T1104

Multi-Stage Channels

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult. Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features. The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked. Known real-world examples include APT3 using SOCKS5 to proxy through 192.157.198[.]103 before connecting to a second IP on TCP/81, Lazarus Group injecting later stages into separate processes, Bazar loader downloading the Bazar backdoor as a second-stage implant, and LunarWeb using one URL for initial host profiling and two additional URLs for command retrieval.

Microsoft Sentinel / Defender

kusto

// T1104 Multi-Stage Channels
// Primary indicator: non-browser process connects to 2+ distinct external IPs
// suggesting first-stage C2 redirection to second-stage infrastructure
let ExcludedProcs = dynamic([
    "chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe",
    "onedrive.exe", "dropbox.exe", "teams.exe", "outlook.exe", "thunderbird.exe",
    "svchost.exe", "MsMpEng.exe", "DiagTrack.exe", "wuauclt.exe", "WaaSMedicAgent.exe",
    "SearchIndexer.exe", "backgroundTaskHost.exe", "RuntimeBroker.exe"
]);
let MultiStageConns = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where not(InitiatingProcessFileName has_any (ExcludedProcs))
| where InitiatingProcessIntegrityLevel in ("Medium", "High", "System")
| summarize
    UniqueRemoteIPs = dcount(RemoteIP),
    RemoteIPList = make_set(RemoteIP, 15),
    RemotePorts = make_set(RemotePort, 10),
    ConnectionCount = count(),
    FirstContact = min(Timestamp),
    LastContact = max(Timestamp)
    by DeviceName,
       AccountName = InitiatingProcessAccountName,
       ProcessFileName = InitiatingProcessFileName,
       ProcessCommandLine = InitiatingProcessCommandLine,
       ProcessId = InitiatingProcessId
| where UniqueRemoteIPs >= 2
| extend DurationMinutes = datetime_diff('minute', LastContact, FirstContact)
| extend StrongIndicator = UniqueRemoteIPs >= 3
| project
    LastContact, DeviceName, AccountName, ProcessFileName, ProcessCommandLine,
    UniqueRemoteIPs, RemoteIPList, RemotePorts, ConnectionCount, DurationMinutes, StrongIndicator
| sort by UniqueRemoteIPs desc, LastContact desc;
// Secondary indicator: parent process connects to one external IP, spawns child that connects to a DIFFERENT external IP
let ParentNetConns = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where not(InitiatingProcessFileName has_any (ExcludedProcs))
| summarize ParentIPSet = make_set(RemoteIP, 10)
    by DeviceName, ParentProcId = InitiatingProcessId, ParentFileName = InitiatingProcessFileName;
let ChildHandoff = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIPType == "Public"
| where not(InitiatingProcessFileName has_any (ExcludedProcs))
| join kind=inner (ParentNetConns) on DeviceName,
    $left.InitiatingProcessParentId == $right.ParentProcId
| where not(set_has_element(ParentIPSet, RemoteIP))
| project
    Timestamp, DeviceName,
    ChildFileName = InitiatingProcessFileName,
    ChildCommandLine = InitiatingProcessCommandLine,
    ChildRemoteIP = RemoteIP, ChildRemotePort = RemotePort,
    ParentFileName, ParentIPSet
| extend StrongIndicator = true
| sort by Timestamp desc;
union
  (MultiStageConns | extend DetectionType = "SingleProcessMultiStageC2"),
  (ChildHandoff | extend DetectionType = "ParentChildC2Handoff", AccountName = "",
      ProcessFileName = ChildFileName, ProcessCommandLine = ChildCommandLine,
      UniqueRemoteIPs = 2, RemoteIPList = ParentIPSet, RemotePorts = dynamic([]),
      ConnectionCount = 1, DurationMinutes = 0, LastContact = Timestamp)
| sort by LastContact desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Microsoft Defender for Endpoint Process: Process Creation

Required Tables

DeviceNetworkEvents

False Positives

Update managers and package tools (e.g., npm, pip, choco) that sequentially contact CDNs and registries during install — these appear as single process connecting to multiple external IPs
Security agents and EDR tools that phone home to health endpoints and telemetry endpoints at different IP addresses as part of normal heartbeat operations
Development toolchains that pull dependencies from multiple distinct external hosts (e.g., cargo, go get, Maven) during build operations from developer workstations
Remote monitoring and management (RMM) agents such as ConnectWise or NinjaRMM that maintain connections to multiple infrastructure IPs for load balancing and failover
Backup agents (Veeam, Acronis) that contact licensing servers, cloud repositories, and update endpoints sequentially as part of a backup job

