T1108 Microsoft Sentinel · KQL

Detect Redundant Access in Microsoft Sentinel

Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. This deprecated technique has been superseded by T1136 (Create Account), T1505/003 (Web Shell), and T1133 (External Remote Services), but the underlying adversary behavior — establishing backup access channels in parallel — remains a critical detection target. Observable patterns include simultaneous deployment of web shells alongside account creation, installation of multiple remote access services within a short window, and evidence of access from multiple distinct toolsets or protocols to the same target environment.

MITRE ATT&CK

Tactic
Defense Evasion Persistence
Canonical reference
https://attack.mitre.org/techniques/T1108/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Detect multiple distinct remote access mechanisms established within 24h on the same device
// Covers web shell drops, remote service installs, new local/domain accounts, and external remote tool execution
let LookbackWindow = 24h;
let RemoteAccessBinaries = dynamic([
  "ngrok.exe", "frpc.exe", "frps.exe", "chisel.exe", "plink.exe", "putty.exe",
  "mRemoteNG.exe", "AnyDesk.exe", "TeamViewer.exe", "ScreenConnect.exe",
  "LogMeIn.exe", "VNCviewer.exe", "vncserver.exe", "psexec.exe", "psexesvc.exe",
  "mstsc.exe", "winscp.exe", "ssh.exe", "sshd.exe"
]);
let WebShellExtensions = dynamic([".asp", ".aspx", ".php", ".jsp", ".jspx", ".shtml"]);
let WebServerPaths = dynamic(["\\inetpub\\", "\\wwwroot\\", "\\htdocs\\", "\\www\\", "\\webapps\\"]);
// Signal 1: New account creation
let NewAccounts = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID in (4720, 4726, 4738)
| project TimeGenerated, DeviceName=Computer, AccountName=TargetUserName, Signal="AccountCreatedOrModified";
// Signal 2: Remote access tool execution
let RemoteToolExec = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ (RemoteAccessBinaries)
   or (ProcessCommandLine has_any ("ngrok", "frpc", "chisel", "ligolo") and ProcessCommandLine has_any ("tcp", "http", "tunnel", "connect", "proxy"))
| project TimeGenerated=Timestamp, DeviceName, AccountName, Signal="RemoteAccessToolExecution", Detail=strcat(FileName, " | ", ProcessCommandLine);
// Signal 3: Remote service installation
let RemoteServiceInstall = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID in (7045, 4697)
| where ServiceName has_any ("vnc", "rdp", "ssh", "remote", "screen", "anydesk", "teamviewer", "logmein")
   or ServiceFileName has_any ("ngrok", "frpc", "chisel", "plink", "psexec")
| project TimeGenerated, DeviceName=Computer, AccountName=SubjectUserName, Signal="RemoteServiceInstalled", Detail=ServiceName;
// Signal 4: Web shell written to web server path
let WebShellDrop = DeviceFileEvents
| where Timestamp > ago(LookbackWindow)
| where FolderPath has_any (WebServerPaths)
| where FileName has_any (WebShellExtensions)
| where InitiatingProcessFileName !in~ ("w3wp.exe", "httpd.exe", "nginx.exe", "iisexpress.exe")
| project TimeGenerated=Timestamp, DeviceName, AccountName, Signal="WebShellDropped", Detail=strcat(FolderPath, "\\", FileName);
// Signal 5: Registry run key modification for remote access persistence
let RegistryPersist = DeviceRegistryEvents
| where Timestamp > ago(LookbackWindow)
| where RegistryKey has_any ("\\Run\\", "\\RunOnce\\", "\\Services\\")
| where RegistryValueData has_any ("ngrok", "frpc", "chisel", "anydesk", "teamviewer", "vnc", "rdp")
| project TimeGenerated=Timestamp, DeviceName, AccountName, Signal="PersistenceRegistryKey", Detail=strcat(RegistryKey, " = ", RegistryValueData);
// Union all signals and find devices with 2 or more distinct signal types
let AllSignals = union NewAccounts, RemoteToolExec, RemoteServiceInstall, WebShellDrop, RegistryPersist;
AllSignals
| summarize
    SignalCount=count(),
    DistinctSignals=dcount(Signal),
    SignalTypes=make_set(Signal),
    Details=make_set(Detail),
    Earliest=min(TimeGenerated),
    Latest=max(TimeGenerated)
  by DeviceName
| where DistinctSignals >= 2
| extend TimeWindowMinutes = datetime_diff('minute', Latest, Earliest)
| project DeviceName, DistinctSignals, SignalTypes, Details, Earliest, Latest, TimeWindowMinutes
| sort by DistinctSignals desc, TimeWindowMinutes asc
high severity medium confidence

