
Introduction:
Adversaries are increasingly abandoning noisy network scanners in favor of living-off-the-land (LOTL) techniques that abuse native operating system capabilities. The Qilin ransomware group has been observed using a single PowerShell command to extract every successful RDP authentication from a compromised host’s Event Log, mapping usernames, domains, and source client IPs in seconds. This technique provides attackers with a clean, low-noise map of privileged accounts and potential pivot targets without triggering traditional endpoint detection.
Learning Objectives:
- Detect and analyze RDP authentication history enumeration using Event ID 1149.
- Implement PowerShell ScriptBlock Logging to capture malicious commands in real time.
- Identify rogue remote access tools (ScreenConnect, Atera, AnyDesk) and Defender tampering artifacts linked to Qilin activity.
You Should Know:
1. Extracting RDP Authentication History with Event ID 1149
The core technique leverages the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log. Every time a user successfully authenticates via RDP, Windows logs Event ID 1149, which contains the username, domain, and source client address. Qilin’s command retrieves all these entries in a single query.
Step‑by‑step guide – what this does and how to use it:
Attackers run the following PowerShell command on a compromised Windows host:
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" | Where-Object { $_.Id -eq 1149 } | ForEach-Object { $_.Properties[0].Value + " " + $_.Properties[1].Value + " " + $_.Properties[2].Value }
– `Get-WinEvent` reads the specified operational log.
– `Where-Object { $_.Id -eq 1149 }` filters only successful RDP authentication events.
– The `ForEach-Object` extracts three properties: username (index 0), domain (index 1), and source client IP/hostname (index 2).
Alternative using `wevtutil` (Command Prompt):
wevtutil qe "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" /f:text /rd:true /c:50 | findstr /i /c:"Event ID: 1149" /c:"User:" /c:"Domain:" /c:"Source Network Address:"
To mimic hunting for this activity in your environment:
# Hunt for the exact command in PowerShell ScriptBlock Logging (Event ID 4104)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object { $_.Message -match "Get-WinEvent.*1149" }
Linux-side log analysis (if forwarding Windows logs to a syslog server):
grep -E "1149.*RemoteConnectionManager" /var/log/syslog | awk -F'User:|Domain:|Client:' '{print $2, $3, $4}'
2. Catching the Query with PowerShell ScriptBlock Logging
PowerShell ScriptBlock Logging (Event ID 4104) records the full command text of every PowerShell script or command executed, including the one‑liners used by Qilin. There is virtually no benign reason for a non‑administrative process to run a full RDP history query.
Step‑by‑step guide – enable and hunt:
Enable ScriptBlock Logging via Group Policy:
- Navigate to `Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell`
- Set “Turn on PowerShell ScriptBlock Logging” to Enabled.
- Also enable “Turn on PowerShell Transcription” for additional capture.
Detection query using `Get-WinEvent`:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object { $_.Message -match "Get-WinEvent.*TerminalServices" -or $_.Message -match "1149" }
To test if logging is active:
# Run this test command – it should generate Event ID 4104
Write-Host "Testing ScriptBlock Logging"
Then check: `Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object Id -eq 4104 | Select-Object -First 1`
Proactive hunting via Sysmon (Event ID 1 – ProcessCreation):
<!-- Sysmon config snippet to log PowerShell commands -->
<ProcessCreate onmatch="include">
  <CommandLine condition="contains">Get-WinEvent</CommandLine>
  <CommandLine condition="contains">1149</CommandLine>
</ProcessCreate>
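Putting the 4104 hunts from sections 1 and 2 together, here is an added PowerShell function (not from the original post) that reads the ScriptBlockText property of each 4104 record instead of the rendered Message, requires both a log-reading tool and a reference to the RDP log or its event ID, and lets you skip your own approved hunting scripts by path so the SOC's queries do not trigger it. The function name and parameters are assumptions; it assumes ScriptBlock Logging is enabled and the caller can read the PowerShell/Operational log.

```powershell
function Find-RdpHistoryEnumeration {
    [CmdletBinding()]
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        # Full paths of your own approved hunting scripts; their 4104 records are skipped
        [string[]]$AllowedScriptPath = @()
    )
    # A hit needs both a log-reading cmdlet/tool AND a reference to the RDP log or its event ID
    $readers = 'Get-WinEvent|wevtutil|Get-EventLog|EventLogReader|EventLogQuery'
    $targets = 'TerminalServices-RemoteConnectionManager|\b1149\b'

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 property layout: 0=MessageNumber 1=MessageTotal 2=ScriptBlockText 3=ScriptBlockId 4=Path
        $text = [string]$_.Properties[2].Value
        $path = [string]$_.Properties[4].Value
        if ($path -and ($AllowedScriptPath -contains $path)) { return }   # skip approved tooling
        if ($text -match $readers -and $text -match $targets) {
            $flat = $text -replace '\s+', ' '
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                UserSid       = $_.UserId
                ScriptBlockId = $_.Properties[3].Value
                Part          = "$($_.Properties[0].Value)/$($_.Properties[1].Value)"
                ScriptPath    = if ($path) { $path } else { '<command line / interactive>' }
                Excerpt       = $flat.Substring(0, [Math]::Min(160, $flat.Length))
            }
        }
    }
}
# Example run: last 7 days, newest first
Find-RdpHistoryEnumeration | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

A hit whose ScriptPath is shown as command line / interactive is the shape of a pasted one-liner; hits that come from a file under your own tooling directory are the ones to pass in via -AllowedScriptPath.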
3. Identifying Rogue Remote Access Tools – The Qilin Fingerprint
According to the threat report, Qilin delivered the RDP‑harvesting script via a rogue ScreenConnect instance. The same host may also show signs of Total Software Deployment, Atera, or AnyDesk installations alongside Defender tampering events.
Step‑by‑step guide – detect unauthorized remote access tools:
Windows registry checks for installed remote tools:
# ScreenConnect (ConnectWise Control)
Get-ItemProperty "HKLM:\SOFTWARE\WOW6432Node\ScreenConnect\" -Name InstallPath -ErrorAction SilentlyContinue
# Atera
Get-ItemProperty "HKLM:\SOFTWARE\ATERA Networks\" -ErrorAction SilentlyContinue
# AnyDesk
Get-ItemProperty "HKLM:\SOFTWARE\AnyDesk" -ErrorAction SilentlyContinue
# Total Software Deployment (wildcards are needed for -like to match a substring)
Get-Service | Where-Object { $_.DisplayName -like "*Total Software*" -or $_.DisplayName -like "*TSD*" }
List running processes from these vendors:
tasklist /fi "IMAGENAME eq ScreenConnect.exe" /fi "IMAGENAME eq AnyDesk.exe" /fi "IMAGENAME eq AteraAgent.exe"
Linux command to scan for unexpected remote access (if managing Windows remotely):
# Using nmap to detect open RDP and common remote tool ports on a suspect host
nmap -p 3389,8040,7070,50000-50030 <target-ip> --open
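The per-tool checks above can be folded into one sweep. This added PowerShell function (not from the original post) looks for the tools named in this section across the Uninstall registry in both 64- and 32-bit views, services, running processes and listening ports; the function name, the name list and the port list (taken from the nmap line above) are assumptions to adjust for your environment.

```powershell
function Find-RemoteAccessTools {
    param(
        [string[]]$Names = @('ScreenConnect', 'ConnectWise', 'Atera', 'AnyDesk', 'Total Software Deployment'),
        # RDP plus the ports the article scans with nmap
        [int[]]$Ports = @(3389, 8040, 7070) + (50000..50030)
    )
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $found = [System.Collections.Generic.List[object]]::new()
    $add = { param($Src, $Name, $Detail) $found.Add([pscustomobject]@{ Source=$Src; Name=$Name; Detail=$Detail }) }

    # Installed software from both registry views
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        ForEach-Object { Get-ItemProperty $_ -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -match $pattern } |
        ForEach-Object { & $add 'Uninstall' $_.DisplayName "$($_.Publisher) $($_.DisplayVersion) $($_.InstallDate)" }

    # Services: remote agents are normally installed as auto-start services that survive reboots
    Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
        ForEach-Object { & $add 'Service' $_.Name "$($_.State) $($_.StartMode) $($_.PathName)" }

    # Running processes with their command lines
    Get-CimInstance Win32_Process | Where-Object { $_.Name -match $pattern -or $_.CommandLine -match $pattern } |
        ForEach-Object { & $add 'Process' $_.Name "PID $($_.ProcessId) $($_.CommandLine)" }

    # Listening ports commonly associated with RDP and these tools
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object { & $add 'Port' "tcp/$($_.LocalPort)" "owning PID $($_.OwningProcess)" }

    $found
}
Find-RemoteAccessTools | Format-Table -AutoSize
```

Compare the Uninstall and Service rows against your asset inventory: a remote agent that is present but was never approved is the indicator the section describes, not the tool name by itself.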
4. Microsoft Defender Tampering Events – Another Red Flag
Qilin actors frequently disable or tamper with Defender before encryption. Look for specific Event IDs from the Windows Defender Operational log.
Step‑by‑step guide – detect Defender tampering:
Check for Event ID 5007 (configuration changed) and Event ID 5001 (real‑time protection disabled):
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=5007,5001} | Select-Object TimeCreated, Message
Manual verification of Defender status:
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled
To detect if Defender exclusions were added:
Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess
Hunting correlation query – combine RDP harvesting + Defender tampering:
$rdpEvents = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; ID=1149} -MaxEvents 10
$defenderEvents = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=5007} -MaxEvents 10
if ($rdpEvents -and $defenderEvents) { Write-Host "Potential Qilin timeline overlap" }
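The correlation above only tells you that both kinds of event exist. This added PowerShell function (not from the original post) builds one time-ordered timeline from the RDP connection log, ScriptBlock Logging and the Defender log, then flags each RDP-history query that has a Defender tampering event within a configurable window. The function name and the 60-minute default window are assumptions; it assumes local administrator rights to read all three logs.

```powershell
function Get-RdpDefenderTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-3), [int]$WindowMinutes = 60)
    $events = [System.Collections.Generic.List[object]]::new()
    $add = { param($Time, $Kind, $Detail) $events.Add([pscustomobject]@{ Time=$Time; Kind=$Kind; Detail=$Detail }) }

    # 1149: successful RDP authentication; properties 0..2 = user, domain, source address
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'; Id=1149; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object { & $add $_.TimeCreated 'RDP-Logon' "$($_.Properties[1].Value)\$($_.Properties[0].Value) from $($_.Properties[2].Value)" }

    # 4104: script blocks that read the RDP log (ScriptBlockText is property 2, ScriptBlockId is 3)
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$Since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match 'TerminalServices-RemoteConnectionManager|\b1149\b' } |
        ForEach-Object { & $add $_.TimeCreated 'RDP-Enum' "script block $($_.Properties[3].Value) by $($_.UserId)" }

    # Defender: 5001 = real-time protection disabled, 5007 = configuration changed (exclusions etc.)
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; Id=5001,5007; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object { & $add $_.TimeCreated "Defender-$($_.Id)" (($_.Message -split "`n")[0].Trim()) }

    $timeline = $events | Sort-Object Time
    # Flag every enumeration that has a tampering event within +/- $WindowMinutes
    $overlaps = @(foreach ($e in ($timeline | Where-Object Kind -eq 'RDP-Enum')) {
        foreach ($t in ($timeline | Where-Object Kind -like 'Defender-*')) {
            if ([Math]::Abs(($t.Time - $e.Time).TotalMinutes) -le $WindowMinutes) {
                [pscustomobject]@{ Enumeration=$e.Time; Tampering=$t.Time; Kind=$t.Kind; Detail=$t.Detail }
            }
        }
    })
    [pscustomobject]@{ Timeline=$timeline; Overlaps=$overlaps }
}
$result = Get-RdpDefenderTimeline
$result.Timeline | Format-Table Time, Kind, Detail -AutoSize
if ($result.Overlaps.Count -gt 0) { $result.Overlaps | Format-Table -AutoSize } else { 'No enumeration/tampering overlap inside the window' }
```

Reading the full timeline, not just the overlaps, shows which RDP logon preceded the enumeration and therefore which account the query most likely ran under.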
5. Mitigation and Hardening Against LOTL RDP Enumeration
Preventing this technique requires both configuration hardening and active monitoring.
Step‑by‑step guide – reduce attacker visibility:
Restrict who can read the RDP Operational log:
- By default, only Administrators and SYSTEM can read it. Use `wevtutil gl` to verify permissions.
- Consider using Windows Event Forwarding (WEF) to ship these logs to a SIEM, then disable local access to the log for all non‑admin accounts.
Network‑level controls:
- Limit RDP source IPs using Windows Firewall or a jump host.
- Enable Network Level Authentication (NLA), which requires authentication before the logon screen is presented – it still generates Event ID 1149, but it adds an extra layer of protection.
Linux hardening (if hosting RDP gateway services like xrdp):
# Limit xrdp access via iptables
iptables -A INPUT -p tcp --dport 3389 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3389 -j DROP
Deploy custom detection Sigma rule:
title: Qilin RDP History Enumeration
id: 4f8b2a1c-9e3d-4f5a-8b2e-1c7d3f5a6b8e
status: experimental
description: Detects PowerShell command retrieving Event ID 1149 from RDP operational log
references:
  - https://www.linkedin.com/posts/maurice-fielenbach_...   # threat intel
logsource:
  product: windows
  service: powershell
detection:
  selection:
    EventID: 4104
    # all three substrings must appear; a plain |contains list would fire on any Get-WinEvent call
    ScriptBlockText|contains|all:
      - 'Get-WinEvent'
      - '1149'
      - 'TerminalServices-RemoteConnectionManager'
  condition: selection
6. Incident Response Playbook for Suspected Qilin Pivoting
If you detect the RDP enumeration command or associated rogue tools, act immediately.
Step‑by‑step guide – contain and investigate:
1. Isolate the host – cut network connectivity but preserve memory for forensics.
2. Capture volatile data:
# Extract RDP history before the adversary deletes logs
wevtutil epl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" C:\IR\rdp_logs.evtx
3. Pull PowerShell history files:
Get-ChildItem -Path $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -Recurse | ForEach-Object { Copy-Item $_.FullName C:\IR\ }
4. Check for scheduled tasks or WMI persistence:
schtasks /query /fo LIST /v > C:\IR\tasks.txt
wmic process get caption,commandline > C:\IR\processes.txt
5. Review authentication logs for lateral movement (Event ID 4624 with Logon Type 10 – RDP):
# Properties[8] of a 4624 event is LogonType; 10 = RemoteInteractive (RDP)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object { $_.Properties[8].Value -eq 10 }
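Steps 2 to 5 of the playbook can be run as one collection script. This added PowerShell script (not from the original post) exports the relevant event logs first, copies every user's PSReadLine history rather than only the current user's, dumps scheduled tasks and processes, extracts Type-10 logons with their source addresses, and writes a SHA-256 manifest of everything collected. The C:\Users profile layout and the 4624 property indices are assumptions about a standard Windows build.

```powershell
$Out = 'C:\IR'                                   # collection directory from the playbook above
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'

# 1. Event logs an adversary is most likely to clear: export the .evtx files first
$logs = @{
    rdp      = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
    ps       = 'Microsoft-Windows-PowerShell/Operational'
    defender = 'Microsoft-Windows-Windows Defender/Operational'
    security = 'Security'
}
foreach ($k in $logs.Keys) { wevtutil epl $logs[$k] (Join-Path $Out "${k}_$stamp.evtx") }

# 2. PSReadLine history for every profile on the host, not only the current user
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user = $_.FullName.Split('\')[2]        # C:\Users\<user>\...
        Copy-Item $_.FullName (Join-Path $Out "pshistory_${user}_$stamp.txt")
    }

# 3. Persistence and process snapshot
schtasks /query /fo LIST /v | Out-File (Join-Path $Out "tasks_$stamp.txt")
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine |
    Export-Csv (Join-Path $Out "processes_$stamp.csv") -NoTypeInformation

# 4. RDP logons: 4624 with LogonType 10; properties 5=account, 6=domain, 8=type, 18=source IP
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 10 } |
    Select-Object TimeCreated,
        @{n='Account';  e={ "$($_.Properties[6].Value)\$($_.Properties[5].Value)" }},
        @{n='SourceIp'; e={ $_.Properties[18].Value }} |
    Export-Csv (Join-Path $Out "rdp_logons_$stamp.csv") -NoTypeInformation

# 5. SHA-256 manifest so the collection can be verified later (chain of custody)
Get-ChildItem $Out -File | Where-Object Name -NotLike 'manifest_*' |
    Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash |
    Export-Csv (Join-Path $Out "manifest_$stamp.csv") -NoTypeInformation
```

Run it from an elevated session after the host is isolated; copy the manifest off the host with the evidence so the hashes can be checked independently.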
What Undercode Say:
- Living off the land remains the most dangerous evasion tactic – Qilin’s use of native `Get-WinEvent` bypasses many EDRs that only monitor suspicious binaries.
- Event logging is a double‑edged sword – while Event ID 1149 is essential for IT troubleshooting, it becomes an attacker’s map when combined with PowerShell. Defenders must aggressively monitor who queries those logs.
- Rogue remote access tools are a stronger indicator than the command itself – finding ScreenConnect, Atera, or AnyDesk on a server alongside PowerShell enumeration is nearly a direct Qilin signature.
- ScriptBlock Logging is non‑negotiable – without it, the RDP harvesting command leaves almost no trace in default Windows auditing. Enable it across all domain controllers and critical servers.
Prediction:
Qilin’s technique will soon be adopted by other ransomware groups and initial access brokers, shifting from noisy port scanning to silent Event Log mining. As more defenders enable ScriptBlock Logging, adversaries will likely pivot to alternative data sources – such as WMI repository or registry querying of Terminal Services client settings – or use .NET reflection to read logs without spawning PowerShell. The future will see defenders building detection specifically for log‑reader APIs and memory‑based enumeration, while attackers invest in log tampering and deletion to erase their footsteps.
Reported By: Mauricefielenbach Threatintel – Hackers Feeds