T1026

Multiband Communication

NOTE: This technique has been deprecated by MITRE ATT&CK and should no longer be used in new detections. The behaviors it described are now captured under more specific sub-techniques of T1071 (Application Layer Protocol) and related C2 techniques. Adversaries may split command-and-control (C2) communications between different protocols or network channels. One protocol may carry inbound commands from the operator while a separate protocol carries outbound data from the victim, allowing the adversary to evade firewall rules that inspect a single protocol or threshold-based anomaly detection on any one communication channel. The split may also be randomized across sessions to further avoid detection heuristics. Common patterns include using DNS for data exfiltration while HTTP carries commands, or combining ICMP with HTTPS, or rotating between multiple out-of-band channels based on availability or operator choice.

Microsoft Sentinel / Defender

kusto

// Detect processes making outbound connections using multiple distinct protocol categories
// within a 10-minute window, which may indicate split-channel C2 communication
let ExcludedBrowsers = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe", "safari.exe"]);
let ExcludedSystemProcs = dynamic(["svchost.exe", "lsass.exe", "services.exe", "wuauclt.exe", "MicrosoftEdgeUpdate.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
| where RemoteIPType == "Public"
| where not(InitiatingProcessFileName has_any (ExcludedBrowsers))
| where not(InitiatingProcessFileName has_any (ExcludedSystemProcs))
| extend ProtocolCategory = case(
    RemotePort == 53, "DNS",
    RemotePort == 80 or RemotePort == 8080, "HTTP",
    RemotePort == 443 or RemotePort == 8443, "HTTPS",
    RemotePort == 25 or RemotePort == 587 or RemotePort == 465, "SMTP",
    RemotePort == 21 or RemotePort == 20, "FTP",
    RemotePort == 22, "SSH",
    RemotePort == 123, "NTP",
    RemotePort == 161 or RemotePort == 162, "SNMP",
    true, strcat("Other:", tostring(RemotePort))
)
| summarize
    ProtocolSet = make_set(ProtocolCategory),
    DistinctPortCount = dcount(RemotePort),
    ConnectionCount = count(),
    UniqueRemoteIPs = dcount(RemoteIP),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCmdLine = take_any(InitiatingProcessCommandLine)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId, bin(Timestamp, 10m)
| extend ProtocolCount = array_length(ProtocolSet)
| where ProtocolCount >= 3
    or (ProtocolCount >= 2 and ProtocolSet has "DNS" and ProtocolSet has_any ("HTTP", "HTTPS"))
    or (ProtocolCount >= 2 and ProtocolSet has "DNS" and ProtocolSet has "Other:")
| project
    FirstSeen,
    LastSeen,
    DeviceName,
    AccountName,
    InitiatingProcessFileName,
    InitiatingProcessId,
    ProtocolSet,
    ProtocolCount,
    DistinctPortCount,
    ConnectionCount,
    UniqueRemoteIPs,
    SampleCmdLine
| sort by FirstSeen desc

medium severity low confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Network monitoring or diagnostic tools (Wireshark, netstat wrappers, custom scripts) that open connections across multiple protocols as part of legitimate testing
Update clients and package managers that contact DNS resolvers and then fetch payloads over HTTPS, then may send telemetry via a separate channel
Remote management agents (Ansible, Puppet, Chef client) that may use multiple protocols during configuration application phases
Security scanning tools or vulnerability assessment agents that probe multiple services simultaneously across different protocols
Backup agents that use separate channels for metadata (DNS/HTTP control plane) and data transfer (custom protocol over high port)

