Fundamentals
TA0043, TA0042, TA0041, TA0040Kill Chain
The Lockheed Martin Cyber Kill Chain framework --- a working analyst's guide to mapping intrusions across seven stages and using the model to prioritize detection and response.
View on Graph
The Seven Stages of the Kill Chain
The Cyber Kill Chain was developed by Lockheed Martin in 2011. It models a cyber intrusion as seven sequential stages. If the defender breaks any single link in the chain, the attack fails. The Kill Chain gives you the phases; MITRE ATT&CK gives you the specific techniques within each phase.
Below, each stage is explained with: what the adversary does, the MITRE ATT&CK techniques that map to it, and the detection opportunities available to defenders.
Stage 1: Reconnaissance
What the adversary does: The attacker gathers information about the target before launching the attack. This can be technical (scanning networks, enumerating users) or human (monitoring social media, searching job postings).
MITRE ATT&CK mapping:
| Technique | ID | What It Looks Like |
|---|---|---|
| Active Scanning | T1595 | Port scans, vulnerability scans from external IPs |
| Search Open Technical Databases | T1596 | WHOIS lookups, crt.sh certificate enumeration, Shodan/DNSDumpster |
| Gather Victim Identity Info | T1589 | Email harvesting from LinkedIn, corporate website scraping |
| Search Open Websites/Domains | T1593 | Job postings revealing tech stack, press releases naming vendors |
Detection opportunities:
- DNS logs: Spike in TXT/ANY queries for your domain from unknown resolvers
- Firewall logs: Port scans from IPs in countries where your org has no business
- Web proxy: Requests to WHOIS lookup sites, Shodan, crt.sh from non-approved users
- Honeytokens: Web crawlers hitting fake pages or endpoints you seeded (e.g., a fake admin URL in job postings)
Mitigation: Rate-limit DNS zone transfers, implement CAPTCHA on public-facing data, monitor for scanning patterns.
Stage 2: Weaponization
What the adversary does: The attacker creates a deliverable payload. A vulnerability is paired with an exploit to create a weapon — typically a malicious document (PDF, Office macro) or a crafted exploit for a known vulnerability (CVE). This stage often happens entirely off your network and is invisible to defenders.
MITRE ATT&CK mapping:
| Technique | ID | What It Looks Like |
|---|---|---|
| Develop Capabilities | T1587 | Building custom malware, payloads, or exploits |
| Obtain Capabilities | T1588 | Purchasing exploits, renting botnets, using commercial C2 frameworks |
| Stage Capabilities | T1608 | Hosting payloads on staging servers or cloud storage |
Detection opportunities: Virtually none at this stage — weaponization happens on the attacker’s infrastructure. However, threat intelligence can help identify known weaponization patterns (e.g., a specific CVE being actively exploited in the wild).
Mitigation: Patch management (reducing available CVEs), threat intelligence feeds for zero-day awareness.
Stage 3: Delivery
What the adversary does: The weapon is transmitted to the target. This is the first interaction with your network — the point where defenders have their best detection opportunity.
Delivery vectors:
- Phishing (
T1566) — Emails with malicious attachments or links. The most common delivery vector in ransomware and BEC. - Watering hole (
T1189) — Compromising a website the target frequently visits. - Drive-by download (
T1189) — Exploit kit on a compromised website. - Removable media (
T1091) — USB drop attacks. - Software supply chain (
T1195) — Compromising trusted software updates.
Detection opportunities:
- Email gateway: Attachment analysis, URL reputation, DMARC/DKIM/SPF failures, sender reputation scoring
- Proxy logs: User visits a known-phishing URL or downloads a file from an unusual domain
- DNS logs: Domain resolution for a newly registered domain (registered < 30 days) or lookalike domain (e.g.,
wyzsec-wiki.comvs.wyzsec.com) - EDR: User opens email attachment, content is scanned by anti-malware
Mitigation: Email filtering, URL sandboxing, browser isolation, macro-blocking policies, user awareness training.
Stage 4: Exploitation
What the adversary does: The weapon is triggered, exploiting a vulnerability to gain code execution on the target system. The vulnerability may be in the application (e.g., a buffer overflow in Adobe Reader), in the operating system (e.g., EternalBlue — T1210), or in the user (e.g., social engineering to run a macro — T1204.002).
