppData\Local\Temp — correlate with a code-signing check and absence of subsequent network fan-out
  • Database maintenance jobs (backup, index rebuild, log shipping) that touch many .bak/.mdf files in a short window on a database server — exclude known DBA service accounts and SQL Server Agent job hosts
  • File synchronization clients (OneDrive, SharePoint sync) that both upload and subsequently update local file metadata, which can superficially resemble the post-transfer modification pattern

Sigma rule & cross-platform mapping

The detection logic for Ransomware-Affiliate Custom Exfiltration Tooling (StealBit & Exmatter) (THREAT-Ransomware-AffiliateExfilTooling) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate StealBit-Style Multi-Threaded Exfil Fan-Out

    Expected signal: Sysmon Event ID 1 for a randomly-named executable created in ProgramData; Sysmon Event ID 3 showing 20+ outbound connections to the test endpoint on port 443 within a short window.

  2. Test 2Simulate Exmatter-Style Staging and Post-Upload File Corruption

    Expected signal: Sysmon Event ID 11 for 60 file creations matching the .pdf extension within a short window; Sysmon Event ID 3 for the outbound SFTP connection on port 22; a second Event ID 11/2 for the modification of staged_1.pdf within minutes of the SFTP connection.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Ransomware-AffiliateExfilTooling — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections