Intelligence Briefing | Classification: TLP:CLEAR | Date: 2026-06-30 | Source: ransomware.live .onion monitoring — Security Arsenal "From The Dark Side"
Threat Actor Profile — QILIN
Aliases: Agenda ransomware (original branding prior to mid-2022 rebrand). Occasionally referenced in underground forums as "Agenda Team" by legacy affiliates.
Operational Model: Ransomware-as-a-Service (RaaS). QILIN operates an affiliate-driven model where core developers maintain the encryptor payload, .onion leak site infrastructure, and negotiation framework. Recruited affiliates conduct intrusions and receive 70–80% of paid ransoms. The operation has demonstrated increasing sophistication since late 2023, with cross-platform Rust-based variants capable of VMware ESXi deployment alongside Windows encryptors. QILIN affiliates are vetted and provided customized builds per target environment.
Typical Ransom Demands: $200,000–$5,000,000 USD, calibrated to victim revenue and insurance coverage. Negotiations typically open 50–100% above the final acceptable price. QILIN operators have shown willingness to extend deadlines and stage reductions, but will publish stolen data incrementally if negotiations stall beyond 14 days.
Known Initial Access Methods:
- Phishing — macro-laden Office attachments and credential harvesting links targeting helpdesk and finance staff
- VPN/Edge Appliance Exploitation — unpatched SSL VPNs (Fortinet, Citrix, Pulse Secure, Check Point) and remote support tools (ConnectWise ScreenConnect)
- Compromised RDP Credentials — purchased from initial access brokers (IABs) or obtained via brute-force against exposed RDP
- Supply Chain Compromise — leveraging MSP/RMM tools and trusted vendor relationships for lateral entry
- Internet-Facing Application Exploitation — Microsoft Exchange Server, Cisco FMC, and vulnerable developer tooling (Nx Console supply chain compromise)
Double Extortion Approach: Data is exfiltrated before encryption using rclone, WinSCP, MEGAsync, and FileZilla. Stolen data is published incrementally on the QILIN .onion leak site with escalating pressure: initial "proof" dumps → structured database releases → full data exposure. The group has contacted victims' customers and partners directly to amplify pressure.
Average Dwell Time: 5–14 days from initial access to encryption detonation. Some affiliates maintain persistence for up to 30 days during extended reconnaissance and data staging.
Current Campaign Analysis
Sector Targeting
| Sector | Victim Count | Percentage |
|---|---|---|
| Manufacturing | 3 | 20% |
| Business Services | 3 | 20% |
| Agriculture & Food Production | 2 | 13% |
| Technology | 1 | 7% |
| Telecommunication | 1 | 7% |
| Education | 1 | 7% |
| Consumer Services | 1 | 7% |
| Transportation/Logistics | 1 | 7% |
| Financial Services | 1 | 7% |
| Unidentified | 1 | 7% |
Manufacturing and Business Services dominate at 40% combined, consistent with QILIN's historical preference for organizations with moderate cybersecurity maturity but high operational downtime sensitivity. The agricultural sector presence (Lam Soon, NASCO) indicates affiliate diversification into supply-chain-critical industries where ransom payment is incentivized by perishable inventory risk.
Geographic Concentration
| Country | Victim Count |
|---|---|
| United States | 4 |
| Germany | 3 |
| Great Britain | 2 |
| Japan | 1 |
| France | 1 |
| Argentina | 1 |
| Thailand | 1 |
| Czech Republic | 1 |
| Greece | 1 |
| Canada | 1 |
The spread across 10 countries spanning North America, Europe, Asia, and South America confirms a globally distributed affiliate base with no single regional focus. The US and Germany concentration aligns with the largest manufacturing and business services economies — these affiliates appear to target by sector, not geography.
Victim Profile
Victim organizations range from mid-market ($10M–$500M revenue) to enterprise-scale entities. The targeting of GSMA (global telecommunications standards body), Musashino University (Japanese higher education), and Cash Canada (Canadian financial services) demonstrates affiliate flexibility across organizational types. The presence of logistics (Transcore) and agricultural (Lam Soon, NASCO) targets suggests supply chain disruption as a secondary impact vector — encrypting a logistics provider cascades to their manufacturing clients.
Posting Frequency & Escalation Pattern
Between June 24–30, 2026, QILIN posted 15 victims — an average of 2.1 per day:
- June 24: 1 victim (Cash Canada)
- June 25: 1 victim (ISOPLUS)
- June 28: 2 victims (1-800-Dentist, Transcore)
- June 29: 9 victims (mass posting event)
- June 30: 2 victims (Chamco, Hemmersbach)
The June 29 mass-posting of 9 victims in a single day is a signature QILIN psychological pressure tactic — simultaneous publication generates industry-wide media coverage and pressures multiple victim organizations concurrently. This pattern suggests a coordinated affiliate push, potentially tied to a shared initial access campaign or tool update.
Initial Access Vector Correlation
Five CISA KEV catalog entries are active during this campaign window, providing high-fidelity initial access candidates:
- CVE-2026-50751 (Check Point Security Gateway — IKEv1 improper authentication, KEV added 2026-06-08) — Prime candidate for manufacturing and business services targets with perimeter VPN gateways. The 22-day window between KEV addition and the mass posting aligns with QILIN's 5–14 day dwell time.
- CVE-2024-1708 (ConnectWise ScreenConnect — path traversal to RCE, KEV added 2026-04-28) — ScreenConnect is commonly deployed in business services and MSP environments. This vulnerability enables unauthenticated remote code execution — ideal for affiliate initial access.
- CVE-2023-21529 (Microsoft Exchange Server — deserialization RCE, KEV added 2026-04-13) — Pre-authentication RCE in Exchange. Persistent target for ransomware affiliates. Relevant to multiple sector targets running on-premises Exchange.
- CVE-2026-20131 (Cisco FMC — deserialization, KEV added 2026-03-19) — Firewall management compromise enabling network appliance pivot. Relevant to the telecommunications and technology sector victims.
- CVE-2026-48027 (Nx Console — embedded malicious code, KEV added 2026-05-27) — Supply chain compromise via poisoned developer tooling. Directly relevant to the technology sector victim (Axionlog, CZ) and indicates affiliate capability to exploit CI/CD pipelines.
Detection Engineering
Sigma Detection Rules
```yaml
---
title: QILIN Ransomware Volume Shadow Copy Deletion - Pre-Encryption Indicator
id: 9c1b2d3e-4f5a-6b7c-8d9e-0f1a2b3c4d5e
status: experimental
description: >
  Detects Volume Shadow Copy deletion commands consistent with QILIN ransomware
  pre-encryption preparation. QILIN affiliates routinely delete VSS backups,
  disable recovery options, and clear backup catalogs prior to detonating the
  encryptor to eliminate recovery without paying ransom.
author: Security Arsenal Threat Intelligence
date: 2026/06/30
references:
  - https://securityarsenal.com/darkside
  - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
  product: windows
  category: process_creation
detection:
  selection_vssadmin:
    Image|endswith: '\vssadmin.exe'
    CommandLine|contains: 'delete shadows'
  selection_wmic_shadow:
    Image|endswith: '\wmic.exe'
    CommandLine|contains|all:
      - 'shadowcopy'
      - 'delete'
  selection_powershell_vss:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Win32_ShadowCopy'
      - 'Delete()'
  selection_wbadmin:
    Image|endswith: '\wbadmin.exe'
    CommandLine|contains: 'delete catalog'
  selection_bcdedit:
    Image|endswith: '\bcdedit.exe'
    CommandLine|contains:
      - 'recoveryenabled no'
      - 'bootstatuspolicy ignoreallfailures'
  condition: selection_vssadmin or selection_wmic_shadow or selection_powershell_vss or selection_wbadmin or selection_bcdedit
falsepositives:
  - Legitimate backup maintenance operations requiring change control verification
  - System recovery troubleshooting by authorized administrators
level: critical
tags:
  - attack.impact
  - attack.t1490
  - attack.t1491
  - ransomware
  - group.qilin
---
title: QILIN Lateral Movement via PsExec WMI and Cobalt Strike Beacon Patterns
id: a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: >
  Detects lateral movement techniques consistent with QILIN affiliate tooling.
  QILIN affiliates use PsExec and WMI for remote execution alongside Cobalt
  Strike beacons for command and control. This rule covers common process
  execution patterns observed in QILIN intrusions including beacon-spawned
  shells and remote service creation.
author: Security Arsenal Threat Intelligence
date: 2026/06/30
references:
  - https://securityarsenal.com/darkside
logsource:
  product: windows
  category: process_creation
detection:
  selection_psexec:
    Image|endswith:
      - '\psexec.exe'
      - '\psexec64.exe'
      - '\psexesvc.exe'
  selection_wmi_remote:
    Image|endswith: '\wmic.exe'
    CommandLine|contains:
      - 'process call create'
      - '/node:'
  selection_cs_rundll32_beacon:
    Image|endswith: '\rundll32.exe'
    CommandLine|re: '.*#[a-zA-Z0-9]{4,}.*|.*\.dll.*'
    ParentImage|endswith:
      - '\services.exe'
      - '\svchost.exe'
  selection_cs_spawned_shell:
    ParentImage|endswith:
      - '\rundll32.exe'
      - '\dllhost.exe'
      - '\wscript.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - '-nop'
      - '-enc'
      - '-ExecutionPolicy Bypass'
      - '/c '
  selection_cs_smb_lateral:
    Image|endswith: '\cmd.exe'
    # UNC targets: an IP-addressed share (\\10.0.0.1\...) or a hostname share followed by cmd.exe
    CommandLine|re: '.*\\\\[0-9]{1,3}\..*|.*\\\\[a-zA-Z0-9-]+\\.*cmd\.exe.*'
  selection_remote_service_create:
    Image|endswith: '\sc.exe'
    CommandLine|contains|all:
      - '\\'
      - 'create'
  filter_windows_native:
    ParentImage|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
    Image|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
  condition: (selection_psexec or selection_wmi_remote or selection_cs_rundll32_beacon or selection_cs_spawned_shell or selection_cs_smb_lateral or selection_remote_service_create) and not filter_windows_native
falsepositives:
  - Legitimate remote administration tools requiring verification against approved inventory
  - SCCM or similar enterprise management platform activity
level: high
tags:
  - attack.lateral_movement
  - attack.t1021
  - attack.t1021.002
  - attack.t1047
  - attack.t1055
  - attack.t1059
  - group.qilin
---
title: QILIN Data Staging and Exfiltration Tool Execution
id: d4e5f6a7-b8c9-0d1e-2f3a-4b5c6d7e8f9a
status: experimental
description: >
  Detects execution of data exfiltration and staging tools commonly used by
  QILIN affiliates prior to encryption detonation. QILIN affiliates have been
  observed using rclone, WinSCP, MEGAsync, FileZilla, and 7-Zip for data
  staging and exfiltration to cloud storage providers before deploying
  encryptors. Detection at this stage provides the last opportunity for
  intervention before irreversible encryption.
author: Security Arsenal Threat Intelligence
date: 2026/06/30
references:
  - https://securityarsenal.com/darkside
logsource:
  product: windows
  category: process_creation
detection:
  selection_exfil_tools:
    Image|endswith:
      - '\rclone.exe'
      - '\winscp.exe'
      - '\winscp.com'
      - '\megasync.exe'
      - '\filezilla.exe'
      - '\ftp.exe'
      - '\psftp.exe'
  selection_7zip_stage:
    Image|endswith:
      - '\7z.exe'
      - '\7za.exe'
      - '\7zr.exe'
    CommandLine|contains|all:
      - ' a '
      - '-p'
  selection_rclone_config:
    Image|endswith: '\rclone.exe'
    CommandLine|contains:
      - 'copy'
      - 'sync'
      - 'move'
      - 'remote'
      - ':s3,'
      - ':mega,'
      - ':gdrive,'
      - ':sftp,'
  selection_powershell_exfil:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Invoke-WebRequest'
      - 'Invoke-RestMethod'
      - 'System.Net.WebClient'
      - 'UploadFile'
      - 'DownloadFile'
  condition: selection_exfil_tools or selection_7zip_stage or selection_rclone_config or selection_powershell_exfil
falsepositives:
  - Legitimate file transfer operations requiring verification against approved tool list
  - Backup software using 7-Zip compression
level: high
tags:
  - attack.exfiltration
  - attack.t1567
  - attack.t1567.001
  - attack.t1567.002
  - attack.t1074
  - attack.t1074.001
  - group.qilin
```
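To make the semantics of these rules concrete before importing them, the following added Python example (it is not part of the briefing and not Security Arsenal tooling) implements a minimal Sigma-style matcher and runs the first rule's detection section over constructed process-creation events. The dict transcription of the rule, the event records and the helper names (`evaluate_rule`, `matching_indices`) are assumptions made for the example; the matcher generalizes to the `and` / `not` / parenthesized conditions used by the second rule, and it applies Sigma's case-insensitive string matching.

```python
"""Minimal evaluator for Sigma-style detection sections (added example, not from the briefing).

Supports the field modifiers the three rules above use (endswith, startswith, contains,
contains|all, re) and the boolean condition grammar they use (and / or / not / parentheses).
String matching is case-insensitive, as in Sigma.
"""
import re

# Detection section of the VSS deletion rule above, transcribed into a Python dict.
VSS_RULE = {
    "detection": {
        "selection_vssadmin": {
            "Image|endswith": r"\vssadmin.exe",
            "CommandLine|contains": "delete shadows",
        },
        "selection_wmic_shadow": {
            "Image|endswith": r"\wmic.exe",
            "CommandLine|contains|all": ["shadowcopy", "delete"],
        },
        "selection_powershell_vss": {
            "Image|endswith": [r"\powershell.exe", r"\pwsh.exe"],
            "CommandLine|contains": ["Win32_ShadowCopy", "Delete()"],
        },
        "selection_wbadmin": {
            "Image|endswith": r"\wbadmin.exe",
            "CommandLine|contains": "delete catalog",
        },
        "selection_bcdedit": {
            "Image|endswith": r"\bcdedit.exe",
            "CommandLine|contains": ["recoveryenabled no", "bootstatuspolicy ignoreallfailures"],
        },
        "condition": "selection_vssadmin or selection_wmic_shadow or selection_powershell_vss "
                     "or selection_wbadmin or selection_bcdedit",
    }
}


def _value_matches(value, modifiers, patterns):
    """Apply a modifier chain to one field. A list of patterns is OR unless 'all' is present."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    op = modifiers[0] if modifiers else "equals"
    text = "" if value is None else str(value)
    lowered = text.lower()
    checks = []
    for pat in patterns:
        p = str(pat)
        if op == "endswith":
            checks.append(lowered.endswith(p.lower()))
        elif op == "startswith":
            checks.append(lowered.startswith(p.lower()))
        elif op == "contains":
            checks.append(p.lower() in lowered)
        elif op == "re":
            checks.append(re.search(p, text) is not None)
        else:
            checks.append(lowered == p.lower())
    return all(checks) if "all" in modifiers[1:] else any(checks)


def _selection_matches(selection, event):
    """Every field in a selection map must match (Sigma map semantics are AND)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not _value_matches(event.get(field), modifiers, patterns):
            return False
    return True


_CONDITION_CHARS = re.compile(r"^[\w\s()]+$")


def evaluate_rule(rule, event):
    """Return True when the rule's condition holds for a single process_creation event."""
    detection = rule["detection"]
    condition = detection["condition"]
    if not _CONDITION_CHARS.match(condition):
        raise ValueError("unsupported condition syntax: %r" % condition)
    results = {name: _selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    # Replace each selection name with its boolean result, keep and/or/not and parentheses,
    # then evaluate the pure boolean expression with no builtins reachable.
    expr = re.sub(r"\b(?!(?:and|or|not)\b)(\w+)\b",
                  lambda m: str(results[m.group(1)]), condition)
    return bool(eval(expr, {"__builtins__": {}}, {}))


def matching_indices(rule, events):
    """Indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if evaluate_rule(rule, ev)]


# Constructed Sysmon-style process_creation events (sample data, not real telemetry);
# the last two are benign and must not fire.
CONSTRUCTED_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process call create notepad.exe"},
]

if __name__ == "__main__":
    for i in matching_indices(VSS_RULE, CONSTRUCTED_EVENTS):
        print("ALERT:", CONSTRUCTED_EVENTS[i]["CommandLine"])
```

The benign `vssadmin list shadows` event shows why the rule keys on `delete shadows` rather than on the binary alone: the same image is what the rapid-response script below runs during triage, and a rule that fired on it would page the responder on their own check.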
KQL Hunt Query — Microsoft Sentinel
```kql
// QILIN Pre-Ransomware Activity Hunt — 14 Day Lookback
// Hunts for VSS deletion, lateral movement, data staging, and persistence indicators
let qilinTimeWindow = 14d;
// VSS deletion and backup destruction indicators
let vssDeletion = DeviceProcessEvents
| where Timestamp > ago(qilinTimeWindow)
| where ProcessCommandLine has_any ('vssadmin delete shadows', 'wmic shadowcopy delete', 'Win32_ShadowCopy', 'wbadmin delete catalog', 'bcdedit')
| extend DetectionCategory = 'VSS_Deletion', RiskLevel = 'CRITICAL'
| project Timestamp, DeviceName, AccountName, DetectionCategory, RiskLevel, FileName, ProcessCommandLine, InitiatingProcessFileName;
// Lateral movement via PsExec, WMI, and Cobalt Strike patterns
let lateralMovement = DeviceProcessEvents
| where Timestamp > ago(qilinTimeWindow)
| where (FileName in~ ('psexec.exe', 'psexec64.exe', 'psexesvc.exe'))
    or (FileName =~ 'wmic.exe' and ProcessCommandLine has_any ('process call create', '/node:'))
    or (InitiatingProcessFileName =~ 'rundll32.exe' and FileName in~ ('cmd.exe', 'powershell.exe', 'pwsh.exe'))
    or (InitiatingProcessFileName =~ 'dllhost.exe' and FileName in~ ('cmd.exe', 'powershell.exe'))
    or (FileName =~ 'sc.exe' and ProcessCommandLine has 'create' and ProcessCommandLine has '\\')
| extend DetectionCategory = 'Lateral_Movement', RiskLevel = 'HIGH'
| project Timestamp, DeviceName, AccountName, DetectionCategory, RiskLevel, FileName, ProcessCommandLine, InitiatingProcessFileName;
// Data exfiltration and staging tool execution
let exfilTools = DeviceProcessEvents
| where Timestamp > ago(qilinTimeWindow)
| where FileName in~ ('rclone.exe', 'winscp.exe', 'winscp.com', 'megasync.exe', 'filezilla.exe', '7z.exe', '7za.exe')
    or (FileName in~ ('powershell.exe', 'pwsh.exe') and ProcessCommandLine has_any ('Invoke-WebRequest', 'Invoke-RestMethod', 'UploadFile', 'WebClient'))
| extend DetectionCategory = 'Exfiltration_Staging', RiskLevel = 'HIGH'
| project Timestamp, DeviceName, AccountName, DetectionCategory, RiskLevel, FileName, ProcessCommandLine, InitiatingProcessFileName;
// Persistence via scheduled task creation
let persistenceTasks = DeviceProcessEvents
| where Timestamp > ago(qilinTimeWindow)
| where (FileName =~ 'schtasks.exe' and ProcessCommandLine has_any ('/create', '/change'))
    or (ProcessCommandLine has 'Register-ScheduledTask')
| extend DetectionCategory = 'Persistence_ScheduledTask', RiskLevel = 'MEDIUM'
| project Timestamp, DeviceName, AccountName, DetectionCategory, RiskLevel, FileName, ProcessCommandLine, InitiatingProcessFileName;
// Defender exclusion additions — defense evasion
let defenderExclusions = DeviceProcessEvents
| where Timestamp > ago(qilinTimeWindow)
| where ProcessCommandLine has 'Add-MpPreference' and ProcessCommandLine has_any ('-ExclusionPath', '-ExclusionProcess', '-ExclusionExtension')
| extend DetectionCategory = 'Defender_Exclusion', RiskLevel = 'HIGH'
| project Timestamp, DeviceName, AccountName, DetectionCategory, RiskLevel, FileName, ProcessCommandLine, InitiatingProcessFileName;
union vssDeletion, lateralMovement, exfilTools, persistenceTasks, defenderExclusions
| sort by Timestamp desc
| summarize Detections = make_list(pack('Time', Timestamp, 'Device', DeviceName, 'Account', AccountName, 'Category', DetectionCategory, 'Risk', RiskLevel, 'Process', FileName, 'CommandLine', ProcessCommandLine, 'Parent', InitiatingProcessFileName)) by DeviceName
| extend DetectionCount = array_length(Detections)
| where DetectionCount >= 1
| order by DetectionCount desc
```
Rapid Response Detection Script
```powershell
<#
.SYNOPSIS
    QILIN Ransomware Rapid Detection & Hardening Sweep
.DESCRIPTION
    Detects indicators of compromise associated with QILIN ransomware pre-encryption
    activity including VSS deletion, lateral movement tools, persistence mechanisms,
    Cobalt Strike named pipes, and data staging. Run as Administrator on Windows
    endpoints — prioritize Domain Controllers, Exchange servers, and VPN gateways.
.NOTES
    Author: Security Arsenal Threat Intelligence
    Date:   2026-06-30
#>

Write-Host "========================================" -ForegroundColor Red
Write-Host " QILIN Ransomware Rapid Detection Sweep" -ForegroundColor Red
Write-Host "========================================" -ForegroundColor Red
Write-Host "Scan started: $(Get-Date)" -ForegroundColor Cyan
Write-Host ""

# 1. Check RDP Exposure and NLA Status
Write-Host "[1] Checking RDP Exposure & NLA..." -ForegroundColor Yellow
$rdpReg = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($rdpReg -and $rdpReg.fDenyTSConnections -eq 0) {
    Write-Host "  [!] RDP is ENABLED on this host" -ForegroundColor Red
    $rdpListener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    if ($rdpListener) {
        Write-Host "  [!] RDP actively listening on port 3389" -ForegroundColor Red
        $rdpListener | ForEach-Object { Write-Host "      LocalAddress: $($_.LocalAddress) PID: $($_.OwningProcess)" -ForegroundColor Red }
    }
    $rdpNLA = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -ErrorAction SilentlyContinue
    if ($rdpNLA -and $rdpNLA.UserAuthentication -eq 0) {
        Write-Host "  [!] Network Level Authentication (NLA) is DISABLED — enable immediately" -ForegroundColor Red
    } else {
        Write-Host "  [OK] NLA is enabled" -ForegroundColor Green
    }
} else {
    Write-Host "  [OK] RDP is disabled" -ForegroundColor Green
}

# 2. Enumerate Scheduled Tasks Modified in Last 7 Days (non-Microsoft)
Write-Host ""
Write-Host "[2] Non-Microsoft Scheduled Tasks Modified in Last 7 Days..." -ForegroundColor Yellow
$allTasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notmatch '\\Microsoft\\' }
$recentTasks = @()
foreach ($task in $allTasks) {
    # The registration date only lives in the task XML, so export it and read RegistrationInfo
    $taskXml = [xml](Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue)
    $regDate = $taskXml.Task.RegistrationInfo.Date
    if ($regDate -and [datetime]$regDate -gt (Get-Date).AddDays(-7)) {
        $recentTasks += [PSCustomObject]@{
            TaskName         = $task.TaskName
            Author           = $task.Author
            State            = $task.State
            RegistrationDate = $regDate
            Actions          = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
}
if ($recentTasks.Count -gt 0) {
    $recentTasks | Format-Table -AutoSize -Wrap
    Write-Host "  [!] Review these tasks for malicious persistence" -ForegroundColor Red
} else {
    Write-Host "  [OK] No recently created non-Microsoft scheduled tasks found" -ForegroundColor Green
}

# 3. Volume Shadow Copy Status
Write-Host ""
Write-Host "[3] Volume Shadow Copy Status..." -ForegroundColor Yellow
$vssOutput = vssadmin list shadows 2>$null
if ($LASTEXITCODE -eq 0) {
    if ($vssOutput -match 'No items found') {
        Write-Host "  [!] NO Volume Shadow Copies exist — verify if expected or if VSS was deleted" -ForegroundColor Red
    } else {
        $shadowCount = ([regex]::Matches($vssOutput, 'Shadow Copy Volume')).Count
        Write-Host "  [OK] Found $shadowCount shadow copy volume(s)" -ForegroundColor Green
        $vssOutput | Where-Object { $_ -match 'Creation Time|Shadow Copy Volume' } | ForEach-Object { Write-Host "      $_" -ForegroundColor Gray }
    }
} else {
    Write-Host "  [!] Unable to query VSS status — verify vssadmin access" -ForegroundColor Yellow
}

# 4. Suspicious Services with Abnormal Execution Paths
Write-Host ""
Write-Host "[4] Suspicious Services..." -ForegroundColor Yellow
$suspiciousSvcs = Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -match 'powershell\.exe|cmd\.exe|rundll32\.exe|wscript\.exe|cscript\.exe' -and
    $_.PathName -notmatch 'Windows\\System32\\|Windows\\SysWOW64\\'
}
if ($suspiciousSvcs) {
    $suspiciousSvcs | ForEach-Object {
        Write-Host "  [!] Service: $($_.Name) | Path: $($_.PathName) | State: $($_.State)" -ForegroundColor Red
    }
} else {
    Write-Host "  [OK] No suspicious services detected" -ForegroundColor Green
}

# 5. Cobalt Strike Named Pipe Detection
Write-Host ""
Write-Host "[5] Cobalt Strike Named Pipe Detection..." -ForegroundColor Yellow
$csPipePattern = 'postex_|status_|msagent_|MSSE-|spoolss_|searchText_|cafefrica_|powershell_'
$csPipes = Get-ChildItem '\\.\pipe\' -ErrorAction SilentlyContinue | Where-Object { $_.Name -match $csPipePattern }
if ($csPipes) {
    $csPipes | ForEach-Object { Write-Host "  [!] Suspicious Named Pipe: $($_.Name)" -ForegroundColor Red }
} else {
    Write-Host "  [OK] No Cobalt Strike named pipes detected" -ForegroundColor Green
}

# 6. Running Exfiltration Tools
Write-Host ""
Write-Host "[6] Exfiltration Tool Detection..." -ForegroundColor Yellow
$exfilProcNames = @('rclone', 'winscp', 'megasync', 'filezilla', '7z', '7za')
$runningExfil = Get-Process -ErrorAction SilentlyContinue | Where-Object { $exfilProcNames -contains $_.Name }
if ($runningExfil) {
    $runningExfil | ForEach-Object { Write-Host "  [!] Running: $($_.Name) (PID: $($_.Id)) — investigate immediately" -ForegroundColor Red }
} else {
    Write-Host "  [OK] No known exfiltration tools currently running" -ForegroundColor Green
}

# 7. Recent Archive Files in Temp Directories (Data Staging)
Write-Host ""
Write-Host "[7] Recent Archive Files in Temp/Public Directories..." -ForegroundColor Yellow
$stagingPaths = @('C:\Users\Public', 'C:\Windows\Temp', 'C:\Temp', $env:TEMP)
$archiveExts = @('.zip', '.7z', '.rar', '.tar', '.gz')
$recentArchives = foreach ($path in $stagingPaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) -and $archiveExts -contains $_.Extension }
    }
}
if ($recentArchives) {
    $recentArchives | ForEach-Object {
        $sizeMB = [math]::Round($_.Length / 1MB, 2)
        Write-Host "  [!] Recent archive: $($_.FullName) | Size: ${sizeMB}MB | Modified: $($_.LastWriteTime)" -ForegroundColor Red
    }
} else {
    Write-Host "  [OK] No recent archive files found in temp directories" -ForegroundColor Green
}

# 8. Windows Defender Exclusions Audit
Write-Host ""
Write-Host "[8] Windows Defender Exclusions Audit..." -ForegroundColor Yellow
$defenderPrefs = Get-MpPreference -ErrorAction SilentlyContinue
$exclusionsFound = $false
if ($defenderPrefs.ExclusionPath) {
    $defenderPrefs.ExclusionPath | ForEach-Object { Write-Host "  [!] Excluded Path: $_" -ForegroundColor Yellow; $exclusionsFound = $true }
}
if ($defenderPrefs.ExclusionProcess) {
    $defenderPrefs.ExclusionProcess | ForEach-Object { Write-Host "  [!] Excluded Process: $_" -ForegroundColor Yellow; $exclusionsFound = $true }
}
if (-not $exclusionsFound) {
    Write-Host "  [OK] No Defender exclusions configured" -ForegroundColor Green
}

Write-Host ""
Write-Host "========================================" -ForegroundColor Red
Write-Host " Scan Complete: $(Get-Date)" -ForegroundColor Cyan
Write-Host "========================================" -ForegroundColor Red
Write-Host "Escalate ALL flagged items to IR team immediately." -ForegroundColor Red
```
---
Incident Response Priorities
T-Minus Detection Checklist (Before Encryption Fires)
Before QILIN detonates its encryptor, affiliates execute a predictable sequence of actions. Hunt for these indicators in priority order:
Priority 1 — Data Staging & Exfiltration (T-Minus 24–72 Hours):
- Large file copy operations to central staging directories (`C:\Users\Public`, `C:\Windows\Temp`, network shares)
- 7-Zip or WinRAR archive creation exceeding 1GB in temp directories
- `rclone.exe` or `WinSCP.exe` process execution with cloud storage endpoints (mega.io, gofile.io, S3)
- Non-standard outbound FTP/SFTP sessions from servers or workstations
- Outbound network connections to `*.mega.co.nz`, `*.mega.io`, `*.file.io`, `*.gofile.io`
- PowerShell `Invoke-WebRequest` or `System.Net.WebClient` upload operations to external IPs
Priority 2 — Defense Evasion (T-Minus 6–12 Hours):
- Windows Defender exclusion path additions via `Add-MpPreference -ExclusionPath`
- Security tool process termination (`taskkill /f MsMpEng.exe`, `MsSense.exe`)
- Windows Event Log clearing (`wevtutil cl`, `Clear-EventLog`)
- Firewall rule modifications enabling inbound RDP/SMB from non-standard subnets
- Tamper protection disablement via registry modification
Priority 3 — Backup Destruction (T-Minus 1–6 Hours):
- `vssadmin.exe delete shadows /all /quiet`
- `wmic.exe shadowcopy delete`
- `wbadmin.exe delete catalog`
- `bcdedit.exe /set {default} recoveryenabled no`
- Veeam/Commvault/Backup Exec service termination
- Backup repository file deletion on network shares
Priority 4 — Lateral Movement (Ongoing Throughout Intrusion):
- PsExec.exe execution targeting multiple hosts in short succession
- WMI remote process creation via the `/node:` parameter
- Cobalt Strike beacon SMB named pipe connections (`\\.\pipe\postex_*`, `\\.\pipe\status_*`)
- RDP sessions originating from internal jump boxes to multiple systems within 1 hour
- New service creation on remote hosts via `sc.exe \\host create`
- SMB admin share access (`\\host\ADMIN$`, `\\host\C$`) from non-admin workstations
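The checklist only pays off if detections are read per host and in sequence: a single `rclone` sighting is a staging lead, but staging followed by a Defender exclusion and then a VSS deletion on the same host means the encryptor is hours away. The following added Python example (not part of the briefing) correlates detections the way a responder would post-process the KQL hunt's `summarize ... by DeviceName` output: it ranks each host by the furthest checklist phase reached and turns the T-minus lead times quoted above into an estimated detonation window. The detection records, the `CATEGORY_ALIASES` mapping from the hunt's `DetectionCategory` values, and the verdict labels are assumptions made for the example.

```python
"""Pre-encryption phase correlation for the T-Minus checklist (added example, not from the briefing)."""
from datetime import datetime, timedelta

# Checklist phases in priority order, each with the lead time the briefing gives before the
# encryptor fires (lower bound, upper bound). Lateral movement runs throughout the intrusion,
# so it carries no lead-time estimate of its own.
PHASES = {
    "Lateral_Movement":     (0, None),
    "Exfiltration_Staging": (1, (timedelta(hours=24), timedelta(hours=72))),
    "Defense_Evasion":      (2, (timedelta(hours=6),  timedelta(hours=12))),
    "Backup_Destruction":   (3, (timedelta(hours=1),  timedelta(hours=6))),
}

# Assumed mapping from the KQL hunt's DetectionCategory values onto checklist phases;
# categories with no checklist phase (e.g. Persistence_ScheduledTask) are ignored here.
CATEGORY_ALIASES = {
    "VSS_Deletion": "Backup_Destruction",
    "Defender_Exclusion": "Defense_Evasion",
}

VERDICT_RANK = {"IMMINENT": 0, "ESCALATING": 1, "STAGING": 2, "WATCH": 3}


def correlate(detections):
    """Group detections by host; return phases seen, a verdict and an estimated detonation window.

    detections: iterable of {"host", "time" (ISO 8601), "category"}.
    """
    per_host = {}
    for det in detections:
        phase = CATEGORY_ALIASES.get(det["category"], det["category"])
        if phase not in PHASES:
            continue
        per_host.setdefault(det["host"], []).append(
            (datetime.fromisoformat(det["time"]), phase))

    report = {}
    for host, observed in per_host.items():
        observed.sort()
        phases = sorted({p for _, p in observed}, key=lambda p: PHASES[p][0])
        top = phases[-1]
        lead = PHASES[top][1]
        # Anchor the estimate on the latest sighting of the most advanced phase.
        top_time = max(t for t, p in observed if p == top)
        window = (top_time + lead[0], top_time + lead[1]) if lead else None

        pre_encryption = [p for p in phases if PHASES[p][0] >= 1]
        if top == "Backup_Destruction":
            verdict = "IMMINENT"
        elif len(pre_encryption) >= 2:
            verdict = "ESCALATING"
        elif pre_encryption:
            verdict = "STAGING"
        else:
            verdict = "WATCH"
        report[host] = {"phases": phases, "verdict": verdict,
                        "first_seen": observed[0][0], "detonation_window": window}
    return report


def triage_order(report):
    """Hosts ordered by urgency, then by earliest sighting."""
    return sorted(report, key=lambda h: (VERDICT_RANK[report[h]["verdict"]],
                                         report[h]["first_seen"]))


# Constructed detections (sample data, not real telemetry). FS01 walks the whole checklist,
# DB02 shows staging only, WS17 shows lateral movement plus an ignored persistence category.
CONSTRUCTED_DETECTIONS = [
    {"host": "FS01", "time": "2026-06-27T22:10:00", "category": "Lateral_Movement"},
    {"host": "FS01", "time": "2026-06-28T01:30:00", "category": "Exfiltration_Staging"},
    {"host": "FS01", "time": "2026-06-29T03:05:00", "category": "Defender_Exclusion"},
    {"host": "FS01", "time": "2026-06-29T09:40:00", "category": "VSS_Deletion"},
    {"host": "WS17", "time": "2026-06-28T14:00:00", "category": "Lateral_Movement"},
    {"host": "WS17", "time": "2026-06-28T14:05:00", "category": "Persistence_ScheduledTask"},
    {"host": "DB02", "time": "2026-06-29T08:00:00", "category": "Exfiltration_Staging"},
]

if __name__ == "__main__":
    result = correlate(CONSTRUCTED_DETECTIONS)
    for host in triage_order(result):
        r = result[host]
        print(host, r["verdict"], [p for p in r["phases"]], r["detonation_window"])
```

The detonation window is deliberately a range rather than a point: the lead times are the briefing's observed spans, so a `STAGING` verdict on DB02 says only that the encryptor is expected somewhere in the next one to three days, which is the budget the containment table's 0–15 minute isolation step is meant to spend.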
Critical Assets QILIN Prioritizes for Exfiltration
Based on historical QILIN intrusion analysis, affiliates prioritize exfiltration of:
- Financial documents — invoices, accounts payable/receivable, tax filings, audit reports, banking credentials
- Customer PII databases — CRM exports, customer registration data, billing systems, patient records (healthcare)
- Intellectual property — engineering drawings and CAD files (manufacturing), source code repositories, proprietary formulas (food production), research data (education)
- Executive communications — email archives (.PST files), board meeting minutes, strategic planning documents, M&A materials
- IT infrastructure documentation — network diagrams, credential stores, Active Directory databases (ntds.dit), password vaults, SSH keys
- Legal documents — contracts, NDAs, litigation files, regulatory compliance records
- ERP system databases — SAP, Oracle, Dynamics exports containing financial and operational data
Containment Actions (Ordered by Urgency)
| Timeframe | Action | Rationale |
|---|---|---|
| 0–15 min | Isolate affected hosts from network via EDR network containment (do NOT power off — preserve volatile evidence) | Prevents lateral spread while maintaining forensic artifacts in memory |
| 0–15 min | Disable compromised VPN/edge appliance accounts and rotate credentials | Blocks continued initial access vector exploitation via CVE-2026-50751 or compromised credentials |
| 15–30 min | Block known C2 infrastructure at perimeter firewall and proxy | Disrupts active Cobalt Strike beacon communication and data exfiltration channels |
| 15–30 min | Force password reset for all privileged accounts (Tier 0/Tier 1) — Domain Admins, Enterprise Admins, Service Accounts | Removes cached credential validity exploited for lateral movement |
| 30–60 min | Identify and preserve VSS snapshots on unaffected hosts — take emergency snapshots | Protects recovery options if encryption deploys on additional systems |
| 30–60 min | Deploy EDR isolation mode to suspected compromise hosts | Prevents further process execution while investigation proceeds |
| 1–4 hours | Conduct Kerberos ticket purge (klist purge) on all domain controllers and affected hosts | Invalidates forged tickets used for lateral movement |
| 1–4 hours | Engage IR retainer and notify legal/compliance teams | Activates response resources and starts regulatory notification clock |
| 4–24 hours | Deploy enhanced monitoring rules (Sigma rules above) across SIEM/EDR | Detects secondary intrusion attempts and follow-on activity |
| 4–24 hours | Review all VPN/edge appliance logs for unauthorized access since June 8, 2026 (CVE-2026-50751 KEV date) | Identifies the full scope of initial access exploitation |
Hardening Recommendations
Immediate (24 Hours)
- Patch Check Point Security Gateways — CVE-2026-50751 (IKEv1 improper authentication). Disable IKEv1 if not required; enforce IKEv2 with certificate-based authentication. Review VPN session logs dating to June 8, 2026 (KEV addition date) for unauthorized access. Verify no rogue VPN accounts exist.
- Patch ConnectWise ScreenConnect — CVE-2024-1708 (path traversal to RCE). Upgrade to latest version immediately. Restrict ScreenConnect access to internal networks via VPN only. Review all extension installations and session logs for unauthorized remote sessions. Disable file transfer functionality if not required.
- Audit Microsoft Exchange Servers — CVE-2023-21529 (deserialization RCE). Apply latest cumulative updates. Scan for web shells in Exchange IIS directories (`.aspx` files in `\FrontEnd\HttpProxy\owa\auth\`). Review Exchange transport logs for suspicious mailbox export operations and mailbox forwarding rule creation.
- Patch Cisco FMC — CVE-2026-20131 (deserialization). Review firewall management access logs for unauthorized configuration changes. Restrict FMC management interface to dedicated management VLAN.
- Enforce MFA on ALL VPN/RDP access — Deploy FIDO2 hardware tokens for privileged accounts. Disable legacy authentication protocols (Basic Auth, PPTP, L2TP without IPsec). Implement conditional access policies requiring device compliance for VPN connections.
- Enable Volume Shadow Copy protection — Deploy registry key `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR = 0`. Monitor for `vssadmin.exe` execution via Sysmon Event ID 1. Implement Windows Backup scheduled task with immutable storage target.
- Deploy Sigma rules — Import the three Sigma rules above into your SIEM/EDR platform. Configure alerting for immediate notification (via SOAR or paging) for critical-level detections. Tune false positives against legitimate backup administration activities.
Short-Term (2 Weeks)
- Network Segmentation Architecture Review — Implement Tier 0/Tier 1/Tier 2 model per Microsoft ESC guidance. Restrict SMB (445), RDP (3389), WinRM (5985/5986), and WMI traffic between network segments via host firewall and network ACLs. Deploy hardened jump servers for administrative access with session recording (e.g., CyberArk, Royal Server).
- Privileged Access Management (PAM) — Deploy just-in-time (JIT) privileged access for Domain Admin and Enterprise Admin accounts. Remove all standing privileged access. Implement local admin password randomization via LAPS or equivalent. Enforce separate admin workstations (PAWs) for Tier 0 administration.
- Email Security Hardening — Enable Exchange Online anti-phishing policies with impersonation protection and mailbox intelligence. Block macro execution from internet-downloaded Office documents via GPO (`Block macros from running in Office files from the Internet`). Deploy DMARC enforcement (p=reject) and verify SPF/DKIM coverage.
- Backup Architecture Overhaul — Implement 3-2-1-1-0 backup strategy (3 copies, 2 media types, 1 offsite, 1 immutable/air-gapped, 0 errors). Deploy immutable backup storage (AWS Object Lock, Azure Immutable Blob, dedicated backup appliance). Test full restore procedures quarterly with documented RTO/RPO validation.
- EDR Coverage Gap Assessment — Ensure 100% endpoint coverage including all servers, domain controllers, hypervisor management interfaces, and network appliances with agent support. Configure EDR automatic isolation for high-confidence ransomware detections. Enable behavioral attack surface reduction (ASR) rules in block mode.
- Threat Hunting Sprint — Run the KQL hunt query above across your Microsoft Sentinel environment for the past 30 days. Investigate all results classified HIGH or CRITICAL. Run the PowerShell detection script on all Domain Controllers, Exchange servers, VPN gateway management hosts, and file servers. Document and remediate all findings.
- Supply Chain Security Review — Audit all RMM/MSP tool deployments (ConnectWise, Kaseya, NinjaRMM, Datto) for unauthorized access. Implement MFA on all RMM consoles. Review Nx Console and similar developer tool installations for supply chain compromise indicators (CVE-2026-48027).