{"description": "Enterprise techniques used by Qilin, ATT&CK software S1242 (v2.0)", "name": "Qilin (S1242)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [
{"techniqueID": "T1548", "showSubtechniques": true},
{"techniqueID": "T1548.002", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can bypass standard user access controls by using stolen tokens to launch processes at an elevated security context.(Citation: Picus Qilin MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1134", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can use an embedded [Mimikatz](https://attack.mitre.org/software/S0002) module for token manipulation.(Citation: Picus Qilin MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1087", "showSubtechniques": true},
{"techniqueID": "T1087.001", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can list all local users found on a targeted system.(Citation: Trend Micro Agenda Ransomware AUG 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1087.002", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can use PowerShell cmdlets to enumerate domain users.(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1071", "showSubtechniques": true},
{"techniqueID": "T1071.002", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can use WinSCP for the secure file transfer of the Linux ransomware binary to a targeted system.(Citation: Trend Micro Agenda Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1547", "showSubtechniques": true},
{"techniqueID": "T1547.001", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has created a RunOnce autostart entry at `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce*aster = %Public%\\enc.exe` pointing to a dropped copy of itself in the Public folder.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: Halcyon Qilin.B OCT 2024)(Citation: Cisco Talos Qilin Ransomware OCT 2025)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1547.004", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can configure a Winlogon registry entry.(Citation: Trend Micro Agenda Ransomware AUG 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059", "showSubtechniques": true},
{"techniqueID": "T1059.001", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has been deployed on VMware vCenter and ESXi servers via custom PowerShell script.(Citation: BushidoToken Qilin RaaS JUN 2024)(Citation: Picus Qilin MAR 2025) [Qilin](https://attack.mitre.org/software/S1242) has also used PowerShell for discovery in vCenter and Active Directory environments.(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059.003", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has run `cmd /C [PsExec] -accepteula \\\\IP Address -c -f -h -d -i\nC:\\Users\\xxx\\.exe --password [PASSWORD] --spread --spread-process` to execute its encryptor to target multiple network shares.(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1486", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can use AES-256 or ChaCha20 for domain-wide encryption of victim servers and workstations and RSA-4096 or RSA-2048 to secure generated encryption keys.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022)(Citation: Picus Qilin MAR 2025)(Citation: BushidoToken Qilin RaaS JUN 2024)(Citation: Halcyon Qilin.B OCT 2024)(Citation: HC3 Qilin Threat Profile JUN 2024)(Citation: Trend Micro Agenda Ransomware OCT 2025)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1491", "showSubtechniques": true},
{"techniqueID": "T1491.001", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can set the wallpaper on compromised hosts to display a ransom message in each encrypted folder.(Citation: Sophos Qilin MSP APR 2025)(Citation: Trend Micro Agenda Ransomware OCT 2025)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1678", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has the ability to delay execution.(Citation: Trend Micro Agenda Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1685", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can terminate antivirus-related processes and services.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022)(Citation: Halcyon Qilin.B OCT 2024)(Citation: Picus Qilin MAR 2025)\n\n", "score": 1, "showSubtechniques": true},
{"techniqueID": "T1685.005", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has the ability to clear Windows Event Logs.(Citation: Halcyon Qilin.B OCT 2024)(Citation: Sophos Qilin MSP APR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1484", "showSubtechniques": true},
{"techniqueID": "T1484.001", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has pushed a scheduled task via a Group Policy Object for payload execution.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: BushidoToken Qilin RaaS JUN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1480", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can require a specific password to be passed by command-line argument during execution which must match a pre-defined value in the configuration in order for it to continue execution.(Citation: Picus Qilin MAR 2025)(Citation: Trend Micro Agenda Ransomware OCT 2025)", "score": 1, "showSubtechniques": true},
{"techniqueID": "T1480.002", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can create a mutex to ensure only one instance is running.(Citation: Halcyon Qilin.B OCT 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1190", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has been delivered through exploitation of exposed applications and interfaces including Citrix and RDP.(Citation: SentinelOne Qilin NOV 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1083", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can exclude specific directories and files from encryption.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: Trend Micro Agenda Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1222", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can use symbolic links to redirect file paths for remote and local objects and can use `chmod +x` to make its payload binary executable.(Citation: Picus Qilin MAR 2025)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1070", "showSubtechniques": true},
{"techniqueID": "T1070.004", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can delete itself from infected hosts after execution.(Citation: Halcyon Qilin.B OCT 2024)(Citation: Sophos Qilin MSP APR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1490", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can execute `vssadmin.exe delete shadows /all /quiet` to remove volume shadow copies and can disable High Availability (HA) and Distributed Resource Scheduler (DRS) in vCenter clusters.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: Halcyon Qilin.B OCT 2024)(Citation: Sophos Qilin MSP APR 2025)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1570", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has used [PsExec](https://attack.mitre.org/software/S0029) to distribute a second encryptor, named encryptor_1.exe, across the targeted environment.(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1680", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has used `GetLogicalDrives()` and `EnumResourceW()` to locate mounted drives and shares.(Citation: Halcyon Qilin.B OCT 2024)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1036", "showSubtechniques": true},
