Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.
The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1104 | Multi-Stage Channels |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.
References
|
| I&S-09 | Network Defense | mitigates | T1104 | Multi-Stage Channels |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or uncommon data flows can be used to mitigate activity at the network level.
References
|