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe" OR Image="*\\iexplore.exe" OR Image="*\\opera.exe" OR Image="*\\brave.exe" OR Image="*\\OneDrive.exe" OR Image="*\\Teams.exe" OR Image="*\\Outlook.exe" OR Image="*\\thunderbird.exe" OR Image="*\\svchost.exe" OR Image="*\\MsMpEng.exe" OR Image="*\\WaaSMedicAgent.exe")
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.2*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*" OR DestinationIp="::1" OR DestinationIp="0:0:0:0:0:0:0:1")
| stats
    dc(DestinationIp) as UniqueExternalIPs,
    values(DestinationIp) as IPList,
    values(DestinationPort) as Ports,
    count as ConnectionCount,
    earliest(_time) as FirstContact,
    latest(_time) as LastContact
    by host, ProcessId, Image, CommandLine, User, ProcessGuid
| where UniqueExternalIPs >= 2
| eval DurationMins=round((LastContact - FirstContact) / 60, 1)
| eval StrongIndicator=if(UniqueExternalIPs >= 3, "true", "false")
| eval DetectionType="SingleProcessMultiStageC2"
| append
    [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
      NOT (Image="*\\chrome.exe" OR Image="*\\msedge.exe" OR Image="*\\firefox.exe" OR Image="*\\iexplore.exe" OR Image="*\\OneDrive.exe" OR Image="*\\Teams.exe" OR Image="*\\svchost.exe")
      NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.2*" OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
      | stats values(DestinationIp) as ChildIPs count by host, ParentProcessId, ParentImage, Image as ChildImage, CommandLine as ChildCmdLine, User
      | join type=inner host ParentProcessId
          [ search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
            NOT (DestinationIp="10.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
            | stats values(DestinationIp) as ParentIPs by host, ProcessId as ParentProcessId ]
      | eval SharedIPs=mvfilter(match(ChildIPs, mvjoin(ParentIPs, "|")))
      | where isnull(SharedIPs) OR len(SharedIPs)=0
      | eval DetectionType="ParentChildC2Handoff", StrongIndicator="true", UniqueExternalIPs=2
      | table host, User, ChildImage, ChildCmdLine, ChildIPs, ParentImage, ParentIPs, DetectionType, StrongIndicator, UniqueExternalIPs ]
| table _time, host, User, Image, CommandLine, UniqueExternalIPs, IPList, Ports, ConnectionCount, DurationMins, StrongIndicator, DetectionType
| sort - UniqueExternalIPs

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Update managers and package tools (npm, pip, chocolatey) contacting multiple CDN endpoints and registries during installation
Security and EDR agents maintaining connections to telemetry, licensing, and health check endpoints across different IP addresses
Development toolchains pulling dependencies from multiple external hosts during build or compile operations
RMM agents (ConnectWise, NinjaRMM, Datto) maintaining connections to load-balanced infrastructure across distinct IPs
Backup clients (Veeam, Acronis, Commvault) contacting licensing, cloud repository, and update endpoints sequentially

Elastic Security (EQL)

eql

// T1104 Multi-Stage Channels — Elastic EQL
// Sequence: a non-browser process makes a network connection, then a child of that process makes a network connection to a DIFFERENT external IP
sequence by host.name with maxspan=30m
  [network where event.type == "connection" and event.action == "connection_attempted"
   and not process.name in ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe",
       "OneDrive.exe", "Dropbox.exe", "Teams.exe", "Outlook.exe", "thunderbird.exe",
       "svchost.exe", "MsMpEng.exe", "DiagTrack.exe", "wuauclt.exe", "WaaSMedicAgent.exe",
       "SearchIndexer.exe", "backgroundTaskHost.exe", "RuntimeBroker.exe")
   and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "169.254.0.0/16")
  ] by process.entity_id, destination.ip as first_external_ip
  [network where event.type == "connection" and event.action == "connection_attempted"
   and not process.name in ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe",
       "OneDrive.exe", "Dropbox.exe", "Teams.exe", "Outlook.exe", "thunderbird.exe",
       "svchost.exe", "MsMpEng.exe", "DiagTrack.exe", "wuauclt.exe", "WaaSMedicAgent.exe")
   and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "169.254.0.0/16")
  ] by process.parent.entity_id, destination.ip != first_external_ip

