Hunting off the Red Banner

Hunting Qilin Ransomware
Detection Beyond Traditional IOCs


Executive Summary

While many ransomware operations announce themselves within hours of compromise, Qilin ransomware has elevated operational stealth to an art form, often dwelling within victim networks for extended periods before striking. Operating under a Ransomware-as-a-Service model since 2022, Qilin has emerged as one of the most prolific and sophisticated threats in 2025, publishing details of more than 40 victims per month with sustained operational tempo that shows no signs of slowing.


Think of Qilin affiliates as methodical safe crackers rather than smash-and-grab thieves. Just as in Ocean's Eleven where the real work happened long before the vault was breached, Qilin operators spend days conducting reconnaissance, harvesting credentials, and establishing persistence mechanisms before deploying encryption payloads. This patience, combined with abuse of legitimate administrative tools that security teams trust implicitly, makes detection extraordinarily challenging.


The business impact extends far beyond immediate ransom demands. Organizations targeted by Qilin face complete Active Directory domain rebuilds, enterprise-wide password resets, extended operational downtime, and the double-extortion threat of public data exposure on their leak site. Manufacturing remains the most heavily impacted sector at 23% of all cases, followed by professional and scientific services at 18%, and wholesale trade at 10%. Critical infrastructure sectors including healthcare, construction, retail, education, and finance each account for approximately 5% of incidents. The financial toll encompasses not only ransom payments but also incident response costs, regulatory fines under frameworks like GDPR and HIPAA, business interruption losses, and long-term reputation damage as victim details remain publicly posted on Qilin's leak site indefinitely.


What makes Qilin particularly concerning from a detection perspective is the group's innovative abuse of mundane Windows utilities that security teams rarely monitor as threats. Recent Cisco Talos incident response investigations revealed Qilin affiliates leveraging mspaint.exe and notepad.exe to manually review sensitive files during reconnaissance phases, combined with the open-source Cyberduck file transfer utility to exfiltrate data to legitimate cloud storage providers like Backblaze. This technique effectively camouflages malicious data movement within trusted application traffic that many security controls are configured to allow.


Organizations must shift detection strategies from signature-based approaches toward behavioral analytics that identify anomalous patterns across identity, endpoint, and network telemetry domains. Given the complexity of Qilin's multi-stage attack chain and the sophisticated evasion techniques employed, organizations lacking mature threat hunting capabilities may benefit from engaging specialized threat hunting services to establish behavioral detection baselines and validate existing security control effectiveness before a compromise occurs.


Hunting Controls & Observations

Defensive teams should pivot from endpoint telemetry to correlate identity and network signals across the entire attack chain. Qilin operators demonstrate sophisticated understanding of security monitoring blind spots, requiring defenders to establish visibility across multiple control planes simultaneously.

  • Endpoint (EDR/AV): Monitor process execution chains showing scripting interpreters spawned from unexpected parent processes, particularly PowerShell version 1.0 which lacks modern logging capabilities and is frequently abused by Qilin affiliates to evade script block logging and AMSI protections.
  • Identity/IAM: Track authentication patterns indicating lateral movement across multiple systems using compromised VPN credentials or RDP connections to domain controllers, especially where multi-factor authentication is not enforced or has been disabled through Group Policy modifications.
  • Email Security & Proxy Logs: Examine outbound connections to cloud storage providers including Backblaze, particularly from non-standard user accounts or during off-hours timeframes when legitimate business operations are unlikely.
  • Firewall / NetFlow: Analyze egress traffic patterns showing large data transfers to external cloud endpoints, combined with unusual RDP port usage across internal network segments that may indicate lateral movement between compromised systems.
  • Cloud Audit Logs: Review authentication logs for access to cloud storage buckets or file transfer services from corporate IP ranges, particularly when upload patterns show multipart transfers of large archive files that may contain exfiltrated sensitive data.
  • Operating System Logs: Focus on Windows Security Event IDs 4624 (account logon), 4672 (special privileges assigned), 4698 (scheduled task creation), and 4688 (process creation) to identify privilege escalation attempts and persistence mechanism establishment.
  • Registry Audit Logs: Monitor for modifications to the WDigest registry key setting UseLogonCredential to value 1, which forces Windows to store plaintext credentials in memory that can be extracted by tools like Mimikatz.
  • Remote Access Logs: Track installation and usage of multiple Remote Monitoring and Management tools including AnyDesk, Chrome Remote Desktop, Distant Desktop, GoToDesk, QuickAssist, ScreenConnect, and TeamViewer that Qilin operators deploy for redundant access channels.

