TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Looking Through a Pinhole at a Qilin Ransomware Attack

2025-10-22

ATT&CK techniques detected

11 predictions
T1219 Remote Access Tools
99%
“with a specific subset of the Windows Event Logs (WEL). From those logs, analysts could see that on 8 Oct 2025, the threat actor accessed the endpoint and installed the Total Software Deployment service, as well as a rogue instance of the ScreenConnect RMM, one that pointed to …”
T1486 Data Encrypted for Impact
97%
“The threat actor disabled Windows Defender at 2025-10-11 01:34:21 UTC, resulting in the Windows Defender status being reported as SECURITY_PRODUCT_STATE_SNOOZED. At 2025-10-11 03:34:56 UTC, the threat actor accessed the endpoint remotely, and then at 2025-…”
T1486 Data Encrypted for Impact
97%
“Huntress analysts were able to derive a great deal of information regarding the incident. The Qilin Incident: What We Started With. The Huntress agent was installed on a single endpoint following a Qilin ransomware infection. What does that mean from the perspective of an analyst…”
T1486 Data Encrypted for Impact
88%
“, meaning that while the ransomware logistics is managed from a central location, each affiliate likely follows a different attack pattern, leaving behind different traces and artifacts. For example, a number of Qilin incidents observed by Huntress analysts have started with the …”
T1021.001 Remote Desktop Protocol
75%
“, meaning that while the ransomware logistics is managed from a central location, each affiliate likely follows a different attack pattern, leaving behind different traces and artifacts. For example, a number of Qilin incidents observed by Huntress analysts have started with the …”
T1486 Data Encrypted for Impact
71%
“Looking Through a Pinhole at a Qilin Ransomware Attack. A big part of a security analyst’s everyday role is figuring out what actually happened during an incident. We can do that by piecing together breadcrumbs – whether that’s through logs, antivirus detections, and other clu…”
T1021.001 Remote Desktop Protocol
56%
“Windows Defender for review, and no other action was taken after that event. Pivoting from the ScreenConnect installation to ScreenConnect activity events within the timeline of activity, analysts saw that on 11 Oct, three files were transferred to the endpoint via the ScreenConn…”
T1080 Taint Shared Content
52%
“Huntress analysts were able to derive a great deal of information regarding the incident. The Qilin Incident: What We Started With. The Huntress agent was installed on a single endpoint following a Qilin ransomware infection. What does that mean from the perspective of an analyst…”
T1204.002 Malicious File
40%
“Defender had entered a SECURITY_PRODUCT_STATE_SNOOZED state. The threat actor then attempted to launch s.exe, which was almost immediately followed by the message “installer failed” in the PCA logs. Based on the identified VirusTotal detections shown in Figure 3, and the…”
T1059.001 PowerShell
35%
“event in $xml.Event) { # Create custom object for event data New-Object PSObject -Property @{ TimeCreated = (Get-Date ($event.System.TimeCreated.SystemTime) -Format 'yyyy-MM-dd HH:mm:ss K') User = $event.UserData.EventXML.Param1 Domain = $event.U…”
T1218 System Binary Proxy Execution
32%
“Defender had entered a SECURITY_PRODUCT_STATE_SNOOZED state. The threat actor then attempted to launch s.exe, which was almost immediately followed by the message “installer failed” in the PCA logs. Based on the identified VirusTotal detections shown in Figure 3, and the…”

Summary

Incident analysis is critical, but for newcomers, it can be daunting. Learn how to confirm commands, validate findings, and spot real impact during a Qilin ransomware event.