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe" OR Image="*\\iexplore.exe" OR Image="*\\brave.exe" OR Image="*\\opera.exe")
  NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe" OR Image="*\\services.exe" OR Image="*\\wuauclt.exe")
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="::1")
| eval ProtocolCategory=case(
    DestinationPort==53, "DNS",
    DestinationPort==80 OR DestinationPort==8080, "HTTP",
    DestinationPort==443 OR DestinationPort==8443, "HTTPS",
    DestinationPort==25 OR DestinationPort==587 OR DestinationPort==465, "SMTP",
    DestinationPort==21 OR DestinationPort==20, "FTP",
    DestinationPort==22, "SSH",
    DestinationPort==123, "NTP",
    1==1, "Other:".DestinationPort
)
| bucket span=10m _time
| stats
    values(ProtocolCategory) as Protocols,
    dc(DestinationPort) as DistinctPorts,
    count as Connections,
    dc(DestinationIp) as UniqueIPs,
    values(DestinationPort) as Ports
    by _time, host, Image, ProcessId, User
| eval ProtocolCount=mvcount(Protocols)
| eval HasDNS=if(mvfind(Protocols, "DNS") >= 0, 1, 0)
| eval HasHTTP=if(mvfind(Protocols, "HTTP") >= 0 OR mvfind(Protocols, "HTTPS") >= 0, 1, 0)
| eval HasOther=if(mvfind(Protocols, "Other:*") >= 0, 1, 0)
| where ProtocolCount >= 3
    OR (ProtocolCount >= 2 AND HasDNS=1 AND HasHTTP=1)
    OR (ProtocolCount >= 2 AND HasDNS=1 AND HasOther=1)
| table _time, host, User, Image, ProcessId, Protocols, ProtocolCount, DistinctPorts, Connections, UniqueIPs, Ports
| sort - _time

medium severity low confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Network monitoring or diagnostic tools that probe multiple protocol endpoints as part of their normal function
Software update managers that use DNS resolution followed by HTTPS download followed by separate telemetry channels
Remote management agents (Ansible, Puppet, Chef) that use multiple protocols during active provisioning runs
Security scanning tools or EDR agents making multi-protocol health check connections
Custom internal tooling or scripts that implement their own multi-step connection flows

IBM QRadar (AQL)

sql

SELECT
  sourceip AS "Source IP",
  username AS "Username",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  COUNT(DISTINCT destinationport) AS "Distinct Ports",
  SUM(CASE WHEN destinationport = 53 THEN 1 ELSE 0 END) AS "DNS Connections",
  SUM(CASE WHEN destinationport IN (80, 8080, 443, 8443) THEN 1 ELSE 0 END) AS "Web Connections",
  SUM(CASE WHEN destinationport IN (22, 21, 25, 587, 465, 123) THEN 1 ELSE 0 END) AS "OtherProto Connections",
  COUNT(*) AS "Total Connections"
FROM flows
WHERE
  destinationport IN (53, 80, 443, 8080, 8443, 22, 25, 587, 465, 21, 20, 123)
  AND NOT (
    destinationip LIKE '10.%'
    OR destinationip LIKE '192.168.%'
    OR destinationip LIKE '172.16.%' OR destinationip LIKE '172.17.%'
    OR destinationip LIKE '172.18.%' OR destinationip LIKE '172.19.%'
    OR destinationip LIKE '172.20.%' OR destinationip LIKE '172.21.%'
    OR destinationip LIKE '172.22.%' OR destinationip LIKE '172.23.%'
    OR destinationip LIKE '172.24.%' OR destinationip LIKE '172.25.%'
    OR destinationip LIKE '172.26.%' OR destinationip LIKE '172.27.%'
    OR destinationip LIKE '172.28.%' OR destinationip LIKE '172.29.%'
    OR destinationip LIKE '172.30.%' OR destinationip LIKE '172.31.%'
    OR destinationip = '127.0.0.1'
  )
  AND starttime > NOW() - 24 HOURS
GROUP BY
  sourceip,
  username,
  LOGSOURCENAME(logsourceid)
HAVING
  SUM(CASE WHEN destinationport = 53 THEN 1 ELSE 0 END) > 0
  AND SUM(CASE WHEN destinationport IN (80, 8080, 443, 8443) THEN 1 ELSE 0 END) > 0
  AND COUNT(DISTINCT destinationport) >= 3
ORDER BY "Total Connections" DESC

medium severity medium confidence

Data Sources

QRadar Network Activity (Flow Processor) QRadar Log Activity (Windows/Linux endpoint flows) Cisco NetFlow / IPFIX feeds ingested via QRadar Flow Collector

