T1008

Fallback Channels

Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. Malware families such as HOPLIGHT, InvisiMole, TrickBot, and BISCUIT implement hard-coded primary and secondary C2 addresses, while others like OilRig's ISMAgent dynamically fall back from HTTP to DNS tunneling. Detection focuses on processes establishing connections to multiple distinct external destinations in sequence — particularly where port diversity (80→443→8080) or protocol switching (HTTP→DNS) is observed — which is anomalous for non-browser processes.

Microsoft Sentinel / Defender

kusto

// Primary detection: non-browser processes connecting to 3+ distinct external IPs
// or 3+ distinct ports within a 1-hour window, indicating fallback C2 behavior
let ExcludedProcesses = dynamic([
  "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe", "brave.exe",
  "MicrosoftEdgeUpdate.exe", "MsMpEng.exe", "OneDrive.exe", "Teams.exe", "Slack.exe",
  "Zoom.exe", "Skype.exe", "outlook.exe", "lync.exe", "SearchApp.exe",
  "msedgewebview2.exe", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"
]);
let C2FallbackPorts = dynamic([53, 80, 443, 4443, 8080, 8443, 8888, 1194, 4444, 9443, 2222, 3128]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where RemotePort in (C2FallbackPorts)
| where not(InitiatingProcessFileName has_any (ExcludedProcesses))
| summarize
    UniqueDestIPs = dcount(RemoteIP),
    UniqueDestPorts = dcount(RemotePort),
    TotalConnections = count(),
    DestinationIPs = make_set(RemoteIP, 10),
    DestinationPorts = make_set(RemotePort, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine,
       InitiatingProcessId, InitiatingProcessParentFileName, bin(Timestamp, 1h)
| where UniqueDestIPs >= 3 or (UniqueDestPorts >= 3 and TotalConnections >= 5)
| extend ConnectionSpanMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| extend RiskScore = case(
    UniqueDestIPs >= 5 and UniqueDestPorts >= 3, "Critical",
    UniqueDestIPs >= 4 or (UniqueDestPorts >= 3 and TotalConnections >= 8), "High",
    UniqueDestIPs >= 3, "Medium",
    "Low"
  )
| project FirstSeen, LastSeen, ConnectionSpanMinutes, DeviceName, AccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
    UniqueDestIPs, UniqueDestPorts, TotalConnections, DestinationIPs, DestinationPorts, RiskScore
| sort by UniqueDestIPs desc, UniqueDestPorts desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Software update clients and package managers (e.g., Windows Update components, npm, pip) that contact multiple CDN endpoints or mirror servers during downloads
IT monitoring and management agents (SCCM, Qualys, Tenable) that beacon to multiple management servers or cloud endpoints
Backup agents and cloud sync clients (Veeam, Backblaze, Crashplan) contacting multiple storage endpoints
Custom business applications with built-in load-balancing or geographic failover logic connecting to multiple cloud provider IPs
Security scanning tools and vulnerability assessment agents that make broad outbound connections as part of their normal operation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
    OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
    OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
    OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
    OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
    OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*"
    OR DestinationIp="127.*" OR DestinationIp="169.254.*")
  NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe"
    OR Image="*\\iexplore.exe" OR Image="*\\Teams.exe" OR Image="*\\Slack.exe"
    OR Image="*\\Zoom.exe" OR Image="*\\OneDrive.exe" OR Image="*\\outlook.exe"
    OR Image="*\\MsMpEng.exe" OR Image="*\\SearchApp.exe" OR Image="*\\brave.exe")
  (DestinationPort=53 OR DestinationPort=80 OR DestinationPort=443 OR DestinationPort=4443
    OR DestinationPort=8080 OR DestinationPort=8443 OR DestinationPort=8888
    OR DestinationPort=1194 OR DestinationPort=4444 OR DestinationPort=9443
    OR DestinationPort=2222 OR DestinationPort=3128)
| bucket _time span=1h
| stats
    dc(DestinationIp) as UniqueDestIPs,
    dc(DestinationPort) as UniqueDestPorts,
    count as TotalConnections,
    values(DestinationIp) as DestinationIPs,
    values(DestinationPort) as DestinationPorts,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by _time, host, Image, ProcessId, ParentImage
| where UniqueDestIPs >= 3 OR (UniqueDestPorts >= 3 AND TotalConnections >= 5)
| eval ConnectionSpanSeconds = LastSeen - FirstSeen
| eval RiskScore=case(
    UniqueDestIPs >= 5 AND UniqueDestPorts >= 3, "Critical",
    UniqueDestIPs >= 4 OR (UniqueDestPorts >= 3 AND TotalConnections >= 8), "High",
    UniqueDestIPs >= 3, "Medium",
    true(), "Low"
  )
| eval ProcessName=mvindex(split(Image, "\\"), -1)
| table FirstSeen, host, ProcessName, Image, ProcessId, ParentImage,
    UniqueDestIPs, UniqueDestPorts, TotalConnections,
    DestinationIPs, DestinationPorts, ConnectionSpanSeconds, RiskScore
| sort - UniqueDestIPs

