## https://sploitus.com/exploit?id=525ABF6E-6448-5819-BA34-D23560BCA54B
# **Incident Investigation Report**
**Case Title:** WSUS Exploitation and Velociraptor-Assisted LockBit Ransomware Attempt
**Analyst: Kennedy Aikohi**
**Date:** 6 January 2026
**Environment:** Enterprise Windows Active Directory Domain
**Incident Timeframe:** 17 November 2025
**Primary Impact:** Domain controller compromise, confirmed data exfiltration, and partial
ransomware deployment
## **Executive Summary**
This investigation documents a financially motivated ransomware intrusion that progressed through a complete attack lifecycle, beginning with the exploitation of a recently disclosed Windows Server Update Services (WSUS) vulnerability (CVE-2025-59287) and culminating in ransomware deployment consistent with LockBit tradecraft.
The threat actor gained initial access by exploiting a vulnerable WSUS instance hosted in the DMZ. Successful exploitation resulted in immediate SYSTEM-level remote code execution, enabling the attacker to deploy secondary tooling, establish persistent command-and-control (C2), and pivot laterally into the internal Active Directory environment.
Following internal reconnaissance and credential manipulation, sensitive data was staged and exfiltrated from the domain controller. The attacker subsequently attempted to deploy ransomware across compromised systems. Although encryption was only partially successful, the activity confirmed malicious intent and demonstrated full domain compromise capability.
Analysis was conducted using Splunk, Sysmon telemetry, Suricata network logs, and static malware analysis techniques.
## **Environment Overview**
The affected environment consisted of a segmented enterprise Windows network comprising:
- A DMZ subnet hosting externally reachable infrastructure
- An internal Active Directory domain containing user workstations and a domain controller
- WSUS configured for internal update distribution
- Centralized logging via Splunk (Windows Security, Sysmon, and network telemetry)
## **Key Network Segments**
โข **DMZ:** 10.10.3.0/24
โข **Internal Network:** 10.10.11.0/24
### **Primary Systems Impacted**
- **WSUS-SERVER-01** Initial access, staging, and persistence
- **DC01** Domain compromise and data exfiltration
- **WKSTN-01** Ransomware execution attempt
## **Attack Timeline Overview**
| Phase | Date & Time (UTC) | Activity |
|----------------------|-------------------|----------------------------------------|
| Initial Access | 17 Nov 2025 | Exploitation of CVE-2025-59287 on WSUS |
| Execution | 17 Nov 2025 | SYSTEM-level command execution |
| C2 Establishment | 17 Nov 2025 | Velociraptor deployment |
| Discovery | 17 Nov 2025 | Internal network and service scanning |
| Lateral Movement | 17 Nov 2025 22:29 | First command executed on DC01 |
| Privilege Escalation | 17 Nov 2025 22:35 | Domain password modification |
| Internal Pivot | 17 Nov 2025 22:52 | First logon to WKSTN-01 |
| Exfiltration | 17 Nov 2025 | 262 files exfiltrated |
| Impact | 17 Nov 2025 | LockBit ransomware deployment |
## **Investigation Findings**
## **Initial Access via WSUS Vulnerability**
### **MITRE ATT&CK Techniques:**
- T1190 Exploit Public-Facing Application
- T1068 Exploitation for Privilege Escalation
The attacker gained initial access to **WSUS-SERVER-01** by exploiting CVE-2025-59287, a critical WSUS vulnerability disclosed in November 2025. Successful exploitation enabled remote code execution on the server.
As part of post-exploitation validation, one of the first commands executed by the attacker was **whoami**, a common reconnaissance step used to determine the current security context. Process execution telemetry confirms that whoami.exe was launched by powershell.exe and executed under the **NT AUTHORITY\SYSTEM** account. This confirms that the attacker achieved SYSTEM-level privileges immediately upon exploitation.

This level of access represents a full compromise of the WSUS server and significantly elevated organizational risk. The compromised update infrastructure subsequently facilitated lateral movement toward the domain controller, underscoring the broader impact of the vulnerability.
### **Command and Control via Velociraptor**
### **MITRE ATT&CK Techniques:**
- T1105 Ingress Tool Transfer
- T1219 Remote Access Software
Following exploitation, the attacker installed **Velociraptor** using setup\_velo\_client.exe, registering it as a Windows service running under the **NT AUTHORITY\SYSTEM** context. Once active, Velociraptor functioned as a command-andcontrol (C2) agent, issuing Base64-encoded PowerShell commands to conduct system reconnaissance, domain discovery, network scanning, and payload retrieval.

Analysis confirmed this activity by decoding one of the encoded PowerShell payloads, which explicitly demonstrated Velociraptor being used to receive tasking and execute commands. The use of a legitimate DFIR framework allowed the attacker to blend malicious activity into routine administrative operations, significantly reducing the likelihood of detection.
## **Internal Discovery and Network Scanning**
#### **MITRE ATT&CK Techniques:**
- T1018 Remote System Discovery
- T1046 Network Service Discovery
Following initial access, the attacker conducted internal network reconnaissance using encoded PowerShell commands executed via the Velociraptor service. Initial discovery activity performed ICMP-based host enumeration across two /24 subnets by iterating thirdoctet values (10 and 11), dynamically constructing IP addresses in the 10.10.X.0/24 address space.

This confirmed scanning of the following network segments:
- 10.10.10.0/24
- 10.10.11.0/24

Subsequent reconnaissance expanded to targeted TCP port scanning against identified hosts. The attacker explicitly enumerated common Active Directory service ports (88, 389, 445, 3389) and additionally probed port **8530**, the default WSUS HTTP port. The inclusion of port 8530 demonstrates WSUS-aware reconnaissance and indicates deliberate identification of patch management infrastructure in preparation for follow-on exploitation and lateral movement.

