T1108

Redundant Access

Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. This deprecated technique has been superseded by T1136 (Create Account), T1505/003 (Web Shell), and T1133 (External Remote Services), but the underlying adversary behavior — establishing backup access channels in parallel — remains a critical detection target. Observable patterns include simultaneous deployment of web shells alongside account creation, installation of multiple remote access services within a short window, and evidence of access from multiple distinct toolsets or protocols to the same target environment.

Microsoft Sentinel / Defender

kusto

// Detect multiple distinct remote access mechanisms established within 24h on the same device
// Covers web shell drops, remote service installs, new local/domain accounts, and external remote tool execution
let LookbackWindow = 24h;
let RemoteAccessBinaries = dynamic([
  "ngrok.exe", "frpc.exe", "frps.exe", "chisel.exe", "plink.exe", "putty.exe",
  "mRemoteNG.exe", "AnyDesk.exe", "TeamViewer.exe", "ScreenConnect.exe",
  "LogMeIn.exe", "VNCviewer.exe", "vncserver.exe", "psexec.exe", "psexesvc.exe",
  "mstsc.exe", "winscp.exe", "ssh.exe", "sshd.exe"
]);
let WebShellExtensions = dynamic([".asp", ".aspx", ".php", ".jsp", ".jspx", ".shtml"]);
let WebServerPaths = dynamic(["\\inetpub\\", "\\wwwroot\\", "\\htdocs\\", "\\www\\", "\\webapps\\"]);
// Signal 1: New account creation
let NewAccounts = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID in (4720, 4726, 4738)
| project TimeGenerated, DeviceName=Computer, AccountName=TargetUserName, Signal="AccountCreatedOrModified";
// Signal 2: Remote access tool execution
let RemoteToolExec = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ (RemoteAccessBinaries)
   or (ProcessCommandLine has_any ("ngrok", "frpc", "chisel", "ligolo") and ProcessCommandLine has_any ("tcp", "http", "tunnel", "connect", "proxy"))
| project TimeGenerated=Timestamp, DeviceName, AccountName, Signal="RemoteAccessToolExecution", Detail=strcat(FileName, " | ", ProcessCommandLine);
// Signal 3: Remote service installation
let RemoteServiceInstall = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID in (7045, 4697)
| where ServiceName has_any ("vnc", "rdp", "ssh", "remote", "screen", "anydesk", "teamviewer", "logmein")
   or ServiceFileName has_any ("ngrok", "frpc", "chisel", "plink", "psexec")
| project TimeGenerated, DeviceName=Computer, AccountName=SubjectUserName, Signal="RemoteServiceInstalled", Detail=ServiceName;
// Signal 4: Web shell written to web server path
let WebShellDrop = DeviceFileEvents
| where Timestamp > ago(LookbackWindow)
| where FolderPath has_any (WebServerPaths)
| where FileName has_any (WebShellExtensions)
| where InitiatingProcessFileName !in~ ("w3wp.exe", "httpd.exe", "nginx.exe", "iisexpress.exe")
| project TimeGenerated=Timestamp, DeviceName, AccountName, Signal="WebShellDropped", Detail=strcat(FolderPath, "\\", FileName);
// Signal 5: Registry run key modification for remote access persistence
let RegistryPersist = DeviceRegistryEvents
| where Timestamp > ago(LookbackWindow)
| where RegistryKey has_any ("\\Run\\", "\\RunOnce\\", "\\Services\\")
| where RegistryValueData has_any ("ngrok", "frpc", "chisel", "anydesk", "teamviewer", "vnc", "rdp")
| project TimeGenerated=Timestamp, DeviceName, AccountName, Signal="PersistenceRegistryKey", Detail=strcat(RegistryKey, " = ", RegistryValueData);
// Union all signals and find devices with 2 or more distinct signal types
let AllSignals = union NewAccounts, RemoteToolExec, RemoteServiceInstall, WebShellDrop, RegistryPersist;
AllSignals
| summarize
    SignalCount=count(),
    DistinctSignals=dcount(Signal),
    SignalTypes=make_set(Signal),
    Details=make_set(Detail),
    Earliest=min(TimeGenerated),
    Latest=max(TimeGenerated)
  by DeviceName
| where DistinctSignals >= 2
| extend TimeWindowMinutes = datetime_diff('minute', Latest, Earliest)
| project DeviceName, DistinctSignals, SignalTypes, Details, Earliest, Latest, TimeWindowMinutes
| sort by DistinctSignals desc, TimeWindowMinutes asc

