Home/ATT&CK Technique/Multi-Stage Channels
ATT&CK Technique

Multi-Stage Channels

T1104 · command-and-control

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult. Remote access tools will call back to the first-stage command and control server for instructions.

The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or Fallback Channels in case the original first-stage communication path is discovered and blocked.

LinuxmacOSWindowsESXi

Actors Using This

3
chinaAPT41
north_koreaLazarus Group
russiaTurla

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
execution earlier
T1047 · Windows Management Instrumentation ×4.25
persistence earlier
T1505 · Server Software Component ×3.05
privilege-escalation earlier
T1134 · Access Token Manipulation ×4.41T1055 · Process Injection ×2.98
credential-access earlier
T1110 · Brute Force ×3.09
discovery earlier
T1680 · Local Storage Discovery ×47.60T1012 · Query Registry ×4.18
collection earlier
T1560.001 · Archive via Utility ×2.83
command-and-control same
T1008 · Fallback Channels ×39.67T1001 · Data Obfuscation ×26.44T1105 · Ingress Tool Transfer ×2.87
exfiltration later
T1048.003 · Exfiltration Over Unencrypted Non-C2 Protocol ×4.67T1048 · Exfiltration Over Alternative Protocol ×2.48
other same
T1036.004 · Masquerade Task or Service ×3.17T1553 · Subvert Trust Controls ×3.05

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1031Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-04, CA-07, CM-02, CM-06, CM-07, SC-07, SI-03, SI-04
D3FEND11 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin