Fundamentals

TA0043, TA0042, TA0041, TA0040

Kill Chain

The Lockheed Martin Cyber Kill Chain framework --- a working analyst's guide to mapping intrusions across seven stages and using the model to prioritize detection and response.

View on Graph

The Seven Stages of the Kill Chain

The Cyber Kill Chain was developed by Lockheed Martin in 2011. It models a cyber intrusion as seven sequential stages. If the defender breaks any single link in the chain, the attack fails. The Kill Chain gives you the phases; MITRE ATT&CK gives you the specific techniques within each phase.

Below, each stage is explained with: what the adversary does, the MITRE ATT&CK techniques that map to it, and the detection opportunities available to defenders.


Stage 1: Reconnaissance

What the adversary does: The attacker gathers information about the target before launching the attack. This can be technical (scanning networks, enumerating users) or human (monitoring social media, searching job postings).

MITRE ATT&CK mapping:

TechniqueIDWhat It Looks Like
Active ScanningT1595Port scans, vulnerability scans from external IPs
Search Open Technical DatabasesT1596WHOIS lookups, crt.sh certificate enumeration, Shodan/DNSDumpster
Gather Victim Identity InfoT1589Email harvesting from LinkedIn, corporate website scraping
Search Open Websites/DomainsT1593Job postings revealing tech stack, press releases naming vendors

Detection opportunities:

  • DNS logs: Spike in TXT/ANY queries for your domain from unknown resolvers
  • Firewall logs: Port scans from IPs in countries where your org has no business
  • Web proxy: Requests to WHOIS lookup sites, Shodan, crt.sh from non-approved users
  • Honeytokens: Web crawlers hitting fake pages or endpoints you seeded (e.g., a fake admin URL in job postings)

Mitigation: Rate-limit DNS zone transfers, implement CAPTCHA on public-facing data, monitor for scanning patterns.


Stage 2: Weaponization

What the adversary does: The attacker creates a deliverable payload. A vulnerability is paired with an exploit to create a weapon — typically a malicious document (PDF, Office macro) or a crafted exploit for a known vulnerability (CVE). This stage often happens entirely off your network and is invisible to defenders.

MITRE ATT&CK mapping:

TechniqueIDWhat It Looks Like
Develop CapabilitiesT1587Building custom malware, payloads, or exploits
Obtain CapabilitiesT1588Purchasing exploits, renting botnets, using commercial C2 frameworks
Stage CapabilitiesT1608Hosting payloads on staging servers or cloud storage

Detection opportunities: Virtually none at this stage — weaponization happens on the attacker’s infrastructure. However, threat intelligence can help identify known weaponization patterns (e.g., a specific CVE being actively exploited in the wild).

Mitigation: Patch management (reducing available CVEs), threat intelligence feeds for zero-day awareness.


Stage 3: Delivery

What the adversary does: The weapon is transmitted to the target. This is the first interaction with your network — the point where defenders have their best detection opportunity.

Delivery vectors:

  • Phishing (T1566) — Emails with malicious attachments or links. The most common delivery vector in ransomware and BEC.
  • Watering hole (T1189) — Compromising a website the target frequently visits.
  • Drive-by download (T1189) — Exploit kit on a compromised website.
  • Removable media (T1091) — USB drop attacks.
  • Software supply chain (T1195) — Compromising trusted software updates.

Detection opportunities:

  • Email gateway: Attachment analysis, URL reputation, DMARC/DKIM/SPF failures, sender reputation scoring
  • Proxy logs: User visits a known-phishing URL or downloads a file from an unusual domain
  • DNS logs: Domain resolution for a newly registered domain (registered < 30 days) or lookalike domain (e.g., wyzsec-wiki.com vs. wyzsec.com)
  • EDR: User opens email attachment, content is scanned by anti-malware

Mitigation: Email filtering, URL sandboxing, browser isolation, macro-blocking policies, user awareness training.


Stage 4: Exploitation

What the adversary does: The weapon is triggered, exploiting a vulnerability to gain code execution on the target system. The vulnerability may be in the application (e.g., a buffer overflow in Adobe Reader), in the operating system (e.g., EternalBlue — T1210), or in the user (e.g., social engineering to run a macro — T1204.002).

