Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.
The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1104 | Multi-Stage Channels |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1104 | Multi-Stage Channels |
Comments
This diagnostic statement provides protection from Multi-Stage Channels by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
References
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1104 | Multi-Stage Channels |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1104 | Multi-Stage Channels |
Comments
This diagnostic statement protects against Multi-Stage Channels through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1104 | Multi-Stage Channels | |
| CM-06 | Configuration Settings | mitigates | T1104 | Multi-Stage Channels | |
| SI-03 | Malicious Code Protection | mitigates | T1104 | Multi-Stage Channels | |
| CM-02 | Baseline Configuration | mitigates | T1104 | Multi-Stage Channels | |
| CM-07 | Least Functionality | mitigates | T1104 | Multi-Stage Channels | |
| SI-04 | System Monitoring | mitigates | T1104 | Multi-Stage Channels | |
| AC-04 | Information Flow Enforcement | mitigates | T1104 | Multi-Stage Channels | |
| SC-07 | Boundary Protection | mitigates | T1104 | Multi-Stage Channels |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1104 | Multi-Stage Channels | |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1104 | Multi-Stage Channels | |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1104 | Multi-Stage Channels |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_ngfw | Cloud Next-Generation Firewall (NGFW)_ | technique_scores | T1104 | Multi-Stage Channels |
Comments
Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block communication with known command and control channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known channels and not channels yet to be identified.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1104 | Multi-Stage Channels |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block communication with known command and control channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known channels and not channels yet to be identified.
References
|