Behavioral Indicators of Attack

Behavioral indicators of the attack include the following observations:

  • PowerShell version 1.0 processes executing from unexpected parent processes, particularly when combined with encoded command-line parameters or AMSI bypass techniques that disable security monitoring capabilities.
  • Legitimate Windows utilities including mspaint.exe, notepad.exe, and iexplore.exe opening files containing sensitive data patterns such as financial records, intellectual property, or personally identifiable information during reconnaissance phases.
  • Scheduled tasks or AutoRun registry entries created referencing temporary directories or user profile paths, configured to execute ransomware payloads upon system reboot to ensure persistence until encryption completes.
  • Multiple Remote Monitoring and Management applications installed simultaneously on endpoints that previously had no remote access tools, providing attackers with redundant command and control channels.
  • Credential harvesting tools including Mimikatz, NirSoft password recovery utilities, and custom scripts deployed from password-protected archive files to extract authentication credentials from browsers, RDP sessions, and Windows memory.
  • Registry modifications enabling WDigest plaintext credential storage combined with SeDebugPrivilege escalation and LSASS memory access patterns characteristic of credential dumping operations.
  • Cyberduck file transfer utility history files showing connections to Backblaze or other cloud storage providers with multipart upload configurations enabled for transferring large compressed archives of stolen data.
  • Group Policy changes enabling Remote Desktop Protocol across domain-joined systems combined with Restricted Admin mode activation that facilitates lateral movement without leaving credentials on target systems.
  • EDR or antivirus processes terminated through tools like dark-kill or HRSword, followed by PowerShell commands disabling AMSI and turning off TLS certificate validation to evade security controls.
  • Windows Event Logs cleared and Volume Shadow Copy Service snapshots deleted immediately before ransomware execution to prevent recovery and forensic analysis of the attack chain.
  • PsExec or similar lateral movement tools distributing ransomware executables to multiple hosts simultaneously, combined with separate encryptors targeting network shares and Cluster Shared Volumes.

MITRE Enterprise ATT&CK Tactics and Techniques

The Qilin ransomware attack chain aligns with multiple tactics and techniques within the MITRE ATT&CK Enterprise Matrix. Understanding these mappings enables security teams to prioritize detection engineering efforts and validate control coverage across the attack lifecycle.

  • Initial Access (T1133 – External Remote Services): Adversaries leverage compromised VPN credentials obtained from dark web credential marketplaces or previous breaches to establish initial network access, particularly targeting organizations without multi-factor authentication enforcement.
  • Execution (T1059.001 – PowerShell): Attackers abuse PowerShell version 1.0, a deprecated interpreter from 2006 that lacks script block logging, transcription capabilities, and AMSI integration, enabling execution of malicious commands while evading modern security telemetry.
  • Persistence (T1053.005 – Scheduled Task/Job): Operators create scheduled tasks and AutoRun registry entries that trigger ransomware payloads upon system reboot, ensuring encryption completes even if initial execution is interrupted or systems are restarted during response operations.
  • Privilege Escalation (T1134 – Access Token Manipulation): Adversaries manipulate access tokens and enable SeDebugPrivilege to gain elevated permissions necessary for credential dumping, process injection, and system-level modifications required for successful ransomware deployment.
  • Defense Evasion (T1562.001 – Impair Defenses: Disable or Modify Tools): Attackers terminate EDR processes, disable Windows Defender, clear event logs, and modify registry keys to impair security monitoring throughout the attack chain, using tools like dark-kill and HRSword combined with PowerShell-based AMSI bypass techniques.
  • Credential Access (T1003.001 – OS Credential Dumping: LSASS Memory): Operators deploy Mimikatz and similar tools to extract credentials from LSASS memory after modifying WDigest registry settings to force plaintext credential storage, enabling collection of authentication material for lateral movement.
  • Discovery (T1082 – System Information Discovery): Adversaries enumerate hostnames, domain users, groups, privileges, and network topology using built-in Windows utilities and custom scripts to map the target environment and identify high-value systems for encryption.
  • Lateral Movement (T1021.001 – Remote Desktop Protocol): Attackers leverage stolen credentials combined with Group Policy modifications enabling RDP across domain systems to move laterally throughout the environment, installing remote access tools and staging ransomware payloads.
  • Collection (T1005 – Data from Local System): Operators manually review files using legitimate Windows applications including mspaint.exe and notepad.exe to identify sensitive information worth exfiltrating before encryption, focusing on financial data, intellectual property, and confidential business records.
  • Exfiltration (T1567.002 – Exfiltration to Cloud Storage): Adversaries abuse the legitimate Cyberduck file transfer utility to upload compressed archives of stolen data to cloud storage providers like Backblaze, disguising malicious exfiltration as normal business traffic to cloud services.
  • Impact (T1486 – Data Encrypted for Impact): Attackers deploy dual ransomware encryptors using PsExec for lateral deployment across endpoints while targeting network shares and Cluster Shared Volumes, maximizing encryption scope while deleting shadow copies to prevent recovery.

