title: Fallback Channels (T1008)
id: df00tech-t1008
status: experimental
description: "Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds. Malware families such as HOPLIGHT, InvisiMole, TrickBot, and BISCUIT implement hard-coded primary and secondary C2 addresses, while others like OilRig's ISMAgent dynamically fall back from HTTP to DNS tunneling. Detection focuses on processes establishing connections to multiple distinct external destinations in sequence — particularly where port diversity (80→443→8080) or protocol switching (HTTP→DNS) is observed — which is anomalous for non-browser processes."
references:
  - https://attack.mitre.org/techniques/T1008/
  - https://df00tech.com/detections/T1008
author: df00tech
date: 2026/04/13
tags:
  - attack.t1008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is only a placeholder: an EventID wildcard matches every
  # network_connection event, so deploying it as-is at level high alerts on all
  # outbound traffic. The intended logic (one non-browser process reaching several
  # distinct external destinations within a short window, with port or protocol
  # switching) needs per-process aggregation that a plain Sigma selection cannot express.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software update clients and package managers (e.g., Windows Update components, npm, pip) that contact multiple CDN endpoints or mirror servers during downloads"
  - "IT monitoring and management agents (SCCM, Qualys, Tenable) that beacon to multiple management servers or cloud endpoints"
  - "Backup agents and cloud sync clients (Veeam, Backblaze, Crashplan) contacting multiple storage endpoints"
  - "Custom business applications with built-in load-balancing or geographic failover logic connecting to multiple cloud provider IPs"
  - "Security scanning tools and vulnerability assessment agents that make broad outbound connections as part of their normal operation"
level: high
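The aggregation the description calls for (one non-browser process reaching several distinct external destinations in sequence, with port diversity or an HTTP-to-DNS switch) is not something the placeholder selection above can express, so here is an added Python sketch of that logic run over constructed Sysmon Event ID 3 records. It is not df00tech's rule or its KQL/SPL query. Field names follow Sysmon's network-connection event; the browser allowlist, the 5-minute window, the destination and port thresholds, the internal-network list and every sample event are assumptions made for illustration (documentation address ranges stand in for external hosts).

```python
"""T1008 fallback-channel detection sketch over Sysmon Event ID 3 records.
Added example; not the df00tech rule or its KQL/SPL query. Thresholds, field
names and all sample events are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed Sysmon-style records (not real telemetry). Documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for external hosts.
SAMPLE_EVENTS = [
    # Browser fan-out to three CDN hosts: expected, excluded by the browser allowlist.
    {"UtcTime": "2026-04-13 10:00:01", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 4100, "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Protocol": "tcp"},
    {"UtcTime": "2026-04-13 10:00:02", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 4100, "DestinationIp": "203.0.113.11", "DestinationPort": 443, "Protocol": "tcp"},
    {"UtcTime": "2026-04-13 10:00:03", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 4100, "DestinationIp": "203.0.113.12", "DestinationPort": 80, "Protocol": "tcp"},
    # Internal-only traffic from svchost: private destinations are ignored.
    {"UtcTime": "2026-04-13 10:01:00", "Image": r"C:\Windows\System32\svchost.exe",
     "ProcessId": 900, "DestinationIp": "10.0.0.5", "DestinationPort": 445, "Protocol": "tcp"},
    {"UtcTime": "2026-04-13 10:01:05", "Image": r"C:\Windows\System32\svchost.exe",
     "ProcessId": 900, "DestinationIp": "10.0.0.6", "DestinationPort": 389, "Protocol": "tcp"},
    {"UtcTime": "2026-04-13 10:01:09", "Image": r"C:\Windows\System32\svchost.exe",
     "ProcessId": 900, "DestinationIp": "10.0.0.7", "DestinationPort": 53, "Protocol": "udp"},
    # updater.exe walks primary -> secondary -> tertiary C2 on 80, 443, 8080, then DNS.
    {"UtcTime": "2026-04-13 10:05:00", "Image": r"C:\Users\Public\updater.exe",
     "ProcessId": 5020, "DestinationIp": "198.51.100.7", "DestinationPort": 80, "Protocol": "tcp"},
    {"UtcTime": "2026-04-13 10:05:12", "Image": r"C:\Users\Public\updater.exe",
     "ProcessId": 5020, "DestinationIp": "198.51.100.8", "DestinationPort": 443, "Protocol": "tcp"},
    {"UtcTime": "2026-04-13 10:05:25", "Image": r"C:\Users\Public\updater.exe",
     "ProcessId": 5020, "DestinationIp": "198.51.100.9", "DestinationPort": 8080, "Protocol": "tcp"},
    {"UtcTime": "2026-04-13 10:05:40", "Image": r"C:\Users\Public\updater.exe",
     "ProcessId": 5020, "DestinationIp": "192.0.2.53", "DestinationPort": 53, "Protocol": "udp"},
    # sync.exe: two HTTP hosts, then a DNS fallback; only two distinct ports.
    {"UtcTime": "2026-04-13 10:07:00", "Image": r"C:\Users\Public\sync.exe",
     "ProcessId": 6100, "DestinationIp": "198.51.100.20", "DestinationPort": 80, "Protocol": "tcp"},
    {"UtcTime": "2026-04-13 10:07:30", "Image": r"C:\Users\Public\sync.exe",
     "ProcessId": 6100, "DestinationIp": "198.51.100.21", "DestinationPort": 80, "Protocol": "tcp"},
    {"UtcTime": "2026-04-13 10:08:00", "Image": r"C:\Users\Public\sync.exe",
     "ProcessId": 6100, "DestinationIp": "192.0.2.54", "DestinationPort": 53, "Protocol": "udp"},
]

# Assumed tuning; adjust per environment (see the falsepositives list in the rule).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
WEB_PORTS = {80, 443, 8080}
DNS_PORT = 53
WINDOW = timedelta(minutes=5)
MIN_DESTINATIONS = 3      # distinct ip:port pairs within the window
MIN_DISTINCT_PORTS = 3    # e.g. 80 -> 443 -> 8080 counts as port diversity
# RFC 1918, loopback and link-local only; ipaddress.is_global would also drop the
# documentation ranges used above, so a simplified list is used deliberately.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parse(e):
    ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return ts, e["DestinationIp"], int(e["DestinationPort"]), e["Protocol"].lower()


def find_fallback_candidates(events, window=WINDOW, min_destinations=MIN_DESTINATIONS):
    """One finding per (Image, ProcessId) whose external connections, within `window`
    of some starting connection, reach >= min_destinations distinct ip:port pairs.
    Signals: 'port_diversity' (>= MIN_DISTINCT_PORTS distinct ports) and
    'protocol_switch' (a web-port TCP connection later followed by DNS to another host)."""
    by_proc = defaultdict(list)
    for e in events:
        if _basename(e["Image"]) in BROWSERS:
            continue  # browsers fan out legitimately; not the population of interest
        if not is_external(e["DestinationIp"]):
            continue  # only external destinations are candidate C2
        by_proc[(e["Image"], e["ProcessId"])].append(_parse(e))

    findings = []
    for (image, pid), conns in by_proc.items():
        conns.sort()  # time order matters for the "in sequence" check
        for i, (start, _, _, _) in enumerate(conns):
            run = [c for c in conns[i:] if c[0] - start <= window]
            dests = sorted({(ip, port) for _, ip, port, _ in run})
            if len(dests) < min_destinations:
                continue
            signals = []
            if len({port for _, port in dests}) >= MIN_DISTINCT_PORTS:
                signals.append("port_diversity")
            web_seen = None  # HTTP(S) attempt followed by DNS to a different host
            for _, ip, port, proto in run:
                if port in WEB_PORTS and proto == "tcp":
                    web_seen = ip
                elif web_seen and port == DNS_PORT and ip != web_seen:
                    signals.append("protocol_switch")
                    break
            findings.append({"image": image, "pid": pid, "first_seen": run[0][0],
                             "last_seen": run[-1][0], "destinations": dests, "signals": signals})
            break  # one finding per process is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_fallback_candidates(SAMPLE_EVENTS):
        print(f"{_basename(f['image'])} pid={f['pid']} signals={f['signals']} "
              f"destinations={[f'{ip}:{p}' for ip, p in f['destinations']]}")
```

Run directly, it reports updater.exe with both signals and sync.exe with only the protocol switch, while the browser fan-out and the internal-only svchost traffic produce nothing. In production the same grouping would run per host over a sliding window, and the falsepositives listed in the rule (update clients, management agents, backup and sync clients) would become an image allowlist alongside the browsers.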
