threat intelligence

Analyzing Cyber Kill Chain

Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases an adversary has completed, where defenses succeeded or failed, and what controls would have interrupted the attack at earlier phases. Use when conducting post-incident analysis, building prevention-focused security controls, or mapping detection gaps to kill chain phases. Activates for requests involving kill chain analysis, intrusion kill chain, attack phase mapping, or Lockheed Martin kill chain framework.

defense-in-depthintrusion-analysiskill-chainlockheed-martinmitre-att&cknist-csf
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • Conducting post-incident analysis to determine how far an adversary progressed through an attack sequence
  • Designing layered defensive controls with the goal of interrupting attacks at the earliest possible phase
  • Producing threat intelligence reports that communicate attack progression to non-technical stakeholders

Do not use this skill as a standalone framework — combine with MITRE ATT&CK for technique-level granularity beyond what the 7-phase kill chain provides.

Prerequisites

  • Complete incident timeline with forensic artifacts mapped to specific adversary actions
  • MITRE ATT&CK Enterprise matrix for technique-level mapping within each kill chain phase
  • Access to threat intelligence on the suspected adversary group's typical kill chain progression
  • Post-incident report or IR timeline from responding team

Workflow

Step 1: Map Observed Actions to Kill Chain Phases

The Lockheed Martin Cyber Kill Chain consists of seven phases. Map all observed adversary actions:

Phase 1 - Reconnaissance: Adversary gathers target information before attack.

  • Indicators: DNS queries from adversary IP, LinkedIn scraping, job posting analysis, Shodan scans of organization infrastructure

Phase 2 - Weaponization: Adversary creates attack tool (malware + exploit).

  • Indicators: Malware compilation timestamps, exploit document metadata, builder artifacts in malware samples

Phase 3 - Delivery: Adversary transmits weapon to target.

  • Indicators: Phishing emails, malicious attachments, drive-by downloads, USB drops, supply chain compromise

Phase 4 - Exploitation: Adversary exploits vulnerability to execute code.

  • Indicators: CVE exploitation events in application/OS logs, memory corruption artifacts, shellcode execution

Phase 5 - Installation: Adversary establishes persistence on target.

  • Indicators: New scheduled tasks, registry run keys, service installation, web shells, bootkits

Phase 6 - Command & Control (C2): Adversary communicates with compromised system.

  • Indicators: Beaconing traffic (regular intervals), DNS tunneling, HTTPS to uncommon domains, C2 framework signatures (Cobalt Strike, Sliver)

Phase 7 - Actions on Objectives: Adversary achieves goals.

  • Indicators: Data staging/exfiltration, lateral movement, ransomware execution, destructive activity

Step 2: Identify Phase Completion and Detection Points

Create a phase matrix for the incident:

Phase 1: Recon        → Completed (undetected)
Phase 2: Weaponize    → Completed (undetected — pre-attack)
Phase 3: Delivery     → Completed; phishing email bypassed SEG
Phase 4: Exploit      → Completed; CVE-2023-23397 exploited
Phase 5: Install      → DETECTED: EDR flagged scheduled task creation (attack stalled here)
Phase 6: C2           → Not achieved (installation blocked)
Phase 7: Objectives   → Not achieved

For each phase completed without detection, document the defensive control gap.

Step 3: Map to MITRE ATT&CK for Technique Detail

Each kill chain phase maps to multiple ATT&CK tactics:

  • Delivery → Initial Access (TA0001)
  • Exploitation → Execution (TA0002)
  • Installation → Persistence (TA0003), Privilege Escalation (TA0004)
  • C2 → Command and Control (TA0011)
  • Actions on Objectives → Exfiltration (TA0010), Impact (TA0040)

Within each phase, enumerate specific ATT&CK techniques observed and map to existing detections.

Step 4: Identify Courses of Action per Phase

For each phase, document applicable defensive courses of action (COAs):

  • Detect COA: What detection would alert on adversary activity in this phase?
  • Deny COA: What control would prevent the adversary from completing this phase?
  • Disrupt COA: What control would interrupt the adversary mid-phase?
  • Degrade COA: What control would reduce the adversary's effectiveness in this phase?
  • Deceive COA: What deception (honeypots, canary tokens) would expose activity in this phase?
  • Destroy COA: What active defense capability would neutralize adversary infrastructure?

