
Qilin Ransomware Adopts Stealthy RDP History Enumeration to Map Victim Networks

dark6 1 May 2026

Qilin ransomware, one of the most prolific and dangerous threat actors in today’s cybersecurity landscape, has been observed employing a stealthy new reconnaissance technique. Researchers have identified the group enumerating Remote Desktop Protocol (RDP) authentication history on compromised servers — a quiet, built-in method that allows operators to map an entire network without triggering standard detection tools.

Background: From Minor Player to Major Threat

Qilin, also known as Agenda, is a Ransomware-as-a-Service (RaaS) group believed to be based in Russia. When it first emerged in July 2022, it attracted little attention from the cybersecurity community. By 2023, however, the group had begun accelerating its operations, claiming 45 attacks and launching campaigns against critical sectors including healthcare, manufacturing, finance, and government agencies.

By 2025, Qilin had already surpassed 700 confirmed attacks in a single year, making it one of the most prolific ransomware operators on record. Victims have included NHS hospitals in London and county government systems across the United States, demonstrating that no sector is immune from the group’s reach.

Initial Access and Lateral Movement Tactics

Qilin typically gains initial access through spearphishing emails, exploitation of known software vulnerabilities, or by abusing Remote Monitoring and Management (RMM) tools. Once inside a network, attackers focus on expanding their foothold quietly, using living-off-the-land techniques that blend into normal system activity to avoid triggering security alerts.

The group also employs double extortion: encrypting victim data while simultaneously threatening to leak it publicly unless the ransom demand is met. This dual pressure places enormous strain on victim organizations and significantly increases the likelihood of ransom payment.

The New RDP Enumeration Technique

Maurice Fielenbach, an Information Security Researcher at Hexastrike, recently identified a particularly sharp reconnaissance move by Qilin operators on a compromised server. He observed the group using a single PowerShell command to pull every Event ID 1149 entry (Remote Desktop Services: user authentication succeeded) from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log.

This single query gave the attackers a complete map of:

  • Which accounts had used RDP on the host.
  • Which client systems had connected to it via remote desktop.
  • Which accounts appeared privileged enough to be worth targeting next for lateral movement.

The script was delivered through a rogue ScreenConnect installation during the intrusion phase, highlighting the group’s continued abuse of legitimate RMM software for malicious access.

Why This Technique Is So Effective

What makes this behavior particularly dangerous is the minimal noise it creates. Rather than running loud network scans or Active Directory enumeration tools that modern security systems are specifically designed to detect, Qilin used a built-in Windows logging mechanism to gather all the reconnaissance data it needed.

This calculated approach reflects a broader shift in how sophisticated ransomware groups operate before initiating encryption. By relying on native operating system features, the group significantly reduces the risk of detection during the critical lateral movement phase — the period between initial compromise and ransomware deployment when defenders have the best opportunity to intervene.

Defensive Recommendations

Organizations should take the following steps to defend against this and similar RDP enumeration techniques:

  • Monitor Event ID 1149: Alert on unusual queries or bulk reads of Terminal Services operational logs, especially via PowerShell.
  • Restrict RMM tool usage: Audit all legitimate RMM tools in use and ensure only authorized installations are permitted.
  • Limit RDP exposure: Disable RDP where it is not required and ensure it is never directly exposed to the internet.
  • Enable MFA on all RDP access: Multi-factor authentication significantly limits the value of stolen RDP credentials.
  • Implement network segmentation: Restrict lateral movement by segmenting networks and limiting RDP connectivity between systems.
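One way to act on the first recommendation, as an added PowerShell hunt written for this article (not code from Hexastrike or the researcher): it searches PowerShell script-block logs (Event ID 4104) for fragments that read the RDP RemoteConnectionManager log, assuming Script Block Logging is enabled; the 7-day window and the regex are choices made for this example.

```powershell
# Added example: hunt for script blocks that read the RDP connection history.
# Assumes PowerShell Script Block Logging is enabled (it writes Event ID 4104 to
# Microsoft-Windows-PowerShell/Operational). Lookback window and pattern are
# choices made for this example, not values from the article.

$RdpLogName = 'TerminalServices-RemoteConnectionManager'
# Match any script block that names the RDP operational log, or that pairs
# Event ID 1149 with a Terminal Services log reference (PowerShell -match is
# case-insensitive by default).
$Pattern = "$RdpLogName|1149.*TerminalServices|TerminalServices.*1149"

$Filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-7)
}
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Hits = foreach ($e in $Events) {
    # For Event ID 4104, Properties[2] carries the ScriptBlockText fragment
    # and Properties[4] the script path (empty for interactive or in-memory code).
    $text = [string]$e.Properties[2].Value
    if ($text -match $Pattern) {
        $snippet = ($text -replace '\s+', ' ').Trim()
        if ($snippet.Length -gt 200) { $snippet = $snippet.Substring(0, 200) + '...' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            UserSid     = $e.UserId        # account that ran the script block
            ScriptPath  = $e.Properties[4].Value
            Snippet     = $snippet
        }
    }
}

if ($Hits) {
    $Hits | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
} else {
    "No script blocks referencing $RdpLogName in the last 7 days."
}
```

An empty ScriptPath means the code ran from memory or an interactive session rather than from a .ps1 on disk, which deserves a closer look when the parent process is an RMM agent; reads performed with wevtutil or the Event Viewer GUI will not appear in 4104 and need process-creation telemetry instead.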

As Qilin continues to evolve its tactics, defenders must move beyond signature-based detection and focus on behavioral analytics capable of identifying living-off-the-land techniques that exploit legitimate Windows features.