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Windows Registry: Registry Key Modification User Account: User Account Creation Service: Service Creation Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceRegistryEvents SecurityEvent

False Positives

IT administrators legitimately installing multiple remote management tools (RMM agents, VNC, RDP helpers) during system provisioning or maintenance windows
Software deployment pipelines (SCCM, Intune, Ansible) creating local service accounts and installing remote access agents as part of automated onboarding
Penetration testing engagements where multiple access mechanisms are intentionally deployed — coordinate with red team to suppress expected signals
DevOps/CI pipelines that install SSH, tunnel tools, and create service accounts in sequence during automated deployment jobs
Security teams deploying honeypot infrastructure where multiple remote access mechanisms are intentionally created to attract attackers

Splunk

spl

| union
  [ search index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4720 OR EventCode=4726 OR EventCode=4738)
    | eval Signal="AccountCreatedOrModified", DeviceName=host, Detail=TargetUserName
    | table _time, DeviceName, Signal, Detail ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      (Image="*\ngrok.exe" OR Image="*\frpc.exe" OR Image="*\chisel.exe" OR Image="*\plink.exe"
       OR Image="*\AnyDesk.exe" OR Image="*\TeamViewer.exe" OR Image="*\ScreenConnect.exe"
       OR Image="*\vncviewer.exe" OR Image="*\vncserver.exe" OR Image="*\psexec.exe"
       OR (CommandLine="*ngrok*" AND (CommandLine="*tcp*" OR CommandLine="*http*" OR CommandLine="*tunnel*"))
       OR (CommandLine="*frpc*" AND CommandLine="*connect*"))
    | eval Signal="RemoteAccessToolExecution", DeviceName=host, Detail=mvjoin(mvappend(Image, CommandLine)," | ")
    | table _time, DeviceName, Signal, Detail ]
  [ search index=wineventlog sourcetype="WinEventLog:System" (EventCode=7045 OR EventCode=4697)
      (ServiceName="*vnc*" OR ServiceName="*rdp*" OR ServiceName="*ssh*" OR ServiceName="*remote*"
       OR ServiceName="*anydesk*" OR ServiceName="*teamviewer*" OR ServiceName="*screenconnect*"
       OR ServiceFileName="*ngrok*" OR ServiceFileName="*frpc*" OR ServiceFileName="*chisel*")
    | eval Signal="RemoteServiceInstalled", DeviceName=host, Detail=ServiceName
    | table _time, DeviceName, Signal, Detail ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
      (TargetFilename="*\inetpub*" OR TargetFilename="*\wwwroot*" OR TargetFilename="*\htdocs*")
      (TargetFilename="*.asp" OR TargetFilename="*.aspx" OR TargetFilename="*.php"
       OR TargetFilename="*.jsp" OR TargetFilename="*.jspx" OR TargetFilename="*.shtml")
      NOT (Image="*\w3wp.exe" OR Image="*\httpd.exe" OR Image="*\nginx.exe")
    | eval Signal="WebShellDropped", DeviceName=host, Detail=TargetFilename
    | table _time, DeviceName, Signal, Detail ]
  [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
      (TargetObject="*\CurrentVersion\Run*" OR TargetObject="*\CurrentVersion\RunOnce*")
      (Details="*ngrok*" OR Details="*frpc*" OR Details="*chisel*" OR Details="*anydesk*"
       OR Details="*teamviewer*" OR Details="*vnc*")
    | eval Signal="PersistenceRegistryKey", DeviceName=host, Detail=mvjoin(mvappend(TargetObject,Details)," = ")
    | table _time, DeviceName, Signal, Detail ]
| stats
    count as TotalEvents,
    dc(Signal) as DistinctSignals,
    values(Signal) as SignalTypes,
    values(Detail) as Details,
    earliest(_time) as Earliest,
    latest(_time) as Latest
  by DeviceName
| where DistinctSignals >= 2
| eval TimeWindowMinutes=round((Latest-Earliest)/60,1)
| eval TimeWindowHours=round(TimeWindowMinutes/60,1)
| sort - DistinctSignals TimeWindowMinutes
| table DeviceName, DistinctSignals, SignalTypes, Details, TimeWindowHours, Earliest, Latest