Step 5: Produce Kill Chain Analysis Report

Structure findings as:

  1. Attack narrative (timeline of phases)
  2. Phase-by-phase analysis with evidence
  3. Detection point analysis (what worked, what failed)
  4. Defensive recommendation per phase prioritized by cost/effectiveness
  5. Control improvement roadmap

Key Concepts

Term Definition
Kill Chain Sequential model of adversary intrusion phases; breaking any link theoretically stops the attack
Courses of Action (COA) Defensive responses mapped to each kill chain phase: detect, deny, disrupt, degrade, deceive, destroy
Beaconing Regular, periodic C2 check-in pattern from compromised host to adversary server; detectable by frequency analysis
Phase Completion Adversary successfully finishes a kill chain phase and progresses to the next; defense-in-depth aims to prevent this
Intelligence Gain/Loss Analysis of whether detecting at Phase 5 (vs. Phase 3) reduced intelligence about adversary capabilities or intent

Tools & Systems

  • MITRE ATT&CK Navigator: Overlay kill chain phases with ATT&CK technique coverage for integrated analysis
  • Elastic Security EQL: Event Query Language for querying multi-phase attack sequences in Elastic SIEM
  • Splunk ES: Timeline visualization and correlation searches for kill chain phase sequencing
  • MISP: Kill chain tagging via galaxy clusters for structured incident event documentation

Common Pitfalls

  • Linear assumption: Adversaries don't always progress linearly — they may skip phases (weaponization already complete from previous campaign) or loop back (re-establish C2 after detection).
  • Ignoring Phases 1 and 2: Reconnaissance and weaponization occur before the defender has visibility. Intelligence about these phases requires external sources (OSINT, threat intelligence).
  • Missing insider threats: The kill chain was designed for external adversaries. Insider threats may skip directly to Phase 7 without traversing earlier phases.
  • Confusing with ATT&CK tactics: The 7-phase kill chain and 14 ATT&CK tactics are complementary but not directly equivalent. Maintain distinction to prevent analytic confusion.
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.7 KB

API Reference: Cyber Kill Chain Analysis Tools

Lockheed Martin Cyber Kill Chain Phases

Phase Name MITRE ATT&CK Tactic
1 Reconnaissance TA0043 Reconnaissance
2 Weaponization TA0042 Resource Development
3 Delivery TA0001 Initial Access
4 Exploitation TA0002 Execution
5 Installation TA0003 Persistence, TA0004 Privilege Escalation
6 Command & Control TA0011 Command and Control
7 Actions on Objectives TA0010 Exfiltration, TA0040 Impact

Courses of Action (COA) Matrix

COA Description
Detect Alert on adversary activity
Deny Prevent phase completion
Disrupt Interrupt adversary mid-phase
Degrade Reduce adversary effectiveness
Deceive Expose activity via deception
Destroy Neutralize adversary infrastructure

MITRE ATT&CK Navigator

JSON Layer Format

{
  "name": "Kill Chain Coverage",
  "versions": {"navigator": "4.8", "layer": "4.4", "attack": "13"},
  "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1566", "color": "#ff6666", "comment": "Phase 3: Delivery"}
  ]
}

CLI Usage

# Export layer via ATT&CK Navigator API
curl -X POST https://mitre-attack.github.io/attack-navigator/api/layers \
  -d @layer.json -o coverage_map.svg

Splunk - Kill Chain Phase Queries

Phase 3 Detection (Delivery)

index=email sourcetype=exchange action=delivered
| eval has_macro=if(match(attachment, "\.(docm|xlsm|pptm)$"), 1, 0)
| where has_macro=1
| stats count by sender, subject, attachment

Phase 6 Detection (C2)

index=proxy OR index=firewall
| stats count AS connections, dc(dest) AS unique_dests by src_ip
| where connections > 100 AND unique_dests < 3
| sort - connections

Elastic Security EQL

Multi-Phase Detection

sequence by host.name with maxspan=1h
  [process where event.action == "start" and process.name == "WINWORD.EXE"]
  [process where event.action == "start" and process.parent.name == "WINWORD.EXE"]
  [network where destination.port == 443 and not destination.ip in ("known_good")]

