The cyber kill chain is a series of steps that trace stages of a cyberattack from the early reconnaissance stages to the exfiltration of data. The kill chain helps us understand and combat ransomware, security breaches, and advanced persistent attacks (APTs).
Lockheed Martin derived the kill chain framework from a military model – originally established to identify, prepare to attack, engage, and destroy the target. Since its inception, the kill chain has evolved to better anticipate and recognize insider threats, social engineering, advanced ransomware, and innovative attacks.
Let’s discuss each step in the kill chain in detail.
We have made a lot of assumptions about the security posture of Evil Corp to better describe things.
The attack campaign must be designed carefully and in a stepwise manner so that finer details can be taken into account. In this article, I will be using the popular Lockheed Martin Cyber Kill Chain (CKC) methodology to craft my attack process against Evil Corp. The general workflow is depicted in the figure given below.
This is the initial and the most important step that must be performed patiently for better output. Here, we will collect the information about the target as much as possible using Open Source Intelligence (OSINT) that includes company presence in social media, target mailing lists, and identifying open ports using active recon tools like Nmap or masscan.
The more you can collect with reconnaissance, the higher will be the chance of successful penetration into the target environment.
Using tools like Shodan and theHarvester, we can easily collect emails of the employees and analyze the naming scheme. If the naming scheme is known e.g email@example.com for John Smith. We can easily extend the mailing lists using this scheme and the company employees list which will be later used in the Delivery stage for phishing.
We can also try password spraying to the collected email lists using the data breaches credentials and see if we can get a hit. Due to the password reuse behaviors of people, this is likely to have a successful result.
This is the stage of crafting the malicious payloads that will actually execute inside the target workstations and everything must be done in a stealthy manner so that we don’t get caught. We need to disguise our malware in benign-looking payloads like PDFs, Word documents, or ZIP files.
In the case of our malware, it will be using the EternalBlue exploit at its core. I am pretty confident that this exploit will work because it uses SMB (samba in case of Linux) protocol to spread across the network and is pretty quiet. Since over 600 workstations of Evil Corp are directly connected with switches only, there must be a system in place for files and printer sharing that will definitely use this popular SMB protocol (port 139 and 445). Moreover, 10% of the system runs on Windows XP (windows support already ended) and most of them are still running Windows 7 that haven’t got security updates due to firewall issues, we have a good chance that our payload will work.
We will wrap this payload inside the SFX file with the .exe extension which is a self-extracting archive. So once the victim downloads the attachment in the email, the archive will automatically be extracted and the payload will be injected into the victim workstations.
No matter how state-of-the-art the malware is if there is not any way to deliver the payload to the target. We will be using spear-phishing as our delivery mechanism since we have already harvested enough employee emails from the reconnaissance stage. Targeting a single victim won’t work in our case since there is diversified use of operating systems and we won’t know who is running the machine that is vulnerable to EternalBlue.
The malicious email is depicted below.
We will disguise ourselves as the IT team and send phishing emails concerning the company’s security. We will make the victims believe that there have been malware infections inside the organization and they need to work together to make Evil Corp secure. The company’s logo is also included to make them feel at home. And the red banner is sure to catch the attention of the victims.
The loyal employee will surely feel his/her responsibility to protect the organization from any dangers by downloading the patch. The SFX will automatically extract itself and inject the EternalBlue into the system making our delivery stage successful.
After successful delivery, malware needs to find a way to launch itself on the victim machine. It will look for the vulnerability in the SMB protocol (139 and 445 ports) to exploit the system. The infected host will spread out the malware into the whole network using this protocol since every host will be listening to file shares and printing information all the time. If found, then comes the installation stage where the malware will seek higher privileges in order to maintain persistence.
If the vulnerability is not found in that host, the malware will remain in the dormant stage listening to the further commands from the Command and Control System.
Once the penetration to the network is successful, things won’t stop here. We must seek for ways to stabilize our malware and maintain a thorough persistence on the system so that the malware will survive even after reboot. We will transplant our malware inside the stable background service processes so that connection to C2 will remain at any conditions. Also, local enumeration will be done inside the Windows system to find any possible privilege escalations (lateral or vertical).
Along with the exploitation, the malware will give back a meterpreter session (reverse shell) to us for further commanding. This gives us as an attacker the ability to control the whole flow from a centralized system.
Command and Control
For effective communication with the malware and exfiltrating the confidential data out of the target, we need a centralized commanding server. Since our payload will give back us a reverse shell, there won’t be a problem creating a connection. But generally using a hardcoded IP address for the C2 server is bad practice since it could be easily blacklisted if suspected. In this case, our malware will use Domain Generation Algorithm (DGA) which will generate random domain names that are associated with a live C2 server. So that the domain blacklisting approach won’t work since the IT team won’t know what to block in advance.
Action on objectives
This is the strategic part of the campaign and all the previous steps were executed with the motivation of reaching this stage. The main objective for this attack is to exfiltrate the business data and the employee’s credentials so that we can create a huge business impact on Evil Corp potentially taking down the whole company.
Founder of cybersecnerds.com. Electronics Engineer by profession, Security Engineer by passion.
I am a Linux Enthusiast and highly interested in the offensive side of the CyberSec industry. You will find me reading InfoSec blogs most of the time.