// Alternate: single process connecting to 3+ distinct external IPs (aggregation via ES|QL or threshold rule)
// Use a threshold alert on top of this base query:
// FROM logs-endpoint.events.network*
// | WHERE event.action == "connection_attempted"
//   AND NOT process.name IN ("chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe", "MsMpEng.exe")
//   AND NOT CIDR_MATCH(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
// | STATS unique_ips = COUNT_DISTINCT(destination.ip), ip_list = VALUES(destination.ip),
//         port_list = VALUES(destination.port), conn_count = COUNT() BY host.name, process.name, process.command_line, process.pid
// | WHERE unique_ips >= 2
// | SORT unique_ips DESC

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent network events Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.network* logs-system.security*

False Positives

Legitimate update agents (e.g., software auto-updaters) that download a new binary from one server and then beacon home to a second analytics endpoint
Security tools such as EDR agents, vulnerability scanners, or SIEM forwarders that contact multiple cloud infrastructure IPs during normal operation
Developer toolchains (npm, pip, cargo) that pull packages from a CDN then report telemetry to a separate analytics service; exclude by process parent (IDE processes)
Load-balanced SaaS applications where DNS round-robin resolves to multiple distinct public IPs for the same service, producing multiple unique IP connections

IBM QRadar (AQL)

sql

-- T1104 Multi-Stage Channels — IBM QRadar AQL
-- Primary: non-browser processes contacting 2+ distinct external IPs within a 24-hour window
SELECT
    DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_contact,
    DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_contact,
    sourceip,
    username,
    ApplicationProtocol(applicationid) AS application,
    LOGSOURCENAME(logsourceid) AS log_source,
    "Sysmon ProcessImage" AS process_image,
    COUNT(*) AS connection_count,
    COUNT(DISTINCT destinationip) AS unique_external_ips,
    ARRAY_AGG(DISTINCT CHAR(destinationip)) AS external_ip_list,
    ARRAY_AGG(DISTINCT CHAR(destinationport)) AS destination_ports,
    CASE WHEN COUNT(DISTINCT destinationip) >= 3 THEN 'true' ELSE 'false' END AS strong_indicator,
    'SingleProcessMultiStageC2' AS detection_type
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 229  -- Sysmon
    AND QIDNAME(qid) LIKE '%Network Connection%'  -- Sysmon EventID 3
    AND starttime > NOW() - 86400000
    AND LONG(destinationip) NOT BETWEEN LONG('10.0.0.0') AND LONG('10.255.255.255')
    AND LONG(destinationip) NOT BETWEEN LONG('172.16.0.0') AND LONG('172.31.255.255')
    AND LONG(destinationip) NOT BETWEEN LONG('192.168.0.0') AND LONG('192.168.255.255')
    AND LONG(destinationip) NOT BETWEEN LONG('127.0.0.0') AND LONG('127.255.255.255')
    AND "Sysmon ProcessImage" NOT ILIKE '%\\chrome.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\msedge.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\firefox.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\iexplore.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\opera.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\brave.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\OneDrive.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\Teams.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\Outlook.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\thunderbird.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\svchost.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\MsMpEng.exe'
    AND "Sysmon ProcessImage" NOT ILIKE '%\\WaaSMedicAgent.exe'
GROUP BY sourceip, username, "Sysmon ProcessImage", ApplicationProtocol(applicationid), LOGSOURCENAME(logsourceid)
HAVING COUNT(DISTINCT destinationip) >= 2
ORDER BY unique_external_ips DESC, last_contact DESC
LIMIT 500

-- Secondary: parent-child IP handoff detection
-- Run as a correlated rule in QRadar with the following AQL as the building block:
-- SELECT "Sysmon ParentProcessId", "Sysmon ProcessId", destinationip, sourceip, starttime
-- FROM events
-- WHERE LOGSOURCETYPEID(logsourceid) = 229 AND QIDNAME(qid) LIKE '%Network Connection%'
-- Join on ParentProcessId matching a prior ProcessId with a different destinationip
-- Build as QRadar Offense Rule: "When an event matches MultiStageC2_Beacon within 30 minutes of MultiStageC2_Beacon from same host with different destination IP and same parent PID"

