S1200: StealBit
Analyst context for executives and security teams
StealBit matters because ATT&CK describes it as a Windows data exfiltration tool associated with the LockBit Ransomware-as-a-Service ecosystem and used for double-extortion data theft. For leaders, the practical issue is not only ransomware encryption; it is whether the organization can detect and contain pre-extortion collection, staging, transfer, and cleanup activity before sensitive data leaves the environment.
Executive priority
Treat this as a resilience and evidence-readiness concern: executives should ask whether ransomware playbooks, legal/compliance notification processes, and incident response retainers are prepared for data-theft scenarios, not just system restoration. Control investment should prioritize visibility into Windows endpoint activity, sensitive-data access, unusual outbound transfer patterns, and evidence preservation when tools delete files or impair monitoring.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around the related behaviors ATT&CK links to StealBit: local data collection, file and directory discovery, system and language discovery, encoded or decoded artifacts, execution via native APIs or IPC, guardrails/evasion, file deletion, web or non-application-layer communications, transfer size limiting, and possible security-tool impairment. Because ATT&CK provides no official detection text for S1200, detections should be behavior-led and tested against local Windows telemetry rather than based only on tool names or static indicators.
Likely telemetry
- Windows endpoint process execution and parent/child process context
- File system enumeration, access, creation, modification, and deletion events
- Sensitive file, local database, configuration, and share access logs where available
- Endpoint security, EDR, antivirus, and logging-agent health or tamper events
- Network flow, proxy, DNS, and firewall records for outbound web-protocol traffic
Detection direction
- Prioritize behavior chains over single indicators: discovery of files and system details followed by bulk file access, encoded artifacts, outbound transfer, and cleanup is more meaningful than any one event alone.
- Tune for exfiltration patterns that avoid simple volume thresholds, including repeated fixed-size transfers or sustained outbound sessions that may appear below alert thresholds.
- Validate visibility gaps caused by file deletion, debugger or sandbox evasion, execution guardrails, and security-tool impairment; absence of telemetry during a suspected event should be investigated as a possible signal.
- Correlate endpoint and network telemetry because ATT&CK relationships include both host behaviors and command-and-control/exfiltration-related communications.
- Account for false positives from legitimate backup, synchronization, administration, compression, and data-migration tools by baselining approved business processes and service accounts.
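The detection direction above can be made concrete as correlation logic over normalised telemetry. The following is an added example, not code from the ATT&CK object, Cybereason, the FBI or Glexia: it runs two checks over constructed endpoint and network events, a T1030-style test for runs of near-identical outbound sessions that each sit under a naive volume threshold, and a behavior-chain test for broad file collection followed by repeated outbound transfer and self-deletion of the acting binary. The host name, process names, paths, destination and byte counts are constructed sample data, and `backup-agent.exe` is a hypothetical allowlisted business process used to show the baselining step.

```python
"""Behavior-chain and fixed-size-transfer detection over constructed telemetry.

Added example: all hosts, processes, paths, destinations and sizes below are
constructed sample data, not observations from any real StealBit incident.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str      # file_read | net_flow | file_delete
    process: str   # image name of the acting process
    target: str    # file path or destination
    size: int = 0  # bytes read or bytes sent


# Constructed baseline of approved transfer-heavy software (false-positive control).
APPROVED_PROCESSES = {"backup-agent.exe", "OneDrive.exe"}

T0 = datetime(2025, 1, 29, 2, 0, 0)

# Constructed sample: broad document collection, eight ~1 MiB outbound sessions
# to one destination (each far below a naive 50 MB alert threshold), then the
# acting binary deleting its own image. The backup agent's large, variable
# transfers are legitimate and must not alert.
SAMPLE_EVENTS = [
    Event(T0 + timedelta(seconds=i), "WS-042", "file_read", "svc.exe",
          f"C:\\Users\\finance\\Documents\\report_{i}.xlsx", 300_000)
    for i in range(12)
] + [
    Event(T0 + timedelta(minutes=1, seconds=10 * i), "WS-042", "net_flow",
          "svc.exe", "203.0.113.10:80", 1_048_576 + (i % 3) * 16)
    for i in range(8)
] + [
    Event(T0 + timedelta(minutes=3), "WS-042", "file_delete", "svc.exe",
          "C:\\ProgramData\\svc.exe"),
    Event(T0 + timedelta(minutes=5), "WS-042", "net_flow", "backup-agent.exe",
          "10.0.0.5:443", 80_000_000),
    Event(T0 + timedelta(minutes=6), "WS-042", "net_flow", "backup-agent.exe",
          "10.0.0.5:443", 12_000_000),
]


def fixed_size_transfers(events, min_flows=5, max_cv=0.01):
    """T1030-style check: many outbound sessions from one process to one
    destination whose sizes are almost identical. Flags on shape, not volume,
    so chunked transfers under a simple byte threshold are still surfaced.
    Returns (host, process, destination, flow_count, mean_bytes) tuples."""
    groups = defaultdict(list)
    for e in events:
        if e.kind == "net_flow" and e.process not in APPROVED_PROCESSES:
            groups[(e.host, e.process, e.target)].append(e.size)
    hits = []
    for (host, proc, dst), sizes in groups.items():
        if len(sizes) < min_flows:
            continue
        avg = mean(sizes)
        cv = pstdev(sizes) / avg if avg else 0.0  # coefficient of variation
        if cv <= max_cv:
            hits.append((host, proc, dst, len(sizes), int(avg)))
    return hits


def exfil_chains(events, window=timedelta(minutes=10), min_files=10, min_flows=3):
    """Per (host, process): access to many distinct files, followed by repeated
    outbound flows, optionally followed by deletion of the process's own image,
    all inside `window`. Each stage alone is weak; the ordered chain is the alert."""
    by_actor = defaultdict(list)
    for e in events:
        if e.process not in APPROVED_PROCESSES:
            by_actor[(e.host, e.process)].append(e)
    chains = []
    for (host, proc), evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        reads = [e for e in evs if e.kind == "file_read"]
        flows = [e for e in evs if e.kind == "net_flow"]
        deletes = [e for e in evs if e.kind == "file_delete"
                   and e.target.lower().endswith("\\" + proc.lower())]
        distinct_files = {e.target for e in reads}
        if len(distinct_files) < min_files or len(flows) < min_flows:
            continue
        first_read, first_flow = reads[0].ts, flows[0].ts
        if not (first_read <= first_flow <= first_read + window):
            continue
        stages = ["discovery_collection", "outbound_transfer"]
        if any(first_flow <= d.ts <= first_read + window for d in deletes):
            stages.append("self_delete")
        chains.append({"host": host, "process": proc, "stages": stages,
                       "files": len(distinct_files), "flows": len(flows),
                       "bytes_out": sum(e.size for e in flows)})
    return chains


if __name__ == "__main__":
    for hit in fixed_size_transfers(SAMPLE_EVENTS):
        print("fixed-size transfer run:", hit)
    for chain in exfil_chains(SAMPLE_EVENTS):
        print("behavior chain:", chain)
```

In production the `Event` records would be built from EDR file-access and process events joined with flow or proxy logs on host and time; the allowlist is the baselining step from the last bullet above, and a chain that ends in `self_delete` is also the cue to preserve the host's remaining evidence before containment removes it.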
Mitigation priorities
- Confirm Windows endpoint monitoring is deployed, healthy, and resistant to tampering where feasible.
- Limit unnecessary access to sensitive local data and shares so a compromised host or account has less data available for collection.
- Implement and test egress monitoring controls for unusual outbound web and non-application-layer communications without relying only on high-volume thresholds.
- Maintain IR procedures for rapid host isolation, evidence preservation, and assessment of data access/exfiltration during ransomware-related incidents.
- Ensure compliance and legal teams have evidence requirements defined in advance for data-theft investigations and notification decisions.
Analyst notes and limits
The supplied ATT&CK object identifies StealBit as a data exfiltration tool developed and maintained by LockBit RaaS operators and offered to affiliates for double extortion. The most useful defensive lens is the related technique set: discovery, collection, stealth/evasion, C2, exfiltration, and defense impairment behaviors that can be validated in Windows monitoring and IR workflows.
ATT&CK provides no official detection guidance, no aliases, and no object-level tactics for S1200 in the supplied fields. The object platform is Windows; some related techniques list broader platforms, but that does not by itself establish StealBit activity on those platforms. Local telemetry, approved software baselines, and incident context are required to determine exposure or detection coverage.
StealBit
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1622 | Debugger Evasion | StealBit can detect it is being run in the context of a debugger. [1] |
| Enterprise | T1559 | Inter-Process Communication | StealBit can use interprocess communication (IPC) to enable the designation of multiple files for exfiltration in a scalable manner. [1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | StealBit can self-delete its executable file from the compromised system. [1] [2] |
| Enterprise | T1030 | Data Transfer Size Limits | StealBit can be configured to exfiltrate files at a specified rate to evade network detection mechanisms. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | StealBit stores obfuscated DLL file names in its executable. [1] |
| Enterprise | T1106 | Native API | StealBit can use native APIs including `LoadLibraryExA` for execution and `NtSetInformationProcess` for defense evasion purposes. [1] |
| Enterprise | T1082 | System Information Discovery | StealBit can enumerate the computer name and domain membership of the compromised system. [1] |
| Enterprise | T1480 | Execution Guardrails | StealBit will execute an empty infinite loop if it detects it is being run in the context of a debugger. [1] |
| Enterprise | T1005 | Data from Local System | StealBit can upload data and files to the LockBit victim-shaming site. [2] [1] |
| Enterprise | T1614.001 | System Language Discovery (sub-technique) | StealBit can determine system location based on the default language setting and will not execute on systems located in former Soviet countries. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | StealBit can use the Windows Socket networking library to communicate with attacker-controlled endpoints. [1] |
| Enterprise | T1685 | Disable or Modify Tools | StealBit can configure processes to not display certain Windows error messages through use of `NtSetInformationProcess`. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | StealBit can use HTTP to exfiltrate files to actor-controlled infrastructure. [2] [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | StealBit can deobfuscate loaded modules prior to execution. [2] [1] |
| Enterprise | T1083 | File and Directory Discovery | StealBit can be configured to exfiltrate specific file types. [2] [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b55a6e61c73e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cybereason StealBit Exfiltration Tool: Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
- [2] FBI Lockbit 2.0 FEB 2022: FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
- [3] mitre-attack S1200
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.