Detects adversaries establishing multiple redundant access mechanisms on the same host within a 24-hour window — a core indicator of T1108 behavior. Correlates five independent signals: new account creation (Security Event IDs 4720/4726/4738), remote access tool execution (ngrok, frpc, chisel, AnyDesk, etc.), remote service installation (Event IDs 7045/4697), web shell drops to web server paths, and registry persistence of remote access tools. Hosts with 2 or more distinct signal types within the window are flagged as high-confidence redundant access attempts. The technique is deprecated in ATT&CK but the underlying adversary behavior persists widely.

Data Sources

Process: Process CreationFile: File CreationWindows Registry: Registry Key ModificationUser Account: User Account CreationService: Service CreationMicrosoft Defender for EndpointWindows Security Event Log

Required Tables

DeviceProcessEventsDeviceFileEventsDeviceRegistryEventsSecurityEvent

False Positives & Tuning

  • IT administrators legitimately installing multiple remote management tools (RMM agents, VNC, RDP helpers) during system provisioning or maintenance windows
  • Software deployment pipelines (SCCM, Intune, Ansible) creating local service accounts and installing remote access agents as part of automated onboarding
  • Penetration testing engagements where multiple access mechanisms are intentionally deployed — coordinate with red team to suppress expected signals
  • DevOps/CI pipelines that install SSH, tunnel tools, and create service accounts in sequence during automated deployment jobs
  • Security teams deploying honeypot infrastructure where multiple remote access mechanisms are intentionally created to attract attackers
Download portable Sigma rule (.yml)

Other platforms for T1108

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Install Redundant Remote Access Service via SC.exe

    Expected signal: Windows System Event ID 7045: New Service Installed with ServiceName=RemoteAccessBackup, ServiceFileName=C:\Windows\System32\calc.exe, ServiceType=user mode service, StartType=auto start. Windows Security Event ID 4697 (if auditing enabled): A service was installed in the system. Sysmon Event ID 1 for sc.exe process creation with full command line captured.

  2. Test 2Create Backup Local Administrator Account

    Expected signal: Windows Security Event ID 4720: A user account was created — TargetUserName=df00tech-svc-backup. Security Event ID 4732: A member was added to a security-enabled local group — TargetUserName=df00tech-svc-backup, GroupName=Administrators. Security Event ID 4722: A user account was enabled. Sysmon Event ID 1 for net.exe and wmic.exe process creation with full command lines.

  3. Test 3Deploy ngrok Tunnel as Redundant C2 Channel

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with Invoke-WebRequest command line downloading ngrok. Sysmon Event ID 11: File Create for ngrok.zip and ngrok.exe in %TEMP%. Sysmon Event ID 1: Process Create for ngrok.exe with 'http 8080' arguments. Sysmon Event ID 3: Network connection attempt from ngrok.exe to ngrok infrastructure (will fail or succeed depending on network access). Security Event ID 4688 (if command line auditing enabled).

  4. Test 4Drop Simulated Web Shell in IIS Web Root

    Expected signal: Sysmon Event ID 11: File Create with TargetFilename=C:\inetpub\wwwroot\df00tech-test-shell.aspx, Image=cmd.exe (unexpected parent for web root writes). Sysmon Event ID 1: Process Create for cmd.exe with echo/redirect command line. Security Event ID 4663 (object access, if file auditing enabled on inetpub) showing file create by cmd.exe.

  5. Test 5Add SSH Authorized Key for Persistent Backdoor Access (Linux/macOS)

    Expected signal: Linux auditd: syscall write/open on ~/.ssh/authorized_keys by the bash/sh process — generates SYSCALL and PATH audit records. Syslog/auth.log: no immediate logon event but future SSH logons using this key will generate 'Accepted publickey' entries identifying the key fingerprint. File integrity monitoring (FIM): if deployed, triggers on modification of ~/.ssh/authorized_keys.

Last updated: 2026-04-17 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1108 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1133External Remote ServicesT1136Create AccountT1505.003Web ShellT1078Valid AccountsT1021.001Remote Desktop ProtocolT1021.004SSHT1572Protocol TunnelingT1543.003Windows ServiceT1053.005Scheduled TaskT1098Account ManipulationT1071.001Web Protocols

Same Tactic: Defense Evasion

Popular Detections