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon log source (LOGSOURCETYPEID 229) Windows Security Event Log

Required Tables

events

False Positives

Automated patching systems (WSUS, SCCM client, Ansible) that download manifests from one CDN server and then fetch packages from a different distribution node
Endpoint agents for monitoring tools (CrowdStrike Falcon, Carbon Black, Cylance) that regularly beacon to multiple cloud infrastructure IPs in different regions
Enterprise applications using microservice architectures where a single process communicates with multiple distinct public SaaS API endpoints as part of normal workflow
Version control clients (git) that clone from one remote and push to another, contacting different IP addresses under the same operation

Sumo Logic CSE

sql

// T1104 Multi-Stage Channels — Sumo Logic CSE (Cloud SIEM Enterprise)
// Primary detection: non-browser process contacting 2+ distinct external IPs
_index=sec_record*
| where metadata_deviceEventId = "windows:sysmon:3" or metadata_deviceEventId = "windows:network:connection"
| where !(srcDevice_ip matches "10.*" or srcDevice_ip matches "172.16.*" or srcDevice_ip matches "172.17.*" or srcDevice_ip matches "172.18.*" or srcDevice_ip matches "172.19.*" or srcDevice_ip matches "172.2*" or srcDevice_ip matches "172.30.*" or srcDevice_ip matches "172.31.*" or srcDevice_ip matches "192.168.*" or srcDevice_ip matches "127.*")
| where !(dstDevice_ip matches "10.*" or dstDevice_ip matches "172.16.*" or dstDevice_ip matches "172.2*" or dstDevice_ip matches "172.30.*" or dstDevice_ip matches "172.31.*" or dstDevice_ip matches "192.168.*" or dstDevice_ip matches "127.*")
| where !(application_name matches "*chrome*" or application_name matches "*msedge*" or application_name matches "*firefox*" or application_name matches "*iexplore*" or application_name matches "*opera*" or application_name matches "*brave*" or application_name matches "*OneDrive*" or application_name matches "*Teams*" or application_name matches "*Outlook*" or application_name matches "*thunderbird*" or application_name matches "*svchost*" or application_name matches "*MsMpEng*" or application_name matches "*WaaSMedicAgent*")
| timeslice 24h
| stats
    dcount(dstDevice_ip) as unique_external_ips,
    values(dstDevice_ip) as ip_list,
    values(dstDevice_port) as port_list,
    count as connection_count,
    min(_messagetime) as first_contact,
    max(_messagetime) as last_contact
    by srcDevice_hostname, user_username, application_name, commandLine, _timeslice
| where unique_external_ips >= 2
| eval duration_mins = round((last_contact - first_contact) / 60000, 1)
| eval strong_indicator = if(unique_external_ips >= 3, "true", "false")
| eval detection_type = "SingleProcessMultiStageC2"
| fields _timeslice, srcDevice_hostname, user_username, application_name, commandLine, unique_external_ips, ip_list, port_list, connection_count, duration_mins, strong_indicator, detection_type
| sort by unique_external_ips desc

// Parent-child handoff (run as separate search and correlate via Signal)
// _index=sec_record*
// | where metadata_deviceEventId = "windows:sysmon:3"
// | where !(dstDevice_ip matches "10.*" or dstDevice_ip matches "192.168.*" or dstDevice_ip matches "127.*")
// | stats values(dstDevice_ip) as child_ips by srcDevice_hostname, parentPid, parentProcessName, application_name, commandLine, user_username
// | join (srcDevice_hostname, parentPid)
//     [_index=sec_record* | where metadata_deviceEventId = "windows:sysmon:3"
//      | stats values(dstDevice_ip) as parent_ips by srcDevice_hostname, pid as parentPid]
// | where !isNull(parent_ips) and !contains(child_ips, parent_ips)
// | eval detection_type = "ParentChildC2Handoff", strong_indicator = "true"

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise Windows Sysmon (via Sumo Logic agent) Sumo Logic Windows Source

Required Tables

sec_record (Cloud SIEM normalized index)

False Positives

Software deployment platforms (Chef, Puppet, Ansible) where a management agent polls a primary orchestrator IP and separately reports metrics to a monitoring endpoint
Multi-CDN content delivery where a download manager contacts multiple edge nodes (different IPs) to accelerate a large file transfer
VPN or proxy client software that first connects to an authentication server and then tunnels traffic through a separate VPN concentrator IP
Automated testing frameworks or CI/CD agents that connect to multiple external test infrastructure endpoints as part of parallel test execution

