Understanding the Cyber Kill Chain
The Cyber Kill Chain is a model developed by Lockheed Martin for understanding and preventing cyber attacks. It is a framework that outlines the stages of a cyber attack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
By understanding these stages, organizations can implement measures to detect and disrupt the attack at various points along the chain, ultimately enhancing their overall cybersecurity posture. Kill Chain analysis can identify a defensive course of action to counter the progress of an attack at each stage.
The Cyber Kill Chain is based on the MITRE ATT&CK framework. The MITRE Corporation maintains a knowledge base that lists and explains specific adversary tactics, techniques, and common knowledge or procedures.
Reconnaissance
An attacker determines what methods can be used to complete the attack phase.
Resource Development: Get infrastructure information (via compromise or otherwise) → Build malware → Compromise accounts.
Initial Access: Phishing, Hardware placements, Supply chain compromise, Exploit public-facing apps, OSINT, Google Dorking, Shodan.
Weaponization
The attacker couples payload code that enables access with exploit code that uses a vulnerability to execute on the target system.
Credential Access:
Brute force, access password managers, keylogging.
/etc/passwd & /etc/shadow.
Windows DCSync, Kerberos Golden & Silver tickets.
Clear-text creds in files/pastebin, etc.
Delivery
The attacker identifies a vector to transmit the weaponized code to the target environment.
Discovery: Network scanning, Finding accounts by listing policies, Finding remote systems, software, and system information, VM/sandbox.
Exploitation
The weaponized code is executed on the target system by this mechanism.
Execution: Shells and interpreters (PowerShell, Python, JavaScript, etc.), Scheduled tasks, and Windows Management Instrumentation (WMI).
Privilege Escalation: Sudo, token/key theft, IAM/group policy modification. Many persistence exploits are PrivEsc methods, too.
Installation
This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.
Persistence: Additional accounts/creds. Start-up/log-on/boot scripts, modify launch agents, DLL side-loading, Webshells, Scheduled tasks.
Lateral Movement: SSH/RDP/SMB, Compromise shared content, internal spear phishing, Pass the hash/ticket, tokens, cookies.
Command and Control (C2)
The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.
Command and Control (C2): Web service (dead drop resolvers, one-way/bi-directional traffic), encrypted channels, Removable media, Steganography, encoded commands.
Collection: Database dumps, Audio/video/screen capture, keylogging, Internal documentation, network shared drives, internal traffic interception.
Actions (Exfiltration)
Exfiltration: Removable media/USB, Bluetooth exfiltration, C2 channels, DNS exfil, web services like code repos & Cloud backup storage, Scheduled transfers.
Impact: Deleted accounts or data, encrypted data (like ransomware), Defacement, Denial of service, shutdown/reboot systems.
Defense Evasion: Disable detection software & logging, Revert VM/Cloud instances, Process hollowing/injection, and rootkits.
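Added example (not part of the original page): the stage-to-tactic grouping above applied to alerts that carry an ATT&CK tactic name, reporting per host the furthest kill chain stage observed and the earlier stages that produced no alert, which are the places to review detection coverage. The alert fields (`host`, `tactic`, `rule`), the host names and the sample alerts are constructed for illustration.

```python
from collections import defaultdict

# Kill chain stages in order, each with the ATT&CK tactics this page lists under it.
STAGES = [
    ("Reconnaissance", ["Resource Development", "Initial Access"]),
    ("Weaponization", ["Credential Access"]),
    ("Delivery", ["Discovery"]),
    ("Exploitation", ["Execution", "Privilege Escalation"]),
    ("Installation", ["Persistence", "Lateral Movement"]),
    ("Command and Control (C2)", ["Command and Control", "Collection"]),
    ("Actions (Exfiltration)", ["Exfiltration", "Impact", "Defense Evasion"]),
]
NAMES = [name for name, _ in STAGES]
TACTIC_TO_STAGE = {t: i for i, (_, tactics) in enumerate(STAGES) for t in tactics}

# Constructed sample alerts (not real telemetry); field names are assumptions.
SAMPLE_ALERTS = [
    {"host": "ws-017", "tactic": "Initial Access", "rule": "phishing attachment opened"},
    {"host": "ws-017", "tactic": "Execution", "rule": "encoded PowerShell command"},
    {"host": "ws-017", "tactic": "Command and Control", "rule": "periodic outbound beacon"},
    {"host": "srv-db02", "tactic": "Exfiltration", "rule": "high-volume DNS TXT queries"},
    {"host": "srv-db02", "tactic": "Recon", "rule": "alert with a non-ATT&CK label"},
]

def kill_chain_progress(alerts):
    """Return ({host: progress}, unmapped_alerts) for tactic-tagged alerts."""
    seen, unmapped = defaultdict(set), []
    for alert in alerts:
        idx = TACTIC_TO_STAGE.get(alert["tactic"])
        if idx is None:
            unmapped.append(alert)  # unknown label: surface it instead of dropping it
            continue
        seen[alert["host"]].add(idx)
    report = {}
    for host, stages in seen.items():
        furthest = max(stages)
        report[host] = {
            "furthest": NAMES[furthest],
            "observed": [NAMES[i] for i in sorted(stages)],
            # Earlier stages with no alert: the attack passed through undetected there.
            "blind_spots": [NAMES[i] for i in range(furthest) if i not in stages],
        }
    return report, unmapped

if __name__ == "__main__":
    report, unmapped = kill_chain_progress(SAMPLE_ALERTS)
    for host, info in sorted(report.items()):
        print(host, info)
    print("unmapped:", [a["rule"] for a in unmapped])
```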