more on JOHLEM.net

---------------------------------------------------
CYBER KILL CHAIN CHEATSHEET
---------------------------------------------------

OVERVIEW:
- Framework for identifying and preventing network intrusions.
- Based on the military "kill chain" concept (target, attack, destroy).
- Established by Lockheed Martin in 2011.
- Helps detect ransomware, breaches, and APTs.

PHASES OF THE CYBER KILL CHAIN:
---------------------------------------------------
1. **Reconnaissance**:
   - Goal: Gather information on the target.
   - Techniques:
     - OSINT: Collect public data (emails, phone numbers, company size).
       - Tools:
         - `theHarvester`: Emails, subdomains, IPs, URLs.
         - `Hunter.io`: Domain contact details.
         - `OSINT Framework`: Categorized OSINT tools.
     - Social Media: LinkedIn, Facebook, etc.
   - Example: Email harvesting for phishing attacks.
---------------------------------------------------
2. **Weaponization**:
   - Goal: Create a malicious payload.
   - Components:
     - **Malware**: Disrupt or access systems.
     - **Exploit**: Use system vulnerabilities.
     - **Payload**: Malicious code execution.
   - Examples:
     - Infected MS Office docs with macros.
     - USB drives with malware.
     - C2 techniques for remote control.
---------------------------------------------------
3. **Delivery**:
   - Goal: Transmit the payload.
   - Methods:
     - Phishing Emails: Fake invoices, targeted spear-phishing.
     - USB Drops: Infected drives left in public places.
     - Watering Hole Attacks: Compromised websites leading to downloads.
   - Example: Fake Office 365 login page link.
---------------------------------------------------
4. **Exploitation**:
   - Goal: Exploit system vulnerabilities.
   - Techniques:
     - Phishing links or malicious attachments.
     - Zero-day Exploits: Unknown vulnerabilities.
     - Lateral Movement: Expand network access.
   - Example: Victim opens malicious email attachment.
---------------------------------------------------
5. **Installation**:
   - Goal: Achieve persistence on the victim's system.
   - Methods:
     - Web Shells: Malicious scripts on servers.
     - Backdoors: Continuous access points.
     - Windows Services Modification: Execute scripts regularly.
     - Registry Keys: Payload execution on startup.
   - Example: `Meterpreter` for backdoor installation.
---------------------------------------------------
6. **Command & Control (C2)**:
   - Goal: Remote control of infected systems.
   - Channels:
     - **HTTP/HTTPS**: Evade detection with legitimate traffic.
     - **DNS Tunneling**: Malicious DNS requests.
   - Example: Malware communicates with external C2 server.
---------------------------------------------------
7. **Actions on Objectives**:
   - Goal: Fulfill the attacker's objectives.
   - Activities:
     - Credential theft.
     - Privilege escalation.
     - Internal reconnaissance.
     - Lateral movement.
     - Data exfiltration.
     - Backup deletion or data corruption.
   - Example: Stealing sensitive company data.
---------------------------------------------------

LIMITATIONS & RECOMMENDATIONS:
---------------------------------------------------
- Traditional Cyber Kill Chain focuses on malware and network threats.
- **Limitations**:
  - Doesn't address insider threats.
  - Lacks updates since 2011.
- **Recommendations**:
  - Use MITRE ATT&CK & Unified Kill Chain for broader defense.
  - Leverage AI and behavioral analytics.
---------------------------------------------------

KEY RESOURCES & TOOLS:
---------------------------------------------------
- **OSINT Tools**: `theHarvester`, `Hunter.io`, `OSINT Framework`.
- **C2 Tools**: Knowledge of beaconing (e.g., HTTP, DNS).
- **Persistence Techniques**: Refer to MITRE ATT&CK T1543.003.
---------------------------------------------------

OUTCOME:
- Recognize attack phases.
- Break the kill chain to defend systems effectively.
- Combine traditional frameworks with modern approaches.
---------------------------------------------------
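"Break the kill chain" means spotting the later phases before Actions on Objectives. The script below is an added example (not from the cheatsheet or JOHLEM.net) that runs detection logic for phase 5 (Installation: Run-key and service persistence, cf. T1543.003) and phase 6 (C2: DNS tunneling and HTTP beaconing) over a handful of constructed log lines. The pipe-separated log format, the sample hosts and domains, and the thresholds (30-character label, 3.5 bits of entropy, 4 requests, 10% interval variance) are all assumptions chosen for the demonstration, not values from any product.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real telemetry). Assumed format: "timestamp|source|detail".
SAMPLE_LOGS = [
    # Sysmon-style registry write to a Run key: startup persistence (phase 5, Installation)
    "2024-01-05T09:00:01|registry|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater=C:\\Users\\bob\\AppData\\Roaming\\svc.exe",
    # New service installed, cf. ATT&CK T1543.003 (phase 5, Installation)
    "2024-01-05T09:00:05|service|ServiceName=WinSyncSvc ImagePath=C:\\ProgramData\\sync\\sync.exe",
    # Unrelated registry write: must not be flagged
    "2024-01-05T09:01:00|registry|HKCU\\Software\\Vendor\\App\\Theme=dark",
    # DNS queries whose leftmost label is long and random-looking: tunneling suspect (phase 6, C2)
    "2024-01-05T09:02:00|dns|a8f3k2m9x1q7z4b6n0p5w2e8r3t7y1u9i4o2.tunnel.example",
    "2024-01-05T09:02:01|dns|q9w8e7r6t5y4u3i2o1p0a9s8d7f6g5h4j3k2.tunnel.example",
    "2024-01-05T09:02:30|dns|www.example",
    # One request every 120 s to the same host: beaconing suspect (phase 6, C2)
    *[f"2024-01-05T10:{m:02d}:00|http|GET /update HOST=cdn.example" for m in range(0, 10, 2)],
    # A single request elsewhere: too few samples to call a beacon
    "2024-01-05T10:03:17|http|GET / HOST=news.example",
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
HOST_RE = re.compile(r"HOST=(\S+)")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded/random tunnel labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line: str):
    ts, source, detail = line.split("|", 2)
    return datetime.fromisoformat(ts), source, detail


def check_installation(source: str, detail: str):
    """Phase 5 indicators: Run-key writes and new service installs."""
    if source == "registry" and RUN_KEY_RE.search(detail):
        return "Run key modified (payload execution on startup)"
    if source == "service":
        return "new service installed (T1543.003)"
    return None


def check_dns_tunneling(qname: str, min_len: int = 30, min_entropy: float = 3.5):
    """Phase 6 indicator: a long, high-entropy leftmost label carries encoded data."""
    label = qname.split(".")[0]
    h = shannon_entropy(label)
    if len(label) >= min_len and h >= min_entropy:
        return f"long high-entropy label ({len(label)} chars, H={h:.2f} bits)"
    return None


def find_beacons(http_events, min_requests: int = 4, max_cv: float = 0.1):
    """Phase 6 indicator: requests to one host at near-constant intervals.
    Returns {host: mean_interval_seconds} for hosts whose inter-request gaps
    have a coefficient of variation (stddev/mean) at or below max_cv."""
    by_host = defaultdict(list)
    for ts, detail in http_events:
        m = HOST_RE.search(detail)
        if m:
            by_host[m.group(1)].append(ts)
    beacons = {}
    for host, times in by_host.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[host] = avg
    return beacons


def analyze(lines):
    """Tag each suspicious event with the kill-chain phase it evidences."""
    findings, http_events = [], []
    for line in lines:
        ts, source, detail = parse_line(line)
        reason = check_installation(source, detail)
        if reason:
            findings.append({"phase": 5, "name": "Installation", "reason": reason, "evidence": detail})
        elif source == "dns":
            reason = check_dns_tunneling(detail)
            if reason:
                findings.append({"phase": 6, "name": "Command & Control", "reason": reason, "evidence": detail})
        elif source == "http":
            http_events.append((ts, detail))
    for host, interval in find_beacons(http_events).items():
        findings.append({"phase": 6, "name": "Command & Control",
                         "reason": f"regular beaconing every {interval:.0f} s", "evidence": host})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"phase {f['phase']} {f['name']}: {f['reason']} <- {f['evidence']}")
```

Run as-is to see two Installation findings and three C2 findings printed; feed real Sysmon registry/service events, DNS query logs and proxy logs through `parse_line` once they are mapped onto the assumed `timestamp|source|detail` shape. The beacon check deliberately requires several samples, since a jittered or long-sleep beacon needs a longer observation window than a short log excerpt provides.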