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software update clients and package managers (e.g., Windows Update components, npm, pip) that contact multiple CDN endpoints or mirror servers during downloads
IT monitoring and management agents (SCCM, Qualys, Tenable) that beacon to multiple management servers or cloud endpoints
Backup agents and cloud sync clients (Veeam, Backblaze, Crashplan) contacting multiple storage endpoints
Custom business applications with built-in load-balancing or geographic failover logic connecting to multiple cloud provider IPs
Security scanning tools and vulnerability assessment agents that make broad outbound connections as part of their normal operation

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
  sourceip,
  username,
  "Process Name" AS ProcessName,
  COUNT(*) AS TotalConnections,
  COUNT(DISTINCT destinationip) AS UniqueDestIPs,
  COUNT(DISTINCT destinationport) AS UniqueDestPorts
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND CATEGORYNAME(category) LIKE '%Network%'
  AND destinationport IN (53, 80, 443, 4443, 8080, 8443, 8888, 1194, 4444, 9443, 2222, 3128)
  AND NOT (destinationip ILIKE '10.%'
    OR destinationip ILIKE '192.168.%'
    OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '172.17.%'
    OR destinationip ILIKE '172.18.%' OR destinationip ILIKE '172.19.%'
    OR destinationip ILIKE '172.20.%' OR destinationip ILIKE '172.21.%'
    OR destinationip ILIKE '172.22.%' OR destinationip ILIKE '172.23.%'
    OR destinationip ILIKE '172.24.%' OR destinationip ILIKE '172.25.%'
    OR destinationip ILIKE '172.26.%' OR destinationip ILIKE '172.27.%'
    OR destinationip ILIKE '172.28.%' OR destinationip ILIKE '172.29.%'
    OR destinationip ILIKE '172.30.%' OR destinationip ILIKE '172.31.%'
    OR destinationip ILIKE '127.%' OR destinationip ILIKE '169.254.%')
  AND NOT ("Process Name" ILIKE '%chrome.exe' OR "Process Name" ILIKE '%firefox.exe'
    OR "Process Name" ILIKE '%msedge.exe' OR "Process Name" ILIKE '%iexplore.exe'
    OR "Process Name" ILIKE '%Teams.exe' OR "Process Name" ILIKE '%Slack.exe'
    OR "Process Name" ILIKE '%Zoom.exe' OR "Process Name" ILIKE '%outlook.exe'
    OR "Process Name" ILIKE '%MsMpEng.exe' OR "Process Name" ILIKE '%OneDrive.exe')
  AND devicetime > (NOW() - 86400000)
GROUP BY sourceip, username, "Process Name",
  FLOOR(LONG(devicetime) / 3600000)
HAVING COUNT(DISTINCT destinationip) >= 3
   OR (COUNT(DISTINCT destinationport) >= 3 AND COUNT(*) >= 5)
ORDER BY UniqueDestIPs DESC

high severity medium confidence

Data Sources

QRadar SIEM with Windows Security Event Log DSM Sysmon DSM for QRadar

Required Tables

events

False Positives

Backup agents (e.g., Veeam, Commvault) connecting to multiple cloud storage endpoints during backup jobs
Monitoring agents like Datadog or New Relic connecting to multiple regional ingest endpoints
Software deployment tools contacting multiple mirrors or repositories simultaneously

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/sysmon
| where EventID = 3
| where !isPrivateIP(DestinationIp)
| where DestinationPort in (53, 80, 443, 4443, 8080, 8443, 8888, 1194, 4444, 9443, 2222, 3128)
| where !(Image matches "*\\chrome.exe" or Image matches "*\\firefox.exe"
  or Image matches "*\\msedge.exe" or Image matches "*\\iexplore.exe"
  or Image matches "*\\Teams.exe" or Image matches "*\\Slack.exe"
  or Image matches "*\\Zoom.exe" or Image matches "*\\outlook.exe"
  or Image matches "*\\MsMpEng.exe" or Image matches "*\\OneDrive.exe"
  or Image matches "*\\brave.exe" or Image matches "*\\SearchApp.exe")
| timeslice 1h
| parse field=Image "*\\*" as _dir, ProcessName
| stats
    dcount(DestinationIp) as UniqueDestIPs,
    dcount(DestinationPort) as UniqueDestPorts,
    count as TotalConnections,
    values(DestinationIp) as DestinationIPs,
    values(DestinationPort) as DestinationPorts,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen
    by _timeslice, Computer, Image, ProcessName, ProcessId, ParentImage
| where UniqueDestIPs >= 3 or (UniqueDestPorts >= 3 and TotalConnections >= 5)
| if (UniqueDestIPs >= 5 and UniqueDestPorts >= 3, "Critical",
    if (UniqueDestIPs >= 4 or (UniqueDestPorts >= 3 and TotalConnections >= 8), "High",
      if (UniqueDestIPs >= 3, "Medium", "Low"))) as RiskScore
| fields FirstSeen, LastSeen, Computer, ProcessName, Image, ProcessId, ParentImage,
    UniqueDestIPs, UniqueDestPorts, TotalConnections, DestinationIPs, DestinationPorts, RiskScore
| sort by UniqueDestIPs desc

high severity medium confidence

Data Sources

Sumo Logic with Sysmon source Windows endpoint collection via Sumo Logic installed collector

