title: Redundant Access (T1108)
id: df00tech-t1108
status: experimental
description: "Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. This deprecated technique has been superseded by T1136 (Create Account), T1505/003 (Web Shell), and T1133 (External Remote Services), but the underlying adversary behavior — establishing backup access channels in parallel — remains a critical detection target. Observable patterns include simultaneous deployment of web shells alongside account creation, installation of multiple remote access services within a short window, and evidence of access from multiple distinct toolsets or protocols to the same target environment."
references:
  - https://attack.mitre.org/techniques/T1108/
  - https://df00tech.com/detections/T1108
author: df00tech
date: 2026/04/17
tags:
  - attack.t1108
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administrators legitimately installing multiple remote management tools (RMM agents, VNC, RDP helpers) during system provisioning or maintenance windows"
  - "Software deployment pipelines (SCCM, Intune, Ansible) creating local service accounts and installing remote access agents as part of automated onboarding"
  - "Penetration testing engagements where multiple access mechanisms are intentionally deployed; coordinate with the red team to suppress expected signals"
  - "DevOps/CI pipelines that install SSH, tunnel tools, and create service accounts in sequence during automated deployment jobs"
  - "Security teams deploying honeypot infrastructure where multiple remote access mechanisms are intentionally created to attract attackers"
level: high
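The placeholder `detection` block above matches every process-creation event, because the behaviour described (several distinct access mechanisms appearing on one host inside a short window) needs correlation across events rather than a single-event match. The following is an added example, not df00tech's query and not part of the rule: a small Python correlator that classifies process-creation events into the three superseding behaviours named in the description (account creation, web shell activity, remote access service) and alerts when a host shows two or more distinct mechanisms, or two different remote access tools, within a window. The 60-minute window, the tool name list, and the classification patterns are assumptions chosen for illustration; the events are constructed.

```python
"""Redundant-access correlator over process-creation events (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed correlation window; tune to the environment.
WINDOW = timedelta(minutes=60)

# Assumed, illustrative indicators of remote access tooling and web server workers.
REMOTE_ACCESS_TOOLS = ("anydesk", "teamviewer", "winvnc", "tvnserver", "screenconnect")
WEB_SERVER_PARENTS = ("w3wp.exe", "httpd.exe", "nginx.exe", "tomcat")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (subset of Sysmon event 1 / 4688 fields)."""
    host: str
    ts: datetime
    parent: str
    image: str
    cmdline: str


def classify(ev):
    """Map one event to a (category, detail) mechanism tuple, or None if unrelated."""
    cmd = ev.cmdline.lower()
    img = ev.image.lower()
    parent = ev.parent.lower()
    # T1136 Create Account: local account added via net.exe / net1.exe
    if img.endswith(("net.exe", "net1.exe")) and " user " in cmd and "/add" in cmd:
        return ("account_creation", "net user /add")
    # T1505.003 Web Shell: web server worker spawning an interactive shell
    if any(p in parent for p in WEB_SERVER_PARENTS) and img.endswith(("cmd.exe", "powershell.exe")):
        return ("web_shell", ev.parent)
    # T1133 External Remote Services: remote access tool started or installed
    for tool in REMOTE_ACCESS_TOOLS:
        if tool in img or tool in cmd:
            return ("remote_service", tool)
    return None


def find_redundant_access(events):
    """Return one alert per host whose events show >=2 distinct mechanism categories,
    or >=2 distinct remote access tools, inside any WINDOW-sized span."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        mech = classify(ev)
        if mech is not None:
            by_host[ev.host].append((ev.ts, mech))

    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            in_window = [m for t, m in hits[i:] if t - t0 <= WINDOW]
            categories = {m[0] for m in in_window}
            tools = {m[1] for m in in_window if m[0] == "remote_service"}
            if len(categories) >= 2 or len(tools) >= 2:
                alerts.append({"host": host, "start": t0, "mechanisms": sorted(set(in_window))})
                break  # first qualifying window is enough for one alert per host
    return alerts


# Constructed sample events: WS01 shows web shell + account creation + RMM install
# within 20 minutes; WS02 shows two mechanisms four hours apart (outside the window).
SAMPLE_EVENTS = [
    ProcEvent("WS01", datetime(2026, 4, 17, 10, 0), "w3wp.exe",
              "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("WS01", datetime(2026, 4, 17, 10, 5), "cmd.exe",
              "C:\\Windows\\System32\\net.exe", "net user svc_backup P@ssw0rd /add"),
    ProcEvent("WS01", datetime(2026, 4, 17, 10, 20), "explorer.exe",
              "C:\\Users\\Public\\AnyDesk.exe", "AnyDesk.exe --install"),
    ProcEvent("WS02", datetime(2026, 4, 17, 9, 0), "msiexec.exe",
              "C:\\Program Files\\TeamViewer\\TeamViewer.exe", "TeamViewer.exe"),
    ProcEvent("WS02", datetime(2026, 4, 17, 13, 0), "cmd.exe",
              "C:\\Windows\\System32\\net.exe", "net user admin2 Summer2026 /add"),
    ProcEvent("WS03", datetime(2026, 4, 17, 11, 0), "explorer.exe",
              "C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for alert in find_redundant_access(SAMPLE_EVENTS):
        print(alert["host"], alert["start"].isoformat(), alert["mechanisms"])
```

Run as a script it prints a single alert for WS01 listing all three mechanisms; WS02 stays quiet because its two signals fall outside the window, which is the kind of spacing the listed false positives (provisioning, scheduled deployments) tend to produce. Feeding real Sysmon or 4688 events in place of `SAMPLE_EVENTS` only requires mapping the host, timestamp, parent image, image and command line fields onto `ProcEvent`.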
