SOC Prime Bias: Critical

01 Jul 2026 09:43 UTC

SQL Brute Force Opens the Door to BlueSky Ransomware

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A threat actor used SEO poisoning to distribute BumbleBee malware through a trojanized ManageEngine OpManager installer. After gaining initial access, the attacker deployed AdaptixC2 for command-and-control, moved laterally through RDP and SSH tunneling, and exfiltrated more than 75 GB of sensitive data. The intrusion ended with deployment of Akira ransomware to encrypt domain infrastructure.

Investigation

Forensic analysis identified the initial infection vector as a lookalike domain, opmanager.pro, which served a malicious MSI installer. Investigators traced the execution chain from DLL sideloading of msimg32.dll to injection of AdaptixC2 shellcode into the Windows Address Book utility. Review of network telemetry and file system artifacts also revealed large-scale data exfiltration through FileZilla and use of reverse SSH tunnels to proxy RDP access.

Mitigation

Organizations should enforce strict web filtering to block newly registered or lookalike domains and monitor for suspicious DLL sideloading behavior. Limiting administrative privileges and detecting unauthorized creation of domain accounts or services is also critical. In addition, strong egress filtering and monitoring for unauthorized SSH or RDP tunneling can help prevent both lateral movement and data exfiltration.

Response

If this activity is detected, immediately isolate affected systems, especially domain controllers and backup servers, to stop further ransomware propagation. Terminate all unauthorized remote access sessions, including SSH tunnels and RustDesk instances. Perform a full credential reset for all domain accounts, with special attention to Enterprise Admins, and begin recovery using offline, immutable backups.

Attack Flow

Detections

  • Suspicious WMIC Usage (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Suspicious Powershell Shadowcopy Reference (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Possible Shadow Copies Deletion via WMI (via powershell) - SOC Prime Team, 01 Jul 2026
  • Suspicious Outbound Connection by Uncommon Process (via network_connection) - SOC Prime Team, 01 Jul 2026
  • DNS Request Performed By Uncommon Process (via dns_query) - SOC Prime Team, 01 Jul 2026
  • Suspicious SSH Port Forwarding [Windows] (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Possible System Enumeration (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Suspicious Domain Trusts Discovery (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Possible Credential Dumping Using Comsvcs.dll (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Suspicious PSQL Execution (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Suspicious Wbadmin Tool Activity (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Possible BYOVD – Bring Your Own Vulnerable Driver Attack (via audit) - SOC Prime Team, 01 Jul 2026
  • Possible Bits Transfer Activity (via powershell) - SOC Prime Team, 01 Jul 2026
  • Possible Execution by Use of Short Script Name (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Possible Powershell Script Containing Lolbin (via powershell) - SOC Prime Team, 01 Jul 2026
  • Remote Access / Management Software Service Creation (via system) - SOC Prime Team, 01 Jul 2026
  • Alternative Remote Access / Management Software (via process_creation) - SOC Prime Team, 01 Jul 2026
  • Possible Account or Group Enumeration / Manipulation (via cmdline) - SOC Prime Team, 01 Jul 2026
  • System Processes Execution from Untypical Paths (via process_creation) - SOC Prime Team, 01 Jul 2026
  • Possible Msiexec Executing Files In Uncommon Directory (via cmdline) - SOC Prime Team, 01 Jul 2026
  • Detect RustDesk and Akira Ransomware Activity [Windows System] - SOC Prime AI Rules, 01 Jul 2026
  • BumbleBee and AdaptixC2 Execution and Injection Detection [Windows Process Creation] - SOC Prime AI Rules, 01 Jul 2026

Executive Summary

  • Test Case ID: TC-20250522-K9L2P
  • TTPs: T1003.001, T1003.003, T1018, T1021.001, T1021.003, T1027.010, T1033, T1036, T1039, T1041, T1046, T1047, T1048.001, T1055, T1059.001, T1059.003, T1069.001, T1069.002, T1070.004, T1071.001, T1082, T1083, T1087.001, T1087.002, T1090, T1135, T1136, T1189, T1204.002, T1219, T1482, T1486, T1490, T1543.003, T1555, T1568.002, T1569.002, T1574.001
  • Detection Rule Logic Summary: The rule triggers if rustdesk.exe is spawned by services.exe or if locker.exe is executed with the command line containing “Volume Shadow Copies”.
  • Detection Rule Language/Format: yaml
  • Target Security Environment: Windows OS with Sysmon enabled, targeting a SIEM capable of processing Sysmon Event ID 1 (Process Creation) telemetry.
  • Resilience Score (1-5): 2
  • Justification: The rule relies heavily on specific, hardcoded filenames (rustdesk.exe and locker.exe). An adversary can easily bypass this by renaming their binaries. Furthermore, the Akira detection is limited to a specific string in the command line, which can be obfuscated.
  • Key Findings: The rule effectively detects “out-of-the-box” use of these tools but fails against any basic evasion technique such as binary renaming or command-line argument manipulation.
  • Recommendation: Pivot from filename-based detection to behavioral indicators, such as monitoring for unauthorized service installations, unexpected network connections from remote desktop tools, and the deletion of shadow copies via vssadmin or wmic regardless of the parent process name.
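As an added example (not SOC Prime's rule or code), the Python below runs the filename-based logic summarized in the Executive Summary beside the behavioural indicators the Recommendation calls for, over a handful of constructed Sysmon Event ID 1 records. The sample events, the regular expressions for shadow-copy deletion and the "unusual service child" heuristic are assumptions made for the illustration. It shows the point the Justification makes: renaming rustdesk.exe or locker.exe defeats the filename rule, while vssadmin, wmic and PowerShell WMI shadow-copy deletion is still caught by matching the command rather than the binary name; note also that the page's simulated string "/delete Volume Shadow Copies" is not a real deletion command, so it matches only the filename rule.

```python
import re

# Constructed Sysmon Event ID 1 records (field names follow Sysmon); not real telemetry.
SAMPLE_EVENTS = [
    # 0: RustDesk installed as a service, exactly as the filename rule expects
    {"Image": r"C:\Program Files\RustDesk\rustdesk.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\RustDesk\rustdesk.exe" --service'},
    # 1: the same tool renamed and dropped outside the usual program directories
    {"Image": r"C:\ProgramData\svc\update.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\ProgramData\svc\update.exe" --service'},
    # 2: the page's simulated locker.exe invocation (not a real deletion command)
    {"Image": r"C:\Users\Public\locker.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"locker.exe /delete Volume Shadow Copies"},
    # 3-5: shadow-copy deletion through vssadmin, wmic and PowerShell WMI
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Public\w.exe",
     "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\w.exe",
     "CommandLine": r"powershell -c Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    # 6: the benign baseline command from the pre-flight check
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell Get-ComputerInfo | Select-Object CsName, OsArchitecture"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def filename_rule(ev):
    """The rule logic as the page summarizes it: rustdesk.exe spawned by services.exe,
    or locker.exe with 'Volume Shadow Copies' in its command line."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    cmdline = ev["CommandLine"].lower()
    return (image == "rustdesk.exe" and parent == "services.exe") or \
           (image == "locker.exe" and "volume shadow copies" in cmdline)


# Behavioural indicators for T1490 (assumed patterns): match the command, not the binary name.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I),
]

# Directories from which a service-started executable is expected (assumption).
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files")


def shadow_copy_deletion(ev):
    """Fires on any process whose command line deletes shadow copies, whatever its name."""
    return any(p.search(ev["CommandLine"]) for p in SHADOW_DELETE_PATTERNS)


def unusual_service_child(ev):
    """Heuristic (assumption): services.exe starting an executable outside the standard
    program directories, which still catches a renamed remote-access tool run as a service."""
    image = ev["Image"].lower()
    return _basename(ev["ParentImage"]) == "services.exe" and \
           not image.startswith(STANDARD_DIRS)


def evaluate(events):
    """Run all three checks over a list of events and return one result dict per event."""
    return [{"filename": filename_rule(ev),
             "shadow_delete": shadow_copy_deletion(ev),
             "unusual_service_child": unusual_service_child(ev)} for ev in events]


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        flags = [name for name, hit in res.items() if hit] or ["no match"]
        print(f"{_basename(ev['Image']):<16} {', '.join(flags)}")
```

Event 1 (renamed RustDesk) and events 3 to 5 (real deletion commands) are invisible to the filename rule but caught by the behavioural checks; the benign baseline matches nothing, which is the false-positive condition the pre-flight check below asks for.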

## Simulation Environment & Context

  • TTPs Under Test:
    • T1003.001: OS Credential Dumping: LSASS Memory
    • T1059.001: Command and Scripting Interpreter: PowerShell
    • T1490: Inhibit System Recovery (Shadow Copy Deletion)
    • T1543.003: Create or Modify System Process: Windows Service
  • TTP Context & Relevance: The simulation aims to replicate the dual-threat profile: the use of RustDesk for persistent remote access (installed as a service) and the execution of Akira ransomware-style commands to inhibit system recovery by targeting Volume Shadow Copies.
  • Target Environment:
    • OS: Windows 10/11 or Windows Server
    • Logging: Sysmon (specifically Event ID 1: Process Creation)
    • Security Stack: SIEM (e.g., Splunk, Sentinel, or ELK)

## Telemetry & Baseline Pre-flight Check

Rationale: Before simulating the attack, we must confirm that the target host is configured to generate the necessary logs, that these logs are ingested by the SIEM, and that the detection rule does not fire on benign activity. Without this validation, any test outcome is unreliable.

  • 1. Telemetry Configuration Instructions:

      1. Install Sysmon on the target Windows machine.
      2. Apply a configuration file (e.g., SwiftOnSecurity’s config) that ensures Process Creation (Event ID 1) is captured with full Command Line arguments.
      3. Ensure the Sysmon event log is being forwarded to your SIEM via Winlogbeat, Splunk Universal Forwarder, or similar agent.
  • 2. Ingestion & Baseline Validation:

    • Action (Benign Telemetry): Run a standard PowerShell command to check system information, which generates process creation telemetry without triggering ransomware-related patterns.

      Get-ComputerInfo | Select-Object CsName, OsArchitecture
    • Validation Query (Ingestion):

      // KQL query to verify Sysmon Event ID 1 ingestion
      Sysmon | where EventID == 1 and Image contains "powershell.exe" | take 10
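As an added example that is not part of the original runbook, the following Python performs the telemetry half of the pre-flight check offline: it parses Sysmon events in the XML form the event log stores them in and confirms that every Event ID 1 record carries the Image, ParentImage and CommandLine fields the detection rule depends on. The three sample records are constructed; the second deliberately omits CommandLine, the situation a restrictive Sysmon configuration produces and which would make any test outcome unreliable.

```python
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Fields the rule summarized in the Executive Summary evaluates.
REQUIRED_FIELDS = ("Image", "ParentImage", "CommandLine")

# Constructed sample records in the XML shape Sysmon writes to the Windows event log.
SAMPLE_XML = [
    # 0: Event ID 1 with the full command line captured (the benign baseline command)
    r'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell Get-ComputerInfo | Select-Object CsName, OsArchitecture</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>''',
    # 1: Event ID 1 from a configuration that does not record the command line
    r'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>''',
    # 2: a network-connection event (Event ID 3), which this rule does not consume
    r'''<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>3</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="DestinationPort">443</Data>
  </EventData>
</Event>''',
]


def parse_sysmon_event(xml_text):
    """Return (event_id, {field name: value}) for one Sysmon event in XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", EVENT_NS).text)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return event_id, data


def preflight(xml_events):
    """Count Event ID 1 records and list those missing a field the rule needs.
    Returns (process_creation_count, [(record index, [missing fields]), ...])."""
    count, problems = 0, []
    for idx, xml_text in enumerate(xml_events):
        event_id, data = parse_sysmon_event(xml_text)
        if event_id != 1:
            continue
        count += 1
        missing = [field for field in REQUIRED_FIELDS if not data.get(field)]
        if missing:
            problems.append((idx, missing))
    return count, problems


if __name__ == "__main__":
    seen, problems = preflight(SAMPLE_XML)
    print(f"Event ID 1 records: {seen}")
    for idx, missing in problems:
        print(f"  record {idx} lacks {', '.join(missing)}; the rule cannot evaluate it")
```

In practice the input would be the records exported from the SIEM after running the benign PowerShell command; an empty problem list and a non-zero count are the conditions that let the simulation proceed.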

## Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary begins by establishing persistence and remote access using RustDesk. To mimic a service installation, the adversary will simulate the behavior where a service manager (services.exe) spawns the remote access binary. Following this, the adversary executes the Akira ransomware payload. The goal of this payload is to destroy system backups to prevent recovery; it does this by calling a binary named locker.exe with a specific command-line instruction to delete ‘Volume Shadow Copies’. This mimics the high-impact phase of an extortion attack.

  • Regression Test Script:

    # --- SIMULATION START ---
    # Part 1: Simulate RustDesk Service Execution
    # We simulate the behavior where services.exe spawns rustdesk.exe.
    # Since we cannot easily spoof the ParentProcessID of services.exe without kernel drivers,
    # this script only creates the file artifact; a tool such as Process Hacker or a real
    # service installation is needed to produce the matching parent/child telemetry.

    $rustdeskPath = "$env:TEMP\rustdesk.exe"
    New-Item -Path $rustdeskPath -ItemType File -Force | Out-Null
    Write-Host "[+] Created simulated RustDesk binary at $rustdeskPath"

    # Note: To trigger the EXACT 'ParentImage|endswith: services.exe' rule,
    # a real service installation is required.

    # Part 2: Simulate Akira Ransomware Activity
    # A zero-byte file cannot be started as a process, so it would never produce a
    # Sysmon Event ID 1. Copy a benign signed system binary under the name locker.exe
    # instead (assumption of this fix; the original script created an empty file).
    $lockerPath = "$env:TEMP\locker.exe"
    Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $lockerPath -Force
    Write-Host "[+] Created simulated Akira 'locker.exe' at $lockerPath"

    # Trigger the Akira detection logic: CommandLine contains 'Volume Shadow Copies'.
    # Start-Process ensures the command line is captured by Sysmon; '/c echo' makes the
    # copied cmd.exe print the string and exit instead of interpreting it as switches.
    Start-Process -FilePath $lockerPath -ArgumentList "/c echo /delete Volume Shadow Copies" -NoNewWindow -Wait

    Write-Host "[!] Simulation commands executed. Check SIEM for 'locker.exe' alerts."
    # --- SIMULATION END ---
  • Cleanup Commands:

    # --- CLEANUP START ---
    Remove-Item -Path "$env:TEMP\rustdesk.exe" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:TEMP\locker.exe" -Force -ErrorAction SilentlyContinue
    Write-Host "[+] Cleanup complete."
    # --- CLEANUP END ---