MITRE ATT&CK mapping:
| Technique | ID | What It Looks Like |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Web app RCE, SQL injection, SSRF |
| Exploitation for Client Execution | T1203 | Browser exploits, document reader CVEs |
| User Execution | T1204 | Double-clicking a malicious attachment, allowing a macro |
| External Remote Services | T1133 | VPN/RDP compromise |
Detection opportunities:
- Sysmon Event ID 1: Process creation showing unusual parent-child relationships —
winword.exespawningcmd.exe(T1204.002) - EDR: Behavioral alerts — a PDF reader allocating memory with RWX permissions, then spawning a network connection
- Windows Event 4688: Process creation with suspicious command lines (
-EncodedCommand,IEX,DownloadString) - Sysmon Event ID 7: DLL loaded into a process from a suspicious path (AppData, Temp)
Stage 5: Installation
What the adversary does: After gaining initial code execution, the attacker establishes persistence — ensuring they can get back into the system even if the initial entry point is closed. This typically involves installing a backdoor, creating a service, or modifying auto-start locations.
MITRE ATT&CK mapping:
| Technique | ID | What It Looks Like |
|---|---|---|
| Registry Run Keys / Startup Folder | T1547.001 | Adding entries to HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
| Scheduled Task/Job | T1053.005 | Creating a scheduled task to run malware at intervals |
| Service Creation | T1543.003 | Installing a new service or modifying an existing one |
| Boot or Logon Autostart Execution | T1547 | Modifying start-up locations |
| Web Shell | T1505.003 | Deploying a web shell on a public-facing server |
Detection opportunities:
- Sysmon Event ID 12-14: Registry changes to autostart locations
- Windows Event 4698: New scheduled task creation
- Windows Event 7045: A new service was installed
- EDR: New files written to
Startupfolders, registry modification at auto-start locations, IIS directory modification (web shells) - Sysmon Event ID 11: File creation in user profile directories or Windows startup directories
Stage 6: Command and Control (C2)
What the adversary does: The compromised host establishes communication with the attacker’s infrastructure to receive commands and exfiltrate data. This is where the attacker turns a compromised workstation into an interactive remote access tool.
MITRE ATT&CK mapping:
| Technique | ID | What It Looks Like |
|---|---|---|
| Web Protocols | T1071.001 | HTTP/HTTPS beacons to C2 servers |
| DNS | T1572 | DNS tunneling for C2 commands |
| Encrypted Channel | T1573 | Custom encryption or TLS connection to C2 |
| Non-Standard Port | T1571 | C2 traffic on ports 8080, 8443, or non-standard high ports |
| Multi-Stage Channels | T1104 | Beaconing with varying intervals and jitter |
Detection opportunities — the strongest detection stage:
- DNS logs: Regular queries to the same domain at consistent intervals (beaconing), long subdomain names (DNS tunneling), high NXDOMAIN rate (DGA), newly registered domains unlikely to be business-relevant
- Proxy logs: Regular outbound connections to a single IP over time, User-Agent strings not matching known browsers, POST requests with consistent payload sizes
- Sysmon Event ID 3: Process-based network connections — note which process is making outbound connections.
rundll32.exemaking network connections is a strong C2 indicator. - Sysmon Event ID 22: DNS queries per-process —
svchost.exequerying a domain is normal,calc.exequerying a domain is not - JA3/JA3S fingerprinting: TLS handshake fingerprints — C2 frameworks like Cobalt Strike, Metasploit, and Empire have distinctive JA3 hashes
Key C2 questions:
- Is the destination IP known-threat intel flagged?
- Is the domain registered recently (< 30 days)?
- Is the traffic pattern periodic (beaconing) or event-driven?
- Which process is making the connection? Is that normal for this host?
Stage 7: Actions on Objectives
What the adversary does: The attacker accomplishes their goal — data theft, ransomware deployment, system destruction, or long-term espionage. Everything prior was setup for this moment.
