
Detect Fallback Channels in Splunk

Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. Malware families such as HOPLIGHT, InvisiMole, TrickBot, and BISCUIT implement hard-coded primary and secondary C2 addresses, while others like OilRig's ISMAgent dynamically fall back from HTTP to DNS tunneling. Detection focuses on processes establishing connections to multiple distinct external destinations in sequence — particularly where port diversity (80→443→8080) or protocol switching (HTTP→DNS) is observed — which is anomalous for non-browser processes.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1008 Fallback Channels
Canonical reference
https://attack.mitre.org/techniques/T1008/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 Initiated=true
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
    OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
    OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
    OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
    OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
    OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*"
    OR DestinationIp="127.*" OR DestinationIp="169.254.*")
  NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe"
    OR Image="*\\iexplore.exe" OR Image="*\\Teams.exe" OR Image="*\\Slack.exe"
    OR Image="*\\Zoom.exe" OR Image="*\\OneDrive.exe" OR Image="*\\outlook.exe"
    OR Image="*\\MsMpEng.exe" OR Image="*\\SearchApp.exe" OR Image="*\\brave.exe")
  (DestinationPort=53 OR DestinationPort=80 OR DestinationPort=443 OR DestinationPort=4443
    OR DestinationPort=8080 OR DestinationPort=8443 OR DestinationPort=8888
    OR DestinationPort=1194 OR DestinationPort=4444 OR DestinationPort=9443
    OR DestinationPort=2222 OR DestinationPort=3128)
| bin span=1h _time as TimeBucket
| stats
    dc(DestinationIp) as UniqueDestIPs,
    dc(DestinationPort) as UniqueDestPorts,
    count as TotalConnections,
    values(DestinationIp) as DestinationIPs,
    values(DestinationPort) as DestinationPorts,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
    by TimeBucket, host, Image, ProcessId
| where UniqueDestIPs >= 3 OR (UniqueDestPorts >= 3 AND TotalConnections >= 5)
| eval ConnectionSpanSeconds = LastSeen - FirstSeen
| eval RiskScore=case(
    UniqueDestIPs >= 5 AND UniqueDestPorts >= 3, "Critical",
    UniqueDestIPs >= 4 OR (UniqueDestPorts >= 3 AND TotalConnections >= 8), "High",
    UniqueDestIPs >= 3, "Medium",
    true(), "Low"
  )
| eval ProcessName=mvindex(split(Image, "\\"), -1)
| table FirstSeen, host, ProcessName, Image, ProcessId,
    UniqueDestIPs, UniqueDestPorts, TotalConnections,
    DestinationIPs, DestinationPorts, ConnectionSpanSeconds, RiskScore
| sort - UniqueDestIPs
Severity: high · Confidence: medium

Detects C2 fallback-channel behavior using Sysmon Event ID 3 (Network Connection). Outbound connections are grouped by hourly time bucket, host, image and process ID, and the query flags non-browser processes that, within one hour, connect to three or more distinct external IP addresses, or to three or more distinct ports across at least five connections. Private RFC 1918 ranges, loopback and link-local addresses, and known-legitimate applications are excluded. A RiskScore field categorizes the severity of the connection diversity. This pattern matches malware like TrickBot (secondary C2 relay), CHOPSTICK (channel switching), Valak (multiple C2 hosts), and S-Type (port 80→443→8080 fallback).

Data Sources

Network Traffic: Network Connection Creation (Sysmon Event ID 3)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software update clients and package managers (e.g., Windows Update components, npm, pip) that contact multiple CDN endpoints or mirror servers during downloads
  • IT monitoring and management agents (SCCM, Qualys, Tenable) that beacon to multiple management servers or cloud endpoints
  • Backup agents and cloud sync clients (Veeam, Backblaze, Crashplan) contacting multiple storage endpoints
  • Custom business applications with built-in load-balancing or geographic failover logic connecting to multiple cloud provider IPs
  • Security scanning tools and vulnerability assessment agents that make broad outbound connections as part of their normal operation

Testing Methodology

Validate this detection against 4 Atomic Red Team test cases for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Sequential HTTP Fallback Simulation (Windows)

    Expected signal: Sysmon Event ID 3: Three sequential network connection events from powershell.exe to 192.0.2.10:80, 192.0.2.11:443, and 192.0.2.12:8080 within seconds of each other. Sysmon Event ID 1: Process creation for powershell.exe with Net.WebClient in the command line. All three connections will fail (no listener), but Sysmon logs all outbound connection attempts.

  2. Test 2: DNS Fallback Simulation After HTTP Failure (Linux/macOS)

    Expected signal: Syslog/auditd: curl process creation with failed connections to 192.0.2.50 and 192.0.2.51. dig process creation events for 20 sequential DNS queries to 8.8.8.8 (external resolver). If Sysmon for Linux is deployed: Event ID 3 for curl network connections and dig DNS queries. Network capture shows failed TCP SYN to RFC 5737 IPs followed by UDP/53 query burst to 8.8.8.8.

  3. Test 3: Multi-Port C2 Fallback via Netcat (Windows)

    Expected signal: Sysmon Event ID 3: Three network connection events from powershell.exe to 192.0.2.100 on ports 80, 443, and 8080. Connections will time out (no listener). Sysmon Event ID 1: Process creation with TcpClient and multiple ports visible in command line.

  4. Test 4: Proxy-Aware Fallback (JHUHUGIT Pattern, Windows)

    Expected signal: Sysmon Event ID 1: powershell.exe with registry access command in arguments. Sysmon Event ID 3: Two outbound network connections — first to 192.0.2.200:443, then to 192.0.2.201:8080. Sysmon Event ID 12/13: Registry read from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (proxy settings access). Security Event ID 4663 if object access auditing is enabled.
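The following is an added example, not code from the page or from the detection vendor: it re-implements the SPL query's base search, hourly grouping, where clause and RiskScore ladder in Python, and runs it over constructed XmlWinEventLog-style Sysmon Event ID 3 records shaped like the Test 1 and Test 3 expectations above. This lets the thresholds be checked offline before the query is deployed. The XML template, host name, process IDs and timestamps are constructed for the example (real Sysmon timestamps also carry fractional seconds), and the 172.16.0.0/12 network stands in for the query's sixteen 172.16.* to 172.31.* wildcards.

```python
# Added example (not the page's own code): the SPL detection re-implemented in Python
# over constructed Sysmon Event ID 3 XML records.
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"  # Windows event XML namespace

# Same exclusions and port list as the SPL query; 172.16.0.0/12 replaces the 172.16-172.31 wildcards.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
ALLOWLIST = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "teams.exe", "slack.exe",
             "zoom.exe", "onedrive.exe", "outlook.exe", "msmpeng.exe", "searchapp.exe", "brave.exe"}
WATCHED_PORTS = {53, 80, 443, 4443, 8080, 8443, 8888, 1194, 4444, 9443, 2222, 3128}

# Constructed record template (hypothetical sample data, simplified timestamps without fractions).
EVENT_XML = ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
             "<EventID>3</EventID><TimeCreated SystemTime='{ts}'/><Computer>{host}</Computer></System>"
             "<EventData><Data Name='Image'>{image}</Data><Data Name='ProcessId'>{pid}</Data>"
             "<Data Name='DestinationIp'>{dip}</Data><Data Name='DestinationPort'>{dport}</Data>"
             "</EventData></Event>")


def make_event(ts, host, image, pid, dip, dport):
    """Build one constructed Sysmon EID 3 record for the samples below."""
    return EVENT_XML.format(ts=ts, host=host, image=image, pid=pid, dip=dip, dport=dport)


def parse_event(xml_text):
    """Flatten a Sysmon XML record into the field names the SPL query uses."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{NS}System")
    fields = {d.get("Name"): d.text for d in root.iter(f"{NS}Data")}
    fields["EventCode"] = int(system.find(f"{NS}EventID").text)
    fields["host"] = system.find(f"{NS}Computer").text
    stamp = system.find(f"{NS}TimeCreated").get("SystemTime")
    fields["_time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def is_candidate(ev):
    """Mirror the base search: EID 3, external destination, non-allowlisted image, watched port."""
    if ev.get("EventCode") != 3:
        return False
    try:
        ip = ipaddress.ip_address(ev["DestinationIp"])
    except (KeyError, ValueError):
        return False
    if any(ip in net for net in PRIVATE_NETS):
        return False
    if ev["Image"].rsplit("\\", 1)[-1].lower() in ALLOWLIST:  # Image="*\\name.exe" is case-insensitive
        return False
    return int(ev["DestinationPort"]) in WATCHED_PORTS


def risk_score(unique_ips, unique_ports, total):
    """Same case() ladder as the query's RiskScore eval."""
    if unique_ips >= 5 and unique_ports >= 3:
        return "Critical"
    if unique_ips >= 4 or (unique_ports >= 3 and total >= 8):
        return "High"
    if unique_ips >= 3:
        return "Medium"
    return "Low"


def detect(xml_records, span_seconds=3600):
    """stats by hour bucket, host, Image, ProcessId; then apply the where clause and RiskScore."""
    groups = defaultdict(list)
    for ev in map(parse_event, xml_records):
        if is_candidate(ev):
            bucket = int(ev["_time"].timestamp()) // span_seconds * span_seconds
            groups[(bucket, ev["host"], ev["Image"], ev["ProcessId"])].append(ev)
    results = []
    for (_, host, image, pid), evs in groups.items():
        ips = sorted({e["DestinationIp"] for e in evs})
        ports = sorted({int(e["DestinationPort"]) for e in evs})
        total = len(evs)
        if not (len(ips) >= 3 or (len(ports) >= 3 and total >= 5)):
            continue  # below the query's where clause
        times = [e["_time"] for e in evs]
        results.append({"host": host, "ProcessName": image.rsplit("\\", 1)[-1], "ProcessId": pid,
                        "UniqueDestIPs": len(ips), "UniqueDestPorts": len(ports),
                        "TotalConnections": total, "DestinationIPs": ips, "DestinationPorts": ports,
                        "ConnectionSpanSeconds": (max(times) - min(times)).total_seconds(),
                        "RiskScore": risk_score(len(ips), len(ports), total)})
    return sorted(results, key=lambda r: -r["UniqueDestIPs"])


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
# Constructed samples: Test 1 (three hosts, three ports) and Test 3 (one host, three ports),
# plus browser traffic and an internal 172.31.x.x connection that the exclusions should drop.
SAMPLE_RECORDS = [
    make_event("2024-06-01T10:00:01Z", "WS01", PS, "4242", "192.0.2.10", "80"),
    make_event("2024-06-01T10:00:03Z", "WS01", PS, "4242", "192.0.2.11", "443"),
    make_event("2024-06-01T10:00:05Z", "WS01", PS, "4242", "192.0.2.12", "8080"),
    make_event("2024-06-01T10:05:00Z", "WS01", PS, "5151", "192.0.2.100", "80"),
    make_event("2024-06-01T10:05:02Z", "WS01", PS, "5151", "192.0.2.100", "443"),
    make_event("2024-06-01T10:05:04Z", "WS01", PS, "5151", "192.0.2.100", "8080"),
    make_event("2024-06-01T10:07:00Z", "WS01", CHROME, "777", "203.0.113.5", "443"),
    make_event("2024-06-01T10:08:00Z", "WS01", PS, "4242", "172.31.255.254", "443"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_RECORDS):
        print(row)
```

Running it surfaces only the Test 1 process (three IPs, three ports, four-second span, RiskScore Medium). The Test 3 pattern as described, three connections to one IP on ports 80, 443 and 8080, is dropped by the where clause because the port-diversity branch also requires at least five connections; if Test 3 is used to validate the query, either repeat the connection attempts or lower the TotalConnections threshold during testing. The exclusion check also confirms that 172.31.255.254 is treated as private while 172.32.0.1 is not, which is the boundary the wildcard list in the query encodes.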

