Warning: Dangerous Qilin Hack Steals Your Private RDP Logs

In the world of ransomware, the loudest move is the encryption itself. But the most dangerous move happens days earlier, in total silence. Qilin ransomware (also known as Agenda) has officially graduated from a mid-tier threat to a top-tier predator by adopting a “living-off-the-land” reconnaissance technique that bypasses traditional security alerts.

Believed to be of Russian origin, Qilin has exploded in activity. After a massive 2024 that saw the group paralyze London’s NHS services—canceling over 6,000 appointments—the group has reached a grim milestone in April 2026: surpassing 1,800 total victims since its inception. Their latest weapon? A specialized script that turns your own Windows logs into a roadmap for their next attack.


The Stealth Move: Enumerating RDP History

Recently, security researchers at Hexastrike identified a sharp tactical shift. Instead of running noisy network scanners that trigger “Port Scan” alerts, Qilin operators are now using a simple PowerShell command to harvest RDP authentication history.

How It Works:

The attackers query Event ID 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log.

  • What they get: A complete list of usernames, domain names, and source IP addresses that have ever requested a Remote Desktop connection to that server.
  • The Result: In seconds, the attackers have a prioritized list of high-value admin accounts and the “jump boxes” they use to manage the network.

Why This Bypasses Most SIEMs

Most organizations focus their security monitoring on the “Security” event log. However, Event ID 1149 lives in a specific “Operational” sub-log that many teams don’t even ingest into their SIEM.

Because this log records the request for a connection (not necessarily a successful login), it provides a “ghost” history of who has tried to reach the machine. By the time an admin notices a rogue ScreenConnect installation—the group’s favorite persistence tool—Qilin has already mapped every privileged path in the building.


Inside the Qilin Playbook: Double Extortion 2.0

Qilin’s success isn’t just technical; it’s psychological. They employ a ruthless double extortion model:

  1. Encryption: Your servers are locked with a Rust-based payload, designed for maximum speed and cross-platform destruction.
  2. Public Doxxing: If the ransom isn’t paid, sensitive data is leaked on a public Tor site. In the case of the Cobb County Government and London NHS, this included everything from autopsy photos to private medical records.

Detection & Defense: What Your Team Must Do Now

To catch a Qilin intrusion before the encryption begins, security teams must look for the “fingerprints” of their recon phase:

  • Monitor PowerShell ScriptBlocks: Enable ScriptBlock Logging (Event ID 4104). There is virtually no legitimate reason for a standard process to query the RemoteConnectionManager operational logs via PowerShell.
  • Watch for “Shadow” RMM: Flag any unauthorized presence of ScreenConnect, AnyDesk, or Atera. Qilin frequently uses these tools to push their RDP-scanning scripts.
  • Log Forwarding: Ensure that Terminal Services Operational logs are being forwarded to your SIEM for analysis, not just the standard Security logs.
  • MFA is Mandatory: Since Qilin relies heavily on stolen RDP credentials, Multi-Factor Authentication is the single most effective barrier to their lateral movement.
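Detection logic for the first and third bullets above, as an added example that is not from the post or from Hexastrike: a Python routine that scans exported ScriptBlock Logging (Event ID 4104) records for script text that reads the RemoteConnectionManager/Operational log or filters on Event ID 1149. The record layout and the sample events are constructed assumptions, not a real SIEM export.

```python
import re
from typing import Optional

# Constructed sample records shaped like PowerShell ScriptBlock Logging events
# (Event ID 4104) after export from a SIEM; they are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "jump01.corp.example", "User": "CORP\\svc_backup",
     "ScriptBlockText": "Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-"
                        "RemoteConnectionManager/Operational' | Where-Object { $_.Id -eq 1149 }"},
    {"EventID": 4104, "Computer": "ws42.corp.example", "User": "CORP\\alice",
     "ScriptBlockText": "Get-ChildItem C:\\Temp -Recurse | Remove-Item -Force"},
    {"EventID": 4104, "Computer": "dc01.corp.example", "User": "CORP\\admin_t1",
     "ScriptBlockText": "wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager"
                        "/Operational /q:\"*[System[EventID=1149]]\" /f:text"},
    {"EventID": 4104, "Computer": "dc01.corp.example", "User": "CORP\\admin_t1",
     "ScriptBlockText": "Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624}"},
    # A non-4104 record is skipped even though its text would match.
    {"EventID": 4688, "Computer": "ws42.corp.example", "User": "CORP\\alice",
     "ScriptBlockText": "Get-WinEvent -LogName Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"},
]

# Log names are case-insensitive on Windows, so match accordingly. Naming the
# log alone is worth a look; naming the log and Event ID 1149 together is the
# exact pattern described in the post and gets the higher severity.
RDP_LOG_RE = re.compile(r"TerminalServices-RemoteConnectionManager\s*/\s*Operational", re.IGNORECASE)
EVENT_1149_RE = re.compile(r"(?<!\d)1149(?!\d)")

def classify_script_block(text: str) -> Optional[str]:
    """Return 'high', 'medium' or None for one ScriptBlockText value."""
    if not RDP_LOG_RE.search(text):
        return None
    return "high" if EVENT_1149_RE.search(text) else "medium"

def find_rdp_recon(events: list) -> list:
    """Scan exported records and return one finding per suspicious 4104 block."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # only ScriptBlock Logging records carry the script text
        severity = classify_script_block(ev.get("ScriptBlockText", ""))
        if severity:
            findings.append({"severity": severity, "computer": ev["Computer"],
                             "user": ev["User"]})
    return findings

if __name__ == "__main__":
    for f in find_rdp_recon(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['computer']} by {f['user']}")
```

Tune the severity rules to your environment: an administrator who legitimately audits RDP history from a known jump host can be allow-listed by Computer and User before the finding is raised.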
