T1026 Splunk · SPL

Detect Multiband Communication in Splunk

NOTE: This technique has been deprecated by MITRE ATT&CK and should no longer be used in new detections. The behaviors it described are now captured under more specific sub-techniques of T1071 (Application Layer Protocol) and related C2 techniques.

Adversaries may split command-and-control (C2) communications between different protocols or network channels. One protocol may carry inbound commands from the operator while a separate protocol carries outbound data from the victim, allowing the adversary to evade firewall rules that inspect a single protocol or threshold-based anomaly detection on any one communication channel. The split may also be randomized across sessions to further avoid detection heuristics. Common patterns include using DNS for data exfiltration while HTTP carries commands, combining ICMP with HTTPS, or rotating between multiple out-of-band channels based on availability or operator choice.

MITRE ATT&CK

Tactic
Command and Control
Canonical reference
https://attack.mitre.org/techniques/T1026/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  NOT (Image="*\\chrome.exe" OR Image="*\\firefox.exe" OR Image="*\\msedge.exe" OR Image="*\\iexplore.exe" OR Image="*\\brave.exe" OR Image="*\\opera.exe")
  NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe" OR Image="*\\services.exe" OR Image="*\\wuauclt.exe")
  NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="::1")
| eval ProtocolCategory=case(
    DestinationPort==53, "DNS",
    DestinationPort==80 OR DestinationPort==8080, "HTTP",
    DestinationPort==443 OR DestinationPort==8443, "HTTPS",
    DestinationPort==25 OR DestinationPort==587 OR DestinationPort==465, "SMTP",
    DestinationPort==21 OR DestinationPort==20, "FTP",
    DestinationPort==22, "SSH",
    DestinationPort==123, "NTP",
    1==1, "Other:".DestinationPort
)
| bucket span=10m _time
| stats
    values(ProtocolCategory) as Protocols,
    dc(DestinationPort) as DistinctPorts,
    count as Connections,
    dc(DestinationIp) as UniqueIPs,
    values(DestinationPort) as Ports
    by _time, host, Image, ProcessId, User
| eval ProtocolCount=mvcount(Protocols)
| eval HasDNS=if(mvfind(Protocols, "DNS") >= 0, 1, 0)
| eval HasHTTP=if(mvfind(Protocols, "HTTP") >= 0 OR mvfind(Protocols, "HTTPS") >= 0, 1, 0)
| eval HasOther=if(mvfind(Protocols, "^Other:") >= 0, 1, 0)
| where ProtocolCount >= 3
    OR (ProtocolCount >= 2 AND HasDNS=1 AND HasHTTP=1)
    OR (ProtocolCount >= 2 AND HasDNS=1 AND HasOther=1)
| table _time, host, User, Image, ProcessId, Protocols, ProtocolCount, DistinctPorts, Connections, UniqueIPs, Ports
| sort - _time
Severity: medium · Confidence: low

Detects individual processes making outbound network connections across multiple distinct protocol categories within a 10-minute window using Sysmon Event ID 3 (Network Connection). Alerts fire when a non-browser process uses three or more protocol categories, or combines DNS with HTTP/HTTPS (split DNS+HTTP C2), or combines DNS with non-standard high ports. Evaluates protocol diversity per process per time bucket to surface multiband communication patterns consistent with split-channel C2 frameworks.

Data Sources

Network Traffic: Network Connection Creation (Sysmon Event ID 3)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Network monitoring or diagnostic tools that probe multiple protocol endpoints as part of their normal function
  • Software update managers that use DNS resolution followed by HTTPS download followed by separate telemetry channels
  • Remote management agents (Ansible, Puppet, Chef) that use multiple protocols during active provisioning runs
  • Security scanning tools or EDR agents making multi-protocol health check connections
  • Custom internal tooling or scripts that implement their own multi-step connection flows

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Split Protocol Communication — DNS Query Plus HTTP Fetch from PowerShell

    Expected signal: Sysmon Event ID 3: Two network connection events from powershell.exe — one to 9.9.9.9:53 (DNS) and one to the HTTP destination on port 80. Sysmon Event ID 22: DNS query for 'dns.quad9.net' from powershell.exe. Both events share the same ProcessId, surfacing as a DNS+HTTP multiprotocol combination from a scripting engine.

  2. Test 2: Split Protocol Communication — curl with DNS and HTTPS Separation (Linux/macOS)

    Expected signal: Auditd SYSCALL records for connect() syscalls from bash or dig/curl child processes to 8.8.8.8:53 (UDP/TCP) and to the HTTPS destination on port 443. If Sysmon for Linux is deployed: Event ID 3 network connection events showing alternating DNS and HTTPS connections from the parent shell process or its children sharing the same session. Zeek/Suricata network logs will show interleaved DNS and HTTPS flows from the same source IP.

  3. Test 3: Three-Protocol Multiband Simulation — DNS, HTTP, and Custom High Port

    Expected signal: Sysmon Event ID 3: Three network connection attempts from powershell.exe — port 53 (DNS resolution of time.windows.com), port 80 (HTTP to checkip.amazonaws.com), and port 8888 (TCP attempt to 1.1.1.1 — connection may be refused or filtered but process creation and connection attempt are still logged). Sysmon Event ID 22: DNS query for time.windows.com. All events share the same ProcessId.

  4. Test 4: Sustained Beaconing Simulation Across Two Protocols (Windows)

    Expected signal: Sysmon Event ID 3: Twelve network connection events from powershell.exe over approximately 60 seconds — six to port 53 (DNS) and six to port 80 (HTTP), interleaved at 5-second intervals. Sysmon Event ID 22: Six DNS query events for google.com. The pattern of alternating DNS and HTTP connections within the time bucket will be visible in NetFlow and EDR telemetry as a clear two-band beaconing rhythm.
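To check the alert logic described above (protocol categorisation, 10-minute bucketing and the where clause) offline against telemetry shaped like these expected signals, here is an added Python re-implementation written for this page; it is not part of the original detection package. The host, user, destination IPs and the timesync.exe image are constructed placeholders, and the sample events model Test 3 plus a benign two-band client that must not alert.

```python
from collections import defaultdict
from datetime import datetime
# Port-to-category mapping that mirrors the case() statement in the SPL query.
PORT_CATEGORY = {53: "DNS", 80: "HTTP", 8080: "HTTP", 443: "HTTPS", 8443: "HTTPS",
                 25: "SMTP", 587: "SMTP", 465: "SMTP", 21: "FTP", 20: "FTP",
                 22: "SSH", 123: "NTP"}
# Browser and core Windows images excluded by the query's NOT clauses.
EXCLUDED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe",
                   "opera.exe", "svchost.exe", "lsass.exe", "services.exe", "wuauclt.exe"}
def is_private(ip):  # RFC1918, loopback and ::1: the ranges the query drops
    if ip.startswith(("10.", "192.168.", "127.")) or ip == "::1":
        return True
    return ip.startswith("172.") and 16 <= int(ip.split(".")[1]) <= 31

def categorize(port):  # unknown ports become their own "Other:<port>" band
    return PORT_CATEGORY.get(port, f"Other:{port}")
def detect_multiband(events, span_s=600):
    """Apply the query's bucketing and where clause to Sysmon EID 3 dicts."""
    buckets = defaultdict(list)
    for e in events:
        if e["image"].rsplit("\\", 1)[-1].lower() in EXCLUDED_IMAGES or is_private(e["dst_ip"]):
            continue
        t = datetime.fromisoformat(e["time"]).timestamp()
        key = (int(t // span_s) * span_s, e["host"], e["image"], e["pid"], e["user"])
        buckets[key].append(e)
    hits = []
    for (bucket, host, image, pid, user), evs in buckets.items():
        protos = {categorize(e["dst_port"]) for e in evs}
        has_dns, has_http = "DNS" in protos, bool(protos & {"HTTP", "HTTPS"})
        has_other = any(p.startswith("Other:") for p in protos)
        # ProtocolCount >= 3, or DNS paired with HTTP/HTTPS or with an "Other" port
        if len(protos) >= 3 or (len(protos) >= 2 and has_dns and (has_http or has_other)):
            hits.append({"bucket": bucket, "host": host, "image": image, "pid": pid,
                         "user": user, "protocols": sorted(protos), "connections": len(evs),
                         "unique_ips": len({e["dst_ip"] for e in evs})})
    return hits

def _ev(t, image, pid, ip, port):  # one constructed Sysmon Event ID 3 record
    return {"time": t, "host": "WS01", "image": image, "pid": pid,
            "user": "CORP\\alice", "dst_ip": ip, "dst_port": port}
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYNC = "C:\\Program Files\\Vendor\\timesync.exe"  # hypothetical benign DNS+NTP client
# Constructed telemetry: Test 3's three-band pattern from one powershell.exe, plus a two-band DNS+NTP client that must NOT alert.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:05+00:00", PS, 4242, "9.9.9.9", 53),
    _ev("2024-05-01T10:00:07+00:00", PS, 4242, "203.0.113.10", 80),
    _ev("2024-05-01T10:00:09+00:00", PS, 4242, "1.1.1.1", 8888),
    _ev("2024-05-01T10:01:00+00:00", SYNC, 900, "9.9.9.9", 53),
    _ev("2024-05-01T10:01:01+00:00", SYNC, 900, "203.0.113.20", 123),
]
```

Running `detect_multiband(SAMPLE_EVENTS)` returns a single row for the powershell.exe process with protocols DNS, HTTP and Other:8888, matching the Test 3 expectation, while the DNS+NTP client stays silent.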

Unlock Pro Content

Get the full detection package for T1026 including response playbook, investigation guide, and atomic red team tests.

