T1026 Microsoft Sentinel · KQL

Detect Multiband Communication in Microsoft Sentinel

NOTE: This technique has been deprecated by MITRE ATT&CK and should no longer be used in new detections. The behaviors it described are now captured under more specific sub-techniques of T1071 (Application Layer Protocol) and related C2 techniques. Adversaries may split command-and-control (C2) communications between different protocols or network channels. One protocol may carry inbound commands from the operator while a separate protocol carries outbound data from the victim, allowing the adversary to evade firewall rules that inspect a single protocol or threshold-based anomaly detection on any one communication channel. The split may also be randomized across sessions to further avoid detection heuristics. Common patterns include using DNS for data exfiltration while HTTP carries commands, or combining ICMP with HTTPS, or rotating between multiple out-of-band channels based on availability or operator choice.

MITRE ATT&CK

Tactic
Command and Control
Canonical reference
https://attack.mitre.org/techniques/T1026/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Detect processes making outbound connections using multiple distinct protocol categories
// within a 10-minute window, which may indicate split-channel C2 communication
let ExcludedBrowsers = dynamic(["chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe", "safari.exe"]);
let ExcludedSystemProcs = dynamic(["svchost.exe", "lsass.exe", "services.exe", "wuauclt.exe", "MicrosoftEdgeUpdate.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "InboundConnectionAccepted")
| where RemoteIPType == "Public"
| where not(InitiatingProcessFileName has_any (ExcludedBrowsers))
| where not(InitiatingProcessFileName has_any (ExcludedSystemProcs))
| extend ProtocolCategory = case(
    RemotePort == 53, "DNS",
    RemotePort == 80 or RemotePort == 8080, "HTTP",
    RemotePort == 443 or RemotePort == 8443, "HTTPS",
    RemotePort == 25 or RemotePort == 587 or RemotePort == 465, "SMTP",
    RemotePort == 21 or RemotePort == 20, "FTP",
    RemotePort == 22, "SSH",
    RemotePort == 123, "NTP",
    RemotePort == 161 or RemotePort == 162, "SNMP",
    true, strcat("Other:", tostring(RemotePort))
)
| summarize
    ProtocolSet = make_set(ProtocolCategory),
    DistinctPortCount = dcount(RemotePort),
    ConnectionCount = count(),
    UniqueRemoteIPs = dcount(RemoteIP),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleCmdLine = take_any(InitiatingProcessCommandLine)
    by DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessId, bin(Timestamp, 10m)
| extend ProtocolCount = array_length(ProtocolSet)
| where ProtocolCount >= 3
    or (ProtocolCount >= 2 and ProtocolSet has "DNS" and ProtocolSet has_any ("HTTP", "HTTPS"))
    or (ProtocolCount >= 2 and ProtocolSet has "DNS" and ProtocolSet has "Other:")
| project
    FirstSeen,
    LastSeen,
    DeviceName,
    AccountName,
    InitiatingProcessFileName,
    InitiatingProcessId,
    ProtocolSet,
    ProtocolCount,
    DistinctPortCount,
    ConnectionCount,
    UniqueRemoteIPs,
    SampleCmdLine
| sort by FirstSeen desc
medium severity low confidence

Detects processes that make outbound network connections using three or more distinct protocol categories, or that combine DNS with HTTP/HTTPS or other non-standard protocols, within a 10-minute window. This pattern is characteristic of multiband C2 where operators split inbound commands and outbound data across different channels to evade single-protocol monitoring rules. Standard web browsers and known system processes are excluded. Remaining process-level alerts with high protocol diversity or DNS+HTTP combinations warrant analyst review.

Data Sources

Network Traffic: Network Connection CreationNetwork Traffic: Network Traffic FlowMicrosoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives & Tuning

  • Network monitoring or diagnostic tools (Wireshark, netstat wrappers, custom scripts) that open connections across multiple protocols as part of legitimate testing
  • Update clients and package managers that contact DNS resolvers and then fetch payloads over HTTPS, then may send telemetry via a separate channel
  • Remote management agents (Ansible, Puppet, Chef client) that may use multiple protocols during configuration application phases
  • Security scanning tools or vulnerability assessment agents that probe multiple services simultaneously across different protocols
  • Backup agents that use separate channels for metadata (DNS/HTTP control plane) and data transfer (custom protocol over high port)
Download portable Sigma rule (.yml)

Other platforms for T1026

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Split Protocol Communication — DNS Query Plus HTTP Fetch from PowerShell

    Expected signal: Sysmon Event ID 3: Two network connection events from powershell.exe — one to 9.9.9.9:53 (DNS) and one to the HTTP destination on port 80. Sysmon Event ID 22: DNS query for 'dns.quad9.net' from powershell.exe. Both events share the same ProcessId, surfacing as a DNS+HTTP multiprotocol combination from a scripting engine.

  2. Test 2Split Protocol Communication — curl with DNS and HTTPS Separation (Linux/macOS)

    Expected signal: Auditd SYSCALL records for connect() syscalls from bash or dig/curl child processes to 8.8.8.8:53 (UDP/TCP) and to the HTTPS destination on port 443. If Sysmon for Linux is deployed: Event ID 3 network connection events showing alternating DNS and HTTPS connections from the parent shell process or its children sharing the same session. Zeek/Suricata network logs will show interleaved DNS and HTTPS flows from the same source IP.

  3. Test 3Three-Protocol Multiband Simulation — DNS, HTTP, and Custom High Port

    Expected signal: Sysmon Event ID 3: Three network connection attempts from powershell.exe — port 53 (DNS resolution of time.windows.com), port 80 (HTTP to checkip.amazonaws.com), and port 8888 (TCP attempt to 1.1.1.1 — connection may be refused or filtered but process creation and connection attempt are still logged). Sysmon Event ID 22: DNS query for time.windows.com. All events share the same ProcessId.

  4. Test 4Sustained Beaconing Simulation Across Two Protocols (Windows)

    Expected signal: Sysmon Event ID 3: Twelve network connection events from powershell.exe over approximately 60 seconds — six to port 53 (DNS) and six to port 80 (HTTP), interleaved at 5-second intervals. Sysmon Event ID 22: Six DNS query events for google.com. The pattern of alternating DNS and HTTP connections within the time bucket will be visible in NetFlow and EDR telemetry as a clear two-band beaconing rhythm.

Last updated: 2026-04-18 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1026 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1071Application Layer ProtocolT1071.001Web ProtocolsT1071.004DNST1048Exfiltration Over Alternative ProtocolT1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1132Data EncodingT1573Encrypted ChannelT1568Dynamic ResolutionT1095Non-Application Layer ProtocolT1041Exfiltration Over C2 Channel

Same Tactic: Command and Control

Popular Detections