Uncovering Qilin attack methods exposed through multiple cases

MITRE Techniques

• [T1078 ] Valid Accounts – Attackers abused leaked administrative/VPN credentials to gain access: “…credentials had been exposed on the dark web… numerous NTLM authentication attempts were made against the VPN…”
• [T1133 ] External Remote Services – RDP and VPN access used for initial access and later lateral movement: “…RDP connections to the domain controller and the initially breached host.”
• [T1110 ] Brute Force / Password Spraying – Multiple NTLM authentication attempts against many VPN accounts suggest credential stuffing or spraying: “…numerous NTLM authentication attempts were made against the VPN, possibly using the leaked credentials.”
• [T1003 ] Credential Dumping – Use of Mimikatz and other utilities to extract credentials and saved passwords: “…launched Mimikatz… extracting saved passwords from Chrome’s SQLite database… harvesting credentials…”.
• [T1482 ] Domain Trust Discovery – Enumeration of domain controllers and domain users with nltest.exe and net.exe: “nltest /dclist: … net user /domain”.
• [T1018 ] Remote System Discovery – Use of netscan and tasklist to enumerate systems and processes: “…utilized the netscan tool for further reconnaissance… tasklist /FI ‘IMAGENAME eq explorer.exe’”.
• [T1087.002 ] Account Discovery – AD enumeration via PowerShell and Get-ADComputer/Get-ADUser to list computers and users: “Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName”.
• [T1033 ] System Owner/User Discovery – Execution of whoami to assess privileges: “C:WINDOWSsystem32whoami.exe /priv”.
• [T1057 ] Process Discovery – Enumerating active processes to identify targets: “tasklist /FI ‘IMAGENAME eq explorer.exe’ /FO CSV /NH”.
• [T1222.001 ] File and Directory Permissions Modification – Creation of wide-open shares and adding accounts to local admins: “net share c=c: /grant : everyone,full” and “net1 localgroup administrators /add”.
• [T1046 ] Network Service Discovery – Scanning and discovery of network services and hosts referenced by netscan and other reconnaissance commands: “…utilized the netscan tool for further reconnaissance.”‘
• [T1082 ] System Information Discovery – Use of Get-WinEvent -ListLog * and other commands to enumerate system logs and state: “Get-WinEvent -ListLog *”.
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – Extensive PowerShell usage for AD enumeration, event log clearing, vCenter manipulation, and payload execution: “Powershell -Command ServerManagerCmd.exe -i RSAT-AD-PowerShell …”.
• [T1048 ] Exfiltration Over C2 Channel – Stolen credentials and result.txt were exfiltrated to attacker-controlled SMTP and other C2 channels: “pars.vbs… sending stolen data to an external SMTP server”.
• [T1537 ] Transfer Data to Cloud Account – Abuse of Cyberduck to transfer archives to cloud storage (Backblaze): “Cyberduck history file indicates that a Backblaze host was specified as the destination”.
• [T1484.001 ] Group Policy Modification – Observed Group Policy changes enabling RDP in some incidents to facilitate access: “may have also used Group Policy (AD GPO) changes enabling RDP”.
• [T1021.001 ] Remote Desktop Protocol (RDP) – Use of RDP for remote interactions after VPN access: “RDP connections to the domain controller…”.
• [T1021.002 ] SMB/Windows Admin Shares – Lateral movement and spreading via SMB/admin shares and PsExec: “encryptor_1.exe spreads via PsExec across hosts”.
• [T1105 ] Ingress Tool Transfer – Tools like Mimikatz, SharpDecryptPwd, Cyberduck, and open-source utilities transferred to victim hosts: “a password-protected folder containing… mimikatz… and custom script files.”
• [T1562.001 ] Disable or Modify Tools – Attempts to disable AMSI, TLS validation and EDR to evade detection: “…disabling AMSI… disabling TLS certificate validation… traces of attempts to disable EDR…”.
• [T1070.001 ] Clear Windows Event Logs – Use of PowerShell to enumerate and clear event logs: “EventLogSession.GlobalSession.ClearLog() … to wipe them entirely.”‘
• [T1490 ] Inhibit System Recovery – Deletion of VSS snapshots and disabling VSS to prevent recovery: “vssadmin.exe Delete Shadows /all /quiet” and changing VSS to Manual/Disabled.
• [T1489 ] Service Stop – Stopping or targeting backup and related services to inhibit recovery: process and win_services_black_list includes many backup/database services to terminate before encryption.
• [T1486 ] Data Encrypted for Impact – Execution of Qilin encryptors to encrypt files and change wallpapers with ransom notes: “data has been compromised… Qilin ransomware creates a JPG… ransom note in each encrypted folder.”‘
• [TA0011 ] Command and Control – Use of Cobalt Strike Beacon and Malleable C2 over HTTPS to communicate with Team Server: “Cobalt Strike Beacon… using HTTPS over TCP port 443 to the Team Server (C2).”
• [T1112 ] Modify Registry – Registry modifications for persistence and configuration changes (WDigest, RDP, Run keys): “reg add HKLMSYSTEMCurrentControlSetControlSecurityProvidersWDigest /v UseLogonCredential /t REG_DWORD /f /d 1”.
• [T1053 ] Scheduled Task/Job – Creating a scheduled task “TVInstallRestore” to run at logon for persistence: “schtasks /Create /TN TVInstallRestore /TR … /SC ONLOGON”.
• [T1547.001 ] Registry Run Keys / Startup Folder – Adding ransomware executable to RUN key to persist across reboots: “HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun … .exe –password…”.