| Title            | Author     | Created            | Published          | Tags                                         |
| ---------------- | ---------- | ------------------ | ------------------ | -------------------------------------------- |
| Cyber Kill Chain | Jon Marien | September 08, 2025 | September 08, 2025 | [[#soc\|#soc]], [[#arcticwolf\|#arcticwolf]] |

# Cyber Kill Chain

![[image-942.png]]

# Learning Objectives

In this room, you will learn about each phase of the Cyber Kill Chain framework and the advantages and disadvantages of the traditional Cyber Kill Chain.

# Outcome

As a result, you will be ready to recognize different phases or stages of the attack carried out by an adversary and be able to break the "kill chain."

## 'Kill Chain' Term Info

The term kill chain is a military concept related to the structure of an attack. It consists of target identification, the decision and order to attack the target, and finally the target's destruction.

Lockheed Martin, a global security and aerospace company, established the Cyber Kill Chain® framework for the cybersecurity industry in 2011, based on this military concept. The framework defines the steps used by adversaries or malicious actors in cyberspace. To succeed, an adversary needs to go through all phases of the Kill Chain. We will go through the attack phases to help you better understand adversaries and the techniques they use, so that you can defend yourself.

So, why is it important to understand how the Cyber Kill Chain works? The Cyber Kill Chain will help you understand and protect against ransomware attacks, security breaches, and Advanced Persistent Threats (APTs). You can use the Cyber Kill Chain to assess your network and system security by identifying missing security controls and closing certain security gaps based on your company's infrastructure.

By understanding the Kill Chain as a SOC Analyst, Security Researcher, Threat Hunter, or Incident Responder, you will be able to recognize intrusion attempts and understand the intruder's goals and objectives.
We will be exploring the following attack phases in this room:

## Topics

1. **Reconnaissance**
2. **Weaponization**
3. **Delivery**
4. **Exploitation**
5. **Installation**
6. **Command & Control**
7. **Actions on Objectives**

---

## Reconnaissance

Reconnaissance is all about finding and gathering information about a system or a target. For attackers, this is like their planning stage.

One important part of reconnaissance is **OSINT**, which stands for Open-Source Intelligence. OSINT is **usually** the first thing an attacker does before moving on to other steps in their attack. The attacker will collect as much public information as possible about the company and its employees—like company size, email addresses, and phone numbers—using resources that are available to everyone. This helps them pick the best target for their attack.

Imagine a hacker who calls himself "Megatron." Megatron has spent years planning a complex attack, learning about different hacking tools and methods. But, like any attacker, he has to start with the Reconnaissance phase.

To begin, Megatron conducts OSINT. One example of this is something called email harvesting, which is when someone gathers email addresses from public or private sources. Attackers use email harvesting to launch phishing attacks—these are scams meant to steal things like passwords or credit card details.

There are many tools attackers can use for reconnaissance, such as:

- **theHarvester:** Finds emails, names, subdomains, IP addresses, and website links from many public sources.
- **Hunter.io:** Lets attackers look up contact details linked to a website’s domain.
- **OSINT Framework:** Collects lots of OSINT tools, sorted into different categories.

Attackers also look at social media sites like LinkedIn, Facebook, Twitter, and Instagram to find out more about potential victims or companies. The details they find on social media can be very helpful when planning phishing attacks.

---

## Weaponization

After finishing their research phase, "Megatron" moves on to building a malicious tool. Instead of reaching out to the victim directly, he uses something called a "weaponizer," which, according to Lockheed Martin, is a tool that combines harmful software (malware) with a method for exploiting a weakness (an exploit) into one package that can be delivered to the victim.

Most attackers use automated tools to create this malware, or they buy it from the Dark Web. Highly skilled hackers or groups supported by governments (known as APTs, or Advanced Persistent Threat Groups) might write their own custom malware so that it is unique and harder for defenders to detect.

---

### Key Definitions

- **Malware:** Software created to damage, disrupt, or break into a computer system without permission.
- **Exploit:** Code or a program that takes advantage of a weakness in an application or system.
- **Payload:** The part of the malicious code that runs on the victim’s system.

---

He then decides to buy a ready-made payload off the Dark Web, so he can focus on the other parts of his plan.

In this Weaponization phase, an attacker might:

- Build a Microsoft Office document that contains a hidden malicious macro or VBA script.
- Create a virus or malicious program and put it on USB sticks, leaving them out where people might pick them up and plug them in.
- Decide how to use "Command and Control" (C2) methods to talk to the victim’s computer, or send more bad files later (MITRE ATT&CK has a lot of info on C2).
- Choose a "backdoor", which is a secret way to get around security and access the system again in the future.

---

## Delivery

The Delivery phase is when "Megatron" decides how he’s going to send the malware or malicious file to the victim. He has several different ways to do this:

- **Phishing email:** After researching his targets, the attacker writes a fake email to trick someone into opening a file or clicking a link that has malware.
  For example, if Megatron finds out that Nancy from Company A often interacts with Scott from Company B on LinkedIn, he might guess they talk over work email. He could send Nancy what looks like an email from Scott, using a similar company email address, and include a fake invoice with the malware hidden inside.
- **Dropping infected USB drives:** Megatron could leave USB drives, loaded with malware, in public areas like coffee shops or parking lots. He might even go a step further by putting the company’s logo on the USB stick and mailing it to the company, pretending to be a friendly customer sending a gift. If someone plugs in the USB drive, their computer can get infected.
- **Watering hole attack:** In this method, the attacker targets a website that certain employees or groups visit often. Megatron would try to break into that site and add something harmful, so that when visitors from the target company go to that website, they get redirected to another malicious site and download malware without realizing it. Sometimes the attacker will even send out "innocent" emails encouraging people to visit the site. This strategy, where malware is downloaded automatically when visiting a page, is called a "drive-by download." An example could be a fake browser extension popping up for download.

spearphishing

---

## Exploitation

To break into a system, an attacker has to take advantage of a weakness. In this stage, "Megatron" gets creative—he sends out two phishing emails:

- one with a link that leads to a fake Office 365 login page,
- and another with a file attachment that, when opened, runs ransomware.

Both emails reach victims who end up clicking the link or opening the file, letting Megatron’s attacks succeed.

Once the attacker is inside, they can look for more weaknesses in software, the operating system, or servers to gain more power (privileges) or move sideways through the network to access other systems.
Lateral movement is when an attacker goes from the first machine they’ve broken into and tries to reach other valuable parts of the network, in search of sensitive data.

Sometimes, attackers use a "**zero-day exploit**". This is a weakness in software or hardware that no one else knows about. Because no one is aware of it, there is no way to detect or stop the attack at the beginning. Zero-day exploits can cause problems before anyone even knows there’s a risk.

Here are some examples of how attackers use exploits in this stage:

- The victim opens a malicious email attachment or clicks on a dangerous link.
- The attacker uses a zero-day exploit that hasn’t been discovered by defenders yet.
- The attacker targets weaknesses in software, hardware, or uses tricks to fool people.
- The attacker takes advantage of vulnerabilities on a server to run their malicious code.

---

## Installation

After an attacker gets into a system, they want to make sure they can get back in later—even if they get kicked out, detected, or if the computer is fixed (patched). To do this, the attacker sets up what’s called a "persistent backdoor." This type of backdoor allows the attacker to return to the compromised system at any time in the future.

Here are some common ways an attacker can maintain persistence:

- **Installing a web shell on a web server:** A web shell is a dangerous script written in a programming language like ASP, PHP, or JSP. With a web shell, the attacker can control the system remotely. Because these files look like normal website files (like .php or .asp), they can be hard to spot.
- **Setting up a backdoor on the victim’s machine:** For example, an attacker might use a tool called Meterpreter (part of Metasploit) to install this kind of backdoor. Meterpreter gives the attacker a way to remotely control and run commands on the victim’s device.
- **Creating or changing Windows services:** This approach is tracked as T1543.003 by MITRE ATT&CK (a big database of hacking techniques). The attacker can make or change Windows services so their malicious scripts run often. They might use built-in Windows tools (like sc.exe to manage services, or Reg to change the registry), and disguise the service’s name to look like something normal so it’s less likely to be noticed.
- **Adding a malicious file to the "run keys" in the Registry or to the Startup Folder:** This makes sure the bad program will run every time someone logs into the computer. There are specific places in the Registry and Startup Folder for different users and for all users. This ensures persistence no matter who logs in.

Attackers may also use a method called "Timestomping" to avoid being caught. With timestomping, they change the file’s time stamps (when it was created, last accessed, or changed) to make the malware look like it belongs on the system, blending in with legitimate programs.

Once an attacker has access to a system, they want to make sure they can get back in, even if they’re disconnected, discovered, or the original problem is fixed. To do this, the attacker installs something called a persistent backdoor, which allows them to return to the compromised system even after some time has passed.

Persistence can be achieved in several ways:

- **Installing a web shell:** This is a piece of malicious code placed on a web server. Written in programming languages like ASP, PHP, or JSP, a web shell acts as a remote control for the attacker. Because these files look like normal web files (.php, .asp, .aspx, .jsp, etc.), they can be hard to spot.
- **Setting up a backdoor on the victim’s machine:** For example, the attacker could use Meterpreter, a tool from the Metasploit Framework, which gives the attacker a way to control and run commands on the target machine remotely.
- **Creating or modifying Windows services:** Attackers can make new Windows services or change existing ones to regularly run their malware. They use tools like sc.exe (to manage Windows services) or Reg (to modify the Windows Registry). Sometimes they even name their bad service to look like a normal operating system process so it doesn’t stand out.
- **Adding entries to "run keys" in the Registry or the Startup Folder:** By adding their malware to certain areas of the Registry or Startup Folder, the attacker makes sure it runs every time the computer starts, no matter who logs in.

Attackers may also use a trick called timestomping. With timestomping, they change the timestamps (like when a file was created or last changed) on their malware, making it blend in and look like a normal program so it doesn’t attract attention from investigators.

---

## C2 (Command & Control Infrastructure)

After the attacker has set up persistence and successfully run their malware, "Megatron" opens a Command and Control (C2) channel. This is a secret communication line that lets him remotely control the victim’s computer. This process is also called C&C or C2 Beaconing, which means the infected computer keeps in regular contact with the attacker’s remote server.

Here’s how it works: the compromised device on the victim’s side talks to an external server owned by the attacker. Once this connection is up, the attacker can fully control the victim’s device. In the past, attackers often used IRC (Internet Relay Chat) channels for this, but these days it’s easy for security tools to spot IRC-based attacks so attackers use other methods.

These days, attackers most often use:

- **HTTP (port 80) and HTTPS (port 443):** These are normal web traffic channels, so using them helps attackers hide their malicious activity among regular internet usage. This makes it harder for firewalls and security systems to notice there’s a problem.
- **DNS (Domain Name System):** In DNS tunneling, the infected computer regularly sends special DNS requests to a server controlled by the attacker. This allows hidden communication between the attacker and the compromised machine.

It’s also important to note that sometimes attackers will use another infected computer as the C2 server, instead of directly owning the infrastructure themselves.

Once attackers have ensured they can get back into the system (persistence) and their malware is running, "Megatron" sets up a secret communication channel called Command and Control (C2). This lets him remotely control or give orders to the victim’s computer. The process is also called C2 Beaconing, because the infected system regularly checks in ("beacons") with the attacker’s server.

The compromised computer keeps in touch with an external server set up by the attacker. After the connection is established, the attacker can do anything on the victim’s system, just like having full remote control.

While attackers used to often use IRC (Internet Relay Chat) for this communication, modern security tools easily detect that method now, so attackers have moved to new approaches. Common C2 channels used today include:

- **HTTP (port 80) and HTTPS (port 443):** These are common internet traffic channels, so using them helps hide the attacker’s communication among normal web activity, making it harder for defenders to notice.
- **DNS (Domain Name System):** The infected system sends regular DNS queries to an attacker-controlled server. This method, called DNS Tunneling, helps hide the control channel inside ordinary-looking DNS traffic.

Attackers might run these C2 servers themselves or even use another already-compromised machine as their control point.

---

## Exfiltration

After completing the first six steps of the attack, "Megatron" finally reaches his main goal.
Now that he has full control of the target’s system, he can take a variety of harmful actions, including:

- Stealing login credentials from users.
- Gaining even more power by taking over high-level accounts, like becoming a domain administrator by taking advantage of system misconfigurations.
- Exploring the internal network and software to look for more weaknesses to exploit.
- Moving further into the company’s network by hopping from one system to another (lateral movement).
- Collecting and sending out (exfiltrating) sensitive company data.
- Deleting existing backups and shadow copies (**Shadow Copy** is a Microsoft feature for making file and volume backups) to make recovery much harder for the company.
- Overwriting or damaging files and data.

---

## Practical

> [!check]-
> ![[image-943.png]]
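
---

From the defender's side, the persistence methods listed in the Installation section (run keys and disguised Windows services) can be triaged from endpoint events. This is an added example, not part of the original room or notes; the event field names, the sample events, and the short lists of process names and folders are assumptions constructed for illustration.

```python
import ntpath

# Registry "run key" locations named in the Installation section (matched as key suffixes).
RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Short sample of genuine Windows process names a disguised service might borrow.
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon", "spoolsv"}
SYSTEM_DIR = r"c:\windows\system32"
# Folders ordinary users can usually write to (assumed list for this example).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed events, loosely shaped like registry-set and service-install records.
SAMPLE_EVENTS = [
    {"type": "registry_set", "value": "Updater", "data": r"C:\Users\nancy\AppData\Roaming\upd.exe",
     "key": r"HKU\S-1-5-21-0000\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "registry_set", "value": "Theme", "data": "dark", "key": r"HKLM\SOFTWARE\ExampleVendor\App"},
    {"type": "service_install", "name": "WinTimeSync", "image": r"C:\Users\Public\svchost.exe"},
    {"type": "service_install", "name": "BackupAgent", "image": r"C:\ProgramData\agent\ba.exe -run"},
    {"type": "service_install", "name": "Schedule", "image": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

def executable(image):
    """Lower-cased (folder, base name) of the .exe in a service image path; arguments are ignored."""
    path = image.strip('"').lower().partition(".exe")[0]
    return ntpath.dirname(path), ntpath.basename(path)

def triage(events):
    """Return (finding, detail) tuples for events matching the persistence patterns above."""
    findings = []
    for ev in events:
        if ev["type"] == "registry_set" and ev["key"].lower().endswith(RUN_KEY_SUFFIXES):
            findings.append(("run_key", f'{ev["value"]} -> {ev["data"]}'))
        elif ev["type"] == "service_install":
            folder, base = executable(ev["image"])
            # A system process name running from anywhere but System32 suggests a disguised service.
            if base in SYSTEM_NAMES and folder != SYSTEM_DIR:
                findings.append(("system_name_outside_system32", ev["name"]))
            elif any(part in folder + "\\" for part in USER_WRITABLE):
                findings.append(("service_in_user_writable_path", ev["name"]))
    return findings
```

Legitimate software also writes run keys and installs services, so findings like these are leads to review against a known-good baseline, not verdicts.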
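
---

The C2 section describes beaconing as regular check-ins over HTTP/HTTPS and DNS tunneling as repeated special DNS requests; both leave timing and naming patterns a defender can look for in proxy and DNS logs. This is an added example, not part of the original room or notes; the log format, host names, domains and thresholds are assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

def sample_log():
    """Constructed 'timestamp source protocol destination' records (not real traffic)."""
    rows = []
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):  # ws-12: ~60 s check-ins
        rows.append(f"2025-09-08T09:{i:02d}:{30 + jitter:02d} ws-12 https cdn-sync.example.net")
    for t in ["09:00:05", "09:00:09", "09:03:40", "09:11:02", "09:11:03", "09:25:50"]:
        rows.append(f"2025-09-08T{t} ws-07 https intranet.example.com")  # irregular browsing
    for i in range(6):  # ws-12: DNS names with a long, changing first label
        rows.append(f"2025-09-08T09:{i:02d}:45 ws-12 dns {i:04x}a9f3c27be4d1056f8b3c7e2a.t.example.org")
    rows.append("2025-09-08T09:02:00 ws-07 dns www.example.com")
    return rows

def parse(rows):
    for row in rows:
        ts, src, proto, dest = row.split()
        yield datetime.fromisoformat(ts), src, proto, dest

def beacon_candidates(rows, min_events=5, max_cv=0.1):
    """Return ((source, destination), mean gap in seconds) where stdev/mean of the gaps is low."""
    seen = defaultdict(list)
    for ts, src, proto, dest in parse(rows):
        if proto in ("http", "https"):
            seen[(src, dest)].append(ts)
    hits = []
    for pair, times in seen.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits.append((pair, round(mean)))
    return hits

def dns_tunnel_candidates(rows, min_unique=5, min_label_len=20):
    """Return (source, parent domain) pairs with many distinct long first labels."""
    labels = defaultdict(set)
    for _, src, proto, dest in parse(rows):
        first, _, parent = dest.partition(".")
        if proto == "dns" and len(first) >= min_label_len:
            labels[(src, parent)].add(first)
    return [pair for pair, found in labels.items() if len(found) >= min_unique]

if __name__ == "__main__":
    print(beacon_candidates(sample_log()), dns_tunnel_candidates(sample_log()))
```

Software updaters and monitoring agents also poll on fixed timers, so a regular interval is a reason to look at the destination, not proof of C2.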