Required Tables

flows

False Positives

Software updaters and package managers that resolve CDN mirror hostnames via DNS then fetch payloads over HTTP/HTTPS, producing high flow counts spanning both DNS and web ports from a single source IP
Corporate VPN clients performing split-tunnel DNS resolution alongside direct HTTPS connections to cloud services — the host appears to use both channels simultaneously but for legitimate split-tunnel routing
Internal monitoring platforms (Nagios, Zabbix, PRTG) that poll endpoints over SNMP or SSH while simultaneously reporting metrics over HTTPS to a central server, producing multi-protocol flows from the same source

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon*) EventCode=3
| where !(
    Image matches /(?i)(chrome|firefox|msedge|iexplore|brave|opera|safari|svchost|lsass|services|wuauclt|MicrosoftEdgeUpdate)\.exe$/
  )
| where !(
    DestinationIp matches /^10\./ OR
    DestinationIp matches /^192\.168\./ OR
    DestinationIp matches /^172\.(1[6-9]|2[0-9]|3[01])\./ OR
    DestinationIp matches /^127\./
  )
| where DestinationPort in ("53","80","443","8080","8443","22","25","587","465","21","20","123")
| num(DestinationPort)
| eval ProtocolCategory = if(DestinationPort == 53, "DNS",
    if(DestinationPort in (80,8080), "HTTP",
    if(DestinationPort in (443,8443), "HTTPS",
    if(DestinationPort in (25,587,465), "SMTP",
    if(DestinationPort in (21,20), "FTP",
    if(DestinationPort == 22, "SSH",
    if(DestinationPort == 123, "NTP",
    concat("Other:",string(DestinationPort)))))))))
| timeslice 10m
| stats values(ProtocolCategory) as Protocols, dcount(DestinationPort) as DistinctPorts, count as Connections, dcount(DestinationIp) as UniqueIPs by _timeslice, Computer, Image, ProcessId, User
| where (Protocols contains "DNS") and (Protocols contains "HTTP" or Protocols contains "HTTPS")
| sort by _timeslice desc

medium severity medium confidence

Data Sources

Sumo Logic Windows Collector ingesting Sysmon EventCode=3 Sumo Logic Cloud Syslog with network connection events Sumo Logic S3 source (endpoint telemetry exports)

Required Tables

Windows Sysmon Event ID 3 (Network Connection)

False Positives

Custom LOB applications that implement their own DNS resolver calls before making HTTPS API requests, bypassing the OS DNS cache and appearing as distinct DNS + HTTPS Sysmon 3 events attributed to the same process
Security scanners and vulnerability assessment tools that probe multiple ports and protocols during scheduled discovery sweeps, generating high Sysmon 3 volume across DNS and web ports
Docker Desktop, WSL2, and container runtimes that perform frequent DNS resolution for service mesh discovery and image registry pulls, producing continuous DNS + HTTPS connection events from platform processes

Google Chronicle / SecOps

yaral

rule multiband_c2_communication_t1026 {
  meta:
    author = "df00tech"
    description = "Detects T1026 Multiband Communication: non-browser, non-system process making DNS and HTTP/HTTPS connections within 10 minutes, indicating split-channel C2"
    severity = "MEDIUM"
    priority = "MEDIUM"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1026"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1026/"
    platform = "Windows"
    false_positives = "Software update clients, package managers, enterprise applications with custom DNS resolution logic"

  events:
    $dns_conn.metadata.event_type = "NETWORK_CONNECTION"
    $dns_conn.target.port = 53
    $dns_conn.principal.process.file.full_path != /(?i)(chrome|firefox|msedge|iexplore|brave|opera|safari|svchost|lsass|services|wuauclt|MicrosoftEdgeUpdate)\.exe/
    not net.ip_in_range_cidr($dns_conn.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($dns_conn.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($dns_conn.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($dns_conn.target.ip, "127.0.0.0/8")
    $dns_conn.principal.hostname = $hostname
    $dns_conn.principal.process.pid = $pid
    $dns_conn.principal.process.file.full_path = $process_path

