Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Ransomware-AffiliateExfilTooling.

Upgrade to Pro
THREAT-Ransomware-AffiliateExfilTooling Splunk · SPL

Detect Ransomware-Affiliate Custom Exfiltration Tooling (StealBit & Exmatter) in Splunk

Ransomware affiliates increasingly deploy purpose-built exfiltration utilities instead of general-purpose tools like rclone, separating the data-theft channel from the encryption payload's C2 infrastructure. StealBit, distributed by LockBit affiliates, is a standalone binary (originally HTTP/HTTPS-based, later versions moved to a raw multi-threaded TCP protocol) that is dropped with a randomized hex/GUID filename into ProgramData, AppData\Local\Temp, or Users\Public, then run with no command-line arguments. It enumerates local and mapped drives, filters for high-value file types (databases, documents, spreadsheets, credential stores), and spawns dozens of concurrent upload threads to a single hardcoded external host to maximize throughput before the encryptor executes. Exmatter, used by BlackMatter/Noberus, BlackCat/ALPHV, and BlackByte affiliates, is a .NET utility that prioritizes specific extensions (.sql, .mdf, .bak, .pdf, .doc/x, .xls/x, .rdp, .kdbx) and exfiltrates over SFTP, FTPS, or WebDAV to attacker-controlled infrastructure using credentials embedded in its configuration; several observed samples overwrite or truncate a subset of already-uploaded source files with random data immediately after a successful transfer, an anti-recovery and extra-leverage behavior distinct from the ransomware's own encryption routine. Both tools are typically staged and executed in the hours immediately preceding encryption, making the exfiltration phase a high-value, narrow detection window before impact.

MITRE ATT&CK

Tactic
Exfiltration

SPL Detection Query

Splunk (SPL)
spl
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\ProgramData\\*" OR Image="*\\AppData\\Local\\Temp\\*" OR Image="*\\Users\\Public\\*")
  CommandLine="")
| regex Image="(?i)\\\\([0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}|[0-9a-f]{16,32})\.exe$"
| eval Signal="SuspiciousLoaderExec", RiskScore=75
| table _time host User Image CommandLine Signal RiskScore
| append
    [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 DestinationPort IN (443,21,990,22)
      | stats count AS ConnectionCount BY host, User, Image, DestinationIp, DestinationPort, _time span=10m
      | where ConnectionCount>=20
      | eval Signal="HighFanoutExfilConnections", RiskScore=85
      | table _time host User Image DestinationIp DestinationPort ConnectionCount Signal RiskScore ]
| append
    [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*.sql" OR TargetFilename="*.mdf" OR TargetFilename="*.bak" OR TargetFilename="*.pst" OR TargetFilename="*.pdf" OR TargetFilename="*.docx" OR TargetFilename="*.xlsx" OR TargetFilename="*.rdp" OR TargetFilename="*.kdbx")
      | stats dc(TargetFilename) AS DistinctFiles BY host, User, Image, _time span=10m
      | where DistinctFiles>50
      | eval Signal="MassFileStaging", RiskScore=65
      | table _time host User Image DistinctFiles Signal RiskScore ]
| sort - RiskScore - _time
critical severity high confidence

SPL detection for StealBit/Exmatter-style ransomware-affiliate exfiltration tooling. Combines Sysmon process creation (EventCode=1) for randomly-named argument-less loaders dropped in staging directories, Sysmon network connection (EventCode=3) for high fan-out FTPS/SFTP/HTTPS connections from a single process, and Sysmon file creation (EventCode=11) for mass staging of high-value file extensions within a 10-minute window.

Data Sources

Sysmon via Windows Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Backup agents opening many concurrent FTPS/SFTP sessions to a single offsite target during a scheduled window
  • Software installers dropping randomly-named temporary executables in AppData\Local\Temp with no arguments
  • SQL Server maintenance plans touching a large number of .bak/.mdf files within a short window

Other platforms for THREAT-Ransomware-AffiliateExfilTooling


Testing Methodology

Validate this detection against 2 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate StealBit-Style Multi-Threaded Exfil Fan-Out

    Expected signal: Sysmon Event ID 1 for a randomly-named executable created in ProgramData; Sysmon Event ID 3 showing 20+ outbound connections to the test endpoint on port 443 within a short window.

  2. Test 2Simulate Exmatter-Style Staging and Post-Upload File Corruption

    Expected signal: Sysmon Event ID 11 for 60 file creations matching the .pdf extension within a short window; Sysmon Event ID 3 for the outbound SFTP connection on port 22; a second Event ID 11/2 for the modification of staged_1.pdf within minutes of the SFTP connection.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Ransomware-AffiliateExfilTooling — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections