Forensic Investigation Reconstructs Qilin Ransomware Attack with Limited Data

A recent investigation into a Qilin ransomware attack demonstrated how security analysts can reconstruct an incident even with severely limited visibility. The Huntress team was brought in after the compromise, and their agent was installed on only a single endpoint, after the attack had already occurred. This left no pre-compromise EDR telemetry, SIEM data, or triggered ransomware canaries, offering only a "pinhole" view of the event.

Analysts began by examining Managed Antivirus alerts and Windows Event Logs, which revealed the initial access. The threat actor had installed a rogue instance of the ScreenConnect remote management tool on October 8th, pointing to a malicious IP address. Using this access, the attacker transferred three files to the endpoint: a PowerShell script (r.ps1) and two executables (s.exe and ss.exe).

The PowerShell script was designed to harvest RDP connection data but failed to execute due to the system's script execution policy. The two executables also failed to run, a detail uncovered by analyzing Program Compatibility Assistant logs and the AmCache.hve file. Prior to these attempts, the attacker had disabled Windows Defender, though the security software was later re-enabled and detected the creation of ransom notes.

The investigation concluded that the ransomware payload itself was likely launched from a different machine on the network, targeting shared drives. This case highlights that by correlating multiple data sources—even from a single endpoint—analysts can validate findings and build an accurate attack timeline. This method prevents jumping to conclusions based on a single artifact and provides a solid foundation for incident response and remediation, despite starting with a severely restricted view.
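The correlation approach the piece describes, as an added example that is not Huntress code or tooling from the write-up: records from several on-host sources (Windows Event Log, Managed AV alerts, Program Compatibility Assistant logs, AmCache) are normalised into one shape, merged into a single timeline, and each subject is scored by how many independent sources mention it. The record shape, timestamps, paths, source labels and event names are all constructed for this example; the "launch attempted but no execution record" heuristic is a simplification chosen here, since the write-up does not spell out the exact artefact logic.

```python
"""Merge single-endpoint artefacts into one timeline and count how many
independent sources corroborate each finding.

Added example, not code from the write-up or from Huntress. Every record
below is constructed sample data in a simplified, normalised shape
(source, UTC time, event, subject). Real EVTX, PCA and AmCache parsers
would emit records of this shape; none are implemented here.
"""
from collections import defaultdict
from datetime import datetime

# Constructed records. Source names mirror the artefact types named in the
# write-up; times, paths and event labels are placeholders, not real IoCs.
RECORDS = [
    # Event Log: Defender real-time protection turned off (constructed)
    ("EventLog", "2024-10-08T14:02:11", "defender_disabled", "Windows Defender"),
    # Event Log and Managed AV both see the rogue RMM install (constructed)
    ("EventLog", "2024-10-08T14:05:40", "rmm_installed", "ScreenConnect Client"),
    ("ManagedAV", "2024-10-08T14:05:42", "rmm_installed", "ScreenConnect Client"),
    # AmCache: the RMM client did run (constructed)
    ("AmCache", "2024-10-08T14:05:41", "executed", "ScreenConnect Client"),
    # Event Log: three files dropped via the RMM session (constructed)
    ("EventLog", "2024-10-08T14:10:03", "file_written", "C:\\Users\\Public\\r.ps1"),
    ("EventLog", "2024-10-08T14:10:05", "file_written", "C:\\Users\\Public\\s.exe"),
    ("EventLog", "2024-10-08T14:10:06", "file_written", "C:\\Users\\Public\\ss.exe"),
    # PCA: launches attempted; no matching AmCache "executed" record exists (constructed)
    ("PCA", "2024-10-08T14:11:30", "launch_attempted", "C:\\Users\\Public\\s.exe"),
    ("PCA", "2024-10-08T14:11:48", "launch_attempted", "C:\\Users\\Public\\ss.exe"),
    # Defender back on, then Managed AV flags a ransom note on a share (constructed)
    ("EventLog", "2024-10-08T16:40:00", "defender_enabled", "Windows Defender"),
    ("ManagedAV", "2024-10-08T16:41:12", "ransom_note_detected",
     "\\\\fileserver\\share\\README-RECOVER.txt"),
]


def build_timeline(records):
    """Parse timestamps and return (time, source, event, subject) sorted by time."""
    parsed = [(datetime.fromisoformat(t), src, ev, subj) for src, t, ev, subj in records]
    return sorted(parsed)


def corroboration(records):
    """Map each subject to the set of distinct sources that mention it.

    A subject seen by two or more independent artefacts is a validated
    finding; a subject seen by one source alone is a lead to check further.
    """
    seen = defaultdict(set)
    for src, _t, _ev, subj in records:
        seen[subj].add(src)
    return seen


def failed_executions(records):
    """Subjects with a PCA launch attempt but no AmCache execution record.

    Simplified heuristic for this example only; real AmCache and PCA
    interpretation needs more context than a presence/absence check.
    """
    attempted = {subj for _s, _t, ev, subj in records if ev == "launch_attempted"}
    executed = {subj for _s, _t, ev, subj in records if ev == "executed"}
    return sorted(attempted - executed)


def defender_gap(records):
    """Return (disabled_at, re_enabled_at) for the window Defender was off, or None."""
    timeline = build_timeline(records)
    off = next((t for t, _s, ev, _x in timeline if ev == "defender_disabled"), None)
    if off is None:
        return None
    on = next((t for t, _s, ev, _x in timeline if ev == "defender_enabled" and t > off), None)
    return (off, on) if on is not None else None


def events_during_gap(records):
    """Everything that happened while Defender was disabled: the blind spot to scrutinise."""
    gap = defender_gap(records)
    if gap is None:
        return []
    off, on = gap
    return [row for row in build_timeline(records) if off < row[0] < on]


if __name__ == "__main__":
    for t, src, ev, subj in build_timeline(RECORDS):
        print(f"{t.isoformat()}  {src:<9} {ev:<21} {subj}")
    print("\nCorroboration (sources per subject):")
    for subj, srcs in corroboration(RECORDS).items():
        print(f"  {len(srcs)}x  {subj}  <- {', '.join(sorted(srcs))}")
    print("\nAttempted but never executed:", failed_executions(RECORDS))
    print("Events inside the Defender-off window:", len(events_during_gap(RECORDS)))
```

The point of the `corroboration` map is the one the article makes: the rogue RMM install is backed by three artefact types, so it stands as a finding, while anything resting on a single source is treated as a lead rather than a conclusion.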