Google Chronicle / SecOps

yaral

rule t1104_multi_stage_channels_single_process {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1104 Multi-Stage Channels: a non-browser process connects to multiple distinct external IPs suggesting first-to-second-stage C2 infrastructure handoff"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1104"
    severity = "HIGH"
    priority = "HIGH"
    rule_version = "1.0"
    created = "2026-04-17"
    platforms = "Windows"

  events:
    $e1.metadata.event_type = "NETWORK_CONNECTION"
    $e1.principal.hostname = $host
    $e1.principal.process.file.full_path != /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|OneDrive\.exe|Dropbox\.exe|Teams\.exe|Outlook\.exe|thunderbird\.exe|svchost\.exe|MsMpEng\.exe|DiagTrack\.exe|wuauclt\.exe|WaaSMedicAgent\.exe|SearchIndexer\.exe|backgroundTaskHost\.exe|RuntimeBroker\.exe)/
    $e1.principal.process.file.full_path = $proc_path
    $e1.principal.process.pid = $pid
    // Filter out RFC1918 and loopback destinations
    not $e1.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.|0\.0\.0\.0|::1)/
    $e1.target.ip = $first_ip

    $e2.metadata.event_type = "NETWORK_CONNECTION"
    $e2.principal.hostname = $host
    $e2.principal.process.file.full_path = $proc_path
    $e2.principal.process.pid = $pid
    not $e2.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.|0\.0\.0\.0|::1)/
    $e2.target.ip = $second_ip
    $second_ip != $first_ip

    $e1.metadata.event_timestamp.seconds <= $e2.metadata.event_timestamp.seconds
    $e2.metadata.event_timestamp.seconds - $e1.metadata.event_timestamp.seconds <= 86400

  match:
    $host, $proc_path, $pid over 24h

  outcome:
    $risk_score = max(if($e2.metadata.event_timestamp.seconds - $e1.metadata.event_timestamp.seconds < 300, 90, 70))
    $detection_type = "SingleProcessMultiStageC2"
    $process_name = $proc_path
    $first_stage_ip = array_distinct($first_ip)
    $second_stage_ip = array_distinct($second_ip)
    $hostname = $host

  condition:
    $e1 and $e2
}

rule t1104_parent_child_c2_handoff {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1104 Multi-Stage Channels parent-child handoff: parent process contacts external IP, spawns child that contacts a DIFFERENT external IP within 30 minutes"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1104"
    severity = "CRITICAL"
    priority = "HIGH"
    rule_version = "1.0"
    created = "2026-04-17"

  events:
    // Parent network connection to external IP
    $parent_net.metadata.event_type = "NETWORK_CONNECTION"
    $parent_net.principal.hostname = $host
    $parent_net.principal.process.pid = $parent_pid
    $parent_net.principal.process.file.full_path != /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|svchost\.exe|MsMpEng\.exe)/
    not $parent_net.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.|::1)/
    $parent_net.target.ip = $parent_ip

    // Child process spawned by parent
    $proc_create.metadata.event_type = "PROCESS_LAUNCH"
    $proc_create.principal.hostname = $host
    $proc_create.principal.process.pid = $parent_pid
    $proc_create.target.process.pid = $child_pid
    $proc_create.target.process.file.full_path != /(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|svchost\.exe)/

    // Child network connection to DIFFERENT external IP
    $child_net.metadata.event_type = "NETWORK_CONNECTION"
    $child_net.principal.hostname = $host
    $child_net.principal.process.pid = $child_pid
    not $child_net.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.|192\.168\.|127\.|::1)/
    $child_net.target.ip = $child_ip
    $child_ip != $parent_ip

  match:
    $host, $parent_pid over 30m

  outcome:
    $risk_score = 95
    $detection_type = "ParentChildC2Handoff"
    $parent_c2_ip = array_distinct($parent_ip)
    $child_c2_ip = array_distinct($child_ip)
    $hostname = $host

  condition:
    $parent_net and $proc_create and $child_net
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows Sysmon ingested via Chronicle forwarder Microsoft Defender for Endpoint via Chronicle ingestion

Required Tables

UDM events (NETWORK_CONNECTION, PROCESS_LAUNCH event types)

