Threat actors may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.