Skip to content

DET0496 Behavior-Chain Detection for Remote Access Tools (Tool-Agnostic)

Item Value
ID DET0496
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1219 (Remote Access Tools)

Analytics

Windows

AN1366

Chain of remote access tool behavior: (1) initial execution of remote-control/assist agent or GUI under user context; (2) persistence via service or autorun; (3) long-lived outbound connection/tunnel to external infrastructure; (4) interactive control signals such as shell or file-manager child processes spawned by the RAT parent.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Service Creation (DC0060) WinEventLog:System EventCode=7045
Windows Registry Key Creation (DC0056) WinEventLog:Sysmon EventCode=12
Windows Registry Key Modification (DC0063) WinEventLog:Sysmon EventCode=13, 14
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
TimeWindow Correlation period binding start→persistence→egress→child (default 15m, adjust per environment).
UserContext Differentiate help-desk/jump hosts and admin accounts from standard endpoints.
ProcessAllowlist Known-good remote support tools; suppress expected events while still correlating anomalous sequences.
InstallPathRegex Alert when services/agents execute from user-writable or temp paths.
ExternalIPAllowlist Vendors’ support clouds/CDNs to reduce false positives on egress detection.
ShellSpawnRegex Define which child shells from GUI parents are acceptable versus suspicious.
EgressHeuristics Thresholds for session duration, connection counts, and bytes_out/bytes_in ratio.

Linux

AN1367

Sequence of RAT agent execution, systemd persistence, and long-lived external egress; optional interactive shells spawned from the agent.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve: Agent/headless flags (listen/connect/reverse/tunnel) or remote-control binaries spawning shells
File Creation (DC0039) auditd:PATH WRITE: Drop of binaries/scripts in ~/.local, /tmp, or /opt tool dirs
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3, 22
Mutable Elements
Field Description
TimeWindow Bind exec→service→egress events; extend for staged deployments.
DaemonAllowlist Approved .service names/paths to avoid flagging corporate agents.
SuspiciousChildProcesses Define shells/interpreters considered anomalous when spawned by GUI/agent parents.
EgressHeuristics Flow heuristics for long-lived, client-heavy connections post-install.

macOS

AN1368

Electron/GUI or headless RAT execution followed by LaunchAgent/Daemon persistence and persistent external connections; interactive children (osascript/sh/curl) spawned by parent.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog Process exec of remote-control apps or binaries with headless/connect flags
File Creation (DC0039) macos:osquery CREATE/MODIFY: Creation of LaunchAgents/Daemons plists in user/system locations
Network Connection Creation (DC0082) macos:osquery CONNECT: Long-lived connections from remote-control parents to external IPs/domains
Mutable Elements
Field Description
AllowedAppBundlePaths Legitimate remote-support apps under /Applications.
LaunchdAllowlist Known-good LaunchAgents/Daemons identifiers.
TimeWindow Window for correlating exec→launchd→egress events.
EgressHeuristics Duration/volume thresholds for persistent sessions.