False Positives

Legitimate enterprise agent software (MDM, DLP, backup) that performs initial registration to a cloud enrollment server and then connects to a separate data transfer endpoint
Browser extension processes or electron-based apps that maintain connections to multiple cloud API endpoints simultaneously for feature functionality
DevOps tooling (Terraform, kubectl, Helm) that contacts a cloud provider control plane API and separately contacts a metrics/logging endpoint during provisioning
Security awareness training platforms that launch from an email client, contact their primary SaaS platform, and separately report completion data to an analytics service

CrowdStrike LogScale (CQL)

cql

// T1104 Multi-Stage Channels — CrowdStrike LogScale (Falcon CQL)
// Primary: non-browser process contacting 2+ distinct external IPs within a 24h window

#event_simpleName = NetworkConnectIP4
| !match(field=ImageFileName, values=["*\\chrome.exe", "*\\msedge.exe", "*\\firefox.exe", "*\\iexplore.exe", "*\\opera.exe", "*\\brave.exe", "*\\OneDrive.exe", "*\\Dropbox.exe", "*\\Teams.exe", "*\\Outlook.exe", "*\\thunderbird.exe", "*\\svchost.exe", "*\\MsMpEng.exe", "*\\DiagTrack.exe", "*\\wuauclt.exe", "*\\WaaSMedicAgent.exe", "*\\SearchIndexer.exe", "*\\backgroundTaskHost.exe", "*\\RuntimeBroker.exe"], ignoreCase=true)
// Exclude RFC1918, loopback, link-local
| !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"])
// Aggregate by host and process to find multi-destination connections
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, TargetProcessId], function=[
    count() as ConnectionCount,
    count(RemoteAddressIP4, distinct=true) as UniqueExternalIPs,
    collect(RemoteAddressIP4, limit=15) as IPList,
    collect(RemotePort, limit=10) as PortList,
    min(@timestamp) as FirstContact,
    max(@timestamp) as LastContact
  ])
| UniqueExternalIPs >= 2
| DurationMins := (LastContact - FirstContact) / 60000
| StrongIndicator := if(UniqueExternalIPs >= 3, "true", "false")
| DetectionType := "SingleProcessMultiStageC2"
| sort(UniqueExternalIPs, order=desc)
| select([LastContact, ComputerName, UserName, ImageFileName, CommandLine, TargetProcessId, UniqueExternalIPs, IPList, PortList, ConnectionCount, DurationMins, StrongIndicator, DetectionType])

// ---
// Parent-child C2 handoff: correlate parent's external IPs with child's external IPs
// First query — collect parent network connections:
// #event_simpleName = NetworkConnectIP4
// | !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
// | !match(field=ImageFileName, values=["*\\chrome.exe", "*\\svchost.exe", "*\\MsMpEng.exe"], ignoreCase=true)
// | groupBy([ComputerName, TargetProcessId as ParentPID], function=[collect(RemoteAddressIP4) as ParentIPs])
// 
// Second query — collect child network connections and join:
// #event_simpleName = NetworkConnectIP4
// | !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
// | join({#event_simpleName=ProcessRollup2 | select([ComputerName, TargetProcessId as ChildPID, ParentProcessId as ParentPID, ImageFileName as ChildImage])},
//         field=[ComputerName, TargetProcessId], key=[ComputerName, ChildPID])
// | join(ParentIPQuery, field=[ComputerName, ParentPID], key=[ComputerName, ParentPID])
// | where !in(RemoteAddressIP4, values=ParentIPs)
// | eval DetectionType="ParentChildC2Handoff", StrongIndicator="true"

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon NetworkConnectIP4 events Falcon ProcessRollup2 events Falcon DnsRequest events

Required Tables

NetworkConnectIP4 ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself or other EDR agents making connections to multiple cloud telemetry and update endpoints simultaneously from the same sensor process
Enterprise software with split architecture where an installed client connects to a licensing server for authentication and separately connects to a delivery CDN for content (e.g., Adobe Creative Cloud, Autodesk)
IT management agents (BigFix, Tanium, ManageEngine) that poll a management server for instructions and separately upload inventory/compliance data to a different endpoint
Network monitoring agents that actively probe multiple external IPs as part of their normal latency or reachability monitoring functions

Last updated: 2026-04-17 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1104 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Multi-Stage Channels

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Command and Control

Popular Detections