An initial process opens an outbound connection to the first-stage C2, receives a payload or commands, then spawns (or injects into) a second process that opens a new outbound connection to an unrelated destination (the second-stage C2).

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TimeWindow | Correlate two-stage behavior occurring within a short window (e.g., 1-5 minutes) |
| ParentProcess | Tune to exclude known legitimate updaters and management agents |
| DestinationHostname | May be customized to exclude known corporate domains and CDNs |
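The correlation the Windows analytic describes, as an added example that is not part of the original page or of any ATT&CK-provided analytic: a small Python correlator over Sysmon EventCode 3 (network connection) and EventCode 1 (process creation) records, joined on ProcessGuid/ParentProcessGuid, applying the TimeWindow, ParentProcess and DestinationHostname tuning from the table above. The events, the allowlisted updater name and the excluded domain suffixes are constructed for illustration; the field names are Sysmon's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"  # format of Sysmon's UtcTime field

# Tuning knobs from the table above; the specific names are assumptions.
PARENT_ALLOWLIST = frozenset({"vendorupdate.exe"})            # known updaters / agents
EXCLUDED_SUFFIXES = ("corp.example.com", "vendor.example")     # corporate domains / CDNs

# Constructed Sysmon events (not real telemetry). EventCode 1 = process creation,
# EventCode 3 = network connection.
SAMPLE_EVENTS = [
    # Suspicious chain: dropped binary -> stage 1, spawns rundll32 -> stage 2 elsewhere
    {"EventCode": 3, "UtcTime": "2024-05-01 10:00:00.000", "ProcessGuid": "{A}",
     "Image": r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
     "DestinationHostname": "cdn-files.example.net", "DestinationIp": "203.0.113.10"},
    {"EventCode": 1, "UtcTime": "2024-05-01 10:00:42.000", "ProcessGuid": "{B}",
     "ParentProcessGuid": "{A}", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"EventCode": 3, "UtcTime": "2024-05-01 10:01:05.000", "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationHostname": "-", "DestinationIp": "198.51.100.77"},
    # Updater chain with the same shape, suppressed by the ParentProcess allowlist
    {"EventCode": 3, "UtcTime": "2024-05-01 11:00:00.000", "ProcessGuid": "{U}",
     "Image": r"C:\Program Files\Vendor\VendorUpdate.exe",
     "DestinationHostname": "dl.vendor-cdn.example", "DestinationIp": "203.0.113.60"},
    {"EventCode": 1, "UtcTime": "2024-05-01 11:00:30.000", "ProcessGuid": "{V}",
     "ParentProcessGuid": "{U}", "Image": r"C:\Program Files\Vendor\VendorSetup.exe",
     "ParentImage": r"C:\Program Files\Vendor\VendorUpdate.exe"},
    {"EventCode": 3, "UtcTime": "2024-05-01 11:00:45.000", "ProcessGuid": "{V}",
     "Image": r"C:\Program Files\Vendor\VendorSetup.exe",
     "DestinationHostname": "telemetry.vendor.example", "DestinationIp": "203.0.113.61"},
    # Corporate sync chain: both stages reach the same excluded corporate host
    {"EventCode": 3, "UtcTime": "2024-05-01 12:00:00.000", "ProcessGuid": "{S}",
     "Image": r"C:\Tools\sync.exe",
     "DestinationHostname": "files.corp.example.com", "DestinationIp": "10.20.30.40"},
    {"EventCode": 1, "UtcTime": "2024-05-01 12:00:10.000", "ProcessGuid": "{H}",
     "ParentProcessGuid": "{S}", "Image": r"C:\Tools\sync-helper.exe",
     "ParentImage": r"C:\Tools\sync.exe"},
    {"EventCode": 3, "UtcTime": "2024-05-01 12:00:20.000", "ProcessGuid": "{H}",
     "Image": r"C:\Tools\sync-helper.exe",
     "DestinationHostname": "files.corp.example.com", "DestinationIp": "10.20.30.40"},
]


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], SYSMON_TIME)


def _dest(ev):
    """Prefer the resolved hostname; Sysmon logs '-' when none is known."""
    host = ev.get("DestinationHostname", "-")
    return host.lower() if host not in ("", "-") else ev["DestinationIp"]


def _excluded(dest, suffixes):
    return any(dest == s or dest.endswith("." + s) for s in suffixes)


def _match_chain(spawn_ev, parent_conns, child_conns, window, excluded):
    """Return the first stage1 -> spawn -> stage2 chain around one EventCode 1, or None."""
    t_spawn = _ts(spawn_ev)
    for t1, d1 in sorted(parent_conns):
        # Stage 1: parent connected shortly before spawning, to a non-excluded host.
        if not (t_spawn - window <= t1 <= t_spawn) or _excluded(d1, excluded):
            continue
        for t2, d2 in sorted(child_conns):
            # Stage 2: child connects after the spawn, inside the window, somewhere else.
            if t_spawn <= t2 <= t1 + window and d2 != d1 and not _excluded(d2, excluded):
                return {"parent": ntpath.basename(spawn_ev["ParentImage"]),
                        "child": ntpath.basename(spawn_ev["Image"]),
                        "stage1": d1, "stage2": d2,
                        "delta_s": (t2 - t1).total_seconds()}
    return None


def detect_two_stage(events, window=timedelta(minutes=5),
                     parent_allowlist=frozenset(), excluded_suffixes=()):
    """One alert per spawned process that completes a two-stage chain within `window`."""
    conns = defaultdict(list)                      # ProcessGuid -> [(time, destination)]
    for ev in events:
        if ev["EventCode"] == 3:
            conns[ev["ProcessGuid"]].append((_ts(ev), _dest(ev)))
    alerts = []
    for ev in events:
        if ev["EventCode"] != 1:
            continue
        if ntpath.basename(ev["ParentImage"]).lower() in parent_allowlist:
            continue                               # ParentProcess tuning
        alert = _match_chain(ev, conns.get(ev["ParentProcessGuid"], []),
                             conns.get(ev["ProcessGuid"], []), window, excluded_suffixes)
        if alert:
            alerts.append(alert)
    return alerts


def run_sample():
    return detect_two_stage(SAMPLE_EVENTS, parent_allowlist=PARENT_ALLOWLIST,
                            excluded_suffixes=EXCLUDED_SUFFIXES)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Joining on ProcessGuid rather than ProcessId avoids false matches from PID reuse. Without the allowlist the updater chain is also flagged, which is the ParentProcess tuning the table calls for. The "injects into" variant of the behavior does not produce an EventCode 1 for the second stage; covering it needs Sysmon EventCode 8 or 10 (CreateRemoteThread / ProcessAccess) as the pivot, which the data components above do not include. The macOS and ESXi analytics below describe the same spawn-then-connect correlation over their own event sources.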

A shell script or binary issues a curl/wget request to a staging domain, writes the output to disk or memory, and shortly afterward launches another process that opens a new outbound connection to a different IP or hostname.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve, connect |
| Network Traffic Flow (DC0078) | iptables:LOG | OUTBOUND |

| Field | Description |
|---|---|
| BinaryPath | Tune for suspicious binaries like curl, wget, python, netcat |
| IPDistance | Threshold on the number of distinct external IPs contacted by one host or user within a short window (e.g., two or more within 5 minutes) |
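The IPDistance check from the Linux analytic, as an added example that is not part of the original page: a Python parser for iptables LOG lines from the OUTBOUND channel, followed by a sliding-window count of distinct external destinations per source host and UID. It assumes an OUTPUT rule of the form `-m conntrack --ctstate NEW -j LOG --log-prefix "OUTBOUND: " --log-uid` so that each line is a new flow and carries a UID; the log lines, the year supplied for syslog timestamps and the internal ranges are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed rule: -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTBOUND: " --log-uid
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?OUTBOUND: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
    r"(?: .*?UID=(?P<uid>\d+))?")

# Ranges treated as internal; add corporate public prefixes here. Deliberately not
# ipaddress.is_private, which would also hide the documentation ranges used below.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed log lines (not real telemetry): uid 33 (www-data) fetches from a staging
# host, talks to an internal database, then opens a second external connection.
SAMPLE_LOG = """\
May  1 10:00:01 web01 kernel: OUTBOUND: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45678 DPT=443 SYN URGP=0 UID=33 GID=33
May  1 10:00:20 web01 kernel: OUTBOUND: IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45680 DPT=5432 SYN URGP=0 UID=33 GID=33
May  1 10:01:15 web01 kernel: OUTBOUND: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45702 DPT=8443 SYN URGP=0 UID=33 GID=33
May  1 10:02:00 web01 kernel: OUTBOUND: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1 UID=33 GID=33
May  1 10:30:00 web01 kernel: OUTBOUND: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=45890 DPT=443 SYN URGP=0 UID=0 GID=0
May  1 10:45:00 web01 kernel: OUTBOUND: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=46001 DPT=443 SYN URGP=0 UID=33 GID=33
"""


def parse_outbound(line, year=2024):
    """Parse one iptables LOG line. Returns None for lines the rule did not tag or
    that carry no port (e.g. ICMP). Syslog timestamps have no year, so one is assumed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
            "dport": int(m["dpt"]), "uid": m["uid"]}


def is_external(dst):
    ip = ip_address(dst)
    return not any(ip in net for net in INTERNAL_NETS)


def detect_external_fanout(lines, window=timedelta(minutes=5), threshold=2):
    """Alert once per (SRC, UID) that reaches `threshold` distinct external IPs
    within `window`: the IPDistance check from the table above."""
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_outbound(line)
        if ev and is_external(ev["dst"]):
            by_key[(ev["src"], ev["uid"])].append(ev)
    alerts = []
    for (src, uid), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            # Sliding window ending at the current flow.
            recent = [e for e in evs[:i + 1] if cur["ts"] - e["ts"] <= window]
            dsts = sorted({e["dst"] for e in recent})
            if len(dsts) >= threshold:
                alerts.append({"src": src, "uid": uid, "first": recent[0]["ts"],
                               "last": cur["ts"], "destinations": dsts})
                break                              # one alert per (src, uid)
    return alerts


def run_sample():
    return detect_external_fanout(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Keying on UID as well as source address is what lets the auditd side (execve of curl, wget, python or netcat under the same UID in the same window, the BinaryPath tuning above) be joined to the network side, since iptables LOG records no process name. The threshold of two distinct external IPs is a starting point; hosts that legitimately fan out to CDNs will need the corporate and vendor ranges added to INTERNAL_NETS or a higher threshold.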

An initial process using NSURLSession or a similar API reaches out to a known staging domain, followed by the creation of a reverse shell or RAT that connects to a second, unrelated server.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_EXEC |
| Network Traffic Flow (DC0078) | macos:unifiedlog | tcp/udp |

| Field | Description |
|---|---|
| UserContext | Detect activity outside normal user behavior (e.g., automation or daemon context) |
| EntropyScore | Optional for detecting encoded payloads delivered via stage 1 |

A CLI- or API-based network call from the hypervisor to an external staging host, shortly followed by a connection to a second external IP from a spawned process or scheduled task.

| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | esxi:hostd | CLI network calls |
| Process Creation (DC0032) | esxi:cron | process or cron activity |

| Field | Description |
|---|---|
| ScheduledTaskName | Detect unknown or obfuscated task names launching follow-up stages |
| DestinationIP | Scope multiple IP destinations outside corporate ranges in short sequence |