Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0499: Behavioral Detection of Fallback or Alternate C2 Channels

This detection strategy matters because fallback command-and-control channels are about adversary resilience: if one communication path is blocked or disru...

EnterpriseDET0499Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because fallback command-and-control channels are about adversary resilience: if one communication path is blocked or disrupted, another may keep the intrusion alive. For leaders, the value is not in a single alert name but in validating whether the organization can see and investigate changes in outbound communication behavior that may indicate an actor is trying to preserve access.

Executive priority

Prioritize this as a resilience and incident-response readiness question: if security teams block or disrupt suspected command-and-control, can they determine whether the affected systems switch to alternate channels? This supports better containment decisions, control validation, and evidence for security operations maturity. Because the ATT&CK detection strategy has no official detection text or platforms specified, leadership should ask for environment-specific proof of telemetry and response playbooks rather than assuming coverage exists.

Technical view

DET0499 is a detection strategy for T1008 Fallback Channels, a command-and-control technique associated with ESXi, Linux, macOS, and Windows in the related ATT&CK object. SOC and detection teams should validate whether they can correlate endpoint, network, DNS, proxy, firewall, and remote-access telemetry to identify systems that change C2-like communication paths after a connection failure, block, sinkhole, or other disruption. Detection should focus on behavioral patterns such as repeated outbound connection attempts, protocol or destination shifts, unusual backup domains or IPs, and timing relationships around failed primary communications, while avoiding assumptions about any specific platform coverage from DET0499 itself.

Likely telemetry

  • Network connection metadata from endpoints, firewalls, proxies, or network sensors
  • DNS query and response logs
  • Web proxy and secure web gateway logs
  • Firewall allow, deny, and egress filtering logs
  • Endpoint process-to-network connection telemetry where available

Detection direction

  • Validate correlation across failed outbound communications and subsequent alternate outbound paths from the same host or workload.
  • Tune detections for timing relationships: a blocked, failed, or disrupted channel followed by new destinations, domains, ports, or protocols may be more meaningful than either event alone.
  • Review false positives from legitimate failover, software update services, load balancing, VPN reconnect behavior, and cloud service redundancy.
  • Use the related T1008 context to test visibility across Windows, Linux, macOS, and ESXi where those platforms are present, but do not assume DET0499 itself defines platform-specific logic.
  • Ensure alert triage preserves enough context to distinguish business continuity failover from suspicious command-and-control resilience.

Mitigation priorities

  • Confirm egress monitoring and logging coverage before relying on this detection strategy operationally.
  • Harden outbound access controls so only necessary destinations, protocols, and services are permitted where feasible.
  • Maintain incident response procedures for observing behavior after containment actions, including whether a host attempts alternate communications.
  • Use network segmentation and workload isolation to reduce the value of fallback channels if one path is disrupted.
  • Document telemetry sources, retention, and investigative steps as compliance and audit evidence for command-and-control monitoring readiness.
Analyst notes and limits

The supplied ATT&CK object is a detection strategy with no official description or detection text. The strongest supported context is its relationship to T1008 Fallback Channels under command-and-control. Treat this as a coverage validation theme rather than a complete analytic. Local baseline knowledge is essential because many legitimate systems use failover or alternate communication paths.

No official detection logic, data sources, platforms, tactics, or implementation guidance were provided for DET0499. Any deployment-specific detection must be derived from local telemetry, baselines, and the related T1008 technique context. This summary does not assert active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Behavioral Detection of Fallback or Alternate C2 Channels

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1008 Fallback Channels This object detects Fallback Channels.
Relationship explorer

All related ATT&CK context

detects · Technique T1008: Fallback Channels Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
87d37739b58795be...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 87d37739b587…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0499
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use