DET0228: Detect Multi-Stage Command and Control Channels
Analyst context for executives and security teams
DET0228 is a detection strategy for identifying command-and-control behavior where an adversary uses more than one stage or channel to make remote access activity harder to recognize. The business issue is not just “malware calling home”; it is whether defenders can connect an initial callback with later tool updates, host information collection, file uploads, or additional remote access activity before the intrusion becomes harder to contain.
Executive priority
Prioritize this as a resilience and incident-response readiness question: can the SOC prove it can correlate staged command-and-control activity across network and endpoint evidence on Linux, macOS, Windows, and ESXi where those platforms are in scope? Because the ATT&CK object has no official detection text or platform field of its own, leaders should treat DET0228 as a validation prompt rather than a ready-made rule: confirm telemetry coverage, correlation capability, and response playbooks for multi-stage C2 associated with T1104 Multi-Stage Channels.
Technical view
This detection strategy covers ATT&CK technique T1104, Multi-Stage Channels, in the command-and-control tactic. SOC and detection teams should validate whether they can link a first-stage remote access callback to later behavior such as basic host information collection, tool updates, file uploads, or follow-on remote access activity. Since DET0228 provides no official detection logic, implementation should be based on local telemetry correlation across network egress, endpoint process activity, and file movement rather than on a single indicator or a single connection event.
Likely telemetry
- Network egress records such as proxy, firewall, DNS, and flow metadata for callback patterns and changing destinations
- Endpoint process-to-network telemetry showing which process initiated outbound command-and-control-like traffic
- File creation, modification, upload, or transfer evidence associated with staged tooling or updates
- Host inventory or system information collection events where available from endpoint telemetry
- Correlation data linking an initial remote access callback with later network, process, and file activity on the same host
Detection direction
- Validate correlation across stages rather than relying only on one suspicious destination, domain, or connection.
- Look for sequences where an initial callback is followed by host information collection, tool update activity, file upload, or additional remote access behavior.
- Tune for legitimate software update agents, remote administration tools, backup systems, and management platforms that may create multi-step network and file activity.
- Confirm that ESXi and non-Windows systems are not blind spots if they are in the environment, because the related technique includes Linux, macOS, Windows, and ESXi.
- Use DET0228 as a detection engineering requirement because the ATT&CK object does not provide official detection logic, analytics, or data source mappings.
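As an added example that is not part of the DET0228 object or Glexia's analysis, the Python below sketches the cross-stage correlation described above on constructed telemetry: the first outbound callback from each (host, pid) is linked to later host-information, staged-file, new-destination and large-upload events inside a time window, and an assumed allowlisted update agent (`acme-updater.exe`, a made-up name) marks the tuning point for legitimate multi-step software.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): every record carries host and pid,
# which is what lets network, host-info and file stages be linked to one process.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "ws-17", "pid": 4412, "proc": "svchst.exe", "type": "net", "dst": "203.0.113.10", "bytes_out": 900},
    {"ts": "2024-05-01T09:00:05", "host": "ws-17", "pid": 4412, "proc": "svchst.exe", "type": "host_info", "cmd": "systeminfo"},
    {"ts": "2024-05-01T09:02:10", "host": "ws-17", "pid": 4412, "proc": "svchst.exe", "type": "file_create", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.dll"},
    {"ts": "2024-05-01T09:03:00", "host": "ws-17", "pid": 4412, "proc": "svchst.exe", "type": "net", "dst": "198.51.100.7", "bytes_out": 3_500_000},
    # Benign look-alike: an assumed, allowlisted update agent performing similar steps.
    {"ts": "2024-05-01T09:00:00", "host": "ws-22", "pid": 880, "proc": "acme-updater.exe", "type": "net", "dst": "192.0.2.50", "bytes_out": 700},
    {"ts": "2024-05-01T09:01:00", "host": "ws-22", "pid": 880, "proc": "acme-updater.exe", "type": "file_create", "path": "C:\\ProgramData\\Acme\\patch.msi"},
    {"ts": "2024-05-01T09:01:30", "host": "ws-22", "pid": 880, "proc": "acme-updater.exe", "type": "net", "dst": "192.0.2.51", "bytes_out": 500},
]

ALLOWLISTED_PROCS = {"acme-updater.exe"}  # per-environment tuning list (assumed name)
WINDOW = timedelta(minutes=30)            # how long after the first callback later stages still count
UPLOAD_BYTES = 1_000_000                  # bytes_out above this is treated as a possible upload
STAGE_LABELS = {"host_info": "host information collection", "file_create": "staged file / tool update"}

def ts(e):
    return datetime.fromisoformat(e["ts"])

def find_multistage_c2(events, window=WINDOW):
    """One finding per (host, pid) whose first outbound callback is followed within `window` by
    at least two distinct later-stage indicators; allowlisted management agents are skipped."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"])].append(e)
    findings = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=ts)
        first = next((e for e in evs if e["type"] == "net"), None)  # stage-1 callback
        if first is None or first["proc"] in ALLOWLISTED_PROCS:
            continue
        stages = []
        for e in evs:
            if e is first or ts(e) < ts(first) or ts(e) - ts(first) > window:
                continue  # before the callback, or outside the correlation window
            if e["type"] in STAGE_LABELS:
                stages.append(STAGE_LABELS[e["type"]])
            elif e["type"] == "net":
                if e["dst"] != first["dst"]:
                    stages.append("new channel to " + e["dst"])
                if e.get("bytes_out", 0) > UPLOAD_BYTES:
                    stages.append("possible upload")
        stages = list(dict.fromkeys(stages))  # dedupe, keep first-seen order
        if len(stages) >= 2:
            findings.append({"host": host, "pid": pid, "proc": first["proc"], "callback": first["dst"], "stages": stages})
    return findings
```

Running `find_multistage_c2(EVENTS)` yields one finding for ws-17 with four stages and none for the allowlisted agent on ws-22; the window, upload threshold and allowlist are the knobs a SOC would tune against local baselines.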
Mitigation priorities
- First, establish telemetry coverage for outbound network activity, endpoint process activity, and file movement on the T1104-relevant platforms (Linux, macOS, Windows, and ESXi) present in the environment.
- Next, improve SOC correlation so analysts can connect first-stage callbacks to later staged behavior on the same asset.
- Then document triage and incident-response steps for suspected multi-stage command-and-control, including containment decision points and evidence preservation.
- Review administrative remote access and update mechanisms so expected multi-stage behavior is known and can be separated from suspicious activity.
- Use findings as compliance and audit evidence for monitoring coverage and incident-response readiness, while avoiding claims of coverage unless validated in the local environment.
Analyst notes and limits
The strongest use of this object is as a coverage assessment for detecting T1104 Multi-Stage Channels. The relationship context supplies the relevant tactic, platforms, and behavior pattern; DET0228 itself supplies the strategy name and external reference but no official detection procedure. Local baselining is essential because legitimate enterprise management tools can resemble staged communications.
Official description, official detection text, tactics, platforms, aliases, and labels are not provided on the DET0228 object. The related T1104 description is partially supplied and should not be expanded beyond the provided relationship context. This summary does not assert active exploitation, attribution, impact, or guaranteed detection coverage.
Detect Multi-Stage Command and Control Channels
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1104 | Multi-Stage Channels | This object detects Multi-Stage Channels. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK Resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f599e017b20b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack DET0228 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.