TryHackMe Cyber Kill Chain Room


Explore the Cyber Kill Chain by Lockheed Martin

Task 1 – Introduction

Inspired by military kill chains, the Cyber Kill Chain is a cyber security framework introduced by Lockheed Martin in 2011. It was created to help organisations defend against cyber attacks by understanding how they are conducted. The Cyber Kill Chain divides an attack into seven stages:

  1. Reconnaissance: In the first stage, the attacker gathers information about the target
  2. Weaponisation: Once proper reconnaissance is conducted, the attacker creates a deliverable payload or modifies an existing one based on the target system’s vulnerabilities
  3. Delivery: Once ready, the attacker sends the weaponised payload to the target
  4. Exploitation: Once executed, the payload exploits a vulnerability in the target’s system
  5. Installation: The exploitation enables the attacker to install a backdoor or malware to maintain persistence in the target’s environment
  6. Command & Control (C2): Using the installed backdoor, the attacker can control the compromised system
  7. Actions on Objectives: Having reached this far, the attacker can now carry out further actions such as data exfiltration or the exploitation of other systems

How many phases comprise the Cyber Kill Chain?

7

Task 2 – Reconnaissance

Reconnaissance has its origins in the military and refers to the act of gathering information about a target. In cyber security, this stage collects information about the target’s vulnerabilities and weaknesses to discover potential entry points.

Reconnaissance can be divided into two types: passive and active. When carrying out passive reconnaissance, the attacker performs their activities without making any “noise,” for example, using open-source intelligence (OSINT). However, in the case of active reconnaissance, the attacker cannot remain completely quiet and invisible; it requires some form of interaction with the target organisation, such as using social engineering against the target’s personnel or scanning a target system for vulnerabilities.

What is the term for using search engines to reveal sensitive information and confidential files?

Google Dorking

What type of reconnaissance is it where the attacker checks the social media pages?

Passive Reconnaissance

Task 3 – Weaponisation

Weaponisation is the process of turning something, such as software, data or technology, into a tool for causing harm or gaining an advantage.

Example:

In cyber security, a vulnerability in Microsoft Word can be weaponised by embedding malicious code in a document. When the victim opens the file and the embedded code executes, their system is compromised.

What technique is mentioned to evade detection by making it challenging to analyse the malicious code?

Obfuscation

Obfuscation is used to hide malicious code or actions from security tools or analysts.

Example: A hacker obfuscates malware code by using symbols, junk code, or encryption so that antivirus software cannot easily detect it.
Instead of:

delete_all_files()

It might look like:

exec(''.join([chr(x) for x in [100, 101, 108, 101, 116, 101, 95, 97, 108, 108, 95, 102, 105, 108, 101, 115, 40, 41]]))

(The integers are the character codes of "delete_all_files()", so the call is rebuilt at run time and never appears as plain text in the file.)

This makes the attack harder to detect or reverse-engineer.
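The defender's counterpart to the trick above is to recover the hidden string without running it. The following added example (not part of the original room or walkthrough) parses a Python snippet with the standard `ast` module, looks for `exec()` or `eval()` whose argument is the `''.join(chr(x) for x in [...])` pattern, and decodes the integer list statically. The sample source is constructed for this example and is the snippet shown above.

```python
import ast

# Constructed sample for this example: the exec(''.join(chr(...))) form shown above.
# The integer list decodes to "delete_all_files()".
OBFUSCATED_SAMPLE = (
    "exec(''.join([chr(x) for x in [100, 101, 108, 101, 116, 101, 95, 97, 108, 108, "
    "95, 102, 105, 108, 101, 115, 40, 41]]))"
)


def _decode_chr_join(node):
    """Return the string built by ''.join(chr(v) for v in [ints]) if `node` has
    exactly that shape, otherwise None. Nothing here executes the input."""
    # Expected shape: Call(func=Attribute(value=Constant(''), attr='join'), args=[comprehension])
    if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "join" and isinstance(node.func.value, ast.Constant)
            and node.func.value.value == "" and len(node.args) == 1):
        return None
    comp = node.args[0]
    if not isinstance(comp, (ast.ListComp, ast.GeneratorExp)) or len(comp.generators) != 1:
        return None
    elt, gen = comp.elt, comp.generators[0]
    # The element must be chr(<loop variable>) over a single loop variable.
    if not (isinstance(elt, ast.Call) and isinstance(elt.func, ast.Name)
            and elt.func.id == "chr" and len(elt.args) == 1
            and isinstance(elt.args[0], ast.Name) and isinstance(gen.target, ast.Name)
            and elt.args[0].id == gen.target.id):
        return None
    try:
        codes = ast.literal_eval(gen.iter)  # only literals are accepted; a Name raises ValueError
    except ValueError:
        return None
    if not all(isinstance(c, int) and 0 <= c < 0x110000 for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def recover_exec_payloads(source):
    """Statically recover strings fed to exec()/eval() through the chr-join trick.
    Returns a list of (sink_name, decoded_string) pairs in source order."""
    tree = ast.parse(source)
    found = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args):
            decoded = _decode_chr_join(node.args[0])
            if decoded is not None:
                found.append((node.func.id, decoded))
    return found


if __name__ == "__main__":
    for sink, payload in recover_exec_payloads(OBFUSCATED_SAMPLE):
        print(f"{sink}() would run: {payload!r}")
```

Because the decoder walks the syntax tree rather than executing anything, it is safe to point at untrusted samples; it deliberately handles only this one layer of obfuscation, and real samples often stack several (base64, XOR, string reversal) that each need their own pattern.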

What built-in feature makes creating a malicious MS Office document possible?

Macro

Task 4 – Delivery

In the previous stage, the attacker prepared a tailored payload, and now, they need to find a suitable way to transmit it to the target environment. They can pick an appropriate delivery method using the information gathered from reconnaissance.

Example:

An attacker sends a phishing email with an infected PDF attachment.
When the victim opens the PDF, the malware is delivered to their system.

What method involves showing advertisements on legitimate websites to redirect users to malicious pages?

Malvertising

What phishing attack sends text messages with malicious links or instructions to download malware?

SMS Phishing (Smishing)

Task 5 – Exploitation

Following the successful delivery of the malicious payload comes the exploitation stage. The weakness being exploited can take various forms, such as a software vulnerability, a weak password, or a system misconfiguration.

Exploitation: Examples

The attacker might use various ways to exploit a system. The most straightforward approach is targeting a password-based authentication system. If the password is a default or weak password, it is easy for the attacker to discover; alternatively, the attacker can use phishing or more sophisticated techniques to trick the user into submitting their password.

What type of exploit is used before the vendor becomes aware of a vulnerability?

Zero-day exploit

What technology is mentioned to prevent an attacker from gaining access even with valid login credentials?

MFA

Task 6 – Installation

Following the successful exploitation of a target system, the installation phase ensures persistent access to the exploited system. Consequently, the attacker can return to the exploited system later without going through the exploitation phase again. The keyword here is persistence.

Installation means setting up the malware on the victim’s system so it can run and stay there.

Example:

After you click a fake software update, malware is installed quietly in the background and configured so that it runs every time the computer starts.

What tactic allows attackers to execute operating system commands on a target via a web browser interface?

Web shell

What technique is mentioned to prevent the execution of unauthorised or malicious software by only allowing approved applications to run?

allowlisting

Task 7 – Command and Control (C2)

Command and Control (C2) is when the attacker takes control of the infected system and sends it instructions remotely.

Example:

After malware is installed on a victim’s computer, it connects to the attacker’s server. The attacker then sends commands like “steal files” or “download more malware” — all without the victim knowing.

What is the name of the tactic where data is hidden within DNS queries?

DNS tunnelling
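DNS tunnelling works because the attacker controls the authoritative server for some domain and the implant encodes data into the leftmost label of the names it looks up, so each query carries a chunk of data out (and each answer a chunk back). The following added example (not part of the original room or walkthrough) shows the detection side: it parses a small, constructed DNS query log, groups queries by base domain, and flags domains that receive many distinct, long, high-entropy labels. The log format and thresholds are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed sample log for this example, one query per line:
# "<unix_ts> <client_ip> <qname> <qtype>". The tun.example.net queries imitate an
# implant pushing 16 bytes per query, hex-encoded into the leftmost label.
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com MX
1700000003 10.0.0.7 2f7a9c1e4b8d3f6a0c5e7b9d1f3a5c7e.tun.example.net TXT
1700000004 10.0.0.7 9e1d3b5f7a2c4e6081a3c5e7f9b1d3f5.tun.example.net TXT
1700000005 10.0.0.7 4c6e8a0b2d4f61839a5b7c9d0e1f2a3b.tun.example.net TXT
1700000006 10.0.0.7 7b9d1f3a5c7e2f7a9c1e4b8d3f6a0c5e.tun.example.net TXT
1700000007 10.0.0.7 1f3a5c7e9b1d3f57a2c4e6081a3c5e7f.tun.example.net TXT
1700000008 10.0.0.5 cdn.example.com A
1700000009 10.0.0.9 login.example.org A
"""


def shannon_entropy(s):
    """Bits of entropy per character; hex data approaches 4.0, words sit well below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return (ts, client, qname, qtype) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append((int(ts), client, qname.lower().rstrip("."), qtype))
    return records


def split_name(qname):
    """Return (subdomain_labels, base_domain). Assumes a two-label registrable
    domain (example.net); production tooling should use the Public Suffix List."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return [], qname
    return labels[:-2], ".".join(labels[-2:])


def find_tunnel_candidates(records, min_queries=4, min_label_len=20, min_entropy=3.2):
    """Flag base domains whose leftmost labels look like encoded data: at least
    `min_queries` labels that are long and high-entropy, and almost never repeated."""
    by_domain = defaultdict(list)
    for _, client, qname, qtype in records:
        sub, base = split_name(qname)
        if sub:
            by_domain[base].append((sub[0], qtype, client))
    flagged = {}
    for base, entries in by_domain.items():
        if len(entries) < min_queries:
            continue
        labels = {lbl for lbl, _, _ in entries}
        suspicious = [l for l in labels
                      if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        # Tunnels rarely repeat a label; caches make benign names repeat a lot.
        if len(suspicious) >= min_queries and len(labels) / len(entries) >= 0.9:
            flagged[base] = {
                "queries": len(entries),
                "unique_labels": len(labels),
                "avg_label_len": sum(map(len, labels)) / len(labels),
                "avg_entropy": sum(shannon_entropy(l) for l in labels) / len(labels),
                "qtypes": sorted({q for _, q, _ in entries}),
                "clients": sorted({c for _, _, c in entries}),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in find_tunnel_candidates(parse_log(SAMPLE_LOG)).items():
        print(domain, stats)
```

Treat the output as a lead, not a verdict: some legitimate services (CDNs, anti-spam and telemetry lookups) also generate long pseudo-random labels, so baseline your own resolvers and allowlist known domains before alerting, and extend the features with query volume per client and TXT/NULL record usage over time.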

What protocol would the attacker use to smuggle his data as encrypted web traffic?

HTTPS

Task 8 – Actions on Objectives

After establishing a covert C2 channel, the attacker can finally carry out their original goals, which range from data exfiltration (information theft) to service disruption.

What is the term for stealing sensitive files from a target network?

Data Exfiltration

What principle limits who can access sensitive systems and data to minimise damage caused by an attacker?

principle of least privilege

What type of attack involves encrypting files and demanding payment in exchange for the decryption key?

Ransomware

Task 9 – Conclusion

What is the flag after you complete the static site?

THM{CKC_NJHERDX327}
