Qilin Ransomware Scans RDP Authentication History on Compromised Servers
Key Takeaways
- Qilin ransomware, also known as Agenda, is employing a stealthy new technique to map compromised networks by scanning Remote Desktop Protocol (RDP) authentication history.
- The group uses a PowerShell command to query Event ID 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log, which is often overlooked by security tools.
- This method allows attackers to identify RDP users, connected client systems, and potentially privileged accounts for lateral movement without triggering common security alerts.
- Qilin is a prolific Ransomware-as-a-Service (RaaS) group that has claimed over 700 attacks in a single year, targeting critical sectors globally.
Qilin Ransomware Adopts Stealthy RDP Authentication History Scan for Network Reconnaissance
The Qilin ransomware group, a persistent and destructive force in the cyber threat landscape, has refined its operational tactics. Researchers have identified a new, highly discreet method the group uses to conduct reconnaissance on compromised servers: scanning Remote Desktop Protocol (RDP) authentication history. This technique gives Qilin operators a quiet and efficient way to map network topology and pinpoint high-value accounts and hosts for subsequent attacks.
Emerging in July 2022, Qilin, also recognized as Agenda, operates as a Ransomware-as-a-Service (RaaS) model and is widely believed to be based in Russia. Initially, the group garnered minimal attention, but its activity escalated significantly by 2023, with 45 recorded attacks against vital sectors including healthcare, manufacturing, finance, and government entities. By 2025, Qilin’s reach expanded dramatically, surpassing 700 confirmed attacks within a single year, cementing its status as one of the most active ransomware operations to date. Its victims have included London’s NHS hospitals and county government systems in the United States, underscoring the indiscriminate nature of its campaigns.
Qilin typically establishes initial access through various vectors, such as spearphishing emails, exploiting known software vulnerabilities, or misusing Remote Monitoring and Management (RMM) tools. Once inside a network, the attackers prioritize covert expansion, leveraging “living-off-the-land” techniques that mimic legitimate system activities to evade detection. The group also employs a double extortion strategy, encrypting victim data while simultaneously threatening its public release if ransom demands are not met, intensifying pressure on organizations to comply.
Under the Radar: Qilin’s RDP Log Exploitation
Maurice Fielenbach, an Information Security Researcher at Hexastrike, recently brought to light a sophisticated reconnaissance maneuver executed by Qilin operators on a compromised server. Fielenbach observed the group using a PowerShell command to extract every instance of Event ID 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log. This single query gave the attackers a comprehensive overview of which accounts had used RDP on the host, the client systems that connected, and a shortlist of accounts whose privileges made them worth targeting next. The malicious script was deployed via a rogue ScreenConnect installation during the initial intrusion, as detailed in a report from Hexastrike.
The significance of this tactic lies in its low-noise footprint. Instead of running overt network scans or Active Directory enumeration tools, which security products commonly flag, Qilin reads a log that Windows already keeps on the host. Reading a local event log generates no network traffic and no authentication events of its own; the only trace on the host is the PowerShell invocation itself, so visibility depends on whether script block logging or process command-line auditing is in place. This subtle approach lets the group gather critical reconnaissance data while remaining undetected, reflecting a growing trend among ransomware operators to prioritize stealth before launching the encryption phase. More information on Qilin’s broader tactics can be found in a Picus Security blog post.
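The following hunt is an added example from the editor, not code from the Hexastrike report or from the Qilin operators. It looks for the reconnaissance query in PowerShell Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) and assumes that logging policy is enabled; the registry path and the `$LookbackDays` parameter are the editor's choices, and the 4104 property indices are the standard layout of that event.

```powershell
# Added hunt for the RDP-log reconnaissance described above (editor's example, not
# from the Hexastrike report). Assumes PowerShell Script Block Logging is enabled;
# without it the attacker's Get-WinEvent call leaves no script-level trace on the host.
param(
    [int]$LookbackDays = 7   # assumption: a one-week hunting window
)

$rdpLog = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'

# Check the prerequisite first, so an empty result is not mistaken for a clean host.
# This is the policy key written by the "Turn on PowerShell Script Block Logging" GPO.
$policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty -Path $policy -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
if ($enabled -ne 1) {
    Write-Warning 'Script Block Logging is not enabled by policy; 4104 coverage is incomplete.'
}

$filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4104 EventData: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
        # [3] ScriptBlockId, [4] Path (empty for interactive/remote command lines).
        $text = [string]$_.Properties[2].Value

        # Flag any script block that names the RDP connection-manager log together
        # with event 1149, whether it was typed into Get-WinEvent or wrapped in a script.
        if ($text -match $rdpLog -and $text -match '\b1149\b') {
            $clean = ($text -replace '\s+', ' ').Trim()
            [pscustomobject]@{
                Time      = $_.TimeCreated
                UserSid   = $_.UserId        # account that ran the block
                ProcessId = $_.ProcessId     # pivot to 4688 / Sysmon 1 for the parent (e.g. ScreenConnect)
                Path      = $_.Properties[4].Value
                Snippet   = $clean.Substring(0, [Math]::Min(160, $clean.Length))
            }
        }
    }

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Output "No script blocks referencing $rdpLog / 1149 in the last $LookbackDays days."
}
```

The `ProcessId` column is the pivot a responder would use next: matching it against process-creation telemetry shows which parent launched PowerShell, which is where the rogue ScreenConnect installation mentioned in the report would surface.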
RDP Enumeration as a Lateral Movement Strategy
Qilin’s RDP authentication enumeration technique is central to its lateral movement strategy. Event ID 1149 is written by the RDP connection manager each time a client authenticates to the listener; with Network Level Authentication enabled, that means the supplied credentials were valid, even if a full desktop session never followed. Each record carries the username, the domain, and the source network address of the connecting client, so a single query yields a map of which accounts reach this host and from where. From that the attackers can build a prioritized list of accounts and source machines to compromise next, as detailed in Hexastrike’s analysis. The log is also local to the host and is not forwarded by default, so the attacker is often reading data the defender has never seen centrally.
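The following block is the editor's reconstruction of the reconnaissance step described in this section and in the Hexastrike write-up above; it is not the operators' own script. It assumes a Windows host with local administrator rights (needed to read the Operational log) and uses the standard 1149 parameter layout; the triage step at the end, which checks the local Administrators group rather than querying Active Directory, is the editor's assumption about how an operator would rank the results without generating noise.

```powershell
# Added example of the 1149 reconnaissance (editor's reconstruction, not the
# operators' script). Requires local admin rights to read the Operational log.
$logName = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

# One local read, no network traffic. The log is not forwarded unless WEF/SIEM
# collection has been explicitly configured for it.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1149 } -ErrorAction SilentlyContinue

# 1149 EventData: Param1 = user, Param2 = domain, Param3 = source network address.
$auths = foreach ($e in $events) {
    [pscustomobject]@{
        Time     = $e.TimeCreated
        User     = [string]$e.Properties[0].Value
        Domain   = [string]$e.Properties[1].Value
        SourceIP = [string]$e.Properties[2].Value
    }
}

# Who authenticates from where, how often, and when last: the map the attacker wants.
$map = $auths |
    Group-Object User, Domain, SourceIP |
    ForEach-Object {
        [pscustomobject]@{
            Account  = '{0}\{1}' -f $_.Group[0].Domain, $_.Group[0].User
            SourceIP = $_.Group[0].SourceIP
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } |
    Sort-Object Count -Descending

$map | Format-Table -AutoSize

# Triage without touching a domain controller (assumption: an operator avoiding the
# noisier AD lookup). Local Administrators membership is readable on the host itself,
# and any RDP account that is also a local admin here is an obvious lateral-movement target.
$localAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name.ToLowerInvariant() }

$map |
    Where-Object { $localAdmins -contains $_.Account.ToLowerInvariant() } |
    Format-Table -AutoSize
```

Running this on a jump host or file server typically returns a handful of administrator accounts and the workstations they connect from, which is exactly the shortlist the technique is meant to produce; the same output, read defensively, tells you which accounts and source hosts should be the first ones checked after a compromise.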
This approach is particularly effective because Event ID 1149 resides in the RemoteConnectionManager Operational log, rather than
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.