The sub-techniques beta is now live! Read the release blog post for more info.

Multiband Communication

Some adversaries may split communications between different protocols. There could be one protocol for inbound command and control and another for outbound data, allowing it to bypass certain firewall restrictions. The split could also be random to simply avoid data threshold alerts on any one communication.

ID: T1026
Tactic: Command And Control
Platform: Linux, macOS, Windows
Data Sources: Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring
Requires Network:  Yes
Version: 1.0
Created: 31 May 2017
Last Modified: 18 July 2019

Procedure Examples

Name Description
Cobalt Strike

Cobalt Strike's "beacon" payload can receive C2 from one protocol and respond on another. This is typically a mixture of HTTP, HTTPS, and DNS traffic.[2]

Lazarus Group

Some Lazarus Group malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions.[4][5]


PlugX can be configured to use multiple network protocols to avoid network-based detection.[3]


Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[1]


Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [1] Correlating alerts between multiple communication channels can further help identify command-and-control behavior.