SQL Brute Force Opens the Door to BlueSky Ransomware
Summary
A threat actor used SEO poisoning to distribute BumbleBee malware through a trojanized ManageEngine OpManager installer. After gaining initial access, the attacker deployed AdaptixC2 for command-and-control, moved laterally through RDP and SSH tunneling, and exfiltrated more than 75 GB of sensitive data. The intrusion ended with deployment of Akira ransomware to encrypt domain infrastructure.
Investigation
Forensic analysis identified the initial infection vector as a lookalike domain, opmanager.pro, which served a malicious MSI installer. Investigators traced the execution chain from DLL sideloading of msimg32.dll to injection of AdaptixC2 shellcode into the Windows Address Book utility. Review of network telemetry and file system artifacts also revealed large-scale data exfiltration through FileZilla and use of reverse SSH tunnels to proxy RDP access.
Mitigation
Organizations should enforce strict web filtering to block newly registered or lookalike domains and monitor for suspicious DLL sideloading behavior. Limiting administrative privileges and detecting unauthorized creation of domain accounts or services is also critical. In addition, strong egress filtering and monitoring for unauthorized SSH or RDP tunneling can help prevent both lateral movement and data exfiltration.
Response
If this activity is detected, immediately isolate affected systems, especially domain controllers and backup servers, to stop further ransomware propagation. Terminate all unauthorized remote access sessions, including SSH tunnels and RustDesk instances. Perform a full credential reset for all domain accounts, with special attention to Enterprise Admins, and begin recovery using offline, immutable backups.
Attack Flow
Detections
- Suspicious WMIC Usage (via cmdline)
- Suspicious Powershell Shadowcopy Reference (via cmdline)
- Possible Shadow Copies Deletion via WMI (via powershell)
- Suspicious Outbound Connection by Uncommon Process (via network_connection)
- DNS Request Performed By Uncommon Process (via dns_query)
- Suspicious SSH Port Forwarding [Windows] (via cmdline)
- Possible System Enumeration (via cmdline)
- Suspicious Domain Trusts Discovery (via cmdline)
- Possible Credential Dumping Using Comsvcs.dll (via cmdline)
- Suspicious PSQL Execution (via cmdline)
- Suspicious Wbadmin Tool Activity (via cmdline)
- Possible BYOVD – Bring Your Own Vulnerable Driver Attack (via audit)
- Possible Bits Transfer Activity (via powershell)
- Possible Execution by Use of Short Script Name (via cmdline)
- Possible Powershell Script Containing Lolbin (via powershell)
- Remote Access / Management Software Service Creation (via system)
- Alternative Remote Access / Management Software (via process_creation)
- Possible Account or Group Enumeration / Manipulation (via cmdline)
- System Processes Execution from Untypical Paths (via process_creation)
- Possible Msiexec Executing Files In Uncommon Directory (via cmdline)
- Detect RustDesk and Akira Ransomware Activity [Windows System]
- BumbleBee and AdaptixC2 Execution and Injection Detection [Windows Process Creation]
Executive Summary
- Test Case ID: TC-20250522-K9L2P
- TTPs: T1003.001, T1003.003, T1018, T1021.001, T1021.003, T1027.010, T1033, T1036, T1039, T1041, T1046, T1047, T1048.001, T1055, T1059.001, T1059.003, T1069.001, T1069.002, T1070.004, T1071.001, T1082, T1083, T1087.001, T1087.002, T1090, T1135, T1136, T1189, T1204.002, T1219, T1482, T1486, T1490, T1543.003, T1555, T1568.002, T1569.002, T1574.001
- Detection Rule Logic Summary: The rule triggers if `rustdesk.exe` is spawned by `services.exe` or if `locker.exe` is executed with a command line containing "Volume Shadow Copies".
- Detection Rule Language/Format: yaml
- Target Security Environment: Windows OS with Sysmon enabled, targeting a SIEM capable of processing Sysmon Event ID 1 (Process Creation) telemetry.
- Resilience Score (1-5): 2
- Justification: The rule relies heavily on specific, hardcoded filenames (`rustdesk.exe` and `locker.exe`). An adversary can easily bypass this by renaming their binaries. Furthermore, the Akira detection is limited to a specific string in the command line, which can be obfuscated.
- Key Findings: The rule effectively detects "out-of-the-box" use of these tools but fails against any basic evasion technique such as binary renaming or command-line argument manipulation.
- Recommendation: Pivot from filename-based detection to behavioral indicators, such as monitoring for unauthorized service installations, unexpected network connections from remote desktop tools, and the deletion of shadow copies via `vssadmin` or `wmic` regardless of the parent process name.
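To make the resilience argument concrete, the following added example (not part of the original report or its rule set) re-implements the summarised filename-based rule in Python and runs it, side by side with a behavioral rule for shadow-copy destruction, over a handful of constructed Sysmon Event ID 1 records. The event contents, the renamed-binary names and the regular expressions are all assumptions written for this illustration; the behavioral rule covers only the shadow-copy half of the recommendation (the service-installation and network-connection indicators for remote tools are not modelled here).

```python
"""Compare a filename-based rule with a behavioral shadow-copy-deletion rule
over constructed Sysmon Event ID 1 (process creation) records."""
import re

# Constructed Sysmon Event ID 1 records (not real telemetry); only the fields
# the two rules consult are included.
EVENTS = [
    {"id": 1, "Image": r"C:\ProgramData\RustDesk\rustdesk.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\ProgramData\RustDesk\rustdesk.exe" --service'},
    {"id": 2, "Image": r"C:\ProgramData\Updater\svc_update.exe",   # RustDesk renamed (evasion)
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\ProgramData\Updater\svc_update.exe" --service'},
    {"id": 3, "Image": r"C:\Users\Public\locker.exe",              # the page's simulated payload
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"locker.exe /delete Volume Shadow Copies"},
    {"id": 4, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\Public\w.exe",                      # renamed encryptor as parent
     "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
    {"id": 5, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Public\w.exe",
     "CommandLine": r"powershell -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"id": 6, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin.exe list shadows"},                 # benign administrator check
    {"id": 7, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic shadowcopy delete"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def filename_rule(ev):
    """Re-implementation of the summarised rule: rustdesk.exe spawned by
    services.exe, or locker.exe with 'Volume Shadow Copies' on the command line."""
    img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cl = ev["CommandLine"].lower()
    return (img == "rustdesk.exe" and parent == "services.exe") or \
           (img == "locker.exe" and "volume shadow copies" in cl)


# Behavioral patterns for shadow-copy destruction. They key on what the command
# does, not on which image or parent runs it, so renaming the encryptor does not help.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))", re.I),
]


def behavioral_rule(ev):
    """True when the command line performs shadow-copy deletion, whatever the binary is named."""
    return any(p.search(ev["CommandLine"]) for p in SHADOW_DELETE_PATTERNS)


def evaluate(events=EVENTS):
    """Map event id -> (filename_rule hit, behavioral_rule hit)."""
    return {ev["id"]: (filename_rule(ev), behavioral_rule(ev)) for ev in events}


if __name__ == "__main__":
    for eid, (by_name, by_behavior) in evaluate().items():
        print(f"event {eid}: filename_rule={by_name} behavioral_rule={by_behavior}")
```

Event 2 is the bypass the justification describes: the same service-spawned binary under another name produces no hit from the filename rule. Events 4, 5 and 7 are where the behavioral rule earns its keep, while event 6 (`vssadmin list shadows`) shows it stays quiet on routine administration. Event 3 also shows the trade-off in the other direction: the page's artificial `locker.exe /delete Volume Shadow Copies` command line matches nothing a real shadow-copy deletion would look like, which is why a test harness should also emit the genuine `vssadmin`/`wmic`/WMI variants.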
## Simulation Environment & Context
- TTPs Under Test:
- T1003.001: OS Credential Dumping: LSASS Memory
- T1059.001: Command and Scripting Interpreter: PowerShell
- T1490: Inhibit System Recovery (Shadow Copy Deletion)
- T1543.003: Create or Modify System Process: Windows Service
- TTP Context & Relevance: The simulation aims to replicate the dual-threat profile: the use of RustDesk for persistent remote access (installed as a service) and the execution of Akira ransomware-style commands to inhibit system recovery by targeting Volume Shadow Copies.
- Target Environment:
- OS: Windows 10/11 or Windows Server
- Logging: Sysmon (specifically Event ID 1: Process Creation)
- Security Stack: SIEM (e.g., Splunk, Sentinel, or ELK)
## Telemetry & Baseline Pre-flight Check
Rationale: Before simulating the attack, we must confirm that the target host is configured to generate the necessary logs, that these logs are ingested by the SIEM, and that the detection rule does not fire on benign activity. Without this validation, any test outcome is unreliable.
1. Telemetry Configuration Instructions:
   - Install Sysmon on the target Windows machine.
   - Apply a configuration file (e.g., SwiftOnSecurity's config) that ensures Process Creation (Event ID 1) is captured with full command-line arguments.
   - Ensure the Sysmon event log is being forwarded to your SIEM via Winlogbeat, Splunk Universal Forwarder, or a similar agent.
2. Ingestion & Baseline Validation:
   - Action (Benign Telemetry): Run a standard PowerShell command to check system information, which generates process creation telemetry without triggering ransomware-related patterns.

     ```powershell
     Get-ComputerInfo | Select-Object CsName, OsArchitecture
     ```

   - Validation Query (Ingestion):

     ```kql
     // KQL query to verify Sysmon Event ID 1 ingestion
     Sysmon
     | where EventID == 1 and Image contains "powershell.exe"
     | take 10
     ```
## Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary begins by establishing persistence and remote access using RustDesk. To mimic a service installation, the adversary will simulate the behavior where a service manager (`services.exe`) spawns the remote access binary. Following this, the adversary executes the Akira ransomware payload. The goal of this payload is to destroy system backups to prevent recovery; it does this by calling a binary named `locker.exe` with a specific command-line instruction to delete 'Volume Shadow Copies'. This mimics the high-impact phase of an extortion attack.
- Regression Test Script:

  ```powershell
  # --- SIMULATION START ---
  # Part 1: Simulate RustDesk Service Execution
  # We simulate the behavior where services.exe spawns rustdesk.exe.
  # Since we cannot easily spoof the ParentProcessID of services.exe without kernel drivers,
  # this script only creates the file artifact. To trigger the EXACT
  # 'ParentImage|endswith: services.exe' condition, a real service installation is required.
  $rustdeskPath = "$env:TEMP\rustdesk.exe"
  New-Item -Path $rustdeskPath -ItemType File -Force | Out-Null
  Write-Host "[+] Creating simulated RustDesk binary at $rustdeskPath"

  # Part 2: Simulate Akira Ransomware Activity
  # A zero-byte file cannot be started ("not a valid Win32 application") and would
  # generate no Sysmon Event ID 1, so the placeholder is a copy of cmd.exe under the
  # simulated name. '/c echo' makes it exit at once while keeping the
  # 'Volume Shadow Copies' string on the recorded command line.
  $lockerPath = "$env:TEMP\locker.exe"
  Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $lockerPath -Force
  Write-Host "[+] Creating simulated Akira 'locker.exe' at $lockerPath"

  # Triggering the Akira detection logic via CommandLine contains 'Volume Shadow Copies'
  # We use Start-Process to ensure the command line is captured by Sysmon
  Start-Process -FilePath $lockerPath -ArgumentList "/c echo /delete Volume Shadow Copies" -NoNewWindow -Wait
  Write-Host "[!] Simulation commands executed. Check SIEM for 'locker.exe' alerts."
  # --- SIMULATION END ---
  ```

- Cleanup Commands:

  ```powershell
  # --- CLEANUP START ---
  Remove-Item -Path "$env:TEMP\rustdesk.exe" -Force -ErrorAction SilentlyContinue
  Remove-Item -Path "$env:TEMP\locker.exe" -Force -ErrorAction SilentlyContinue
  Write-Host "[+] Cleanup complete."
  # --- CLEANUP END ---
  ```