Multi-Stage Channels (T1104)

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult. Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features. The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.

Source: https://github.com/mitre/cti
Related Prelude attack chains

Is my host protected against APT37?

2022-12-19

Platform: Windows
Stage and execute APT37.

APT40 defense industry

2022-04-12

Platform: Windows
Emulating APT40's multi-stage macro-enabled documents.

B1-66ER (Discovery)

2021-10-12

Platform: Linux
Perform discovery techniques to determine if an agent has access to a ML/DL environment.

Kaseya VSA Attack

2021-08-16

Platform: Windows
Side-load an agent using components of the REvil ransomware attack kill chain.

Netsh Helper DLL

2021-08-10

Platform: Windows
Create a Netsh helper DLL persistence.

Printnightmare

2021-08-10

Platform: Windows
Escalate local privileges and spawn a SYSTEM-level agent by exploiting CVE-2021-34527 (PrintNightmare).