Qilin ransomware uses RDP history to quietly map compromised networks


Qilin ransomware operators have been observed using Windows Remote Desktop Protocol logs to map activity on a compromised server. The technique gives attackers a quick view of which users connected through RDP, which systems they came from, and which accounts may help them move deeper into the network.

The activity centers on Event ID 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log. Attackers used PowerShell to pull those records and extract usernames, domains, and source client machines.

This matters because it gives ransomware operators useful reconnaissance without running noisy scans. Instead of immediately probing Active Directory or using obvious discovery tools, Qilin can read existing Windows logs and build a list of likely next-hop targets.

Qilin is using normal Windows data for reconnaissance

Security researcher Maurice Fielenbach reported the activity after observing Qilin operators enumerate RDP authentication history on a compromised server. The script was transferred through a rogue ScreenConnect installation during the intrusion.

ScreenConnect and other remote monitoring and management tools remain attractive to ransomware affiliates because they look like legitimate admin software. Sophos also reported a Qilin-linked campaign where attackers targeted ScreenConnect credentials at a managed service provider.

Once attackers gain remote access, they do not always need malware-heavy discovery tools. A single PowerShell query can reveal historical RDP activity and show which users regularly access a server.

At a glance

Item                        Details
Threat group                Qilin, also known as Agenda
Technique observed          Enumeration of RDP authentication history
Windows log queried         Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Event ID                    1149
Data exposed to attackers   Usernames, domains, and source client machines
Delivery method observed    Rogue ScreenConnect installation

Why Event ID 1149 is useful to attackers

Event ID 1149 appears in the RemoteConnectionManager operational log and relates to RDP connection activity. Its wording can suggest successful authentication, but defenders should treat it carefully because it does not always prove a complete interactive logon by itself.

For attackers, the value comes from the trail it leaves. If a domain admin, backup operator, help desk account, or server administrator regularly connects to a machine through RDP, that history can point attackers toward accounts worth stealing or systems worth targeting.

This turns a local event log into a shortcut for lateral movement. Qilin can use it to identify privileged users, jump boxes, admin workstations, and machines that already have trusted access paths inside the environment.

Why this method can avoid early detection

The technique creates less noise than traditional network scanning. Many security tools alert on port scans, domain enumeration, suspicious LDAP queries, or credential-dumping tools, but a local event-log query may look like normal administrative work.

The risk increases when organizations do not forward the RemoteConnectionManager operational log to their SIEM. Many teams collect Security logs but ignore RDP-specific operational channels, which leaves a blind spot during incident response.

PowerShell also plays a major role. If script block logging is not enabled, defenders may miss the exact command used to pull the RDP history.

Qilin remains one of the most active ransomware threats

Qilin, also known as Agenda, has operated as a ransomware-as-a-service group since 2022. The U.S. Health Sector Cybersecurity Coordination Center has described it as a RaaS operation that targets healthcare and other sectors worldwide.

The group has used phishing, spear phishing, exposed applications, RDP, RMM tools, and other common intrusion methods. It also practices double extortion, which means victims face both encryption and data-leak pressure.

Qilin has also been tied to major real-world disruption. Reuters reported that the 2024 Synnovis cyberattack, attributed to Qilin, disrupted London healthcare services and was later identified as a contributing factor in a patient death.

What defenders should monitor

  • PowerShell queries against Event ID 1149 in the RemoteConnectionManager operational log.
  • PowerShell Script Block Logging events, especially Event ID 4104.
  • Unexpected ScreenConnect, AnyDesk, Atera, or similar RMM installations.
  • RDP activity from unusual client systems or non-admin accounts.
  • Windows Defender tampering events before encryption activity.
  • Security Event ID 4624 and 4625 activity tied to RDP logon attempts.
  • Local Session Manager events that confirm real RDP session activity.

Defenders should not rely on Event ID 1149 alone to confirm successful access. They should correlate it with Security log events and Local Session Manager logs to understand whether the RDP session fully succeeded.
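The correlation described above, and the Script Block Logging check from the monitoring list, as an added example that is not part of the article. The event records are constructed to mimic fields exported from Windows event logs (via Get-WinEvent or a SIEM); the field names, the 60-second window, and the sample users and addresses are assumptions.

```python
"""Confirm RDP sessions from Event ID 1149 and flag PowerShell queries of RDP history."""
import re
from datetime import datetime, timedelta

RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
PS = "Microsoft-Windows-PowerShell/Operational"

# Constructed sample records: one fully confirmed RDP session, one 1149 with no
# follow-up logon, and one Script Block Logging (4104) record that reads the channel.
EVENTS = [
    {"t": "2024-06-01T08:00:00", "channel": RCM, "id": 1149,
     "user": "backupsvc", "domain": "CORP", "src": "10.0.5.20"},
    {"t": "2024-06-01T08:00:02", "channel": "Security", "id": 4624,
     "user": "backupsvc", "logon_type": 10, "src": "10.0.5.20"},   # 10 = RemoteInteractive
    {"t": "2024-06-01T08:00:03", "channel": LSM, "id": 21,          # 21 = session logon succeeded
     "user": "CORP\\backupsvc", "src": "10.0.5.20"},
    {"t": "2024-06-01T09:15:00", "channel": RCM, "id": 1149,
     "user": "helpdesk1", "domain": "CORP", "src": "10.0.7.44"},
    {"t": "2024-06-01T09:40:00", "channel": PS, "id": 4104,
     "script": "Get-WinEvent -FilterHashtable @{LogName='" + RCM + "';Id=1149}"},
]


def confirm_rdp_sessions(events, window_s=60):
    """Annotate each 1149 record with whether a type-10 4624 and an LSM 21 from the
    same source address followed within window_s seconds; 1149 alone is not proof."""
    ts = lambda e: datetime.fromisoformat(e["t"])
    results = []
    for e in events:
        if e["channel"] != RCM or e["id"] != 1149:
            continue
        start, end = ts(e), ts(e) + timedelta(seconds=window_s)
        follow = [f for f in events if f.get("src") == e["src"] and start <= ts(f) <= end]
        logon = any(f["channel"] == "Security" and f["id"] == 4624
                    and f.get("logon_type") == 10 for f in follow)
        session = any(f["channel"] == LSM and f["id"] == 21 for f in follow)
        results.append({"user": f'{e["domain"]}\\{e["user"]}', "src": e["src"],
                        "confirmed": logon and session})
    return results


RDP_HISTORY = re.compile(r"RemoteConnectionManager|\b1149\b", re.IGNORECASE)


def flag_rdp_history_queries(events):
    """Return 4104 script blocks that read the RDP connection history channel."""
    return [e["script"] for e in events
            if e["channel"] == PS and e["id"] == 4104 and RDP_HISTORY.search(e["script"])]
```

Run against a real export, the unconfirmed 1149 entries are the ones worth a second look, and any 4104 hit outside a known maintenance window deserves an alert.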

Organizations should also review which accounts can use RDP. Admin access should require multi-factor authentication, limited privileges, and strong monitoring.

How organizations can reduce the risk

The first step is visibility. Security teams should collect RDP-related operational logs, not only standard Security logs. This helps analysts spot unusual RDP history access before ransomware deployment begins.

The second step is control. RDP should not stay open across wide parts of the environment. Admin teams should restrict it to approved systems, require VPN or zero trust access, and remove unnecessary local administrator rights.

The third step is RMM governance. Tools like ScreenConnect, AnyDesk, Atera, and similar platforms should have approved installers, allowlists, MFA, and alerting for new or unauthorized deployments.

FAQ

What did Qilin ransomware operators do?

They queried Windows RDP event history on a compromised server to identify users, domains, and source machines tied to RDP activity.

Why is Event ID 1149 important?

Event ID 1149 can reveal RDP connection activity. Attackers can use it to identify accounts and machines that may help them move laterally.

Does Event ID 1149 always prove a successful RDP login?

No. Defenders should correlate it with Security Event ID 4624, failed logon events, and Local Session Manager logs before confirming a successful session.

Why does this technique matter?

It lets attackers gather useful network information with a low-noise Windows log query instead of obvious discovery tools.
