Detect Redundant Access in IBM QRadar
Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. This deprecated technique has been superseded by T1136 (Create Account), T1505/003 (Web Shell), and T1133 (External Remote Services), but the underlying adversary behavior — establishing backup access channels in parallel — remains a critical detection target. Observable patterns include simultaneous deployment of web shells alongside account creation, installation of multiple remote access services within a short window, and evidence of access from multiple distinct toolsets or protocols to the same target environment.
MITRE ATT&CK
- Tactic
- Defense Evasion Persistence
- Canonical reference
- https://attack.mitre.org/techniques/T1108/
QRadar Detection Query
SELECT
sourceip AS DeviceName,
COUNT(*) AS TotalEvents,
COUNT(DISTINCT CASE
WHEN QIDNAME(qid) LIKE '%account created%' OR QIDNAME(qid) LIKE '%account modified%' OR eventid IN (4720, 4726, 4738) THEN 'AccountCreatedOrModified'
WHEN QIDNAME(qid) LIKE '%process%' AND (
LOWER("Image") LIKE '%ngrok%' OR LOWER("Image") LIKE '%frpc%' OR LOWER("Image") LIKE '%chisel%'
OR LOWER("Image") LIKE '%anydesk%' OR LOWER("Image") LIKE '%teamviewer%'
OR LOWER("Image") LIKE '%screenconnect%' OR LOWER("Image") LIKE '%plink%'
OR LOWER("Image") LIKE '%vncviewer%' OR LOWER("Image") LIKE '%psexec%'
) THEN 'RemoteAccessToolExecution'
WHEN eventid IN (7045, 4697) AND (
LOWER("ServiceName") LIKE '%vnc%' OR LOWER("ServiceName") LIKE '%rdp%'
OR LOWER("ServiceName") LIKE '%ssh%' OR LOWER("ServiceName") LIKE '%anydesk%'
OR LOWER("ServiceName") LIKE '%teamviewer%' OR LOWER("ServiceName") LIKE '%remote%'
) THEN 'RemoteServiceInstalled'
WHEN QIDNAME(qid) LIKE '%file create%' AND (
("TargetFilename" LIKE '%inetpub%' OR "TargetFilename" LIKE '%wwwroot%' OR "TargetFilename" LIKE '%htdocs%')
AND ("TargetFilename" LIKE '%.asp' OR "TargetFilename" LIKE '%.aspx' OR "TargetFilename" LIKE '%.php'
OR "TargetFilename" LIKE '%.jsp' OR "TargetFilename" LIKE '%.jspx')
) THEN 'WebShellDropped'
WHEN QIDNAME(qid) LIKE '%registry%' AND (
("TargetObject" LIKE '%\\Run\\%' OR "TargetObject" LIKE '%\\RunOnce\\%')
AND ("Details" LIKE '%ngrok%' OR "Details" LIKE '%frpc%' OR "Details" LIKE '%anydesk%'
OR "Details" LIKE '%teamviewer%' OR "Details" LIKE '%vnc%')
) THEN 'PersistenceRegistryKey'
ELSE NULL
END) AS DistinctSignals,
MIN(starttime) AS Earliest,
MAX(starttime) AS Latest,
ROUND((LONG(MAX(starttime)) - LONG(MIN(starttime))) / 60000.0, 1) AS TimeWindowMinutes
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
AND starttime > NOW() - 86400 SECONDS
AND (
eventid IN (4720, 4726, 4738, 7045, 4697)
OR QIDNAME(qid) LIKE '%remote access%'
OR QIDNAME(qid) LIKE '%web shell%'
OR QIDNAME(qid) LIKE '%registry run%'
OR (
LOWER("Image") LIKE '%ngrok%' OR LOWER("Image") LIKE '%frpc%'
OR LOWER("Image") LIKE '%chisel%' OR LOWER("Image") LIKE '%anydesk%'
OR LOWER("Image") LIKE '%teamviewer%' OR LOWER("Image") LIKE '%screenconnect%'
)
)
GROUP BY sourceip
HAVING DistinctSignals >= 2
ORDER BY DistinctSignals DESC, TimeWindowMinutes ASCAQL query that correlates five redundant access signal types (account creation, remote tool execution, remote service install, web shell drop, registry persistence) across Windows Security and Sysmon log sources within a 24-hour window. Groups by source IP/host and alerts when 2 or more distinct signal types appear on the same device.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT helpdesk staff installing multiple remote support tools (TeamViewer, AnyDesk) on the same workstation during a single support session while also resetting user accounts
- DevOps automation frameworks that create service accounts and install agents (e.g., Ansible deploying SSH keys and remote management services) during infrastructure provisioning
- Web application deployments where a developer with admin rights deploys both a web application (creating .php/.aspx files in wwwroot) and sets up a remote management service in the same change window
Other platforms for T1108
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Install Redundant Remote Access Service via SC.exe
Expected signal: Windows System Event ID 7045: New Service Installed with ServiceName=RemoteAccessBackup, ServiceFileName=C:\Windows\System32\calc.exe, ServiceType=user mode service, StartType=auto start. Windows Security Event ID 4697 (if auditing enabled): A service was installed in the system. Sysmon Event ID 1 for sc.exe process creation with full command line captured.
- Test 2Create Backup Local Administrator Account
Expected signal: Windows Security Event ID 4720: A user account was created — TargetUserName=df00tech-svc-backup. Security Event ID 4732: A member was added to a security-enabled local group — TargetUserName=df00tech-svc-backup, GroupName=Administrators. Security Event ID 4722: A user account was enabled. Sysmon Event ID 1 for net.exe and wmic.exe process creation with full command lines.
- Test 3Deploy ngrok Tunnel as Redundant C2 Channel
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Invoke-WebRequest command line downloading ngrok. Sysmon Event ID 11: File Create for ngrok.zip and ngrok.exe in %TEMP%. Sysmon Event ID 1: Process Create for ngrok.exe with 'http 8080' arguments. Sysmon Event ID 3: Network connection attempt from ngrok.exe to ngrok infrastructure (will fail or succeed depending on network access). Security Event ID 4688 (if command line auditing enabled).
- Test 4Drop Simulated Web Shell in IIS Web Root
Expected signal: Sysmon Event ID 11: File Create with TargetFilename=C:\inetpub\wwwroot\df00tech-test-shell.aspx, Image=cmd.exe (unexpected parent for web root writes). Sysmon Event ID 1: Process Create for cmd.exe with echo/redirect command line. Security Event ID 4663 (object access, if file auditing enabled on inetpub) showing file create by cmd.exe.
- Test 5Add SSH Authorized Key for Persistent Backdoor Access (Linux/macOS)
Expected signal: Linux auditd: syscall write/open on ~/.ssh/authorized_keys by the bash/sh process — generates SYSCALL and PATH audit records. Syslog/auth.log: no immediate logon event but future SSH logons using this key will generate 'Accepted publickey' entries identifying the key fingerprint. File integrity monitoring (FIM): if deployed, triggers on modification of ~/.ssh/authorized_keys.
References (10)
- https://attack.mitre.org/techniques/T1108/
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- https://attack.mitre.org/techniques/T1136/
- https://attack.mitre.org/techniques/T1505/003/
- https://attack.mitre.org/techniques/T1133/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security
Unlock Pro Content
Get the full detection package for T1108 including response playbook, investigation guide, and atomic red team tests.