TIARAS - T1104: Multi-Stage Channels

MITRE ATT&CK Technique

Command and Control T1104

Description

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult. Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features. The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.

Supported Platforms

Linux macOS Windows ESXi

Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data

{'created': '2017-05-31T21:31:15.935Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may create multiple stages for command and '
                'control that are employed under different conditions or for '
                'certain functions. Use of multiple stages may obfuscate the '
                'command and control channel to make detection more '
                'difficult.\n'
                '\n'
                'Remote access tools will call back to the first-stage command '
                'and control server for instructions. The first stage may have '
                'automated capabilities to collect basic host information, '
                'update tools, and upload additional files. A second remote '
                'access tool (RAT) could be uploaded at that point to redirect '
                'the host to the second-stage command and control server. The '
                'second stage will likely be more fully featured and allow the '
                'adversary to interact with the system through a reverse shell '
                'and additional RAT features.\n'
                '\n'
                'The different stages will likely be hosted separately with no '
                'overlapping infrastructure. The loader may also have backup '
                'first-stage callbacks or [Fallback '
                'Channels](https://attack.mitre.org/techniques/T1008) in case '
                'the original first-stage communication path is discovered and '
                'blocked.',
 'external_references': [{'external_id': 'T1104',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1104'}],
 'id': 'attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'command-and-control'}],
 'modified': '2025-10-24T17:49:03.646Z',
 'name': 'Multi-Stage Channels',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows', 'ESXi'],
 'x_mitre_version': '1.1'}

Quick Actions

Edit TTP Update from Web

Related Threat Actors (4)

MuddyWater
High

Lazarus Group
High

APT41
High

APT3
High

Back to TTPs

Dashboard About