Qilin ransomware, also known as Agenda, continues to evolve as one of the most active and dangerous cyber threats. A newly observed technique shows how the group is leveraging Remote Desktop Protocol (RDP) authentication history to silently map compromised networks and identify high-value targets.
Growing Threat Landscape
Since its emergence in 2022, Qilin has rapidly scaled its operations:
2023: 45 confirmed attacks across sectors like healthcare, finance, and manufacturing
2025: Over 700 attacks in a single year
Targets include NHS hospitals in London and U.S. government systems
Qilin operates under a Ransomware-as-a-Service (RaaS) model and uses methods like spear phishing, vulnerability exploitation, and misuse of remote management tools to gain access.
New Technique: RDP Authentication Enumeration
Security researcher Maurice Fielenbach identified a stealthy reconnaissance method used by Qilin on compromised systems.
Attackers executed a PowerShell command to extract Event ID 1149 logs from the Remote Desktop Services:
Identifies accounts that attempted RDP access
Reveals connected client systems
Helps pinpoint privileged accounts
This allows attackers to create a targeted list for lateral movement without triggering typical security alerts.
Why This Method Is Dangerous
Uses built-in Windows logs (low detection risk)
Avoids noisy scanning or Active Directory enumeration
Exploits logs often ignored by security teams
Unlike traditional methods, this approach blends into normal system activity, making detection difficult.
Lateral Movement Strategy
Event ID 1149 logs provide:
Usernames and domain details
Source machines of RDP connections
Although Event ID 1149 records only connection requests, not successful logons, attackers can correlate it with other logs (such as Event ID 4624) to confirm access.
Recommended Security Measures
Organizations should take proactive steps to defend against such attacks:
Enable PowerShell ScriptBlock Logging
Monitor RDP-related logs, especially Event ID 1149
Track unauthorized installations of tools like ScreenConnect, AnyDesk, or Atera
Watch for Windows Defender tampering activity
These indicators often appear just before ransomware encryption begins, making early detection critical.
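The two defensive checks the text describes, monitoring for scripts that read Event ID 1149 and correlating 1149 connection requests with Event ID 4624 logons, worked through in an added example (not code from the article or the researcher). The event records are constructed and simplified (a 1149 entry reduced to user, domain and source address; a 4624 entry with logon type 10, which Windows uses for RemoteInteractive/RDP logons; a 4104 ScriptBlock Logging entry); in practice they would be exported from Get-WinEvent or a SIEM.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: one 1149 request followed by a
# matching 4624 type-10 logon, one 1149 request with no logon, and one 4104
# script block that reads Event ID 1149 from the RDP connection-manager log.
RDP_LOG = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
EVENTS = [
    {"id": 1149, "log": RDP_LOG, "time": "2025-03-01T10:00:00",
     "user": "alice", "domain": "CORP", "src": "10.0.0.5"},
    {"id": 4624, "log": "Security", "time": "2025-03-01T10:00:04",
     "user": "alice", "domain": "CORP", "src": "10.0.0.5", "logon_type": 10},
    {"id": 1149, "log": RDP_LOG, "time": "2025-03-01T10:05:00",
     "user": "svc_backup", "domain": "CORP", "src": "10.0.0.9"},
    {"id": 4104, "log": "Microsoft-Windows-PowerShell/Operational", "time": "2025-03-01T11:00:00",
     "script": "Get-WinEvent -FilterHashtable @{LogName='" + RDP_LOG + "';Id=1149}"},
]

# A log-reading cmdlet or tool followed (anywhere later) by the event ID 1149.
RECON_RE = re.compile(r"(Get-WinEvent|Get-EventLog|wevtutil).*?\b1149\b", re.IGNORECASE | re.DOTALL)

def find_rdp_log_recon(events):
    """Flag 4104 script blocks that query the RDP connection log for Event ID 1149."""
    hits = []
    for e in events:
        text = e.get("script", "")
        if e["id"] == 4104 and "RemoteConnectionManager" in text and RECON_RE.search(text):
            hits.append(e)
    return hits

def correlate_rdp_requests(events, window_seconds=120):
    """Pair each 1149 connection request with a 4624 type-10 logon from the same
    user and source address inside the window; unmatched requests are attempts only."""
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 10]
    results = []
    for req in (e for e in events if e["id"] == 1149):
        t0 = datetime.fromisoformat(req["time"])
        deadline = t0 + timedelta(seconds=window_seconds)
        match = next((l for l in logons if l["user"] == req["user"] and l["src"] == req["src"]
                      and t0 <= datetime.fromisoformat(l["time"]) <= deadline), None)
        results.append({"user": f'{req["domain"]}\\{req["user"]}', "src": req["src"],
                        "confirmed_logon": match is not None})
    return results

if __name__ == "__main__":
    for r in correlate_rdp_requests(EVENTS):
        print(r)
    print(len(find_rdp_log_recon(EVENTS)), "script block(s) reading Event ID 1149")
```

A 1149 entry without a paired 4624 is exactly what a failed or merely attempted connection looks like, which is why the page notes that 1149 alone does not prove access.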
Source:
https://cybersecuritynews.com/qilin-ransomware-enumerates-rdp-authentication/