MITRE ATT&CK mapping:

TechniqueIDWhat It Looks Like
Exploit Public-Facing ApplicationT1190Web app RCE, SQL injection, SSRF
Exploitation for Client ExecutionT1203Browser exploits, document reader CVEs
User ExecutionT1204Double-clicking a malicious attachment, allowing a macro
External Remote ServicesT1133VPN/RDP compromise

Detection opportunities:

  • Sysmon Event ID 1: Process creation showing unusual parent-child relationships — winword.exe spawning cmd.exe (T1204.002)
  • EDR: Behavioral alerts — a PDF reader allocating memory with RWX permissions, then spawning a network connection
  • Windows Event 4688: Process creation with suspicious command lines (-EncodedCommand, IEX, DownloadString)
  • Sysmon Event ID 7: DLL loaded into a process from a suspicious path (AppData, Temp)

Stage 5: Installation

What the adversary does: After gaining initial code execution, the attacker establishes persistence — ensuring they can get back into the system even if the initial entry point is closed. This typically involves installing a backdoor, creating a service, or modifying auto-start locations.

MITRE ATT&CK mapping:

TechniqueIDWhat It Looks Like
Registry Run Keys / Startup FolderT1547.001Adding entries to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Scheduled Task/JobT1053.005Creating a scheduled task to run malware at intervals
Service CreationT1543.003Installing a new service or modifying an existing one
Boot or Logon Autostart ExecutionT1547Modifying start-up locations
Web ShellT1505.003Deploying a web shell on a public-facing server

Detection opportunities:

  • Sysmon Event ID 12-14: Registry changes to autostart locations
  • Windows Event 4698: New scheduled task creation
  • Windows Event 7045: A new service was installed
  • EDR: New files written to Startup folders, registry modification at auto-start locations, IIS directory modification (web shells)
  • Sysmon Event ID 11: File creation in user profile directories or Windows startup directories

Stage 6: Command and Control (C2)

What the adversary does: The compromised host establishes communication with the attacker’s infrastructure to receive commands and exfiltrate data. This is where the attacker turns a compromised workstation into an interactive remote access tool.

MITRE ATT&CK mapping:

TechniqueIDWhat It Looks Like
Web ProtocolsT1071.001HTTP/HTTPS beacons to C2 servers
DNST1572DNS tunneling for C2 commands
Encrypted ChannelT1573Custom encryption or TLS connection to C2
Non-Standard PortT1571C2 traffic on ports 8080, 8443, or non-standard high ports
Multi-Stage ChannelsT1104Beaconing with varying intervals and jitter

Detection opportunities — the strongest detection stage:

  • DNS logs: Regular queries to the same domain at consistent intervals (beaconing), long subdomain names (DNS tunneling), high NXDOMAIN rate (DGA), newly registered domains unlikely to be business-relevant
  • Proxy logs: Regular outbound connections to a single IP over time, User-Agent strings not matching known browsers, POST requests with consistent payload sizes
  • Sysmon Event ID 3: Process-based network connections — note which process is making outbound connections. rundll32.exe making network connections is a strong C2 indicator.
  • Sysmon Event ID 22: DNS queries per-process — svchost.exe querying a domain is normal, calc.exe querying a domain is not
  • JA3/JA3S fingerprinting: TLS handshake fingerprints — C2 frameworks like Cobalt Strike, Metasploit, and Empire have distinctive JA3 hashes

Key C2 questions:

  • Is the destination IP known-threat intel flagged?
  • Is the domain registered recently (< 30 days)?
  • Is the traffic pattern periodic (beaconing) or event-driven?
  • Which process is making the connection? Is that normal for this host?

Stage 7: Actions on Objectives

What the adversary does: The attacker accomplishes their goal — data theft, ransomware deployment, system destruction, or long-term espionage. Everything prior was setup for this moment.