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=endpoint/sysmon

False Positives

Enterprise asset management or inventory tools polling multiple endpoints for hardware/software inventory
CI/CD pipeline agents (Jenkins, GitLab Runner) connecting to multiple artifact repositories and build servers
Network scanning or vulnerability assessment tools legitimately deployed by IT security teams

Google Chronicle / SecOps

yaral

rule t1008_fallback_channels_multi_dest {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects non-browser processes connecting to 3+ distinct external IPs or 3+ distinct ports on C2 fallback ports within 1 hour — indicative of T1008 Fallback Channels behavior."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1008"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (53, 80, 443, 4443, 8080, 8443, 8888, 1194, 4444, 9443, 2222, 3128)
    not $e.target.ip_subnet = "10.0.0.0/8"
    not $e.target.ip_subnet = "172.16.0.0/12"
    not $e.target.ip_subnet = "192.168.0.0/16"
    not $e.target.ip_subnet = "127.0.0.0/8"
    not $e.target.ip_subnet = "169.254.0.0/16"
    not $e.principal.process.file.full_path = /(?i)(chrome|firefox|msedge|iexplore|Teams|Slack|Zoom|outlook|MsMpEng|OneDrive|brave|SearchApp|msedgewebview2)\.exe$/
    $host = $e.principal.hostname
    $proc = $e.principal.process.file.full_path
    $dest_ip = $e.target.ip
    $dest_port = $e.target.port

  match:
    $host, $proc over 1h

  outcome:
    $unique_dest_ips = count_distinct($dest_ip)
    $unique_dest_ports = count_distinct($dest_port)
    $total_connections = count()
    $risk_score = if(
      $unique_dest_ips >= 5 and $unique_dest_ports >= 3, "Critical",
      if($unique_dest_ips >= 4 or ($unique_dest_ports >= 3 and $total_connections >= 8), "High",
        if($unique_dest_ips >= 3, "Medium", "Low")))

  condition:
    $e and ($unique_dest_ips >= 3 or ($unique_dest_ports >= 3 and $total_connections >= 5))
}

high severity medium confidence

Data Sources

Chronicle SIEM with Endpoint Detection feeds Chronicle UDM normalized network events from CrowdStrike, Carbon Black, or Windows Defender ATP

Required Tables

network_connection UDM events

False Positives

Legitimate software that performs load balancing by rotating through multiple server IPs (e.g., cloud-native apps using service mesh)
Patch management tools contacting multiple Windows Update or vendor distribution servers during patch cycles
Helpdesk or remote access tools (e.g., ConnectWise, TeamViewer) with multi-region relay infrastructure may trigger port diversity conditions

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4
| !cidrMatch(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"])
| RemotePort in [53, 80, 443, 4443, 8080, 8443, 8888, 1194, 4444, 9443, 2222, 3128]
| !match(field=ImageFileName, regex=/(chrome|firefox|msedge|iexplore|Teams|Slack|Zoom|outlook|MsMpEng|OneDrive|brave|SearchApp|msedgewebview2)\.exe$/i)
| eval HourBucket=formatTime("%Y-%m-%d %H:00:00", timestamp)
| groupBy([ComputerName, ImageFileName, ContextProcessId, HourBucket], function=[
    count(as=TotalConnections),
    count(RemoteAddressIP4, distinct=true, as=UniqueDestIPs),
    count(RemotePort, distinct=true, as=UniqueDestPorts),
    collect(RemoteAddressIP4, limit=10, as=DestinationIPs),
    collect(RemotePort, limit=10, as=DestinationPorts),
    min(timestamp, as=FirstSeen),
    max(timestamp, as=LastSeen)
  ])
| where UniqueDestIPs >= 3 or (UniqueDestPorts >= 3 and TotalConnections >= 5)
| eval RiskScore=if(UniqueDestIPs >= 5 and UniqueDestPorts >= 3, "Critical",
    if(UniqueDestIPs >= 4 or (UniqueDestPorts >= 3 and TotalConnections >= 8), "High",
      if(UniqueDestIPs >= 3, "Medium", "Low")))
| eval ProcessName=replace(ImageFileName, /.*\\/, "")
| table([FirstSeen, LastSeen, ComputerName, ProcessName, ImageFileName, ContextProcessId,
    UniqueDestIPs, UniqueDestPorts, TotalConnections, DestinationIPs, DestinationPorts, RiskScore])
| sort(UniqueDestIPs, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Detection (EDR) Falcon Data Replicator (FDR) NetworkConnectIP4 events

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

Falcon sensor itself or other CrowdStrike components performing multi-destination telemetry or cloud connectivity checks
Automated test frameworks or integration test runners that open multiple outbound connections to test endpoints in rapid succession
Certificate validation processes or OCSP responder lookups that contact multiple CA infrastructure endpoints

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Fallback Channels

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Command and Control

Popular Detections