MISP - Kill Chain Tagging

Galaxy Cluster Tags

misp-galaxy:kill-chain="reconnaissance"
misp-galaxy:kill-chain="delivery"
misp-galaxy:kill-chain="exploitation"
misp-galaxy:kill-chain="installation"
misp-galaxy:kill-chain="command-and-control"
misp-galaxy:kill-chain="actions-on-objectives"

PyMISP Event Tagging

from pymisp import PyMISP, MISPEvent
 
misp = PyMISP("https://misp.example.com", "API_KEY")
event = MISPEvent()
event.add_tag("kill-chain:delivery")
event.add_tag("mitre-attack-pattern:T1566 - Phishing")
misp.update_event(event)

Scripts 1

agent.py10.2 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Cyber Kill Chain analysis agent for mapping incidents to Lockheed Martin kill chain phases."""

import datetime


KILL_CHAIN_PHASES = {
    1: {
        "name": "Reconnaissance",
        "description": "Adversary gathers target information",
        "indicators": [
            "DNS queries from adversary IP",
            "LinkedIn/social media scraping",
            "Shodan/Censys scans of infrastructure",
            "Job posting analysis for technology stack",
            "WHOIS lookups on organization domains",
        ],
        "mitre_tactics": ["TA0043 - Reconnaissance"],
        "coas": {
            "detect": "Monitor for anomalous DNS lookups and port scans from single sources",
            "deny": "Limit public-facing information, restrict DNS zone transfers",
            "disrupt": "Block scanning IPs at perimeter firewall",
            "degrade": "Return honeypot responses to recon probes",
            "deceive": "Deploy decoy infrastructure and fake employee profiles",
        },
    },
    2: {
        "name": "Weaponization",
        "description": "Adversary creates attack tool (malware + exploit)",
        "indicators": [
            "Malware compilation timestamps",
            "Exploit document metadata",
            "Builder tool artifacts in samples",
            "Reused infrastructure from previous campaigns",
        ],
        "mitre_tactics": ["TA0042 - Resource Development"],
        "coas": {
            "detect": "Threat intelligence on adversary tooling and TTPs",
            "deny": "Patch vulnerabilities targeted by known exploit kits",
            "disrupt": "N/A (occurs outside defender visibility)",
            "degrade": "Application hardening reduces exploit reliability",
            "deceive": "Share deceptive vulnerability information",
        },
    },
    3: {
        "name": "Delivery",
        "description": "Adversary transmits weapon to target",
        "indicators": [
            "Phishing emails with malicious attachments",
            "Drive-by download URLs",
            "USB device insertion events",
            "Supply chain compromise artifacts",
            "Watering hole website modifications",
        ],
        "mitre_tactics": ["TA0001 - Initial Access"],
        "coas": {
            "detect": "Email security gateway alerts, proxy URL filtering alerts",
            "deny": "Block malicious attachments, URL filtering, USB device control",
            "disrupt": "Quarantine suspicious emails before delivery",
            "degrade": "Sandbox detonation of attachments delays delivery",
            "deceive": "Canary documents in email attachments",
        },
    },
    4: {
        "name": "Exploitation",
        "description": "Adversary exploits vulnerability to execute code",
        "indicators": [
            "CVE exploitation in application logs",
            "Memory corruption crash dumps",
            "Shellcode execution artifacts",
            "Exploit kit landing page access",
        ],
        "mitre_tactics": ["TA0002 - Execution"],
        "coas": {
            "detect": "EDR behavioral detection, exploit guard alerts",
            "deny": "Patch management, application whitelisting",
            "disrupt": "ASLR, DEP, CFG memory protections",
            "degrade": "Sandboxed application execution (Protected View)",
            "deceive": "Honeypot applications with fake vulnerabilities",
        },
    },
    5: {
        "name": "Installation",
        "description": "Adversary establishes persistence on target",
        "indicators": [
            "New scheduled tasks or services",
            "Registry Run key modifications",
            "Web shell deployment",
            "Startup folder additions",
            "DLL search-order hijacking",
        ],
        "mitre_tactics": ["TA0003 - Persistence", "TA0004 - Privilege Escalation"],
        "coas": {
            "detect": "Sysmon EventID 11/12/13, EDR persistence monitoring",
            "deny": "Application whitelisting, UAC enforcement",
            "disrupt": "Real-time file integrity monitoring alerts",
            "degrade": "Restrict write access to system directories",
            "deceive": "Canary registry keys and file system canaries",
        },
    },
    6: {
        "name": "Command & Control",
        "description": "Adversary communicates with compromised system",
        "indicators": [
            "Beaconing traffic at regular intervals",
            "DNS tunneling (high entropy subdomain queries)",
            "HTTPS to newly registered domains",
            "Known C2 framework signatures",
        ],
        "mitre_tactics": ["TA0011 - Command and Control"],
        "coas": {
            "detect": "Network beacon analysis, JA3 fingerprinting, DNS monitoring",
            "deny": "DNS sinkholing, firewall egress filtering",
            "disrupt": "TLS inspection to identify C2 in encrypted traffic",
            "degrade": "Rate-limit suspicious outbound connections",
            "deceive": "C2 interception and response manipulation",
        },
    },
    7: {
        "name": "Actions on Objectives",
        "description": "Adversary achieves mission goals",
        "indicators": [
            "Data staging and exfiltration",
            "Lateral movement to additional systems",
            "Ransomware encryption activity",
            "Destructive operations (wiper malware)",
            "Credential dumping (LSASS access)",
        ],
        "mitre_tactics": ["TA0010 - Exfiltration", "TA0040 - Impact"],
        "coas": {
            "detect": "DLP alerts, anomalous data transfers, UEBA",
            "deny": "Network segmentation, data classification controls",
            "disrupt": "Isolate compromised systems, kill C2 connections",
            "degrade": "Encrypt sensitive data at rest (attacker gets ciphertext)",
            "deceive": "Canary files and honeytoken credentials",
        },
    },
}


