Published on April 30, 2026

Qilin Ransomware Enumerates RDP Authentication History on a Compromised Server


Severity

Medium

Detail

The Qilin ransomware group continues to rank among the most aggressive ransomware threats, with hundreds of attacks on critical sectors worldwide.

Operating under a Ransomware-as-a-Service model, the group has steadily refined its tactics. Most recently it has adopted a stealthy method of enumerating Remote Desktop Protocol (RDP) activity from the Windows event logs of a compromised server, mapping the network and identifying high-value targets without the port scans or enumeration tools that traditional security controls alert on.

How?

Qilin typically gains initial access through spearphishing emails, exploitation of vulnerabilities, or misuse of remote management tools. In observed cases, attackers leveraged tools like ConnectWise ScreenConnect to establish a foothold and begin post-compromise activity.

Once inside, instead of launching noisy scans or recognizable enumeration tools, the attackers quietly query the Windows event logs with PowerShell. Specifically, they extract Event ID 1149 ("Remote Desktop Services: User authentication succeeded") from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log. The RemoteConnectionManager writes this event when a client connects to the RDP listener, and each entry carries the user name, the domain, and the source network address of the connecting client.

By running a single command, the attackers build a clear map of:

  • Which accounts are actively using RDP
  • Which systems are connecting across the network
  • Which accounts may have elevated or administrative privileges

This method is effective because Event ID 1149 is often overlooked: it lives in an Applications and Services operational log rather than the Security log, and many organizations neither forward it to their SIEM nor treat it as a priority, which creates a blind spot the attackers exploit.

Importantly, Event ID 1149 alone does not confirm that a desktop session was established. The attackers can correlate it with Security Event ID 4624 (Logon Type 10, RemoteInteractive) or with the session events in the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log (Event ID 21 for session logon, 25 for reconnection) to verify actual access. This layered analysis lets them prioritize targets for lateral movement with a minimal footprint.
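The enumeration and correlation described above, reconstructed as an added example. This is not code from the article or from the Qilin operators: the function names, the matching window and the sample events are our own, and the live query is our reconstruction of the kind of single Get-WinEvent call the article refers to. It parses Event ID 1149 records, then looks for a Security 4624 with LogonType 10 from the same account and source address shortly afterwards. Reconnects to a disconnected session log LogonType 7 (unlock) rather than 10, so add that type if reconnects matter to you.

```powershell
# Added example, not code from the article or from the Qilin operators. It
# rebuilds the RDP authentication history from Event ID 1149 and confirms
# which entries became real sessions by correlating with Security Event ID
# 4624, LogonType 10 (RemoteInteractive). Run in an elevated PowerShell session
# on the server under investigation; reading the Security log needs admin rights.
# Function names, the 120 s window and the sample events are assumptions.

$RdpLog = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'

function ConvertFrom-EventRecordXml {
    # Turn one event's XML (EventLogRecord.ToXml()) into Id, Time and a Fields
    # hashtable. Security events carry <EventData><Data Name="...">; the
    # TerminalServices logs carry <UserData><EventXML><Param1..3>. XPath with
    # local-name() sidesteps the per-log XML namespaces.
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $fields = @{}
    foreach ($d in $x.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data']")) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    foreach ($p in $x.SelectNodes("//*[local-name()='EventXML']/*")) {
        $fields[$p.LocalName] = $p.InnerText
    }
    $ts = $x.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
    [pscustomobject]@{
        Id     = [int]$x.SelectSingleNode("//*[local-name()='EventID']").InnerText
        Time   = [datetime]$ts
        Fields = $fields
    }
}

function Get-RdpEvidence {
    # Live collection. The 1149 query is the kind of low-noise single command
    # the article describes; the 4624 events are what confirms a session.
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    $raw  = @(Get-WinEvent -FilterHashtable @{ LogName = $RdpLog;   Id = 1149; StartTime = $since } -ErrorAction SilentlyContinue)
    $raw += @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue)
    $raw | ForEach-Object { ConvertFrom-EventRecordXml -Xml $_.ToXml() }
}

function Join-RdpAuthWithLogon {
    # For each 1149 record, find a 4624/LogonType 10 for the same account and
    # source address within $WindowSeconds after it. A 1149 with no match is a
    # connection that never became a desktop session.
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$WindowSeconds = 120
    )
    $logons = @($Records | Where-Object { $_.Id -eq 4624 -and $_.Fields['LogonType'] -eq '10' })
    foreach ($a in @($Records | Where-Object { $_.Id -eq 1149 } | Sort-Object Time)) {
        $match = $logons | Where-Object {
            $_.Fields['TargetUserName'] -eq $a.Fields['Param1'] -and
            $_.Fields['IpAddress']      -eq $a.Fields['Param3'] -and
            $_.Time -ge $a.Time -and
            ($_.Time - $a.Time).TotalSeconds -le $WindowSeconds
        } | Select-Object -First 1
        $logonId = if ($match) { $match.Fields['TargetLogonId'] } else { '' }
        [pscustomobject]@{
            Time      = $a.Time
            Account   = '{0}\{1}' -f $a.Fields['Param2'], $a.Fields['Param1']
            Source    = $a.Fields['Param3']
            Confirmed = [bool]$match
            LogonId   = $logonId
        }
    }
}

# Constructed sample events (not real telemetry) so the script runs offline.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
function New-Sample1149 { param($Time, $User, $Domain, $Src)
    "<Event xmlns='$ns'><System><EventID>1149</EventID><TimeCreated SystemTime='$Time'/></System>" +
    "<UserData><EventXML xmlns='Event_NS'><Param1>$User</Param1><Param2>$Domain</Param2><Param3>$Src</Param3></EventXML></UserData></Event>"
}
function New-Sample4624 { param($Time, $User, $Domain, $LogonId, $Type, $Ip)
    "<Event xmlns='$ns'><System><EventID>4624</EventID><TimeCreated SystemTime='$Time'/></System><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='TargetDomainName'>$Domain</Data><Data Name='TargetLogonId'>$LogonId</Data>" +
    "<Data Name='LogonType'>$Type</Data><Data Name='IpAddress'>$Ip</Data></EventData></Event>"
}
$sampleXml = @(
    (New-Sample1149 '2026-04-29T02:10:00Z' 'svc-backup' 'CORP' '10.0.5.23'),
    (New-Sample4624 '2026-04-29T02:10:04Z' 'svc-backup' 'CORP' '0x3e1a2b' 10 '10.0.5.23'),
    (New-Sample1149 '2026-04-29T02:15:30Z' 'jdoe'       'CORP' '10.0.7.41'),
    # network logon (type 3) only: credentials validated, no desktop session
    (New-Sample4624 '2026-04-29T02:15:31Z' 'jdoe'       'CORP' '0x3e9f10' 3  '10.0.7.41'),
    (New-Sample1149 '2026-04-29T02:40:00Z' 'da-admin'   'CORP' '10.0.5.23'),
    (New-Sample4624 '2026-04-29T02:40:03Z' 'da-admin'   'CORP' '0x3f0c91' 10 '10.0.5.23')
)
$records = $sampleXml | ForEach-Object { ConvertFrom-EventRecordXml -Xml $_ }
Join-RdpAuthWithLogon -Records $records | Format-Table -AutoSize
# Against the live logs: Join-RdpAuthWithLogon -Records (Get-RdpEvidence -Days 30)
```

On the constructed sample, the svc-backup and da-admin entries are confirmed by a LogonType 10 logon from the same address, while jdoe's 1149 is followed only by a network logon and stays unconfirmed. Both confirmed sessions originate from 10.0.5.23, which is exactly the kind of pivot host this mapping singles out; piping the output through Group-Object Source gives the per-host view, and Group-Object Account the per-account view.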

This approach reflects a broader “living-off-the-land” strategy, where attackers rely on native Windows tools and logs instead of introducing new binaries that might be flagged by security systems. The result is quiet reconnaissance that blends into normal system activity.

After identifying valuable targets, Qilin proceeds with lateral movement, privilege escalation, and eventually data exfiltration and encryption. The group also employs double extortion—threatening to leak stolen data if ransom demands are not met.

Conclusion

Qilin’s use of RDP log enumeration highlights a shift toward low-noise, intelligence-driven ransomware operations. Security teams should enable PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), alert on scripts and wevtutil invocations that read the TerminalServices logs, and ensure the RemoteConnectionManager/Operational log, Event ID 1149 included, is forwarded and analyzed alongside Security Event ID 4624. Detecting unauthorized use of remote access tools and correlating these event sources can give early warning, often hours before encryption begins, and a critical window in which to respond.
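The defensive side of the conclusion, as an added example that is not part of the original advisory: it checks that Script Block Logging is switched on and that the RDP connection log is enabled and retaining records, then scans 4104 script-block text for queries that read RDP authentication history. The indicator patterns, function names and sample script blocks are our own choices for this example, not the actor's exact command.

```powershell
# Added example, not from the article: defender-side checks for the recon the
# article describes. Registry path and log names are the standard Windows ones;
# the indicator regexes and sample script blocks are assumptions made here.

$RdpLog       = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$PsOpLog      = 'Microsoft-Windows-PowerShell/Operational'
$SblPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Test-LoggingPrerequisites {
    # Script Block Logging produces Event ID 4104; without it the recon below
    # is invisible. The RDP operational log is on by default but an attacker
    # can disable it or shrink it so that history rolls off quickly.
    $sbl = Get-ItemProperty -Path $SblPolicyKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $rdp = Get-WinEvent -ListLog $RdpLog -ErrorAction SilentlyContinue
    $records = 0; $maxMB = 0
    if ($rdp) { $records = $rdp.RecordCount; $maxMB = [math]::Round($rdp.MaximumSizeInBytes / 1MB, 1) }
    [pscustomobject]@{
        ScriptBlockLogging = [bool]($sbl -and $sbl.EnableScriptBlockLogging -eq 1)
        RdpLogEnabled      = [bool]($rdp -and $rdp.IsEnabled)
        RdpLogRecords      = $records
        RdpLogMaxSizeMB    = $maxMB
    }
}

function Test-RdpHistoryQuery {
    # Flag script text that both reads an event log and targets RDP history.
    # Requiring both halves keeps ordinary Get-WinEvent use out of the alert.
    param([Parameter(Mandatory)][string]$ScriptText)
    $readsLog   = $ScriptText -match 'Get-WinEvent|Get-EventLog|wevtutil(\.exe)?\s+qe|System\.Diagnostics\.Eventing\.Reader'
    $targetsRdp = $ScriptText -match 'TerminalServices-(RemoteConnectionManager|LocalSessionManager)|\b1149\b'
    $targetsSec = $ScriptText -match '\b4624\b'
    [pscustomobject]@{
        Suspicious       = ($readsLog -and $targetsRdp)
        CorrelatesLogons = ($readsLog -and $targetsRdp -and $targetsSec)   # 1149 + 4624 in one script
        Snippet          = $ScriptText.Substring(0, [math]::Min(80, $ScriptText.Length))
    }
}

function Get-SuspiciousScriptBlocks {
    # Live scan of 4104 events. Properties[2] is ScriptBlockText; UserId is the
    # SID of the account that ran the script.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = $PsOpLog; Id = 4104; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $r = Test-RdpHistoryQuery -ScriptText $_.Properties[2].Value
            if ($r.Suspicious) {
                [pscustomobject]@{ Time = $_.TimeCreated; UserSid = $_.UserId; Correlates = $r.CorrelatesLogons; Snippet = $r.Snippet }
            }
        }
}

# Constructed sample script-block texts (not real telemetry) to exercise the logic offline.
$samples = @(
    "Get-WinEvent -FilterHashtable @{LogName='$RdpLog';Id=1149} | Select-Object TimeCreated,@{n='User';e={`$_.Properties[0].Value}}",
    "wevtutil qe $RdpLog /q:`"*[System[EventID=1149]]`" /f:text /c:500",
    "Get-WinEvent -ListLog * | Where-Object RecordCount -gt 0",
    "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
    "`$a=Get-WinEvent -LogName '$RdpLog' -MaxEvents 1000; `$b=Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624}"
)
$samples | ForEach-Object { Test-RdpHistoryQuery -ScriptText $_ } | Format-Table -AutoSize
Test-LoggingPrerequisites
# On a live host: Get-SuspiciousScriptBlocks -Days 7
```

Of the five constructed samples, the first, second and fifth are flagged (the fifth additionally as a 1149/4624 correlation), while the log inventory and process listing are not. The same two-part test works as a SIEM rule over forwarded 4104 events, and Test-LoggingPrerequisites is worth running as a scheduled baseline check so that a disabled or shrunken RDP log is itself an alert.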

Source

https://cybersecuritynews.com/qilin-ransomware-enumerates-rdp-authentication/