Ctrl+K

T1104 - Multi-Stage Channels

T1104 - Multi-Stage Channels#

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.

Atomic Tests:#

Currently, no tests are available for this technique.

Detection#

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure. Relating subsequent actions that may result from Discovery of the system and network information or Lateral Movement to the originating process may also yield useful data.

Shield Active Defense#

Isolation#

Configure devices, systems, networks, etc. to contain activity and data in order to promote inspection or prevent expanding an engagement beyond desired limits.

Using isolation, a defender can prevent potentially malicious activity before it starts or limit its effectiveness and scope. A defender can observe behaviors of adversaries or their tools without exposing them to unintended targets.

Opportunity#

There is an opportunity to detect an unknown process that is being used for command and control and disrupt it.

Use Case#

A defender can isolate unknown processes that are being used for command and control and prevent them from being able to access the internet.

Procedures#

Unplug an infected system from the network and disable any other means of communication. Run all user applications in isolated containers to prevent a compromise from expanding beyond the container’s boundaries.

Contents