MITRE ATT&CK mapping:
| Technique | ID | What It Looks Like |
|---|---|---|
| Data Encrypted for Impact | T1486 | Ransomware execution — mass file encryption, extension changes |
| Exfiltration Over C2 Channel | T1041 | Data sent back over the existing C2 channel |
| Exfiltration Over Alternative Protocol | T1048 | Data exfiltration via DNS, HTTP, FTP to an external server |
| Exfiltration Over Web Service | T1567 | Data uploaded to cloud storage, file sharing, or paste sites |
| Account Access Removal | T1531 | Deleting or disabling user accounts |
| System Shutdown/Reboot | T1529 | Forcing reboots during ransomware recovery |
| Business Impact | T1485 | Data destruction — overwriting files with garbage |
Detection opportunities:
- Volume monitoring: Spike in outbound data volume per host (exfiltration), especially after hours or to unusual destinations
- File mass modification: Ransomware signature — thousands of file modification events in a short window
- SMB connection volume: Host connecting to many file shares in a short time — reconnaissance for exfiltration targets
- Cloud API events:
GetObjecton many S3 keys,Downloadon many SharePoint files - DLP alerts: Sensitive data leaving the network
Walkthrough: Ransomware Intrusion Mapped to the Kill Chain
Let’s walk a real-world ransomware attack through all seven stages.
Scenario: A law firm is hit by a ransomware attack attributed to the LockBit group.
| Stage | What Happened | Detection Point | How to Block Disruption |
|---|---|---|---|
| 1. Reconnaissance | Attacker scans the firm’s VPN gateway, finds open RDP on a non-standard port via Shodan. | Firewall logs show scanning from multiple IPs targeting ports 3389, 443, 22 over 48 hours. | Block: Rate-limit failed connections. Move RDP behind a VPN. |
| 2. Weaponization | Attacker prepares a LockBit binary with a C2 domain registered 5 days ago on Namecheap. | No direct detection (off-network). But threat intel may flag the new domain. | Block: Domain reputation feed blocks the C2 domain in DNS/proxy before delivery. |
| 3. Delivery | Attacker logs into RDP using credentials obtained from a past breach (credential stuffing). | Windows Event 4625 (failed logins) × 200, then 4624 (successful login) from a new IP. | Detect: Anomalous source IP + MFA prompt would stop this. |
| 4. Exploitation | Attacker runs a PowerShell download cradle from a typosquatted file-sharing domain. | Sysmon Event 1: powershell.exe -EncodedCommand... from RDP session. EDR: PowerShell connecting to suspicious domain. | Detect: Execution policies, AppLocker, Sysmon alert on encoded PowerShell. |
| 5. Installation | Attacker creates a scheduled task to re-launch the payload every hour and disables Windows Defender via registry. | Windows Event 4698 (task created). Sysmon Event 13 (Defender disable registry value set). | Detect: Alert on 4698 + registry modification to Defender settings. |
| 6. C2 | The binary beacons to evil-c2.lockbit[.]ru over HTTPS on port 443 every 60 minutes. | DNS log: regular query to unfamiliar domain. Proxy log: HTTPS POST with consistent payload size. | Block: DNS sinkhole the domain. Block the IP in the firewall. |
| 7. Actions on Objectives | Ransomware encrypts all file shares and mapped drives, drops ransom notes. 20 GB of data exfiltrated before encryption triggers. | EDR: mass file extension change (.lockbit). Volume monitoring: 20 GB outbound to external IP in 10 minutes. | Response: Isolate host, kill C2 process, take down file shares. |
Key takeaway: The best place to disrupt this attack was Stage 6 (C2). By the time actions on objectives start, data has already been stolen. Detection at Stage 3 (Delivery) or Stage 4 (Exploitation) prevents the most damage.
Kill Chain vs. MITRE ATT&CK — Why You Need Both
The Kill Chain and MITRE ATT&CK are complementary, not competing.
| Kill Chain | MITRE ATT&CK | |
|---|---|---|
| Perspective | Sequential (linear stages) | Matrix (tactic → technique) |
| Granularity | 7 stages | 14 tactics, hundreds of techniques |
| Best use | Top-down: “where in the intrusion are we?” | Bottom-up: “which specific technique is this?” |
| Defender focus | ”Break any link in the chain" | "Detect at each tactic” |
Working together: When you identify a technique, map it to a Kill Chain stage to understand the adversary’s progression. When you identify a Kill Chain stage, drill into MITRE ATT&CK for the specific techniques to detect.
Related
- Supply Chain Attack — detection and response for T1195 techniques
- Common Ports and Protocols — covers the common ports and protocols concepts
- DNS — detection and response for T1572, T1568 techniques
- API Attacks — OWASP API Top 10 — detection and response for T1190 techniques
- Container and Kubernetes Threats — detection and response for T1611, T1525, T1574.002 techniques