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Windows Registry: Registry Key Modification User Account: User Account Creation Service: Service Creation Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 13 Windows Security Event Log Windows System Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security WinEventLog:System

False Positives

IT administrators installing multiple remote management tools during provisioning or maintenance activities
Software deployment pipelines that create service accounts and install remote agents automatically during onboarding
Penetration testing engagements with authorized deployment of multiple access mechanisms
DevOps pipelines installing SSH, tunnel tools, and creating service accounts in sequence
Managed service providers (MSPs) deploying their standard RMM toolset during customer onboarding

IBM QRadar (AQL)

sql

SELECT
  sourceip AS DeviceName,
  COUNT(*) AS TotalEvents,
  COUNT(DISTINCT CASE
    WHEN QIDNAME(qid) LIKE '%account created%' OR QIDNAME(qid) LIKE '%account modified%' OR eventid IN (4720, 4726, 4738) THEN 'AccountCreatedOrModified'
    WHEN QIDNAME(qid) LIKE '%process%' AND (
      LOWER("Image") LIKE '%ngrok%' OR LOWER("Image") LIKE '%frpc%' OR LOWER("Image") LIKE '%chisel%'
      OR LOWER("Image") LIKE '%anydesk%' OR LOWER("Image") LIKE '%teamviewer%'
      OR LOWER("Image") LIKE '%screenconnect%' OR LOWER("Image") LIKE '%plink%'
      OR LOWER("Image") LIKE '%vncviewer%' OR LOWER("Image") LIKE '%psexec%'
    ) THEN 'RemoteAccessToolExecution'
    WHEN eventid IN (7045, 4697) AND (
      LOWER("ServiceName") LIKE '%vnc%' OR LOWER("ServiceName") LIKE '%rdp%'
      OR LOWER("ServiceName") LIKE '%ssh%' OR LOWER("ServiceName") LIKE '%anydesk%'
      OR LOWER("ServiceName") LIKE '%teamviewer%' OR LOWER("ServiceName") LIKE '%remote%'
    ) THEN 'RemoteServiceInstalled'
    WHEN QIDNAME(qid) LIKE '%file create%' AND (
      ("TargetFilename" LIKE '%inetpub%' OR "TargetFilename" LIKE '%wwwroot%' OR "TargetFilename" LIKE '%htdocs%')
      AND ("TargetFilename" LIKE '%.asp' OR "TargetFilename" LIKE '%.aspx' OR "TargetFilename" LIKE '%.php'
        OR "TargetFilename" LIKE '%.jsp' OR "TargetFilename" LIKE '%.jspx')
    ) THEN 'WebShellDropped'
    WHEN QIDNAME(qid) LIKE '%registry%' AND (
      ("TargetObject" LIKE '%\\Run\\%' OR "TargetObject" LIKE '%\\RunOnce\\%')
      AND ("Details" LIKE '%ngrok%' OR "Details" LIKE '%frpc%' OR "Details" LIKE '%anydesk%'
        OR "Details" LIKE '%teamviewer%' OR "Details" LIKE '%vnc%')
    ) THEN 'PersistenceRegistryKey'
    ELSE NULL
  END) AS DistinctSignals,
  MIN(starttime) AS Earliest,
  MAX(starttime) AS Latest,
  ROUND((LONG(MAX(starttime)) - LONG(MIN(starttime))) / 60000.0, 1) AS TimeWindowMinutes
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND starttime > NOW() - 86400 SECONDS
  AND (
    eventid IN (4720, 4726, 4738, 7045, 4697)
    OR QIDNAME(qid) LIKE '%remote access%'
    OR QIDNAME(qid) LIKE '%web shell%'
    OR QIDNAME(qid) LIKE '%registry run%'
    OR (
      LOWER("Image") LIKE '%ngrok%' OR LOWER("Image") LIKE '%frpc%'
      OR LOWER("Image") LIKE '%chisel%' OR LOWER("Image") LIKE '%anydesk%'
      OR LOWER("Image") LIKE '%teamviewer%' OR LOWER("Image") LIKE '%screenconnect%'
    )
  )
GROUP BY sourceip
HAVING DistinctSignals >= 2
ORDER BY DistinctSignals DESC, TimeWindowMinutes ASC

