In this intrusion, the threat actors operated in the environment over an 11-day dwell period.
The intrusion began with a password-protected zip file containing an ISO file, which we assess with medium to high confidence, based on other reports, arrived via an email that included a link to download the zip file.
The execution phase started with that password-protected zip: after extraction it presented the user with an ISO file, which, when double-clicked, mounts on Windows like a CD or external media device and shows the user a single file named "documents" (a LNK shortcut) in the directory.
When the user double-clicks or opens the LNK file, they inadvertently start a hidden file in the same directory, a DLL (namr.dll) containing the Bumblebee malware loader.
From there, the loader reached out to the Bumblebee C2 server.
At first, things remained fairly quiet, with only C2 communications, until around three hours later, when Bumblebee dropped a Cobalt Strike beacon named wab.exe on the beachhead host.
This Cobalt Strike beacon was subsequently executed and then proceeded to inject into various other processes on the host (explorer.exe, rundll32.exe).
From these injected processes, the threat actors began discovery tasks using Windows utilities like ping and tasklist.
Four hours after initial access, the threat actor started their first lateral movement using RDP to pivot to a server using the local Administrator account.
The threat actor then deployed Anydesk, which was the only observed persistence mechanism used during the intrusion.
The threat actor then started Active Directory mapping using AdFind.
After this activity, the threat actors went silent.
Then, the next day, they accessed the server via RDP and deployed a bespoke tool, VulnRecon, designed to identify local privilege escalation paths on a Windows host.
The tool appeared to be still under development as several command options were not yet implemented.
The next check-in from the threat actors occurred on the 4th day, when they again ran VulnRecon, this time from the beachhead host instead of the server.
AdFind was used again as well.
Next, the threat actor transferred the Sysinternals tool Procdump over SMB to the ProgramData folder on multiple hosts in the environment.
They then used remote services to execute Procdump, which was used to dump LSASS.
At this point, the actors appeared to be searching for more access than they currently had.
While they were able to move laterally to workstations and at least one server, it seemed that they had not yet taken control of an account that provided them the access they were seeking, likely a Domain Administrator or similarly highly privileged account.
After that activity, the threat actors then disappeared until the 7th day, at which time they accessed the server via Anydesk.
Again, they executed VulnRecon and then also executed Seatbelt, a red team tool for performing various host-based discovery tasks.
On the final day of the intrusion, the 11th day since the initial entry by the threat actor, they appeared to be preparing to act on final objectives.
The threat actors used PowerShell to download and execute a new Cobalt Strike PowerShell beacon in memory on the beachhead host.
After injecting into various processes on the host, the threat actors executed the PowerShell script Invoke-Kerberoast.
Next, they used yet another technique to dump LSASS on the beachhead host, this time using a built-in Windows DLL, comsvcs.dll.
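The two LSASS dumping techniques described above (Procdump staged in ProgramData and run against lsass, and comsvcs.dll invoked through rundll32) leave a recognisable footprint in process-creation telemetry. The following detection pass is an added example, not part of the original report: it runs over constructed Sysmon-style process-creation events (the host names, users, paths and PIDs are invented samples) and labels the events that match either technique, noting when the tool was launched from ProgramData as seen in this intrusion.

```python
import re

# Constructed sample events, modelled on Sysmon Event ID 1 (process creation) fields.
EVENTS = [
    {"host": "SRV01", "user": "CORP\\svc01",
     "image": "C:\\ProgramData\\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\ProgramData\\l.dmp"},
    {"host": "WKS07", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 612 C:\\ProgramData\\o.dmp full"},
    {"host": "WKS07", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},          # benign rundll32 use
    {"host": "SRV01", "user": "CORP\\admin",
     "image": "C:\\Tools\\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma myapp.exe C:\\Temp\\app.dmp"},  # legitimate admin dump
]

PROCDUMP_IMAGES = {"procdump.exe", "procdump64.exe"}
LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.I)
# comsvcs.dll's MiniDump export is the LSASS-dump path; any call to it is worth an alert.
COMSVCS_RE = re.compile(r"comsvcs\.dll.*\bminidump\b", re.I)

def classify(event):
    """Return a technique label for an LSASS-dump event, or None if nothing matched."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if image in PROCDUMP_IMAGES and LSASS_RE.search(cmd):
        return "lsass_dump_procdump"
    if image == "rundll32.exe" and COMSVCS_RE.search(cmd):
        return "lsass_dump_comsvcs"
    return None

def scan(events):
    """Produce one alert per matching event, flagging tools staged in ProgramData."""
    alerts = []
    for e in events:
        label = classify(e)
        if label is None:
            continue
        staged = "\\programdata\\" in e["image"].lower()
        alerts.append({"host": e["host"], "user": e["user"], "technique": label,
                       "staged_in_programdata": staged})
    return alerts

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```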
AdFind was run for a third time in the network, and then two batch scripts were dropped and run.
These batch scripts were used to identify all online servers and workstations in the environment, which is often a precursor to ransomware deployment, as it builds the target list for that deployment.
After the scripts ran, a new Cobalt Strike executable beacon was run on the beachhead.
Next, the threat actors used a service account to execute a Cobalt Strike beacon remotely on a Domain Controller.
This service account was most likely cracked offline after being kerberoasted earlier in the intrusion.
The threat actors were then evicted from the environment before any final actions could be taken.
Based on the level of access and the discovery activity from the final day, the likely final action would have been a domain-wide ransomware deployment.