Controls' Observables

Organizations can observe these attack behaviors across multiple control points in their security architecture. Understanding where each phase of the Qilin attack chain generates telemetry enables security teams to validate detection coverage and identify gaps requiring remediation.

Endpoint Controls

  • Endpoint Detection and Response platforms capture process execution chains revealing PowerShell version 1.0 invocation from unusual parent processes, combined with command-line parameters indicating encoded payloads or AMSI bypass attempts.
  • Sysmon Event ID 1 (Process Creation) logs show mspaint.exe and notepad.exe opening files with sensitive data classifications, providing visibility into manual reconnaissance activities that traditional security tools may not flag as malicious.
  • Sysmon Event ID 7 (Image Load) events track DLL loading patterns associated with credential theft tools like Mimikatz, particularly when non-standard processes load security-related libraries such as lsasrv.dll or wdigest.dll.
  • Sysmon Event ID 10 (Process Access) captures LSASS memory access attempts following registry modifications enabling WDigest plaintext credential storage, indicating credential dumping operations in progress.
  • Sysmon Event ID 13 (Registry Value Set) monitors modifications to AutoRun keys and WDigest settings that enable persistence mechanisms and credential extraction capabilities required for sustained compromise.
  • Application Control logs from AppLocker or Windows Defender Application Control reveal unauthorized execution of remote access tools including AnyDesk, ScreenConnect, and Chrome Remote Desktop that Qilin operators deploy for redundant command channels.
  • PowerShell operational logs show invocation of deprecated PowerShell version 1.0 which circumvents modern logging features including script block logging, module logging, and transcription that defenders rely upon for PowerShell visibility.

Network Controls

  • Firewall logs capture outbound connections to cloud storage providers including Backblaze during unusual timeframes, particularly when connection volumes suggest large data transfers inconsistent with normal business operations.
  • Network IDS/IPS signatures detect lateral RDP connections between internal systems that lack business justification, especially when preceded by authentication events indicating compromised credential usage.
  • NetFlow data from network switches reveals traffic volume anomalies showing large outbound transfers to external cloud endpoints, combined with connection patterns suggesting multipart file uploads characteristic of Cyberduck exfiltration.
  • SSL/TLS inspection logs identify certificate validation errors or disabled certificate checks that attackers configure to facilitate command and control communications and data exfiltration to attacker-controlled infrastructure.
  • DNS query logs show resolution requests for cloud storage provider domains including Backblaze from internal endpoints that typically do not access these services, potentially indicating compromise and data exfiltration preparation.
  • Proxy server logs record HTTP/HTTPS connections to file transfer and cloud storage services, providing visibility into upload operations that may represent data exfiltration disguised within legitimate web traffic.

Identity & Access Controls

  • Windows Security Event ID 4624 (successful logon) combined with Event ID 4672 (special privileges assigned) indicates privilege escalation attempts where attackers leverage stolen credentials to obtain administrative access required for ransomware deployment.
  • Windows Security Event ID 4698 (scheduled task created) reveals persistence mechanisms established by Qilin operators to ensure ransomware execution continues even after system reboots during the encryption phase.
  • Windows Security Event ID 4657 (registry value modified) captures changes to WDigest UseLogonCredential settings and AutoRun registry keys that enable credential theft and persistence capabilities.
  • Windows Security Event ID 4688 (process creation) logs with command-line auditing enabled expose PowerShell version 1.0 execution, encoded commands, and credential harvesting tool invocation throughout the attack chain.
  • Active Directory audit logs track Group Policy modifications enabling RDP across domain systems and disabling security features, providing early warning of environment-wide changes that facilitate lateral movement.
  • VPN authentication logs reveal successful authentications using compromised credentials from unusual geographic locations or at atypical times, particularly when multi-factor authentication prompts were not completed or have been bypassed.
  • Privileged Access Management system logs show suspicious usage patterns of administrative accounts, including simultaneous logons from multiple systems or access to sensitive resources inconsistent with normal administrative duties.

