Detect Fallback Channels in IBM QRadar
Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. Malware families such as HOPLIGHT, InvisiMole, TrickBot, and BISCUIT implement hard-coded primary and secondary C2 addresses, while others like OilRig's ISMAgent dynamically fall back from HTTP to DNS tunneling. Detection focuses on processes establishing connections to multiple distinct external destinations in sequence — particularly where port diversity (80→443→8080) or protocol switching (HTTP→DNS) is observed — which is anomalous for non-browser processes.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1008 Fallback Channels
- Canonical reference
- https://attack.mitre.org/techniques/T1008/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
sourceip,
username,
"Process Name" AS ProcessName,
COUNT(*) AS TotalConnections,
COUNT(DISTINCT destinationip) AS UniqueDestIPs,
COUNT(DISTINCT destinationport) AS UniqueDestPorts
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND CATEGORYNAME(category) LIKE '%Network%'
AND destinationport IN (53, 80, 443, 4443, 8080, 8443, 8888, 1194, 4444, 9443, 2222, 3128)
AND NOT (destinationip ILIKE '10.%'
OR destinationip ILIKE '192.168.%'
OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '172.17.%'
OR destinationip ILIKE '172.18.%' OR destinationip ILIKE '172.19.%'
OR destinationip ILIKE '172.20.%' OR destinationip ILIKE '172.21.%'
OR destinationip ILIKE '172.22.%' OR destinationip ILIKE '172.23.%'
OR destinationip ILIKE '172.24.%' OR destinationip ILIKE '172.25.%'
OR destinationip ILIKE '172.26.%' OR destinationip ILIKE '172.27.%'
OR destinationip ILIKE '172.28.%' OR destinationip ILIKE '172.29.%'
OR destinationip ILIKE '172.30.%' OR destinationip ILIKE '172.31.%'
OR destinationip ILIKE '127.%' OR destinationip ILIKE '169.254.%')
AND NOT ("Process Name" ILIKE '%chrome.exe' OR "Process Name" ILIKE '%firefox.exe'
OR "Process Name" ILIKE '%msedge.exe' OR "Process Name" ILIKE '%iexplore.exe'
OR "Process Name" ILIKE '%Teams.exe' OR "Process Name" ILIKE '%Slack.exe'
OR "Process Name" ILIKE '%Zoom.exe' OR "Process Name" ILIKE '%outlook.exe'
OR "Process Name" ILIKE '%MsMpEng.exe' OR "Process Name" ILIKE '%OneDrive.exe')
AND devicetime > (NOW() - 86400000)
GROUP BY sourceip, username, "Process Name",
FLOOR(LONG(devicetime) / 3600000)
HAVING COUNT(DISTINCT destinationip) >= 3
OR (COUNT(DISTINCT destinationport) >= 3 AND COUNT(*) >= 5)
ORDER BY UniqueDestIPs DESCQRadar AQL query detecting fallback C2 channel behavior by aggregating network connection events per process per hour. Identifies non-browser processes connecting to 3 or more distinct external IPs or 3 or more distinct ports on known C2 fallback ports. Groups by 1-hour floor buckets to mirror the KQL/SPL logic.
Data Sources
Required Tables
False Positives & Tuning
- Backup agents (e.g., Veeam, Commvault) connecting to multiple cloud storage endpoints during backup jobs
- Monitoring agents like Datadog or New Relic connecting to multiple regional ingest endpoints
- Software deployment tools contacting multiple mirrors or repositories simultaneously
Other platforms for T1008
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Sequential HTTP Fallback Simulation (Windows)
Expected signal: Sysmon Event ID 3: Three sequential network connection events from powershell.exe to 192.0.2.10:80, 192.0.2.11:443, and 192.0.2.12:8080 within seconds of each other. Sysmon Event ID 1: Process creation for powershell.exe with Net.WebClient in the command line. All three connections will fail (no listener), but Sysmon logs all outbound connection attempts.
- Test 2DNS Fallback Simulation After HTTP Failure (Linux/macOS)
Expected signal: Syslog/auditd: curl process creation with failed connections to 192.0.2.50 and 192.0.2.51. dig process creation events for 20 sequential DNS queries to 8.8.8.8 (external resolver). If Sysmon for Linux is deployed: Event ID 3 for curl network connections and dig DNS queries. Network capture shows failed TCP SYN to RFC 5737 IPs followed by UDP/53 query burst to 8.8.8.8.
- Test 3Multi-Port C2 Fallback via Netcat (Windows)
Expected signal: Sysmon Event ID 3: Three network connection events from powershell.exe to 192.0.2.100 on ports 80, 443, and 8080. Connections will time out (no listener). Sysmon Event ID 1: Process creation with TcpClient and multiple ports visible in command line.
- Test 4Proxy-Aware Fallback (JHUHUGIT Pattern, Windows)
Expected signal: Sysmon Event ID 1: powershell.exe with registry access command in arguments. Sysmon Event ID 3: Two outbound network connections — first to 192.0.2.200:443, then to 192.0.2.201:8080. Sysmon Event ID 12/13: Registry read from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (proxy settings access). Security Event ID 4663 if object access auditing is enabled.
References (10)
- https://attack.mitre.org/techniques/T1008/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trump-decoy/
- https://us-cert.cisa.gov/ncas/analysis-reports/AR19-100A
- https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/
- https://www.welivesecurity.com/wp-content/uploads/2018/06/ESET_InvisiMole.pdf
- https://www.welivesecurity.com/2017/10/30/ebury-is-alive-but-unseen/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1008/T1008.md
Unlock Pro Content
Get the full detection package for T1008 including response playbook, investigation guide, and atomic red team tests.