Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.
The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1104 | Multi-Stage Channels | |
| CA-7 | Continuous Monitoring | Protects | T1104 | Multi-Stage Channels | |
| CM-2 | Baseline Configuration | Protects | T1104 | Multi-Stage Channels | |
| CM-6 | Configuration Settings | Protects | T1104 | Multi-Stage Channels | |
| CM-7 | Least Functionality | Protects | T1104 | Multi-Stage Channels | |
| SC-7 | Boundary Protection | Protects | T1104 | Multi-Stage Channels | |
| SI-3 | Malicious Code Protection | Protects | T1104 | Multi-Stage Channels | |
| SI-4 | System Monitoring | Protects | T1104 | Multi-Stage Channels |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1104 | Multi-Stage Channels | |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1104 | Multi-Stage Channels | |
| action.malware.variety.C2 | Command and control (C2) | related-to | T1104 | Multi-Stage Channels |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1104 | Multi-Stage Channels |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block communication with known command and control channels by filtering based on known bad IP addresses and domains. This mapping is given a score of Partial because it only protects against known channels and not channels yet to be identified.
References
|