T1026 Sumo Logic CSE · Sumo

Detect Multiband Communication in Sumo Logic CSE

NOTE: This technique has been deprecated by MITRE ATT&CK and should no longer be used in new detections. The behaviors it described are now captured under more specific sub-techniques of T1071 (Application Layer Protocol) and related C2 techniques. Adversaries may split command-and-control (C2) communications between different protocols or network channels. One protocol may carry inbound commands from the operator while a separate protocol carries outbound data from the victim, allowing the adversary to evade firewall rules that inspect a single protocol or threshold-based anomaly detection on any one communication channel. The split may also be randomized across sessions to further avoid detection heuristics. Common patterns include using DNS for data exfiltration while HTTP carries commands, or combining ICMP with HTTPS, or rotating between multiple out-of-band channels based on availability or operator choice.

MITRE ATT&CK

Tactic
Command and Control
Canonical reference
https://attack.mitre.org/techniques/T1026/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*) EventCode=3
| where !(
    Image matches /(?i)(chrome|firefox|msedge|iexplore|brave|opera|safari|svchost|lsass|services|wuauclt|MicrosoftEdgeUpdate)\.exe$/
  )
| where !(
    DestinationIp matches /^10\./ OR
    DestinationIp matches /^192\.168\./ OR
    DestinationIp matches /^172\.(1[6-9]|2[0-9]|3[01])\./ OR
    DestinationIp matches /^127\./
  )
| where DestinationPort in ("53","80","443","8080","8443","22","25","587","465","21","20","123")
| num(DestinationPort)
| eval ProtocolCategory = if(DestinationPort == 53, "DNS",
    if(DestinationPort in (80,8080), "HTTP",
    if(DestinationPort in (443,8443), "HTTPS",
    if(DestinationPort in (25,587,465), "SMTP",
    if(DestinationPort in (21,20), "FTP",
    if(DestinationPort == 22, "SSH",
    if(DestinationPort == 123, "NTP",
    concat("Other:",string(DestinationPort)))))))))
| timeslice 10m
| stats values(ProtocolCategory) as Protocols, dcount(DestinationPort) as DistinctPorts, count as Connections, dcount(DestinationIp) as UniqueIPs by _timeslice, Computer, Image, ProcessId, User
| where (Protocols contains "DNS") and (Protocols contains "HTTP" or Protocols contains "HTTPS")
| sort by _timeslice desc
medium severity medium confidence

Sumo Logic query targeting Sysmon Event ID 3 (Network Connection) that categorizes destination ports into named protocol groups and aggregates over 10-minute time buckets with timeslice. The values() aggregation collects distinct protocol labels per process per window, and the post-aggregation filter enforces the DNS + HTTP/HTTPS multiband requirement. Non-browser and non-system processes communicating over split DNS and web channels within 10 minutes are flagged as potential T1026 multiband C2.

Data Sources

Sumo Logic Windows Collector ingesting Sysmon EventCode=3Sumo Logic Cloud Syslog with network connection eventsSumo Logic S3 source (endpoint telemetry exports)

Required Tables

Windows Sysmon Event ID 3 (Network Connection)

False Positives & Tuning

  • Custom LOB applications that implement their own DNS resolver calls before making HTTPS API requests, bypassing the OS DNS cache and appearing as distinct DNS + HTTPS Sysmon 3 events attributed to the same process
  • Security scanners and vulnerability assessment tools that probe multiple ports and protocols during scheduled discovery sweeps, generating high Sysmon 3 volume across DNS and web ports
  • Docker Desktop, WSL2, and container runtimes that perform frequent DNS resolution for service mesh discovery and image registry pulls, producing continuous DNS + HTTPS connection events from platform processes
Download portable Sigma rule (.yml)

Other platforms for T1026

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Split Protocol Communication — DNS Query Plus HTTP Fetch from PowerShell

    Expected signal: Sysmon Event ID 3: Two network connection events from powershell.exe — one to 9.9.9.9:53 (DNS) and one to the HTTP destination on port 80. Sysmon Event ID 22: DNS query for 'dns.quad9.net' from powershell.exe. Both events share the same ProcessId, surfacing as a DNS+HTTP multiprotocol combination from a scripting engine.

  2. Test 2Split Protocol Communication — curl with DNS and HTTPS Separation (Linux/macOS)

    Expected signal: Auditd SYSCALL records for connect() syscalls from bash or dig/curl child processes to 8.8.8.8:53 (UDP/TCP) and to the HTTPS destination on port 443. If Sysmon for Linux is deployed: Event ID 3 network connection events showing alternating DNS and HTTPS connections from the parent shell process or its children sharing the same session. Zeek/Suricata network logs will show interleaved DNS and HTTPS flows from the same source IP.

  3. Test 3Three-Protocol Multiband Simulation — DNS, HTTP, and Custom High Port

    Expected signal: Sysmon Event ID 3: Three network connection attempts from powershell.exe — port 53 (DNS resolution of time.windows.com), port 80 (HTTP to checkip.amazonaws.com), and port 8888 (TCP attempt to 1.1.1.1 — connection may be refused or filtered but process creation and connection attempt are still logged). Sysmon Event ID 22: DNS query for time.windows.com. All events share the same ProcessId.

  4. Test 4Sustained Beaconing Simulation Across Two Protocols (Windows)

    Expected signal: Sysmon Event ID 3: Twelve network connection events from powershell.exe over approximately 60 seconds — six to port 53 (DNS) and six to port 80 (HTTP), interleaved at 5-second intervals. Sysmon Event ID 22: Six DNS query events for google.com. The pattern of alternating DNS and HTTP connections within the time bucket will be visible in NetFlow and EDR telemetry as a clear two-band beaconing rhythm.

Last updated: 2026-04-18 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1026 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1071Application Layer ProtocolT1071.001Web ProtocolsT1071.004DNST1048Exfiltration Over Alternative ProtocolT1048.001Exfiltration Over Symmetric Encrypted Non-C2 ProtocolT1132Data EncodingT1573Encrypted ChannelT1568Dynamic ResolutionT1095Non-Application Layer ProtocolT1041Exfiltration Over C2 Channel

Same Tactic: Command and Control

Popular Detections