Four engagement-blocking fixes from HTB Cascade smoke test + top priorities from the rule corpus audit. Net: TightVNC .reg password catch lands Red end-to-end.
Fixed
Walker ACCESS_DENIED no longer crashes the share scan
Cascade's Data share crashed on the first denied subdir (Contractors/) even though IT/ (which contains the VNC password) was readable. Both share/smb.py and share/smb_impacket.py walkers now catch STATUS_ACCESS_DENIED, record the skipped subtree, and continue with the next entry.
UTF-16LE files (.reg exports) decode correctly
extract.extract_text was UTF-8-decoding everything, garbling UTF-16 into W\x00i\x00n\x00 strings that the content regexes could not match. Now BOM-aware (UTF-16 LE/BE + UTF-8 BOM detection).
Added (3 rules)
- ShareSiftKeepVncPasswordHex (Red) — TightVNC/UltraVNC "Password"=hex:... in .reg. Live-validated on HTB Cascade.
- ShareSiftKeepRegistryAutoLogonPassword (Red) — generalizes to DefaultPassword, AutoAdminLogon, EncMasterPassword (WinSCP), PortablePassword.
- ShareSiftKeepGitleaksHighConfidencePrefixes (Red) — Slack xox[bpe]-, GitHub gh[psuor]_ / github_pat_, Stripe live, Vault hvs., Shopify, Twilio, SendGrid, npm. Closes the modern-SaaS gap Snaffler upstream predates.
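The three fixes above chain into one pipeline: walk past a denied subdir, decode the .reg export as UTF-16LE, then run the content rules. The block below is an added example, not sharesift's own code: the share tree is a constructed in-memory dict (the Cascade-like layout, with made-up hex and passwords), AccessDenied stands in for impacket's STATUS_ACCESS_DENIED SessionError, the rule regexes are my approximations of the three named rules (the Gitleaks set is trimmed to Slack, GitHub, Stripe, Vault and npm with approximate lengths), and the BOM-less NUL-ratio fallback in extract_text goes beyond the BOM-only detection the changelog describes.

```python
import re
from dataclasses import dataclass, field

# --- Constructed sample contents (not real HTB data; hex bytes and passwords are made up) ---
# regedit writes .reg exports as UTF-16LE with a BOM, so build exactly that byte layout.
VNC_REG = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\TightVNC\\Server]\r\n"
    '"ExtraPorts"=""\r\n'
    '"Password"=hex:6b,cf,2a,4b,6e,5a,ca,0f\r\n'
).encode("utf-16-le")

# Older REGEDIT4-style exports are ANSI; this one carries an AutoLogon password.
WINLOGON_REG = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n"
    '"AutoAdminLogon"="1"\r\n'
    '"DefaultUserName"="svc_deploy"\r\n'
    '"DefaultPassword"="Winter2024!"\r\n'
).encode("ascii")

NOTES_TXT = b"slack bot token for ci: xoxb-123456789012-123456789012-AbCdEfGhIjKlMnOpQrStUvWx\n"

# Approximations of the three rules from this changelog (name -> (tier, regex)); not the real rule files.
RULES = {
    "ShareSiftKeepVncPasswordHex": ("Red", re.compile(
        r'^"Password"=hex:(?:[0-9a-f]{2},)+[0-9a-f]{2}', re.I | re.M)),
    "ShareSiftKeepRegistryAutoLogonPassword": ("Red", re.compile(
        r'^"(?:DefaultPassword|AutoAdminLogon|EncMasterPassword|PortablePassword)"="[^"]+"', re.M)),
    "ShareSiftKeepGitleaksHighConfidencePrefixes": ("Red", re.compile(
        r'\b(?:xox[bpe]-[0-9A-Za-z-]{20,}|gh[psuor]_[0-9A-Za-z]{36}|github_pat_[0-9A-Za-z_]{82}'
        r'|sk_live_[0-9A-Za-z]{24,}|hvs\.[0-9A-Za-z_-]{24,}|npm_[0-9A-Za-z]{36})')),
}


def extract_text(data: bytes) -> str:
    """BOM-aware decode so UTF-16 .reg exports no longer turn into W\\x00i\\x00n\\x00 soup."""
    if data.startswith(b"\xef\xbb\xbf"):
        return data[3:].decode("utf-8", errors="replace")
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le", errors="replace")
    if data.startswith(b"\xfe\xff"):
        return data[2:].decode("utf-16-be", errors="replace")
    # Assumption beyond the changelog: BOM-less UTF-16LE text has a NUL in most odd byte positions.
    if len(data) >= 4 and data[1::2].count(0) > len(data) // 4:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


class AccessDenied(Exception):
    """Stand-in for the STATUS_ACCESS_DENIED SessionError impacket raises on a denied listing."""


DENIED = object()  # marker for a directory the current user may not list

# Constructed share layout: Contractors/ is denied, IT/ is readable and holds the VNC export.
SHARE = {
    "Contractors": DENIED,
    "IT": {"Temp": {"s.smith": {"VNC Install.reg": VNC_REG}}, "notes.txt": NOTES_TXT},
    "Production": {"winlogon.reg": WINLOGON_REG},
}


def listdir(node):
    if node is DENIED:
        raise AccessDenied
    return list(node.items())


@dataclass
class Hit:
    path: str
    rule: str
    tier: str
    match: str


@dataclass
class WalkResult:
    hits: list = field(default_factory=list)
    skipped: list = field(default_factory=list)


def scan_file(path: str, data: bytes, result: WalkResult) -> None:
    text = extract_text(data)
    for rule, (tier, rx) in RULES.items():
        for m in rx.finditer(text):
            result.hits.append(Hit(path, rule, tier, m.group(0)))


def walk(node, path: str, result: WalkResult) -> WalkResult:
    try:
        entries = listdir(node)
    except AccessDenied:
        result.skipped.append(path)  # the old walker died here; now record the subtree and move on
        return result
    for name, child in entries:
        child_path = f"{path}\\{name}"
        if isinstance(child, bytes):
            scan_file(child_path, child, result)
        else:
            walk(child, child_path, result)
    return result


def hunt(share=SHARE, share_name="Data") -> WalkResult:
    return walk(share, share_name, WalkResult())


if __name__ == "__main__":
    r = hunt()
    for h in r.hits:
        print(f"[{h.tier}] {h.path}  {h.rule}  {h.match}")
    for s in r.skipped:
        print(f"[skipped] {s}")
```

The first directory in the tree is the denied one, so the run only produces the VNC hit if the walker really keeps going after the exception; decoding the same bytes with a plain UTF-8 decode leaves a NUL between every character and the "Password"=hex: rule never fires.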
Live-validated on HTB Cascade
sharesift hunt //10.129.13.58 -u r.thompson -p 'rY4n5eva':
- All 4 shares walked (was 2 before)
- Data\IT\Temp\s.smith\VNC Install.reg → Red with ShareSiftKeepVncPasswordHex
- SYSVOL went from crashed to 14 files, 5 tier-flagged
Tests
+19 tests. Full suite: 1458 passed, 29 skipped, 0 failed.