Cloud & SaaS

  • Cloud storage provider access logs from services like Backblaze reveal upload activity from corporate IP ranges during timeframes inconsistent with normal business operations, particularly when transfer patterns show multipart uploads of large archive files.
  • Cloud-native security tools including AWS GuardDuty, Azure Defender, and GCP Security Command Center detect anomalous API calls or data exfiltration patterns targeting cloud storage buckets from compromised on-premises systems.
  • SaaS application audit logs from platforms like Microsoft 365 or Google Workspace identify unauthorized access to sensitive documents or bulk download operations that may indicate reconnaissance and data collection phases.
  • Identity Provider logs from systems like Okta or Azure AD show authentication patterns suggesting compromised credentials being used to access cloud resources, particularly when combined with impossible travel scenarios or unusual user agent strings.

Application & Service Logs

  • File server audit logs track access to network shares and Cluster Shared Volumes immediately before encryption operations, revealing which systems and data repositories attackers prioritized for ransomware deployment.
  • Database audit logs from SQL Server, Oracle, or PostgreSQL show unauthorized access attempts or bulk data queries that may represent reconnaissance of sensitive information stored in structured data repositories.
  • Email gateway logs identify suspicious outbound email patterns that could indicate data exfiltration or lateral phishing attempts using compromised internal accounts to expand access within the organization.
  • Remote access solution logs from TeamViewer, AnyDesk, and similar RMM tools reveal installation and usage patterns inconsistent with authorized remote support activities, indicating attacker-deployed command and control channels.
  • Backup system logs show deletion or modification of backup files and shadow copies immediately before ransomware execution, a common precursor activity that prevents recovery operations and increases pressure for ransom payment.

Insights and Recommendations

The Qilin ransomware campaign demonstrates a critical evolution in adversary tradecraft where attackers increasingly abuse legitimate administrative tools and deprecated system components to evade detection. The innovative use of mspaint.exe and notepad.exe for reconnaissance combined with PowerShell version 1.0 to bypass modern logging capabilities reveals a sophisticated understanding of security monitoring blind spots. Most concerning is the abuse of Cyberduck for data exfiltration, which disguises malicious activity within trusted cloud storage traffic that security controls typically allow without scrutiny.


Organizations must prioritize behavioral analytics that correlate identity, endpoint, and network telemetry to detect this multi-stage attack chain. Critical defensive priorities include enforcing multi-factor authentication across all remote access points including VPN concentrators, implementing application control policies that block deprecated PowerShell versions and unauthorized remote access tools, and establishing baseline monitoring for legitimate utilities like mspaint.exe and notepad.exe accessing sensitive data. Security teams should deploy detection logic that identifies anomalous outbound cloud storage connections, particularly multipart uploads to providers like Backblaze from endpoints that do not typically interact with these services. Network segmentation limiting lateral RDP movement and privileged access management restricting administrative credential usage provide essential containment capabilities when initial compromise occurs.


Without improved detection coverage for identity-based attacks and legitimate tool abuse, organizations face extended dwell times potentially measured in weeks rather than days, significantly increasing the scope of data exfiltration and the complexity of remediation efforts. The requirement for complete Active Directory rebuilds and enterprise-wide password resets following Qilin incidents underscores the catastrophic operational impact when attackers achieve domain-level persistence before detection occurs.


Sources and Credits

This summary is based on threat intelligence from multiple sources:

Additional context was synthesized from Darktrace's analysis of Qilin Ransomware-as-a-Service operations and various cybersecurity news sources reporting on the group's activities throughout 2025.


Threat Hunting IOCs & Queries

This section contains known Indicators of Compromise and threat hunting queries for both Splunk (SPL) and Microsoft Log Analytics/Sentinel (KQL). These queries translate the behavioral indicators described above into actionable detection logic.


Known Indicators of Compromise

The following IOCs have been identified from the threat intelligence and can be used for threat hunting:

  • File Paths:
    %TEMP%\password-protected archive folders containing credential theft tools
    Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest (UseLogonCredential = 1)
    AutoRun registry entries in Software\Microsoft\Windows\CurrentVersion\Run
    Cyberduck configuration and history files in user AppData directories
  • Process Names:
    powershell.exe (specifically version 1.0)
    mspaint.exe (when accessing sensitive file types)
    notepad.exe (when accessing sensitive file types)
    Cyberduck.exe or CyberDuck-Cli.exe
    dark-kill.exe (EDR termination tool)
    HRSword.exe (security software disabling tool)
    Mimikatz or variations (credential dumping)
    NirSoft utilities (WebBrowserPassView.exe, etc.)
  • Scheduled Task Names:
    Tasks created referencing temporary directories or user profile paths
    Tasks configured to execute at system startup or user logon
    Tasks with silent execution flags and hidden windows
  • Cloud Storage Indicators:
    Connections to Backblaze API endpoints (api.backblazeb2.com)
    Multipart upload operations configured in Cyberduck history files
    Large archive file uploads (compressed .zip, .7z, .rar formats)
  • Network Indicators:
    RDP connections on non-standard ports
    Lateral SMB connections followed by LSASS memory access
    Outbound connections to cloud storage providers from non-standard endpoints

Threat Hunting Queries

The following queries translate behavioral indicators into detection logic for common SIEM platforms. Each query includes context, tuning guidance, and expected false positive rates.

Query 1: PowerShell 1.0 Execution with Encoded Commands

  • Behavior Targeted: PowerShell version 1.0 executing encoded commands to evade script block logging and AMSI protections
  • MITRE ATT&CK: T1059.001 – PowerShell
  • Expected Results: Process creation events where PowerShell version 1.0 was invoked with encoded command parameters, potentially indicating obfuscated malicious payloads
  • False Positive Likelihood: Low – PowerShell 1.0 is deprecated since 2006 and legitimate use cases are extremely rare in modern environments
  • Tuning Guidance: Investigate all matches as high priority. Legitimate PowerShell automation should use modern versions (5.1 or 7.x). If false positives occur from legacy management scripts, whitelist by file hash rather than path. Pay special attention to PowerShell 1.0 spawned from unexpected parent processes like WMI, scheduled tasks, or Office applications.

Splunk (SPL)

// Detect PowerShell version 1.0 execution with encoded commands
// Tuning: Extremely rare false positives - investigate all matches
// Time Range: Last 24 hours (extend to 7 days for historical hunting)

index=windows sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(EventCode=4688 OR EventCode=1)
| rex field=CommandLine "(?i)powershell.*-version\s+1"
| search CommandLine="*-enc*" OR CommandLine="*-encodedcommand*" OR CommandLine="*-e *"
| eval ps_version=if(match(CommandLine,"(?i)-version\s+1"),"1.0","Other")
| where ps_version="1.0"
| stats count, 
        earliest(_time) as first_seen, 
        latest(_time) as last_seen,
        values(ParentProcessName) as parent_processes,
        values(User) as users
    by ComputerName, ProcessName, CommandLine
| convert ctime(first_seen) ctime(last_seen)
| eval dwell_time=tostring(last_seen-first_seen,"duration")
| sort -count
| table first_seen, last_seen, ComputerName, User, ProcessName, parent_processes, CommandLine, count, dwell_time

Microsoft Defender/Sentinel (KQL)

// Detect PowerShell version 1.0 execution with encoded commands
// Data Tables: DeviceProcessEvents
// Tuning: All matches warrant investigation - PS 1.0 should not exist in modern environments
// Time Range: Last 24 hours (extend to 7 days for retrospective hunting)

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-version 1", "/version 1")
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "-e ")
| extend PSVersion = iff(ProcessCommandLine has_cs "-version 1" or ProcessCommandLine has_cs "/version 1", "1.0", "Other")
| where PSVersion == "1.0"
| summarize Count=count(),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp),
            Devices=make_set(DeviceName),
            Users=make_set(AccountName),
            ParentProcesses=make_set(InitiatingProcessFileName)
    by ProcessCommandLine, FileName
| extend DwellTimeDays = datetime_diff('day', LastSeen, FirstSeen)
| project-reorder FirstSeen, LastSeen, DwellTimeDays, ProcessCommandLine, Count, Devices, Users, ParentProcesses
| order by Count desc

Query 2: Legitimate Windows Utilities Accessing Sensitive Files

  • Behavior Targeted: MSPaint, Notepad, or Internet Explorer opening files containing sensitive data patterns during reconnaissance activities
  • MITRE ATT&CK: T1005 – Data from Local System
  • Expected Results: File access events showing mspaint.exe, notepad.exe, or iexplore.exe opening documents with sensitive data classifications or containing keywords like "financial", "confidential", "salary", "credentials"
  • False Positive Likelihood: Medium – Legitimate users may occasionally open sensitive files with these tools, but patterns showing systematic access to multiple sensitive files warrant investigation
  • Tuning Guidance: Adjust sensitive keyword list based on your organization's data classification policies. Exclude known administrative accounts that legitimately review sensitive files. Focus on volume-based anomalies where these utilities access an unusually high number of sensitive files within short timeframes. Correlate with other suspicious behaviors like credential access or unusual process execution.

