Qilin Ransomware Enumerates RDP Authentication History on Compromised Servers
Qilin ransomware represents a highly active and damaging threat within the contemporary cyber landscape.
The group has steadily evolved its tactics since it first appeared in 2022, and its latest technique of enumerating Remote Desktop Protocol (RDP) authentication history on compromised servers gives it a fast, quiet way to map out a network and find the next target.
Qilin, also known as Agenda, is a Ransomware-as-a-Service (RaaS) group believed to be based in Russia. When it first emerged in July 2022, it attracted little attention.
By 2023, the group had begun picking up pace, claiming 45 attacks and launching campaigns against critical sectors such as healthcare, manufacturing, finance, and government agencies.
By 2025, Qilin had already surpassed 700 confirmed attacks in a single year, making it one of the most prolific ransomware operators on record.
Victims have included NHS hospitals in London and county government systems in the United States, showing that no sector is safe.
The group typically gains initial access through spearphishing emails, exploitation of known software vulnerabilities, or by abusing Remote Monitoring and Management (RMM) tools.
Once inside a network, attackers focus on expanding their reach quietly, using living-off-the-land techniques that blend into normal system activity to avoid triggering alerts.
Qilin also employs double extortion, meaning the group encrypts data while also threatening to leak it publicly if the ransom demand is not met, putting enormous pressure on victims to comply.
Maurice Fielenbach, Information Security Researcher at Hexastrike, recently identified a particularly sharp reconnaissance move by Qilin operators on a compromised server.
His observation highlighted how the group used a PowerShell command to pull every Event ID 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log.
This single query gave the attackers a clear map of which accounts used RDP on the host, which client systems connected to it, and which accounts appeared privileged enough to be worth targeting next. The script was delivered through a rogue ScreenConnect installation during the intrusion.
What makes this behavior stand out is how little noise it creates. Rather than running loud network scans or Active Directory enumeration tools that security systems are built to detect, Qilin used a built-in Windows logging mechanism to gather all the reconnaissance data it needed.
It is a calculated move that reflects a broader shift in how ransomware groups approach stealth before encryption.
RDP Enumeration as a Lateral Movement Strategy
The RDP authentication enumeration technique that Qilin used sits at the center of its lateral movement strategy.
By querying Event ID 1149 ("Remote Desktop Services: User authentication succeeded"), which is written each time the RDP listener accepts a connection request, the attackers extracted usernames, domain names, and the source client addresses involved in each session.
In one command, they built a prioritized list of accounts worth targeting for further compromise.
This approach is particularly effective because Event ID 1149 lives in the RemoteConnectionManager Operational log rather than in the main Security event log.
Many organizations do not forward this log to their Security Information and Event Management (SIEM) system or simply treat it as low priority. This gap gives attackers a quiet window to gather valuable intelligence.
It is also important to note that Event ID 1149 does not confirm a successful RDP login on its own. Despite its name, it only records that a connection request was received: on hosts that enforce Network Level Authentication it shows that the supplied credentials passed the NLA handshake, and without NLA it fires on any connection attempt, but in neither case does it prove that an interactive session was established.
Correlating it with Event ID 4624 (Logon Type 10, RemoteInteractive) from the Security log, or with Event ID 21 (session logon succeeded) or 25 (session reconnection succeeded) from the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log, is necessary to verify actual successful logins.
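The following PowerShell script is an added example, not the command observed by Hexastrike and not Qilin's script. It reproduces the reconnaissance described above (every Event ID 1149 from the RemoteConnectionManager/Operational log) and then applies the caveat that follows it: each 1149 is matched against a Security 4624 with LogonType 10 and a LocalSessionManager 21 for the same user from the same source address, so a 1149 that never led to a real session is reported but not counted as confirmed. It is meant for triage of a host that may already have been enumerated; run it elevated, since the Security log requires it. The lookback period and the correlation window are assumed values, not figures from the article.

```powershell
<#
Added example (not Hexastrike's code, not the operators' script).
Lists RDP connection requests (1149) per account and confirms each one
against Security 4624 / LogonType 10 and LocalSessionManager 21.
$Days and $WindowSeconds are assumptions; tune them to the environment.
#>
param(
    [int]$Days = 30,
    [int]$WindowSeconds = 120
)

$since  = (Get-Date).AddDays(-$Days)
$window = [TimeSpan]::FromSeconds($WindowSeconds)

# Flatten <EventData><Data Name="..."> pairs into a hashtable keyed by field name.
function ConvertTo-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.UserData.EventXML, ([xml]$Record.ToXml()).Event.EventData.Data) {
        if ($d -and $d.Name) { $map[$d.Name] = $d.'#text' }
    }
    return $map
}

# Step 1: the reconnaissance query itself. 1149 carries user, domain and source
# address as Param1..Param3 under <UserData><EventXML>.
$requests = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    Id        = 1149
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $p = ([xml]$_.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{ Time = $_.TimeCreated; User = $p.Param1; Domain = $p.Param2; Source = $p.Param3 }
}

# Step 2: successful RemoteInteractive logons (LogonType 10) from the Security log.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
    $d = ConvertTo-EventDataMap $_
    if ($d['LogonType'] -eq '10') {
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Source = $d['IpAddress'] }
    }
}

# Step 3: session logons (21) from the Local Session Manager log; User is DOMAIN\user.
$sessions = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 21
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $p = ([xml]$_.ToXml()).Event.UserData.EventXML
    [pscustomobject]@{ Time = $_.TimeCreated; User = ($p.User -split '\\')[-1]; Source = $p.Address }
}

# Step 4: a request is confirmed only if a 4624/10 and a 21 for the same user and
# source address follow it within the window (-eq is case-insensitive in PowerShell).
function Find-FollowUp {
    param($Events, $Request)
    $Events | Where-Object {
        $_.User -eq $Request.User -and $_.Source -eq $Request.Source -and
        $_.Time -ge $Request.Time -and ($_.Time - $Request.Time) -le $window
    } | Select-Object -First 1
}

$report = foreach ($r in $requests) {
    [pscustomobject]@{
        Time      = $r.Time
        Account   = "$($r.Domain)\$($r.User)"
        Source    = $r.Source
        Confirmed = [bool]((Find-FollowUp $logons $r) -and (Find-FollowUp $sessions $r))
    }
}

# Per-account summary: the "prioritised list" the article describes, with the
# unconfirmed connection requests separated from real sessions.
$report | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account   = $_.Name
        Requests  = $_.Count
        Confirmed = @($_.Group | Where-Object Confirmed).Count
        Sources   = ($_.Group.Source | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Confirmed -Descending | Format-Table -AutoSize
```

Accounts with many requests but no confirmed sessions are typically scanners or mistyped credentials rather than real users; the confirmed column is what an attacker reading this log would actually be prioritising, and what a responder should assume has already been harvested.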
Security teams are advised to enable PowerShell ScriptBlock Logging across their entire environment (it writes Event ID 4104 to the Microsoft-Windows-PowerShell/Operational log), as there is no legitimate reason for a non-administrative process to run this type of RDP enumeration query.
Organizations should also watch for unauthorized installations of remote access tools such as ScreenConnect, AnyDesk, Atera, or Total Software Deployment on any compromised host.
Monitoring for Windows Defender tampering events alongside these indicators adds another strong layer of detection. Together, these signals observed in the hours before encryption begins can serve as a reliable fingerprint of an active Qilin intrusion.
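The script below is an added example, not detection content from the article, from Hexastrike, or from any vendor. It checks the three signals the preceding paragraphs list on a single host, using only built-in logs: ScriptBlock logging (Event ID 4104) for a script that reads Event ID 1149 from the RemoteConnectionManager log, new service installations (System log, Event ID 7045) matching the remote access tools named above, and Windows Defender configuration and tamper events. The lookback window, the specific Defender event IDs chosen (5001 real-time protection disabled, 5010 malware scanning disabled, 5012 virus scanning disabled, and 5007 configuration changed, which also covers new exclusions but is noisy on its own) and the snippet length are assumptions. ScriptBlock logging must already be enabled and the session must be elevated.

```powershell
<#
Added example (not the article's or Hexastrike's detection logic).
Hunts one host for the three pre-encryption signals the article describes.
$Hours, the Defender IDs and the tool list are assumptions.
#>
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $map = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function New-Hit {
    param([string]$Signal, [datetime]$Time, [string]$Detail)
    [pscustomobject]@{ Signal = $Signal; Time = $Time; Detail = $Detail }
}

# Signal 1: any logged script block that names the RDP connection-manager log and
# event 1149. This hunt script matches itself, so its own path is excluded.
$enumHits = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventDataMap $_
    $text = [string]$d['ScriptBlockText']
    if ($d['Path'] -ne $PSCommandPath -and
        $text -match 'RemoteConnectionManager' -and $text -match '\b1149\b') {
        $flat = $text -replace '\s+', ' '
        New-Hit 'RDP auth history enumeration (4104)' $_.TimeCreated `
            ('{0} | {1}' -f $d['Path'], $flat.Substring(0, [Math]::Min(120, $flat.Length)))
    }
}

# Signal 2: a service whose name or image path matches one of the remote access
# tools the article lists. 7045 carries ServiceName and ImagePath in EventData.
$rmmTools = 'ScreenConnect', 'AnyDesk', 'Atera', 'Total Software Deployment'
$svcHits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventDataMap $_
    $hay = "$($d['ServiceName']) $($d['ImagePath'])"
    $tool = $rmmTools | Where-Object { $hay -match [regex]::Escape($_) } | Select-Object -First 1
    if ($tool) { New-Hit "Remote access tool service installed: $tool (7045)" $_.TimeCreated $hay }
}

# Signal 3: Defender tampering. 5007 is included because exclusion changes land
# there, but it also fires on routine changes; weigh it together with the others.
$avHits = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5010, 5012; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    New-Hit "Defender tampering ($($_.Id))" $_.TimeCreated (($_.Message -split "`n")[0].Trim())
}

# Combine in time order. Two or more distinct signal types inside the window is
# the fingerprint the article describes; a single Defender event alone is not.
$hits = @(@($enumHits) + @($svcHits) + @($avHits) | Where-Object { $_ } | Sort-Object Time)
$kinds = @($hits.Signal | ForEach-Object { ($_ -split ' \(')[0] } | Sort-Object -Unique)
if ($kinds.Count -ge 2) {
    Write-Warning "Multiple pre-encryption signals on this host in the last $Hours h: $($kinds -join '; ')"
}
$hits | Format-Table -AutoSize -Wrap
```

On a fleet the same three queries belong in the SIEM rather than on each host, which only works if the PowerShell, System and Defender Operational logs are forwarded; the gap the article points out for the RemoteConnectionManager log applies to those channels too.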
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.