
Qilin Ransomware Uses RDP Authentication Logs for Stealthy Network Expansion

3 May 2026 by Nilmay System, Nilesh Modi


Qilin ransomware, also known as Agenda, continues to evolve as one of the most active and dangerous cyber threats. A newly observed technique shows how the group is leveraging Remote Desktop Protocol (RDP) authentication history to silently map compromised networks and identify high-value targets.

Growing Threat Landscape

Since its emergence in 2022, Qilin has rapidly scaled its operations:

  • 2023: 45 confirmed attacks across sectors like healthcare, finance, and manufacturing

  • 2025: Over 700 attacks in a single year

  • Targets include NHS hospitals in London and U.S. government systems

Qilin operates under a Ransomware-as-a-Service (RaaS) model and uses methods like spear phishing, vulnerability exploitation, and misuse of remote management tools to gain access.

New Technique: RDP Authentication Enumeration

Security researcher Maurice Fielenbach identified a stealthy reconnaissance method used by Qilin on compromised systems.

Attackers executed a PowerShell command to extract Event ID 1149 entries from the Remote Desktop Services event log. Those entries:

  • Identifies accounts that attempted RDP access

  • Reveals connected client systems

  • Helps pinpoint privileged accounts

This allows attackers to create a targeted list for lateral movement without triggering typical security alerts.

Why This Method Is Dangerous

  • Uses built-in Windows logs (low detection risk)

  • Avoids noisy scanning or Active Directory enumeration

  • Exploits logs often ignored by security teams

Unlike traditional methods, this approach blends into normal system activity, making detection difficult.

Lateral Movement Strategy

Event ID 1149 logs provide:

  • Usernames and domain details

  • Source machines of RDP connections

Although Event ID 1149 records only connection requests, not successful logons, attackers can correlate it with other logs (such as Event ID 4624) to confirm access.

Recommended Security Measures

Organizations should take proactive steps to defend against such attacks:

  • Enable PowerShell ScriptBlock Logging

  • Monitor RDP-related logs, especially Event ID 1149

  • Track unauthorized installations of tools like ScreenConnect, AnyDesk, or Atera

  • Watch for Windows Defender tampering activity

These indicators often appear just before ransomware encryption begins, making early detection critical.
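As an added example (not code from the article or from the researcher's report), the two checks below run over constructed sample events in the shape a SIEM might hand to a detection rule: the first flags PowerShell script blocks (Event ID 4104, produced once ScriptBlock Logging is enabled) that query the RDP connection-request log, and the second correlates Event ID 1149 requests with 4624 RemoteInteractive logons so defenders can see which accounts and source hosts have confirmed RDP access. The event field names, host names, accounts and addresses are assumptions.

```python
import re

# Constructed sample events (not from the article). 4104 = PowerShell
# ScriptBlock logging; 1149 = RDP connection request from the
# TerminalServices-RemoteConnectionManager/Operational log; 4624 = successful
# logon, where LogonType 10 is RemoteInteractive (RDP).
EVENTS = [
    {"id": 4104, "host": "WS-07", "user": "CORP\\j.doe",
     "script": "Get-Service -Name Spooler | Restart-Service"},
    {"id": 4104, "host": "WS-07", "user": "CORP\\svc_backup",
     "script": "Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-"
               "TerminalServices-RemoteConnectionManager/Operational';Id=1149}"},
    {"id": 1149, "host": "WS-07", "user": "CORP\\admin.ops", "src": "10.0.5.21"},
    {"id": 1149, "host": "WS-07", "user": "CORP\\j.doe", "src": "10.0.8.14"},
    {"id": 4624, "host": "WS-07", "user": "CORP\\admin.ops", "src": "10.0.5.21",
     "logon_type": 10},
]

# A script block that reads the RDP connection-request log is the
# reconnaissance step described above; on hosts where no administrator
# normally does this, it is a strong early indicator.
RDP_LOG_QUERY = re.compile(
    r"(Get-WinEvent|wevtutil|Get-EventLog).*"
    r"(RemoteConnectionManager|\bId\s*=\s*1149\b)", re.I | re.S)


def flag_rdp_log_enumeration(events):
    """Return (host, user) pairs whose script blocks query Event ID 1149."""
    return [(e["host"], e["user"]) for e in events
            if e["id"] == 4104 and RDP_LOG_QUERY.search(e["script"])]


def rdp_access_map(events):
    """Map each account seen in 1149 to its source addresses, marking which
    requests were confirmed by a matching 4624 RemoteInteractive logon.
    This is the same picture an intruder assembles, so the defender can see
    which accounts and hosts would be on the lateral-movement list."""
    confirmed = {(e["user"], e["src"]) for e in events
                 if e["id"] == 4624 and e.get("logon_type") == 10}
    result = {}
    for e in events:
        if e["id"] == 1149:
            key = (e["user"], e["src"])
            result.setdefault(e["user"], {})[e["src"]] = key in confirmed
    return result


if __name__ == "__main__":
    print(flag_rdp_log_enumeration(EVENTS))
    print(rdp_access_map(EVENTS))
```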

Source:

https://cybersecuritynews.com/qilin-ransomware-enumerates-rdp-authentication/
