Stage One Product

Offensive cyber security designed to defend you!

Stage One’s purpose is to help companies assess the security of their enterprise systems. The tool gives organizations tremendous visibility into their security posture, assessing the effectiveness of their security and allowing them to fix the gaps before a cyber-criminal exploits them.

When StageOne is deployed in the security infrastructure, it continuously tests different security measures, using attack emulations to validate security controls. These emulations help Red and Blue Teams measure the effectiveness of security controls and find the gaps in the infrastructure before a hacker does.

The chances of suffering a breach are lowered considerably, and our product helps increase the sophistication of the defenses to the point where the target becomes unattractive for a hacker. In this way an organization becomes more secure in the face of advanced attacks and can constantly upgrade its defensive systems to withstand new types of attack strategies.

StageOne is an adversarial attack simulation framework designed to emulate the modus operandi of Advanced Persistent Threats (hereafter APTs) based on MITRE ATT&CK™, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Our framework, StageOne, consists of two main components:

  • An attack implant designed to be infiltrated into client networks and move laterally across different devices, looking for data to be exfiltrated while maintaining stealth and persistence. This lets our client test and tweak the security measures in place, such as IDS/firewall software and the response procedures of the security operations center designed to deal with APTs and other threats.
  • A Command & Control (hereafter C2) interface for the attack simulation operators, so that they can actively control the above-mentioned software implants. The C2 interface is also designed to collect statistics from the attack campaign, so that they can be presented to the client when the operation is finished.

After it is infiltrated into the target network, the implant periodically queries the C2 server for commands, which are then executed on the “victim” devices/network. The red team operator in charge of the attack simulation controls the C2 server. We have a system in place so that when the red team assessment is finished, the implants and any other offensive gadgets installed by the operator are automatically cleaned up from the client network, so that our assessment does not damage the client in any way. Below is a visual representation of an attack scenario involving a phishing campaign as the initial access method:


  • Stealthy communication channels between implant and C2. We use protocols that do not raise red flags and mix with regular traffic:
    • HTTP / HTTPS
    • DNS
    • ICMP
  • Encrypted communication - we use asymmetric encryption so that our traffic cannot be intercepted
  • Designed for collaboration - the C2 interface is developed so that it may be used by multiple operators, on multiple attack campaigns.
  • C2 statistics and command logging - after completing an attack scenario, the C2 offers a timeline of the attack so that the client's security operations team can assess their response and correct any errors.
  • Multiple technical capabilities of the malware implant
    • Upload and download files
    • In-memory keylogging
    • Run assemblies in-memory
    • Run PowerShell in-memory
    • Automated pivoting techniques between devices
    • Credential extraction via memory dumping
    • Reverse Proxy to avoid 2FA
    • Capture desktop screenshots and webcam snapshots
  • Undetected implant signature - our implants are constantly updated so that the assembly signature is not present in any antivirus database. This ensures that any signature-based detection from AV software is nullified, and the client's security operations center has to detect the attack based on network monitoring and security processes, which is a similar scenario to a real APT intrusion.
  • Bypassing behaviour-based detection - our team constantly studies AV behaviour-based detection techniques and adapts our implant to bypass them so that the operators will have the highest success rate in any campaign.
