Detect Multiband Communication in Elastic Security
NOTE: This technique has been deprecated by MITRE ATT&CK and should no longer be used in new detections. The behaviors it described are now captured under more specific sub-techniques of T1071 (Application Layer Protocol) and related C2 techniques. Adversaries may split command-and-control (C2) communications between different protocols or network channels. One protocol may carry inbound commands from the operator while a separate protocol carries outbound data from the victim, allowing the adversary to evade firewall rules that inspect a single protocol or threshold-based anomaly detection on any one communication channel. The split may also be randomized across sessions to further avoid detection heuristics. Common patterns include using DNS for data exfiltration while HTTP carries commands, or combining ICMP with HTTPS, or rotating between multiple out-of-band channels based on availability or operator choice.
MITRE ATT&CK
- Tactic
- Command and Control
- Canonical reference
- https://attack.mitre.org/techniques/T1026/
Elastic Detection Query
sequence by host.name, process.pid with maxspan=10m
[network where event.category == "network" and event.type == "start" and
destination.port == 53 and
not process.name in ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe", "safari", "svchost.exe", "lsass.exe", "services.exe", "wuauclt.exe", "microsoftedgeupdate.exe") and
not cidrMatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
[network where event.category == "network" and event.type == "start" and
destination.port in (80, 443, 8080, 8443) and
not process.name in ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe", "safari", "svchost.exe", "lsass.exe", "services.exe", "wuauclt.exe", "microsoftedgeupdate.exe") and
not cidrMatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]Elastic EQL sequence rule detecting T1026 Multiband Communication: identifies non-browser, non-system processes that make a DNS connection (port 53) followed by an HTTP/HTTPS connection (ports 80, 443, 8080, 8443) within a 10-minute window on the same host and PID. The sequence correlation ensures a single application is responsible for both communication channels, matching the split-channel C2 pattern where DNS carries exfiltrated data while HTTP/HTTPS delivers commands.
Data Sources
Required Tables
False Positives & Tuning
- Custom enterprise applications that perform explicit DNS resolution before establishing HTTPS API connections (e.g., legacy ERP connectors, middleware agents) — these perform the same DNS-then-HTTPS pattern legitimately
- Security and monitoring agents (EDR sensors, SIEM collectors, telemetry reporters) that resolve their management server addresses via DNS before beaconing over HTTPS for health checks
- Developer toolchains such as package managers (npm, pip, cargo, go get) that resolve registry hostnames and immediately download packages over HTTP/HTTPS within seconds of the DNS query
Other platforms for T1026
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Split Protocol Communication — DNS Query Plus HTTP Fetch from PowerShell
Expected signal: Sysmon Event ID 3: Two network connection events from powershell.exe — one to 9.9.9.9:53 (DNS) and one to the HTTP destination on port 80. Sysmon Event ID 22: DNS query for 'dns.quad9.net' from powershell.exe. Both events share the same ProcessId, surfacing as a DNS+HTTP multiprotocol combination from a scripting engine.
- Test 2Split Protocol Communication — curl with DNS and HTTPS Separation (Linux/macOS)
Expected signal: Auditd SYSCALL records for connect() syscalls from bash or dig/curl child processes to 8.8.8.8:53 (UDP/TCP) and to the HTTPS destination on port 443. If Sysmon for Linux is deployed: Event ID 3 network connection events showing alternating DNS and HTTPS connections from the parent shell process or its children sharing the same session. Zeek/Suricata network logs will show interleaved DNS and HTTPS flows from the same source IP.
- Test 3Three-Protocol Multiband Simulation — DNS, HTTP, and Custom High Port
Expected signal: Sysmon Event ID 3: Three network connection attempts from powershell.exe — port 53 (DNS resolution of time.windows.com), port 80 (HTTP to checkip.amazonaws.com), and port 8888 (TCP attempt to 1.1.1.1 — connection may be refused or filtered but process creation and connection attempt are still logged). Sysmon Event ID 22: DNS query for time.windows.com. All events share the same ProcessId.
- Test 4Sustained Beaconing Simulation Across Two Protocols (Windows)
Expected signal: Sysmon Event ID 3: Twelve network connection events from powershell.exe over approximately 60 seconds — six to port 53 (DNS) and six to port 80 (HTTP), interleaved at 5-second intervals. Sysmon Event ID 22: Six DNS query events for google.com. The pattern of alternating DNS and HTTP connections within the time bucket will be visible in NetFlow and EDR telemetry as a clear two-band beaconing rhythm.
References (7)
- https://attack.mitre.org/techniques/T1026
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-deguisne/old/bh-us-04-deguisne-paper.pdf
- https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/
- https://www.sans.org/reading-room/whitepapers/dns/paper/34152
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Unlock Pro Content
Get the full detection package for T1026 including response playbook, investigation guide, and atomic red team tests.