T1104 Multi-Stage Channels Mappings

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-4 Information Flow Enforcement Protects T1104 Multi-Stage Channels
CA-7 Continuous Monitoring Protects T1104 Multi-Stage Channels
CM-2 Baseline Configuration Protects T1104 Multi-Stage Channels
CM-6 Configuration Settings Protects T1104 Multi-Stage Channels
CM-7 Least Functionality Protects T1104 Multi-Stage Channels
SC-7 Boundary Protection Protects T1104 Multi-Stage Channels
SI-3 Malicious Code Protection Protects T1104 Multi-Stage Channels
SI-4 System Monitoring Protects T1104 Multi-Stage Channels
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1104 Multi-Stage Channels
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1104 Multi-Stage Channels
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1104 Multi-Stage Channels
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1104 Multi-Stage Channels