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log Microsoft Sysmon via QRadar DSM QRadar Custom Properties for Sysmon fields

Required Tables

events

False Positives

Legitimate IT helpdesk staff installing multiple remote support tools (TeamViewer, AnyDesk) on the same workstation during a single support session while also resetting user accounts
DevOps automation frameworks that create service accounts and install agents (e.g., Ansible deploying SSH keys and remote management services) during infrastructure provisioning
Web application deployments where a developer with admin rights deploys both a web application (creating .php/.aspx files in wwwroot) and sets up a remote management service in the same change window

Sumo Logic CSE

sql

_sourceCategory=windows* ("EventCode=4720" OR "EventCode=4726" OR "EventCode=4738" OR "EventCode=7045" OR "EventCode=4697" OR "EventCode=1" OR "EventCode=11" OR "EventCode=13")
| parse "Computer=\"*\"" as DeviceName nodrop
| parse "EventCode=*" as EventCode nodrop
| parse "Image=*\\\\*" as _dummy, ProcImage nodrop
| parse "TargetFilename=*" as TargetFilename nodrop
| parse "TargetObject=*" as RegistryKey nodrop
| parse "Details=*" as RegistryValue nodrop
| parse "ServiceName=*" as ServiceName nodrop
| parse "TargetUserName=*" as TargetUser nodrop
// Assign signal type per event
| if (EventCode in ("4720","4726","4738"), "AccountCreatedOrModified",
    if (EventCode == "1" and (
      ProcImage matches "*ngrok*" or ProcImage matches "*frpc*" or ProcImage matches "*chisel*"
      or ProcImage matches "*AnyDesk*" or ProcImage matches "*TeamViewer*"
      or ProcImage matches "*ScreenConnect*" or ProcImage matches "*plink*"
      or ProcImage matches "*vncviewer*" or ProcImage matches "*psexec*"
    ), "RemoteAccessToolExecution",
    if (EventCode in ("7045","4697") and (
      ServiceName matches "*vnc*" or ServiceName matches "*rdp*" or ServiceName matches "*ssh*"
      or ServiceName matches "*anydesk*" or ServiceName matches "*teamviewer*" or ServiceName matches "*remote*"
    ), "RemoteServiceInstalled",
    if (EventCode == "11" and (
      (TargetFilename matches "*\\inetpub\\*" or TargetFilename matches "*\\wwwroot\\*" or TargetFilename matches "*\\htdocs\\*")
      and (TargetFilename matches "*.asp" or TargetFilename matches "*.aspx" or TargetFilename matches "*.php"
        or TargetFilename matches "*.jsp" or TargetFilename matches "*.jspx")
    ), "WebShellDropped",
    if (EventCode == "13" and (
      (RegistryKey matches "*\\Run\\*" or RegistryKey matches "*\\RunOnce\\*")
      and (RegistryValue matches "*ngrok*" or RegistryValue matches "*frpc*"
        or RegistryValue matches "*anydesk*" or RegistryValue matches "*teamviewer*" or RegistryValue matches "*vnc*")
    ), "PersistenceRegistryKey", null))))) as Signal
| where !isNull(Signal)
| timeslice 24h
| stats
    count as TotalEvents,
    dcount(Signal) as DistinctSignals,
    values(Signal) as SignalTypes,
    min(_messagetime) as Earliest,
    max(_messagetime) as Latest
  by DeviceName, _timeslice
| where DistinctSignals >= 2
| fields - _timeslice
| sort by DistinctSignals desc

