T1104: Multi-Stage Channels

Data from MITRE ATT&CK®:

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Network Traffic Flow (Network Traffic)

Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)

Network Connection Creation (Network Traffic)

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

PowerShell DownloadFile

windows process creation