“to defend against. Key takeaways: - Effective playbooks are recycled. The core script, first seen years ago, is still being used today, proving that adversaries will not abandon a tool that works. - Playbooks evolve. The base script was augmented with newer PowerShell commands, …”
T1486 Data Encrypted for Impact (99%)
“The Commented Kill Chain: Why Old Ransomware Playbooks Never Die. During a ransomware intrusion, we encountered a script that was filled with clear comments for what each command and function did. It was immediately, jarringly out of place, as at Huntress we typically observe mal…”
T1112 Modify Registry (96%)
“to prevent any Early Launch Anti-Malware (ELAM) drivers from loading. This preemptively neuters a critical layer of protection before the main operating system even starts. This is complemented by disabling other low-level drivers like the Microsoft Security Filter Driver (…”
T1112 Modify Registry (96%)
“time protection, the script launches a volley of registry edits. These commands are not subtle; they directly target the policy settings for Defender's core engines, setting values like DisableAntiSpyware and DisableAntiVirus to effectively turn off the primary scanning and pr…”
T1486 Data Encrypted for Impact (94%)
“defences and removing volume shadow copies (which benefits ransomware by eradicating local ‘copies’ of files). Then they moved laterally to the domain controller. - The attacker’s intended finale was to detonate c:\temp\file.exe -n=15 -p=f — an executable with c…”
T1080 Taint Shared Content (92%)
“The Commented Kill Chain: Why Old Ransomware Playbooks Never Die. During a ransomware intrusion, we encountered a script that was filled with clear comments for what each command and function did. It was immediately, jarringly out of place, as at Huntress we typically observe mal…”
T1112 Modify Registry (85%)
“Next, with the section labeled rem disable wd tasks, the attacker cripples Defender's ability to maintain itself. By using schtasks to disable tasks for scheduled scans, cache maintenance, and cleanups, the script ensures that even if Defender wasn't fully disabled, it could …”
T1112 Modify Registry (85%)
“tactics focus on removing the visible traces of Microsoft Defender to maintain an illusion of normalcy. The first three commands are designed to remove the "Scan with Microsoft Defender" option that appears when a user right-clicks on a file, folder, or drive. This prevents a…”
T1486 Data Encrypted for Impact (82%)
“policies, is an enduring defense. Then it doesn’t matter how this attack is carried out (by a script, binary, interactive shell, etc.) — you can always detect it. By strengthening defenses against these common techniques, you’ll be able to prevent ransomware as we did in th…”
T1070 Indicator Removal (82%)
“tactics focus on removing the visible traces of Microsoft Defender to maintain an illusion of normalcy. The first three commands are designed to remove the "Scan with Microsoft Defender" option that appears when a user right-clicks on a file, folder, or drive. This prevents a…”
T1053.005 Scheduled Task (78%)
“Next, with the section labeled rem disable wd tasks, the attacker cripples Defender's ability to maintain itself. By using schtasks to disable tasks for scheduled scans, cache maintenance, and cleanups, the script ensures that even if Defender wasn't fully disabled, it could …”
T1686.003 Windows Host Firewall (72%)
“will rarely set them specifically to “Allow” (6) or to “NoAction” (9) — both of which mean that Defender will not try to contain any detected threat. This is an excellent indicator that is easy to monitor in several different data sources. Sigma rules: PowerShell Defende…”
“\Control\WMI\AutoLogger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f If Microsoft Defender is disabled legitimate…”
T1490 Inhibit System Recovery (59%)
“defences and removing volume shadow copies (which benefits ransomware by eradicating local ‘copies’ of files). Then they moved laterally to the domain controller. - The attacker’s intended finale was to detonate c:\temp\file.exe -n=15 -p=f — an executable with c…”
T1564.006 Run Virtual Instance (46%)
“defences and removing volume shadow copies (which benefits ransomware by eradicating local ‘copies’ of files). Then they moved laterally to the domain controller. - The attacker’s intended finale was to detonate c:\temp\file.exe -n=15 -p=f — an executable with c…”
T1685 Disable or Modify Tools (45%)
“malice. The most critical additions are: - Subversion of security controls. Where the old script simply turned Defender off, the new playbook uses Set-MpPreference to reprogram its logic. Setting the default action for high-severity threats to ‘6’ (Allow) tells the secur…”
T1053.005 Scheduled Task (43%)
“malice. The most critical additions are: - Subversion of security controls. Where the old script simply turned Defender off, the new playbook uses Set-MpPreference to reprogram its logic. Setting the default action for high-severity threats to ‘6’ (Allow) tells the secur…”
T1564.006 Run Virtual Instance (40%)
“The Commented Kill Chain: Why Old Ransomware Playbooks Never Die. During a ransomware intrusion, we encountered a script that was filled with clear comments for what each command and function did. It was immediately, jarringly out of place, as at Huntress we typically observe mal…”
T1685 Disable or Modify Tools (40%)
“time protection, the script launches a volley of registry edits. These commands are not subtle; they directly target the policy settings for Defender's core engines, setting values like DisableAntiSpyware and DisableAntiVirus to effectively turn off the primary scanning and pr…”
T1679 Selective Exclusion (35%)
“The Commented Kill Chain: Why Old Ransomware Playbooks Never Die. During a ransomware intrusion, we encountered a script that was filled with clear comments for what each command and function did. It was immediately, jarringly out of place, as at Huntress we typically observe mal…”
T1112 Modify Registry (33%)
“will rarely set them specifically to “Allow” (6) or to “NoAction” (9) — both of which mean that Defender will not try to contain any detected threat. This is an excellent indicator that is easy to monitor in several different data sources. Sigma rules: PowerShell Defende…”
T1685 Disable or Modify Tools (33%)
“time protections and EDR telemetry. A primary evolution is the direct assault on Microsoft Defender for Endpoint (MDE). While the original script focused on the standard Defender antivirus, newer attacks use commands like reg add "...Services\Sense" /v "Start" /d "4" …”
Summary
When a clearly commented script revealed an attacker's tactics, Huntress prevented encryption. Read on to learn more about the evolution of recycled ransomware playbooks used by multiple threat actors.