high severity medium confidence

Data Sources

Sumo Logic Windows Collection (Security + Sysmon) Sumo Logic Installed Collector with Windows Event Log Source

Required Tables

windows* (Security and Sysmon source categories)

False Positives

System administrators performing bulk server hardening that includes creating service accounts (EventCode 4720) and installing endpoint management agents like VNC or SSH within the same 24-hour window
Software deployment systems (SCCM, Intune) that simultaneously install remote management tools and create local service accounts as part of a standard workstation build process
Security operations teams deploying honeypot or deception technology that intentionally creates fake remote service entries and accounts to attract attacker activity

Google Chronicle / SecOps

yaral

rule redundant_access_multi_signal_24h {
  meta:
    author = "Argus Detection Platform"
    description = "Detects multiple distinct remote access mechanisms established within 24h on the same device, indicating T1108 redundant access behavior (superseded by T1136, T1505.003, T1133)"
    severity = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1108"
    reference = "https://attack.mitre.org/techniques/T1108/"
  events:
    // Signal A: Account creation or modification
    $e1.metadata.event_type = "USER_CREATION" or
    ($e1.metadata.event_type = "USER_CHANGE" and
     $e1.target.user.userid != /^(SYSTEM|LOCAL SERVICE|NETWORK SERVICE)$/)
    $e1.principal.hostname = $host

    // Signal B: Remote access tool process execution
    $e2.metadata.event_type = "PROCESS_LAUNCH"
    $e2.principal.hostname = $host
    (
      re.regex($e2.target.process.file.full_path, `(?i)(ngrok|frpc|frps|chisel|plink|putty|mRemoteNG|AnyDesk|TeamViewer|ScreenConnect|LogMeIn|vncviewer|vncserver|psexec|psexesvc|winscp)\.exe`) or
      (
        re.regex($e2.target.process.command_line, `(?i)(ngrok|frpc|chisel|ligolo)`) and
        re.regex($e2.target.process.command_line, `(?i)(tcp|http|tunnel|connect|proxy)`)
      )
    )

    // Correlation: same host, within 24 hours, different events
    $e1.principal.hostname = $e2.principal.hostname
    $e1.metadata.event_timestamp.seconds < $e2.metadata.event_timestamp.seconds + 86400
    $e2.metadata.event_timestamp.seconds < $e1.metadata.event_timestamp.seconds + 86400
    $e1.metadata.id != $e2.metadata.id

  condition:
    $e1 and $e2
}

high severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Security Event Log via Chronicle Forwarder Microsoft Defender for Endpoint via Chronicle integration Sysmon via Chronicle Forwarder

Required Tables

UDM events: USER_CREATION, USER_CHANGE, PROCESS_LAUNCH, FILE_CREATION, REGISTRY_MODIFICATION

False Positives

Managed service providers (MSPs) onboarding new client systems where they simultaneously create admin accounts and install their preferred remote management suite (e.g., ConnectWise, AnyDesk) during onboarding
IT asset management workflows where automated scripts create service accounts and install monitoring/remote access agents as part of provisioning scripts triggered by CMDB changes
Developers working on remote access tooling who test their own ngrok or frpc configurations alongside normal account management activities on development systems