Splunk (SPL)

// Detect legitimate Windows utilities accessing sensitive files
// Tuning: Customize sensitive_keywords based on data classification policies
// Time Range: Last 7 days for pattern analysis

index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
(Image="*\\mspaint.exe" OR Image="*\\notepad.exe" OR Image="*\\iexplore.exe")
| rex field=TargetFilename "(?[^\\\\]+)$"
| eval sensitive_keywords="financial|confidential|salary|ssn|credit|password|credential|secret|private|proprietary|intellectual"
| where match(filename, sensitive_keywords) OR match(TargetFilename, sensitive_keywords)
| stats count,
        values(TargetFilename) as files_accessed,
        dc(TargetFilename) as unique_files,
        earliest(_time) as first_access,
        latest(_time) as last_access
    by ComputerName, User, Image
| where unique_files > 3
| convert ctime(first_access) ctime(last_access)
| eval suspicious_score=case(
    unique_files>10, "High",
    unique_files>5, "Medium",
    1=1, "Low")
| sort -unique_files
| table first_access, last_access, ComputerName, User, Image, unique_files, count, suspicious_score

Microsoft Defender/Sentinel (KQL)

// Detect legitimate Windows utilities accessing sensitive files
// Data Tables: DeviceFileEvents
// Tuning: Exclude known-good admin accounts; adjust sensitive pattern matching
// Time Range: Last 7 days for behavioral pattern detection

let SensitivePatterns = dynamic(["financial", "confidential", "salary", "ssn", "credit", 
                                  "password", "credential", "secret", "private", "proprietary"]);
let TargetProcesses = dynamic(["mspaint.exe", "notepad.exe", "iexplore.exe"]);
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified", "FileOpened")
| where InitiatingProcessFileName in~ (TargetProcesses)
| where FileName has_any (SensitivePatterns) or FolderPath has_any (SensitivePatterns)
| summarize FileCount=count(),
            UniqueFiles=dcount(FileName),
            FirstAccess=min(Timestamp),
            LastAccess=max(Timestamp),
            FilesAccessed=make_set(FileName, 10)
    by DeviceName, AccountName, InitiatingProcessFileName
| where UniqueFiles > 3  // Threshold: accessing more than 3 sensitive files
| extend SuspiciousScore = case(
    UniqueFiles > 10, "High",
    UniqueFiles > 5, "Medium",
    "Low")
| extend TimeSpanHours = datetime_diff('hour', LastAccess, FirstAccess)
| project-reorder FirstAccess, LastAccess, TimeSpanHours, DeviceName, AccountName, 
                   InitiatingProcessFileName, UniqueFiles, FileCount, SuspiciousScore
| order by UniqueFiles desc

Query 3: WDigest Registry Modification for Plaintext Credential Storage

  • Behavior Targeted: Registry modifications enabling WDigest plaintext credential storage to facilitate Mimikatz credential dumping
  • MITRE ATT&CK: T1003.001 – OS Credential Dumping: LSASS Memory
  • Expected Results: Registry modification events setting UseLogonCredential to value 1 in the WDigest security provider configuration, which forces Windows to store plaintext passwords in memory
  • False Positive Likelihood: Very Low – This configuration should never be enabled in modern secure environments and represents a clear indicator of credential theft preparation
  • Tuning Guidance: Investigate all matches immediately as critical security incidents. This modification has no legitimate use case in modern Windows environments and directly precedes credential dumping operations. Correlate with subsequent LSASS process access attempts and Mimikatz execution. Consider implementing Group Policy to enforce UseLogonCredential=0 across all systems to prevent this modification.

Splunk (SPL)

// Detect WDigest registry modification enabling plaintext credential storage
// Tuning: All matches are critical - no legitimate use case exists
// Time Range: Last 30 days (this is rare but critical when it occurs)

index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
TargetObject="*\\WDigest\\UseLogonCredential"
Details="DWORD (0x00000001)"
| eval severity="CRITICAL"
| eval description="WDigest plaintext credential storage enabled - precursor to credential dumping"
| stats count,
        earliest(_time) as first_seen,
        latest(_time) as last_seen,
        values(ProcessId) as process_ids,
        values(Image) as modifying_processes
    by ComputerName, User, TargetObject, Details
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, ComputerName, User, modifying_processes, TargetObject, Details, count, severity, description
| sort first_seen

Microsoft Defender/Sentinel (KQL)

// Detect WDigest registry modification enabling plaintext credential storage
// Data Tables: DeviceRegistryEvents
// Tuning: Zero tolerance - all matches require immediate incident response
// Time Range: Last 30 days

DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has "WDigest" and RegistryValueName == "UseLogonCredential"
| where RegistryValueData == "1" or RegistryValueData == "0x00000001"
| extend Severity = "CRITICAL"
| extend Description = "WDigest plaintext credential storage enabled - immediate credential dumping risk"
| extend RecommendedAction = "Investigate for Mimikatz or credential theft tool execution; perform emergency password resets"
| project-reorder Timestamp, DeviceName, AccountName, InitiatingProcessFileName, 
                   InitiatingProcessCommandLine, RegistryKey, RegistryValueName, 
                   RegistryValueData, Severity, Description, RecommendedAction
| order by Timestamp desc

Query 4: Cyberduck Cloud Storage Exfiltration

  • Behavior Targeted: Cyberduck file transfer utility uploading data to cloud storage providers like Backblaze, particularly with multipart upload configurations
  • MITRE ATT&CK: T1567.002 – Exfiltration to Cloud Storage
  • Expected Results: Network connections to cloud storage provider APIs from endpoints running Cyberduck, combined with large outbound data transfers suggesting exfiltration activity
  • False Positive Likelihood: Medium – Cyberduck is legitimate software but rarely deployed organization-wide; focus on unexpected installations and usage patterns
  • Tuning Guidance: Whitelist authorized users who legitimately use Cyberduck for business file transfers. Focus on new Cyberduck installations on servers or workstations that don't typically need file transfer capabilities. Monitor for Backblaze specifically as it's been prominently featured in Qilin campaigns. Correlate Cyberduck usage with other suspicious indicators like credential access, lateral movement, or reconnaissance activities. Set baseline thresholds for normal upload volumes and alert on anomalies.

Splunk (SPL)

// Detect Cyberduck file transfer utility exfiltration activity
// Tuning: Whitelist authorized Cyberduck users; focus on servers and unusual endpoints
// Time Range: Last 7 days

(index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 
    (Image="*\\Cyberduck.exe" OR CommandLine="*cyberduck*"))
OR (index=network sourcetype=firewall OR sourcetype=proxy 
    dest_domain="*backblaze*" OR dest_domain="*b2api*")
| eval event_type=case(
    EventCode=1, "Process_Start",
    sourcetype="firewall" OR sourcetype="proxy", "Network_Connection",
    1=1, "Unknown")
| stats count,
        values(event_type) as event_types,
        values(dest_domain) as destinations,
        sum(bytes_out) as total_bytes_out,
        earliest(_time) as first_seen,
        latest(_time) as last_seen
    by ComputerName, User
| where isnotnull(destinations) AND total_bytes_out > 104857600  // 100MB threshold
| convert ctime(first_seen) ctime(last_seen)
| eval data_exfil_GB=round(total_bytes_out/1073741824, 2)
| eval suspicious_score=case(
    data_exfil_GB>10, "Critical",
    data_exfil_GB>1, "High",
    1=1, "Medium")
| table first_seen, last_seen, ComputerName, User, destinations, data_exfil_GB, count, suspicious_score
| sort -data_exfil_GB

Microsoft Defender/Sentinel (KQL)

// Detect Cyberduck exfiltration to cloud storage providers
// Data Tables: DeviceProcessEvents, DeviceNetworkEvents
// Tuning: Exclude approved file transfer users; focus on volume-based anomalies
// Time Range: Last 7 days

let CyberduckProcesses = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "Cyberduck.exe" or ProcessCommandLine has "cyberduck"
| project Timestamp, DeviceName, AccountName, ProcessId, FileName, ProcessCommandLine;
let CloudConnections = DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("backblaze", "b2api", "wasabi", "s3.amazonaws")
| summarize TotalBytesSent=sum(BytesSent),
            ConnectionCount=count(),
            Destinations=make_set(RemoteUrl),
            FirstConnection=min(Timestamp),
            LastConnection=max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName
| where TotalBytesSent > 104857600  // 100MB threshold
| extend DataExfilGB=round(TotalBytesSent/1073741824.0, 2);
CyberduckProcesses
| join kind=inner (CloudConnections) on DeviceName, AccountName
| extend SuspiciousScore = case(
    DataExfilGB > 10, "Critical",
    DataExfilGB > 1, "High",
    "Medium")
| extend TimeSpanHours = datetime_diff('hour', LastConnection, FirstConnection)
| project-reorder FirstConnection, LastConnection, DeviceName, AccountName, 
                   DataExfilGB, ConnectionCount, Destinations, SuspiciousScore, TimeSpanHours
| order by DataExfilGB desc