### **Persistence Mechanisms**
#### **MITRE ATT&CK Techniques:**
- T1136.001 Create Account: Local Account
- T1543.003 Create or Modify System Process: Windows Service
The attacker established persistence by decoding and executing Velociraptor-delivered PowerShell payloads. One decoded payload created a local account named **guestuser** and added it to the **Remote Desktop Users** group, enabling continued interactive access.

Persistence was further reinforced through abuse of a legitimate Windows service configured to repeatedly download and execute the attacker's payload at a fixed **600 second (10-minute)** interval. This execution frequency was empirically derived by calculating time deltas between successive Velociraptor-related PowerShell executions.

Subsequent RDP activity to WSUS-SERVER-01 occurred within the same execution window. Time-based correlation confirmed that the session originated from **3.120.140.221**, indicating direct operator interaction following persistence establishment.

### **Lateral Movement via WSUS Trust Abuse**
### **MITRE ATT&CK Technique:**
โข T1210 โ Exploitation of Remote Services
The attacker deployed a custom lateral movement tool on WSUS-SERVER-01 with the argument:
hxxp[://]10[.]10[.]11[.]61:8530

This abused WSUS trust relationships to pivot into the internal network. Upon gaining access to **DC01**, the attacker executed the whoami command, confirming successful control and precisely marking the moment lateral movement was achieved. The first confirmed command execution on DC01 occurred on **17 November 2025 at 22:29 UTC**.

## **Privilege Escalation and Credential Abuse**
### **MITRE ATT&CK Technique:**
โข T1098 โ Account Manipulation
Using native Windows account management functionality, the attacker reset a domain user's password on **17 November 2025 at 22:35 UTC**, as evidenced by Security Event ID **4724**. This allowed the attacker to assume control of a legitimate domain account.

The compromised credentials were subsequently used to pivot from the DMZ into the internal network. The first successful logon to **WKSTN-01** occurred at **22:52 UTC**, confirmed by Security Event ID **4624**, marking successful lateral movement into an internal workstation.

### **Data Exfiltration**
#### **MITRE ATT&CK Technique:**
โข T1048.003 โ Exfiltration Over Unencrypted Non-C2 Protocol
Suricata network logs revealed that **DC01** successfully transferred **262 files** to an attackercontrolled server. The traffic primarily used **HTTP PUT** requests to non-standard ports (e.g., port 4000), indicating deliberate data exfiltration over an unencrypted protocol outside the primary C2 channel.

This behavior aligns with T1048.003, where adversaries exfiltrate data using unencrypted protocols such as HTTP or FTP. The use of HTTP PUT to a remote IP demonstrates a deliberate attempt to bypass standard monitoring controls and steal sensitive data from the internal network.

## **Impact Analysis โ Ransomware Deployment**
### **MITRE ATT&CK Technique:**
โข T1486 โ Data Encrypted for Impact
In the final stage of the intrusion, Velociraptor delivered and executed a LockBit ransomware payload across compromised systems. The ransomware used **AES-256** for file encryption and **RSA-2048** for key protection. Encrypted files were appended with the extension:
#### .xlockxlock

Encryption was partially unsuccessful. On **WKSTN-01**, the first file that failed encryption was auxbase.xml, suggesting execution instability or partial defensive interference.
According to Cisco Talos, ransomware using the .xlockxlock extension corresponds to **LockBit 3.0**, confirming the variant involved. This confirms that Velociraptor served as the primary execution vector for ransomware and most post-exploitation activity, consistent with "hands-off" tradecraft observed in Gold/Salem campaigns.

## **MITRE ATT&CK Summary**
| Tactic | Technique | Description |
|----------------------|-----------|---------------------------------------|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059.001 | PowerShell |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Persistence | T1136.001 | Local Account Creation |
| Persistence | T1543.003 | Windows Service |
| Command & Control | T1219 | Remote Access Software |
| Discovery | T1018 | Remote System Discovery |
| Lateral Movement | T1210 | Exploitation of Remote Services |
| Credential Access | T1098 | Account Manipulation |
| Exfiltration | T1048.003 | Unencrypted Exfiltration |
| Impact | T1486 | Data Encrypted for Impact |
## **Alignment with Real-World Threat Activity**
This intrusion closely aligns with ransomware campaigns observed between 2024 and 2025, including:
โข WSUS abuse for trusted code execution and lateral movement
- Weaponization of Velociraptor for stealthy C2
- Living-off-the-land techniques using native Windows tooling
- LockBit-style double-extortion tactics (exfiltration prior to encryption)
## **Conclusion**
This incident represents a mature, hands-on-keyboard ransomware intrusion leveraging a newly disclosed infrastructure vulnerability and trusted administrative tooling. The attacker demonstrated strong operational discipline, effective privilege escalation, and full domain compromise capability.
The exploitation of WSUS and abuse of Velociraptor underscore the evolving threat landscape, where legitimate enterprise tools are increasingly weaponized to evade detection and maximize impact.
## **Recommendations**
- Patch and monitor WSUS infrastructure immediately upon CVE disclosure
- Restrict WSUS network exposure and enforce strict access controls
- Monitor for unauthorized Velociraptor deployments
- Detect abnormal service creation and scheduled execution patterns
- Enhance lateral movement detection between DMZ and internal networks
- Monitor outbound traffic originating from domain controllers
- Deploy behavior-based ransomware detection and response mechanisms