MITRE ATT&CK mapping:

TechniqueIDWhat It Looks Like
Data Encrypted for ImpactT1486Ransomware execution — mass file encryption, extension changes
Exfiltration Over C2 ChannelT1041Data sent back over the existing C2 channel
Exfiltration Over Alternative ProtocolT1048Data exfiltration via DNS, HTTP, FTP to an external server
Exfiltration Over Web ServiceT1567Data uploaded to cloud storage, file sharing, or paste sites
Account Access RemovalT1531Deleting or disabling user accounts
System Shutdown/RebootT1529Forcing reboots during ransomware recovery
Business ImpactT1485Data destruction — overwriting files with garbage

Detection opportunities:

  • Volume monitoring: Spike in outbound data volume per host (exfiltration), especially after hours or to unusual destinations
  • File mass modification: Ransomware signature — thousands of file modification events in a short window
  • SMB connection volume: Host connecting to many file shares in a short time — reconnaissance for exfiltration targets
  • Cloud API events: GetObject on many S3 keys, Download on many SharePoint files
  • DLP alerts: Sensitive data leaving the network

Walkthrough: Ransomware Intrusion Mapped to the Kill Chain

Let’s walk a real-world ransomware attack through all seven stages.

Scenario: A law firm is hit by a ransomware attack attributed to the LockBit group.

StageWhat HappenedDetection PointHow to Block Disruption
1. ReconnaissanceAttacker scans the firm’s VPN gateway, finds open RDP on a non-standard port via Shodan.Firewall logs show scanning from multiple IPs targeting ports 3389, 443, 22 over 48 hours.Block: Rate-limit failed connections. Move RDP behind a VPN.
2. WeaponizationAttacker prepares a LockBit binary with a C2 domain registered 5 days ago on Namecheap.No direct detection (off-network). But threat intel may flag the new domain.Block: Domain reputation feed blocks the C2 domain in DNS/proxy before delivery.
3. DeliveryAttacker logs into RDP using credentials obtained from a past breach (credential stuffing).Windows Event 4625 (failed logins) × 200, then 4624 (successful login) from a new IP.Detect: Anomalous source IP + MFA prompt would stop this.
4. ExploitationAttacker runs a PowerShell download cradle from a typosquatted file-sharing domain.Sysmon Event 1: powershell.exe -EncodedCommand... from RDP session. EDR: PowerShell connecting to suspicious domain.Detect: Execution policies, AppLocker, Sysmon alert on encoded PowerShell.
5. InstallationAttacker creates a scheduled task to re-launch the payload every hour and disables Windows Defender via registry.Windows Event 4698 (task created). Sysmon Event 13 (Defender disable registry value set).Detect: Alert on 4698 + registry modification to Defender settings.
6. C2The binary beacons to evil-c2.lockbit[.]ru over HTTPS on port 443 every 60 minutes.DNS log: regular query to unfamiliar domain. Proxy log: HTTPS POST with consistent payload size.Block: DNS sinkhole the domain. Block the IP in the firewall.
7. Actions on ObjectivesRansomware encrypts all file shares and mapped drives, drops ransom notes. 20 GB of data exfiltrated before encryption triggers.EDR: mass file extension change (.lockbit). Volume monitoring: 20 GB outbound to external IP in 10 minutes.Response: Isolate host, kill C2 process, take down file shares.

Key takeaway: The best place to disrupt this attack was Stage 6 (C2). By the time actions on objectives start, data has already been stolen. Detection at Stage 3 (Delivery) or Stage 4 (Exploitation) prevents the most damage.


Kill Chain vs. MITRE ATT&CK — Why You Need Both

The Kill Chain and MITRE ATT&CK are complementary, not competing.

Kill ChainMITRE ATT&CK
PerspectiveSequential (linear stages)Matrix (tactic → technique)
Granularity7 stages14 tactics, hundreds of techniques
Best useTop-down: “where in the intrusion are we?”Bottom-up: “which specific technique is this?”
Defender focus”Break any link in the chain""Detect at each tactic”

Working together: When you identify a technique, map it to a Kill Chain stage to understand the adversary’s progression. When you identify a Kill Chain stage, drill into MITRE ATT&CK for the specific techniques to detect.

Sources