Query 5: Scheduled Task Persistence for Ransomware

  • Behavior Targeted: Scheduled tasks created with characteristics indicating ransomware persistence, such as startup triggers, hidden windows, and references to temporary directories
  • MITRE ATT&CK: T1053.005 – Scheduled Task/Job: Scheduled Task
  • Expected Results: Scheduled task creation events showing tasks configured to execute at system startup or user logon with executables located in temporary paths or user profile directories
  • False Positive Likelihood: Medium – Legitimate software installers may create scheduled tasks, but focus on suspicious characteristics like temporary path references and startup triggers combined with encoded parameters
  • Tuning Guidance: Whitelist known software update tasks by exact task name and hash. Focus on tasks created outside business hours or during potential incident timeframes. Pay attention to tasks with "silent" or "hidden" execution flags combined with references to %TEMP%, %APPDATA%, or user profile paths. Correlate scheduled task creation with other suspicious activities like credential access, lateral movement, or security tool disabling. Tasks that reference PowerShell with encoded commands or unknown executables require immediate investigation.

Splunk (SPL)

// Detect suspicious scheduled task creation for ransomware persistence
// Tuning: Whitelist known software update tasks; focus on suspicious path characteristics
// Time Range: Last 7 days

index=windows sourcetype="WinEventLog:Security" EventCode=4698
| rex field=TaskContent "(?(?i)%temp%|%appdata%|\\\\Users\\\\.*?\\\\AppData|\\\\Temp\\\\)"
| rex field=TaskContent "(?(?i)AtLogon|AtStartup|OnLogOn|Boot)"
| rex field=TaskContent "(?(?i)Hidden=\"true\")"
| where isnotnull(executable_path) OR isnotnull(trigger_type)
| eval risk_score=0
| eval risk_score=if(isnotnull(executable_path), risk_score+3, risk_score)
| eval risk_score=if(isnotnull(trigger_type), risk_score+2, risk_score)
| eval risk_score=if(isnotnull(hidden_flag), risk_score+2, risk_score)
| eval risk_score=if(like(TaskContent, "%powershell%"), risk_score+2, risk_score)
| where risk_score >= 3
| stats count,
        earliest(_time) as first_seen,
        latest(_time) as last_seen,
        values(TaskName) as task_names
    by ComputerName, User, risk_score
| convert ctime(first_seen) ctime(last_seen)
| eval severity=case(
    risk_score>=7, "Critical",
    risk_score>=5, "High",
    1=1, "Medium")
| sort -risk_score
| table first_seen, last_seen, ComputerName, User, task_names, risk_score, severity, count

Microsoft Defender/Sentinel (KQL)

// Detect suspicious scheduled task creation for ransomware persistence
// Data Tables: DeviceEvents (ActionType = ScheduledTaskCreated)
// Tuning: Exclude known-good software update tasks; focus on high-risk combinations
// Time Range: Last 7 days

DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "ScheduledTaskCreated"
| extend TaskDetails = parse_json(AdditionalFields)
| extend TaskName = tostring(TaskDetails.TaskName)
| extend TaskContent = tostring(TaskDetails.TaskContent)
| extend TaskCommand = tostring(TaskDetails.TaskCommand)
| where TaskCommand has_any ("%temp%", "%appdata%", "\\AppData\\", "\\Temp\\", "\\Users\\")
    or TaskContent has_any ("AtLogon", "AtStartup", "OnLogOn", "Boot")
| extend RiskScore = 0
| extend RiskScore = iff(TaskCommand has_any ("%temp%", "\\Temp\\", "\\AppData\\"), RiskScore + 3, RiskScore)
| extend RiskScore = iff(TaskContent has_any ("AtLogon", "AtStartup", "Boot"), RiskScore + 2, RiskScore)
| extend RiskScore = iff(TaskContent has "Hidden=\"true\"", RiskScore + 2, RiskScore)
| extend RiskScore = iff(TaskCommand has_any ("powershell", "cmd.exe", "wscript"), RiskScore + 2, RiskScore)
| extend RiskScore = iff(TaskCommand has_any ("-enc", "-encodedcommand", "-e "), RiskScore + 3, RiskScore)
| where RiskScore >= 3
| extend Severity = case(
    RiskScore >= 7, "Critical",
    RiskScore >= 5, "High",
    "Medium")
| summarize Count=count(),
            FirstSeen=min(Timestamp),
            LastSeen=max(Timestamp),
            Tasks=make_set(TaskName, 5),
            Commands=make_set(TaskCommand, 3)
    by DeviceName, AccountName, RiskScore, Severity
| project-reorder FirstSeen, LastSeen, DeviceName, AccountName, RiskScore, 
                   Severity, Tasks, Commands, Count
| order by RiskScore desc