    $web_conn.metadata.event_type = "NETWORK_CONNECTION"
    $web_conn.target.port in (80, 443, 8080, 8443)
    $web_conn.principal.hostname = $hostname
    $web_conn.principal.process.pid = $pid
    not net.ip_in_range_cidr($web_conn.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($web_conn.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($web_conn.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($web_conn.target.ip, "127.0.0.0/8")

  match:
    $hostname, $pid, $process_path over 10m

  condition:
    $dns_conn and $web_conn
}

medium severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) via Chronicle Forwarder Chronicle Ingestion API (endpoint telemetry normalized to UDM) Chronicle third-party log ingestion (Sysmon, EDR telemetry normalized to NETWORK_CONNECTION)

Required Tables

NETWORK_CONNECTION (Chronicle UDM event type)

False Positives

Endpoint management and MDM agents (Microsoft Intune, Jamf, Tanium) that resolve management server hostnames via DNS and then communicate with them over HTTPS for policy enforcement and check-ins
Database connection poolers and ORMs that resolve read-replica or shard endpoints via DNS before establishing HTTPS-tunneled connections within the same connection setup sequence
Cloud-native applications and service mesh sidecars (Envoy, Linkerd) that perform explicit DNS-based service discovery before routing HTTP/HTTPS traffic to resolved upstream endpoints

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4
| NetworkDirection=2
| RemotePort in [53, 80, 443, 8080, 8443, 22, 25, 587, 465, 21, 20, 123]
| !match(field=ImageFileName, regex="(?i)(chrome|firefox|msedge|iexplore|brave|opera|safari|svchost|lsass|services|wuauclt|MicrosoftEdgeUpdate)\\.exe$")
| !match(field=RemoteAddressIP4, regex="^(10\\.|192\\.168\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|127\\.)")
| ProtocolCategory := "Other"
| ProtocolCategory := if(RemotePort == 53, "DNS", ProtocolCategory)
| ProtocolCategory := if(RemotePort in [80, 8080], "HTTP", ProtocolCategory)
| ProtocolCategory := if(RemotePort in [443, 8443], "HTTPS", ProtocolCategory)
| ProtocolCategory := if(RemotePort in [25, 587, 465], "SMTP", ProtocolCategory)
| ProtocolCategory := if(RemotePort in [21, 20], "FTP", ProtocolCategory)
| ProtocolCategory := if(RemotePort == 22, "SSH", ProtocolCategory)
| ProtocolCategory := if(RemotePort == 123, "NTP", ProtocolCategory)
| groupBy([ComputerName, UserName, ImageFileName, ContextProcessId, bucket(span=10m)], function=[
    values(ProtocolCategory, as=Protocols),
    count(RemotePort, distinct=true, as=DistinctPorts),
    count(as=Connections),
    count(RemoteAddressIP4, distinct=true, as=UniqueIPs)
  ])
| HasDNS := strings:contains(string=Protocols, substring="DNS")
| HasHTTP := strings:contains(string=Protocols, substring="HTTP")
| where HasDNS == true AND HasHTTP == true
| sort(_bucket, order=desc)
| select([_bucket, ComputerName, UserName, ImageFileName, ContextProcessId, Protocols, DistinctPorts, Connections, UniqueIPs])

medium severity medium confidence

Data Sources

CrowdStrike Falcon EDR (NetworkConnectIP4 events via FDR) CrowdStrike Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike SIEM Connector forwarding endpoint telemetry

Required Tables

NetworkConnectIP4

False Positives

The CrowdStrike Falcon sensor itself and other co-installed security agents (Carbon Black, SentinelOne, Defender) may generate false positives if their process names are not in the exclusion regex and they perform DNS lookups alongside HTTPS telemetry beaconing
Windows Defender SmartScreen and Application Guard components that perform DNS-based reputation lookups and HTTPS cloud calls for file/URL reputation checks may fire if running under unexpected wrapper process names
Enterprise software deployment and configuration management tools (SCCM client, Puppet agent, Ansible agent) that resolve endpoint hostnames via DNS and push configuration payloads over HTTPS during scheduled maintenance windows

Last updated: 2026-04-18 Research depth: deep

References (7)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1026 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Multiband Communication

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Command and Control

Popular Detections