{"techniqueID": "T1036.004", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has created a scheduled task named TVInstallRestore to mimic TeamViewer.(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1036.005", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has named its payload file TeamViewer_Host_Setup to disguise itself as a legitimate TeamViewer file.(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1112", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can make Registry modifications to share networked drives between elevated and non-elevated processes and to increase the number of outstanding network requests per client.(Citation: Halcyon Qilin.B OCT 2024)(Citation: Picus Qilin MAR 2025) [Qilin](https://attack.mitre.org/software/S1242) can also modify `HKEY_CURRENT_USER\\Control Panel\\Desktop\\Wallpaper` to enable posting of ransom messages.(Citation: Cisco Talos Qilin Ransomware OCT 2025)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1106", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can attempt to log on to the local computer via `LogonUserW` and use `GetLogicalDrives()` and `EnumResourceW()` for discovery.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: Halcyon Qilin.B OCT 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1135", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has the ability to list network drives.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: Halcyon Qilin.B OCT 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1027", "showSubtechniques": true},
{"techniqueID": "T1027.013", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can employ several code obfuscation methods, including renaming functions, altering control flows, and encrypting strings.(Citation: HC3 Qilin Threat Profile JUN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1003", "showSubtechniques": true},
{"techniqueID": "T1003.001", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can employ an embedded [Mimikatz](https://attack.mitre.org/software/S0002) module to dump LSASS memory.(Citation: Picus Qilin MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1069", "showSubtechniques": true},
{"techniqueID": "T1069.002", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can run PowerShell cmdlets to discover domain groups.(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1566", "showSubtechniques": true},
{"techniqueID": "T1566.001", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has been delivered to victims through malicious email attachments.(Citation: SentinelOne Qilin NOV 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1566.002", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has been delivered via malicious links in spearphishing emails.(Citation: SentinelOne Qilin NOV 2022)(Citation: Sophos Qilin MSP APR 2025)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1057", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can define specific processes to be terminated or left alone at execution.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022)(Citation: Halcyon Qilin.B OCT 2024)(Citation: HC3 Qilin Threat Profile JUN 2024)(Citation: Trend Micro Agenda Ransomware OCT 2025)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1055", "showSubtechniques": true},
{"techniqueID": "T1055.001", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can inject pwndll.dll, a patched DLL from the legitimate DLL WICloader.dll, into svchost.exe for continuous execution.(Citation: Trend Micro Agenda Ransomware AUG 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1012", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can check `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control SystemStartOptions` to determine if a machine is running in safe mode.(Citation: Trend Micro Agenda Ransomware AUG 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1219", "showSubtechniques": true},
{"techniqueID": "T1219.002", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can use the Splashtop remote management service (SRManager.exe) to execute the Linux ransomware binary directly on Windows systems.(Citation: Trend Micro Agenda Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1021", "showSubtechniques": true},
{"techniqueID": "T1021.002", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can embed a copy of [PsExec](https://attack.mitre.org/software/S0029) within its payload and place it in the %Temp% directory under a randomly generated filename.(Citation: Picus Qilin MAR 2025)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1021.004", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can enable SSH access on ESXi hosts.(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1018", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can enumerate domain-connected hosts during its discovery phase.(Citation: Picus Qilin MAR 2025)(Citation: Sophos Qilin MSP APR 2025)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1688", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can reboot targeted systems in safe mode to avoid detection.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: BushidoToken Qilin RaaS JUN 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1053", "showSubtechniques": true},
{"techniqueID": "T1053.005", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has pushed scheduled tasks via Group Policy Objects (GPOs) for execution.(Citation: BushidoToken Qilin RaaS JUN 2024)(Citation: Trend Micro Agenda Ransomware AUG 2022) [Qilin](https://attack.mitre.org/software/S1242) has also created a scheduled task named TVInstallRestore, configured to run at logon using the `/SC ONLOGON` argument.(Citation: Cisco Talos Qilin Ransomware OCT 2025)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1489", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can terminate specific services on compromised hosts.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: Halcyon Qilin.B OCT 2024)(Citation: HC3 Qilin Threat Profile JUN 2024)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1082", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can detect whether a system is running FreeBSD, VMkernel (ESXi), Nutanix AHV, or a standard Linux distribution to enable platform-specific encryption behaviors.(Citation: Trend Micro Agenda Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1016", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can accept a command line argument identifying specific IPs.(Citation: Trend Micro Agenda Ransomware AUG 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1007", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can identify specific services for termination or to be left running at execution.(Citation: Trend Micro Agenda Ransomware AUG 2022)(Citation: SentinelOne Qilin NOV 2022)(Citation: HC3 Qilin Threat Profile JUN 2024)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1529", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can initiate a reboot of the backup server to hinder recovery.(Citation: Picus Qilin MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1204", "showSubtechniques": true},
{"techniqueID": "T1204.001", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has been executed by luring victims into clicking links in spearphishing emails.(Citation: SentinelOne Qilin NOV 2022)(Citation: Sophos Qilin MSP APR 2025)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1204.002", "comment": "[Qilin](https://attack.mitre.org/software/S1242) has been delivered to victims through spearphishing emails with malicious attachments.(Citation: SentinelOne Qilin NOV 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1673", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can detect virtual machine environments including ESXi hosts, datacenters, and clusters within vCenter environments.(Citation: Halcyon Qilin.B OCT 2024)(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1047", "comment": "[Qilin](https://attack.mitre.org/software/S1242) can use WMIC to change the Volume Shadow Copy Service (VSS) startup type to manual.(Citation: Cisco Talos Qilin Ransomware OCT 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Qilin", "color": "#66b1ff"}]}