CrowdStrike LogScale (CQL)

cql

// Detect redundant access: 2+ distinct remote access signal types on same host within 24h
// Signal 1: Remote access tool process launches
#repo=base_sensor #event_simpleName=ProcessRollup2
| FileName = /(?i)(ngrok\.exe|frpc\.exe|frps\.exe|chisel\.exe|plink\.exe|AnyDesk\.exe|TeamViewer\.exe|ScreenConnect\.exe|vncviewer\.exe|vncserver\.exe|psexec\.exe|psexesvc\.exe|winscp\.exe)/
  OR (CommandLine = /(?i)(ngrok|frpc|chisel|ligolo)/ AND CommandLine = /(?i)(tcp|http|tunnel|connect|proxy)/)
| eval Signal="RemoteAccessToolExecution"
| eval Detail=FileName
| table [@timestamp, ComputerName, UserName, Signal, Detail]

// Union Signal 2: New service installation (via Windows event logs ingested)
| union [
  #repo=base_sensor #event_simpleName=ServiceInstalled
  | ServiceDisplayName = /(?i)(vnc|rdp|ssh|remote|anydesk|teamviewer|screenconnect|logmein)/
    OR ImageFileName = /(?i)(ngrok|frpc|chisel|plink|psexec)/
  | eval Signal="RemoteServiceInstalled"
  | eval Detail=ServiceDisplayName
  | table [@timestamp, ComputerName, UserName, Signal, Detail]
]

// Union Signal 3: Web shell file creation
| union [
  #repo=base_sensor #event_simpleName=NewExecutableWritten
  | TargetFileName = /(?i)(\\inetpub\\|\\wwwroot\\|\\htdocs\\|\\webapps\\)/
  | TargetFileName = /\.(?:asp|aspx|php|jsp|jspx|shtml)$/
  | NOT (ParentBaseFileName = /(?i)(w3wp\.exe|httpd\.exe|nginx\.exe|iisexpress\.exe)/)
  | eval Signal="WebShellDropped"
  | eval Detail=TargetFileName
  | table [@timestamp, ComputerName, UserName, Signal, Detail]
]

// Union Signal 4: Registry run key persistence
| union [
  #repo=base_sensor #event_simpleName=RegGenericValueUpdate
  | RegObjectName = /(?i)(\\CurrentVersion\\Run|\\CurrentVersion\\RunOnce)/
  | RegStringValue = /(?i)(ngrok|frpc|chisel|anydesk|teamviewer|vnc|rdp)/
  | eval Signal="PersistenceRegistryKey"
  | eval Detail=RegStringValue
  | table [@timestamp, ComputerName, UserName, Signal, Detail]
]

// Aggregate: find hosts with 2+ distinct signal types in 24h
| groupBy([ComputerName], function=[
    count(Signal, as=TotalEvents),
    count(distinct(Signal), as=DistinctSignals),
    collect(Signal, as=SignalTypes, limit=20),
    collect(Detail, as=Details, limit=20),
    min(@timestamp, as=Earliest),
    max(@timestamp, as=Latest)
  ])
| DistinctSignals >= 2
| eval TimeWindowMinutes = round((Latest - Earliest) / 60000, 1)
| sort(DistinctSignals, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon Sensor (ProcessRollup2, ServiceInstalled, NewExecutableWritten, RegGenericValueUpdate) CrowdStrike Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=ServiceInstalled #event_simpleName=NewExecutableWritten #event_simpleName=RegGenericValueUpdate

False Positives

Red team engagements using CrowdStrike's own test tools alongside legitimate admin tooling — Falcon may generate multiple signal types from authorized offensive security operations on explicitly excluded test systems
Software vendors testing their remote administration products on internal QA machines where multiple tools (VNC, SSH, TeamViewer) are installed, configured, and registry entries set within a single test session
Cloud or virtualization platform agents (e.g., AWS Systems Manager, VMware Tools) that deploy remote management capabilities and create local service accounts as part of cloud instance bootstrapping on newly provisioned hosts

Last updated: 2026-04-17 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1108 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Redundant Access

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Defense Evasion

Popular Detections