The Situation
The on-call IT manager received the first alert at 03:00 on Sunday. The pathology lab night shift could not access patient records. Radiology reported the same issue within minutes. By 04:00, the scope was clear: this was not an outage.
The ransom note identified the attackers as Qilin. This ransomware-as-a-service operation had become the most active ransomware group by mid-2025, responsible for over 700 attacks in the first half of the year alone. They had encrypted 847 systems across the healthcare provider's network.
Backup systems were activated and paper-based processes implemented immediately. Patient safety took priority. But the CEO needed an answer to a question that could not wait: how did they get in?
The Information Commissioner's Office would require a full incident report. The organisation's cyber insurance claim depended on demonstrating appropriate security measures. Most critically, until the entry point was identified, the organisation could not be confident the threat actor would not return.
The Challenge
The DFIR team followed standard protocol: image the domain controllers and critical servers first. What they found was frustrating but not unexpected. Windows Security logs had been cleared (Event ID 1102). Volume Shadow Copies were deleted. The attackers had deployed aggressive anti-forensics across every server they touched.
VPN logs showed no exploitation attempts. The email security gateway showed no malicious attachments or links in the preceding days. EDR detected the ransomware deployment, but by that point it was already too late. The servers that should have held the answers had been deliberately sanitised.
Traditional DFIR does not scale. Manually imaging and analysing hundreds of employee endpoints to find patient zero would take weeks, possibly months. The organisation had 400 workstations across multiple sites. Without knowing where to look, the investigation risked stalling before it found answers.
The Investigation
Strand's automated collection changed the calculus. Rather than manually imaging endpoints one by one, Strand deployed lightweight collection agents across all 400 workstations simultaneously. Within three hours, the platform had ingested and analysed forensic artifacts from the entire endpoint estate, automatically mapping lateral movement patterns that would have taken weeks to identify manually.
Finding Patient Zero: Automated Lateral Movement Analysis
Strand's automated analysis flagged an anomaly that manual server-focused investigation would have missed entirely. A single workstation in the finance department showed outbound RDP connections to the domain controller, originating 52 hours before ransomware deployment. This was patient zero.
Network connection artifacts from the Windows SRUM database on workstation WS-FIN-042 revealed RDP connections (destination port 3389) to DC01 beginning Friday 19:23. The connections originated from a non-administrative user account that had no legitimate reason to RDP to domain controllers. Strand's lateral movement visualisation immediately highlighted this anomalous pattern across the 400-device dataset.
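The check described above, as an added example that is not part of the case study and is not Strand's code: a small triage routine over SRUM-style network connection records that flags outbound RDP (destination port 3389) to a domain controller from an account outside the set permitted to administer DCs, collapses the hits to the first connection per source host, and reports how far ahead of ransomware deployment that connection sits. The record layout, the host and account names, the list of domain controllers and admin accounts, and every timestamp (chosen so that the gap is 52 hours) are constructed for the example; treating SRUM output as carrying a destination port follows the case study's description rather than any particular parser.

```python
"""
Added example (not the case study's or Strand's code): flag non-admin RDP
to domain controllers in SRUM-style network records and measure the lead
time before ransomware deployment. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class NetConn:
    host: str            # endpoint the record was collected from
    user: str            # account that owned the connecting process
    process: str         # executable name taken from the SRUM AppId
    dest: str            # remote host name or IP
    dest_port: int
    first_seen: datetime
    bytes_sent: int


# Assumptions for the example: known DC hostnames and the accounts that are
# allowed to RDP to them. In a real estate these come from AD, not a literal.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_ACCOUNTS = {"svc-backup", "it-admin1"}
RDP_PORT = 3389

# Constructed records loosely mirroring the narrative (1 Aug 2025 is a Friday).
SAMPLE = [
    NetConn("WS-FIN-042", "j.smith", "mstsc.exe", "DC01", 3389, datetime(2025, 8, 1, 19, 23), 1_200_000),
    NetConn("WS-FIN-042", "j.smith", "mstsc.exe", "DC01", 3389, datetime(2025, 8, 1, 20, 10), 900_000),
    NetConn("WS-FIN-042", "j.smith", "chrome.exe", "10.0.50.8", 443, datetime(2025, 8, 1, 16, 0), 50_000),
    NetConn("WS-IT-003", "it-admin1", "mstsc.exe", "DC02", 3389, datetime(2025, 8, 1, 9, 5), 2_000_000),
    NetConn("WS-HR-011", "a.jones", "outlook.exe", "10.0.50.20", 443, datetime(2025, 8, 1, 11, 30), 80_000),
]

# Constructed deployment time, placed 52 hours after the first flagged record.
DEPLOYMENT = datetime(2025, 8, 3, 23, 23)


def flag_rdp_to_dc(conns, dcs=DOMAIN_CONTROLLERS, admins=ADMIN_ACCOUNTS):
    """Records where an account outside the admin set reached a DC on 3389."""
    return [c for c in conns
            if c.dest_port == RDP_PORT and c.dest in dcs and c.user not in admins]


def earliest_per_host(flagged):
    """Collapse flagged records to the earliest anomalous connection per source host."""
    first = {}
    for c in flagged:
        if c.host not in first or c.first_seen < first[c.host].first_seen:
            first[c.host] = c
    return first


def lead_time_hours(first_seen, deployment):
    """Hours between an event and ransomware deployment."""
    return (deployment - first_seen).total_seconds() / 3600


def patient_zero(conns, deployment):
    """(host, hours before deployment) for the earliest anomalous RDP source, or None."""
    first = earliest_per_host(flag_rdp_to_dc(conns))
    if not first:
        return None
    host, conn = min(first.items(), key=lambda kv: kv[1].first_seen)
    return host, lead_time_hours(conn.first_seen, deployment)


if __name__ == "__main__":
    for c in flag_rdp_to_dc(SAMPLE):
        print(f"{c.host} {c.user} -> {c.dest}:{c.dest_port} at {c.first_seen:%a %H:%M}")
    print("patient zero:", patient_zero(SAMPLE, DEPLOYMENT))
```

The admin allow-list is the part worth getting right: the signal is not "RDP to a DC" but "RDP to a DC from an identity that should never do it", so feed it from group membership rather than a hand-maintained set, and review the it-admin1 style hits separately rather than discarding them.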
The Initial Foothold: Remote Access Tool Installation
Analysis of patient zero revealed how the attackers gained their initial foothold. A remote access tool had been installed three hours before the first RDP connection to servers. The tool provided persistent access and allowed the threat actor to operate interactively on the compromised workstation.
Prefetch analysis showed first execution of ScreenConnect (now ConnectWise Control) at Friday 16:14. The installer was delivered via a phishing email containing a link to a legitimate-looking IT support page. Registry analysis confirmed persistence via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The ScreenConnect session logs, recovered from the endpoint, showed interactive access beginning immediately after installation.
Privilege Escalation: From User to Domain Admin
From the compromised workstation, the threat actor used RDP to reach the domain controller. Within 40 minutes of their first server connection, they had escalated to domain administrator privileges. The server logs had been cleared, but the endpoint that initiated the attack retained the evidence.
SRUM database entries on WS-FIN-042 showed sustained network activity to DC01 between 19:23 and 20:47. ShimCache analysis revealed execution of ADFind.exe and secretsdump (Impacket) on the endpoint. The attacker used the compromised workstation as their operational base, running tools locally rather than on the servers where they might be detected. This is a known Scattered Spider technique.
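An added example, not the case study's or Strand's code, of the endpoint-side triage this paragraph describes: execution artifacts collected from workstations (Prefetch, ShimCache, UserAssist) are normalised to an executable name, matched against a watchlist of the dual-use tools the case study names, ranked per host by how many distinct tool categories appear, and laid out as a per-host timeline. The record format, host names, paths and timestamps are constructed; the watchlist entries are the tool names from the narrative with category labels of this example's own. One caveat a practitioner should carry over: a ShimCache timestamp is the executable's last-modified time, not a run time, and on Windows 10 an entry can exist without the file having executed, so ShimCache hits here are leads to corroborate with Prefetch or UserAssist rather than proof of execution.

```python
"""
Added example (not the case study's or Strand's code): watchlist triage of
Prefetch / ShimCache / UserAssist artifacts into a per-host tool timeline.
All records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ntpath


@dataclass(frozen=True)
class ExecArtifact:
    host: str
    source: str          # "prefetch", "shimcache" or "userassist"
    path: str            # full path, or a Prefetch file name (NAME.EXE-HASH.pf)
    timestamp: datetime  # Prefetch/UserAssist: last run; ShimCache: file last-modified


# Tool names are those reported in the case study; the categories are this example's.
WATCHLIST = {
    "adfind.exe": "AD enumeration",
    "secretsdump.exe": "credential dumping",
    "netscan.exe": "network scanning",
    "rclone.exe": "exfiltration tooling",
    "screenconnect.clientsetup.exe": "RMM installer",
}

SAMPLE = [
    ExecArtifact("WS-FIN-042", "prefetch", "SCREENCONNECT.CLIENTSETUP.EXE-1A2B3C4D.pf", datetime(2025, 8, 1, 16, 14)),
    ExecArtifact("WS-FIN-042", "shimcache", r"C:\Users\Public\adfind.exe", datetime(2025, 8, 1, 19, 40)),
    ExecArtifact("WS-FIN-042", "shimcache", r"C:\Users\Public\secretsdump.exe", datetime(2025, 8, 1, 20, 30)),
    ExecArtifact("WS-FIN-042", "userassist", r"C:\Users\j.smith\Downloads\rclone.exe", datetime(2025, 8, 2, 22, 0)),
    ExecArtifact("WS-HR-011", "prefetch", "OUTLOOK.EXE-9F8E7D6C.pf", datetime(2025, 8, 1, 9, 0)),
    ExecArtifact("WS-IT-003", "prefetch", "NETSCAN.EXE-0011AABB.pf", datetime(2025, 7, 20, 10, 0)),
]


def executable_name(path):
    """Normalise any artifact path to a lowercase executable name.
    Prefetch names carry a hash suffix (NAME.EXE-HASH.pf) that is stripped."""
    base = ntpath.basename(path).lower()
    if base.endswith(".pf"):
        base = base[:-3].rsplit("-", 1)[0]
    return base


def triage(artifacts, watchlist=WATCHLIST):
    """Watchlist hits as (host, timestamp, source, exe, category), ordered by host then time."""
    hits = []
    for a in artifacts:
        exe = executable_name(a.path)
        if exe in watchlist:
            hits.append((a.host, a.timestamp, a.source, exe, watchlist[exe]))
    return sorted(hits, key=lambda h: (h[0], h[1]))


def rank_hosts(hits):
    """Hosts ordered by number of distinct tool categories seen, most first."""
    cats = defaultdict(set)
    for host, _, _, _, category in hits:
        cats[host].add(category)
    return sorted(cats.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def host_timeline(hits, host):
    """Chronological (timestamp, source, exe) for one host. Treat 'shimcache'
    entries as 'file was present by this time', not as proof it ran."""
    return [(t, src, exe) for h, t, src, exe, _ in hits if h == host]


if __name__ == "__main__":
    hits = triage(SAMPLE)
    for host, cats in rank_hosts(hits):
        print(host, sorted(cats))
    for t, src, exe in host_timeline(hits, "WS-FIN-042"):
        print(f"  {t:%a %H:%M} {src:10} {exe}")
```

Ranking by distinct categories rather than raw hit count is deliberate: a single IT workstation that once ran a network scanner is a one-category host and a legitimate question for the IT team, whereas an endpoint that shows an RMM install, AD enumeration, credential dumping and an exfiltration tool in sequence is the host to image first.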
The Attack Progression: 52 Hours from Access to Encryption
With domain admin credentials obtained via the compromised endpoint, the threat actor conducted reconnaissance, harvested additional credentials, exfiltrated data, and staged ransomware for deployment at 03:00 Sunday. The entire operation was orchestrated from the single compromised workstation.
The attack followed a methodical pattern: 18 hours of reconnaissance (AD enumeration using ADFind.exe, network scanning with SoftPerfect Network Scanner), 12 hours of credential harvesting and lateral movement, 8 hours of data exfiltration (340GB via rclone to Mega), followed by deployment during the early hours of Sunday.
Chrome Credential Harvesting via GPO
Qilin affiliates are known for a distinctive technique: harvesting saved passwords from Google Chrome across the entire domain using Group Policy. This technique, documented by Sophos in 2024, enables mass credential theft that persists long after the immediate incident is resolved.
Analysis of Group Policy Objects revealed a malicious GPO created on Saturday 15:00 that deployed a PowerShell script to all workstations. The script targeted Chrome's Login Data SQLite database at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data, decrypting saved passwords using the Windows DPAPI and exfiltrating them to a staging share. This technique harvested credentials for 234 external services including banking, email, and SaaS applications. The GPO was named "Chrome Security Update" to appear legitimate.
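A defender-side check for the GPO pattern described above, added here as an example and not taken from the case study or from Strand: each GPO is scored on three signals, creation inside the incident window, a deployed script that references a browser credential store or the DPAPI decryption APIs, and a broad link scope, and any GPO showing at least two of the three is reported with its reasons. The GPO record layout (including a created_by field), the link names, the incident window and the sample script fragments are constructed; the indicator strings are the Chrome Login Data path and the DPAPI API names (Win32 CryptUnprotectData and the .NET ProtectedData wrapper). The sample "script" for the malicious GPO is only the strings a detector would key on, not a working script.

```python
"""
Added example (not the case study's or Strand's code): audit GPOs for a
recently created, broadly linked policy whose script touches a browser
credential store. GPO records and script fragments are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class GPO:
    name: str
    created: datetime
    created_by: str                     # assumption: creator identity is available from AD
    links: list                         # OUs or "domain root" the GPO is linked to
    scripts: list = field(default_factory=list)   # text of scripts the GPO deploys


# Case-insensitive substrings that indicate browser credential-store access.
CREDSTORE_INDICATORS = [
    "login data",                  # Chrome's Login Data SQLite database
    "google\\chrome\\user data",   # Chrome profile directory
    "cryptunprotectdata",          # Win32 DPAPI decryption API
    "protecteddata",               # .NET wrapper around the same DPAPI call
]

# Constructed incident window: first RMM install through the end of Sunday.
INCIDENT_WINDOW_START = datetime(2025, 8, 1, 16, 0)
INCIDENT_WINDOW_END = datetime(2025, 8, 3, 23, 59)

SAMPLE_GPOS = [
    GPO("Default Domain Policy", datetime(2019, 1, 10, 9, 0), "DOMAIN\\Administrator",
        ["domain root"], ["# password and lockout policy only; no scripts"]),
    GPO("Map Finance Drives", datetime(2025, 8, 2, 10, 0), "DOMAIN\\it-admin1",
        ["Finance"], ["New-PSDrive -Name F -PSProvider FileSystem -Root \\\\fs01\\finance -Persist"]),
    GPO("Chrome Security Update", datetime(2025, 8, 2, 15, 0), "DOMAIN\\j.smith",
        ["Workstations"],
        ['$db = "$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data"  '
         '# ... [System.Security.Cryptography.ProtectedData] ... Copy-Item ... \\\\fs01\\staging$']),
]


def credstore_indicators(script_text):
    """Indicators present in one script, in watchlist order."""
    low = script_text.lower()
    return [i for i in CREDSTORE_INDICATORS if i in low]


def audit_gpos(gpos, window_start, window_end, broad_links=("Workstations", "domain root")):
    """Findings for GPOs showing at least two of: created in window, credential-store
    script, broad link. Two signals are required so routine GPO changes inside the
    window (drive mappings, printer deployments) do not flood the output."""
    findings = []
    for g in gpos:
        reasons = []
        if window_start <= g.created <= window_end:
            reasons.append(f"created {g.created:%Y-%m-%d %H:%M} inside incident window")
        inds = sorted({i for s in g.scripts for i in credstore_indicators(s)})
        if inds:
            reasons.append("script references browser credential store: " + ", ".join(inds))
        if any(link in broad_links for link in g.links):
            reasons.append("linked broadly: " + ", ".join(g.links))
        if len(reasons) >= 2:
            findings.append({"name": g.name, "created_by": g.created_by, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_gpos(SAMPLE_GPOS, INCIDENT_WINDOW_START, INCIDENT_WINDOW_END):
        print(f["name"], "by", f["created_by"])
        for r in f["reasons"]:
            print("  -", r)
```

The same scoring applies outside an incident: run it over SYSVOL on a schedule with a rolling window and the "linked broadly" signal alone becomes the review queue for any new domain-wide script, which is the cheapest point at which a mass credential harvest of this kind can be caught.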
Anti-Forensics: Log Clearing and Shadow Copy Deletion
Qilin operators are known for aggressive anti-forensic techniques. Windows Security logs were cleared (Event ID 1102) on the domain controller. Volume Shadow Copies were deleted. The ransomware binary deleted itself after execution.
Despite log clearing, Strand recovered evidence from multiple sources: Windows Event Log .evtx files that had not been fully overwritten, $MFT entries for deleted files, SRUM database entries showing process execution, and Prefetch files confirming execution of attacker tools.
Data Exfiltration Confirmation
Analysis confirmed approximately 340GB of data had been exfiltrated prior to encryption. The data included patient records, financial information, and operational documents. The double-extortion threat was legitimate.
Network connection artifacts showed repeated connections to Mega cloud storage. An rclone configuration file, recovered via $MFT analysis, referenced the remote path "mega:exfil_backup". Registry UserAssist entries confirmed rclone execution at 22:00 on Saturday.
Attack Timeline
Initial compromise: Remote access tool installed
- ScreenConnect installed on finance workstation WS-FIN-042
- Delivered via phishing email with fake IT support link
- Evidence: Prefetch, screenconnect.exe first execution

Lateral movement begins
- Outbound RDP from workstation to domain controller
- Non-admin user connecting to DC flagged by Strand
- Evidence: SRUM, RDP to DC01:3389

Privilege escalation
- ADFind.exe and Impacket secretsdump executed from endpoint
- Domain admin credentials obtained
- Evidence: ShimCache analysis on WS-FIN-042

Reconnaissance phase
- Active Directory enumeration
- Network mapping and share discovery
- Evidence: ADFind.exe, SoftPerfect Network Scanner

Credential harvesting
- LSASS dumps from key servers
- Additional admin accounts compromised
- Evidence: comsvcs.dll MiniDump technique

Chrome credential theft via GPO
- Malicious GPO "Chrome Security Update" deployed
- 234 external service credentials harvested
- Evidence: Chrome Login Data SQLite + DPAPI decryption

Data exfiltration
- 340GB transferred to Mega cloud storage
- Patient records, financials, operational documents
- Evidence: rclone.exe to mega:exfil

Ransomware deployment
- Qilin deployed via scheduled task
- 847 systems encrypted
- Server logs cleared as anti-forensics
- Evidence: Event ID 1102 on all servers
Key Takeaways
1. Server-focused forensics is insufficient when attackers deploy anti-forensics. Clearing Windows Security logs on servers is standard practice for ransomware operators. The evidence often survives on endpoints.
2. Traditional DFIR does not scale. Manually analysing hundreds of endpoints to find patient zero is impractical within incident response timeframes. Automated collection and analysis is essential for large estates.
3. Attackers use compromised workstations as operational bases to avoid detection on monitored servers. Tools executed from endpoints may not appear in server logs at all.
4. SRUM database analysis reveals network connections even when firewall logs are unavailable. Outbound RDP from user workstations to domain controllers is a high-fidelity indicator of compromise.
5. Qilin affiliates harvest Chrome saved passwords via GPO across entire domains. Post-incident credential rotation must include all external services where employees may have saved passwords, not just Active Directory.
6. Remote access tools like ScreenConnect provide attackers with persistent, interactive access. Monitor for installation of RMM tools outside of approved management channels.