MITRE Technique [T1008] Fallback Channels

[T1008] Fallback Channels – Adversaries use fallback channels to preserve command and control when primary paths fail or are blocked, switching to alternate protocols, ports, or covert methods to maintain access and exfiltration. Detecting these shifts requires focused monitoring of unusual flows, protocol misuse, and novel process networking. #FallbackChannels #CommandAndControl

Key Points:

  • Fallback channels preserve C2 continuity by switching to alternate protocols or ports when primary channels fail.
  • Watch for uncommon data flows such as a client suddenly sending far more data than it receives.
  • Monitor processes that rarely or never network for unexpected connections.
  • Inspect packet contents for protocol violations on expected ports to spot covert channels.
  • Use flow-level telemetry and network connection creation logs across ESXi, Linux, Windows, and macOS to identify anomalies.

Description:

  • Like a backup radio frequency a pilot switches to when the main channel is jammed, fallback channels give attackers an alternate path to stay in contact when their preferred route is blocked.
  • Adversaries switch to alternate communication methods, ports, or protocols when the primary C2 is unavailable; this enables persistent control and data transfer while evading defenses, making detection and disruption harder.

Detection:

  • Collect and analyze Network Traffic Flow and Network Connection Creation logs to spot sudden changes in flow direction or volume.
  • Alert on clients that transmit significantly more data than they receive, using flow telemetry thresholds and baselining to reduce noise.
  • Flag processes that initiate network connections but historically have no networking behavior; correlate with process creation events and binary reputation.
  • Deep-inspect packets for protocol anomalies (e.g., HTTP on unusual ports, malformed TLS handshakes) using IDS/IPS or network packet capture tools.
  • Monitor uncommon ports and protocols by maintaining an allowlist of expected services and alerting on deviations; adapt for cloud and virtualized ESXi environments.
  • Use host and network correlation: match endpoint EDR process activity with network flows to validate suspicious channels and reduce false positives.
  • Apply threat intelligence and YARA/signature rules to identify known fallback C2 patterns; investigate low-and-slow flows and intermittent beaconing behavior.
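To make the flow-direction, process-baseline and port-allowlist checks above concrete, here is an added Python example (not part of the MITRE page or its data). The flow records, the set of processes that normally network, the port allowlist and the thresholds are all constructed assumptions; a real deployment would derive the baseline and thresholds from its own telemetry.

```python
# Added example, not from MITRE or the page: applies three of the detection
# heuristics listed above to constructed flow records.
from collections import defaultdict

# Constructed sample flow records: (host, process, dst_port, proto, bytes_out, bytes_in)
FLOWS = [
    ("ws01", "chrome.exe",  443,  "tls",     12_000, 480_000),
    ("ws01", "chrome.exe",  443,  "tls",      9_000, 310_000),
    ("ws02", "svchost.exe",  53,  "dns",        900,   1_200),
    ("ws02", "notepad.exe", 8443, "http",  5_400_000,  20_000),  # constructed anomaly
    ("ws03", "outlook.exe", 993,  "tls",     40_000,  90_000),
    ("ws03", "outlook.exe", 8080, "tls",  2_000_000,  15_000),  # constructed anomaly
]

# Assumed baseline: processes that historically make network connections.
NETWORKING_BASELINE = {"chrome.exe", "svchost.exe", "outlook.exe"}
# Assumed allowlist: the protocol expected on each service port.
PORT_ALLOWLIST = {443: "tls", 53: "dns", 993: "tls", 80: "http"}

def detect_fallback_channels(flows, baseline, allowlist, ratio=10.0, min_out=1_000_000):
    """Return a list of (host, process, reason) findings for the given flows."""
    findings = []
    # Aggregate bytes per (host, process) so low-and-slow flows are judged together.
    totals = defaultdict(lambda: [0, 0])
    for host, proc, port, proto, out_b, in_b in flows:
        totals[(host, proc)][0] += out_b
        totals[(host, proc)][1] += in_b
        # Process with no networking history initiating a connection.
        if proc not in baseline:
            findings.append((host, proc, f"non-networking process connected on port {port}"))
        # Protocol/port mismatch or a port outside the service allowlist.
        expected = allowlist.get(port)
        if expected is None:
            findings.append((host, proc, f"port {port} not on service allowlist"))
        elif proto != expected:
            findings.append((host, proc, f"protocol {proto} on port {port} (expected {expected})"))
    # Client sending far more than it receives, above a volume floor to cut noise.
    for (host, proc), (out_b, in_b) in totals.items():
        if out_b >= min_out and out_b > ratio * max(in_b, 1):
            findings.append((host, proc, f"client sent {out_b} B but received {in_b} B"))
    return findings
```

The thresholds (10:1 ratio, 1 MB floor) are placeholders; tune them against your own baseline so that routine uploads such as backups do not alert.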

Tactics:
Command and Control

Platforms:
ESXi, Linux, Windows, macOS

Data Sources:
Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow

Relationship Citations:
(Citation: Mandiant APT1),(Citation: Crowdstrike GTR2020 Mar 2020),(Citation: McAfee Night Dragon),(Citation: FireEye APT41 Aug 2019),(Citation: Securelist MiniDuke Feb 2013),(Citation: FOX-IT May 2016 Mofang),(Citation: ESET InvisiMole June 2020),(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023),(Citation: Mythc Documentation),(Citation: ClearSky Siamesekitten August 2021),(Citation: US-CERT HOPLIGHT Apr 2019),(Citation: ESET OilRig Downloaders DEC 2023),(Citation: Mandiant APT29 Eye Spy Email Nov 22),(Citation: Novetta Blockbuster),(Citation: Cylance Dust Storm),(Citation: Malwarebytes Kimsuky June 2021),(Citation: Cyberreason Anchor December 2019),(Citation: Kaspersky Lyceum October 2021),(Citation: ESET Crutch December 2020),(Citation: Symantec Orangeworm April 2018),(Citation: Symantec Linfo May 2012),(Citation: ESET Sednit Part 2),(Citation: Fidelis Turbo),(Citation: ANSSI Sandworm January 2021),(Citation: Baumgartner Naikon 2015),(Citation: Unit 42 Valak July 2020),(Citation: ESET Sednit Part 1),(Citation: ESET Ebury Oct 2017),(Citation: Check Point APT35 CharmPower January 2022),(Citation: ESET InvisiMole June 2018),(Citation: ESET Machete July 2019),(Citation: NCC Group Team9 June 2020),(Citation: DustySky),(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020),(Citation: Mandiant APT1 Appendix),(Citation: Novetta Blockbuster RATs),(Citation: Unit 42 Kazuar May 2017),(Citation: Check Point APT34 April 2021),(Citation: ESET Dukes October 2019),(Citation: ESET Gelsemium June 2021),(Citation: Proofpoint Bumblebee April 2022),(Citation: Unit 42 QUADAGENT July 2018),(Citation: ESET PipeMon May 2020),(Citation: Unit42 RDAT July 2020),(Citation: Talos TinyTurla September 2021),(Citation: FireEye APT30),(Citation: Bitdefender Naikon April 2021),(Citation: Securelist BlackEnergy Nov 2014),(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011),(Citation: OilRig ISMAgent July 2017),(Citation: PaloAlto CardinalRat Apr 2017),(Citation: University of Birmingham C2)

Read More: https://attack.mitre.org/techniques/T1008