def map_event_to_phase(event_description):
    """Map an incident event description to the most likely kill chain phase."""
    event_lower = event_description.lower()
    keyword_phase_map = {
        1: ["recon", "scan", "enumerat", "shodan", "whois", "dns lookup"],
        2: ["weaponiz", "builder", "compile", "payload creat"],
        3: ["phish", "email", "deliver", "download", "usb", "attachment", "watering hole"],
        4: ["exploit", "cve-", "buffer overflow", "shellcode", "rce"],
        5: ["persist", "scheduled task", "registry", "run key", "service install",
            "web shell", "backdoor", "startup"],
        6: ["beacon", "c2", "c&c", "command and control", "callback", "dns tunnel"],
        7: ["exfiltrat", "lateral", "ransomware", "encrypt", "data stag", "credential dump",
            "mimikatz", "wiper"],
    }
    scores = {phase: 0 for phase in range(1, 8)}
    for phase, keywords in keyword_phase_map.items():
        for kw in keywords:
            if kw in event_lower:
                scores[phase] += 1
    best_phase = max(scores, key=scores.get)
    if scores[best_phase] == 0:
        return None
    return best_phase


def analyze_incident(events):
    """Analyze a list of incident events and map to kill chain phases."""
    analysis = {phase: {"events": [], "detected": False, "completed": False}
                for phase in range(1, 8)}
    for event in events:
        phase = map_event_to_phase(event.get("description", ""))
        if phase:
            analysis[phase]["events"].append(event)
            analysis[phase]["completed"] = True
            if event.get("detected", False):
                analysis[phase]["detected"] = True
    return analysis


def generate_report(analysis):
    """Generate a kill chain analysis report."""
    report_lines = [
        "CYBER KILL CHAIN ANALYSIS REPORT",
        "=" * 50,
        f"Generated: {datetime.datetime.utcnow().isoformat()}Z",
        "",
    ]
    deepest_phase = 0
    detection_phase = None
    for phase_num in range(1, 8):
        phase_data = analysis[phase_num]
        phase_info = KILL_CHAIN_PHASES[phase_num]
        if phase_data["completed"]:
            deepest_phase = phase_num
        if phase_data["detected"] and detection_phase is None:
            detection_phase = phase_num
        status = "COMPLETED" if phase_data["completed"] else "NOT REACHED"
        if phase_data["detected"]:
            status += " (DETECTED)"
        report_lines.append(f"Phase {phase_num}: {phase_info['name']} -> {status}")
        for evt in phase_data["events"]:
            report_lines.append(f"  - {evt.get('description', 'N/A')}")
    report_lines.extend([
        "",
        f"Deepest phase reached: {deepest_phase} ({KILL_CHAIN_PHASES.get(deepest_phase, {}).get('name', 'N/A')})",
        f"First detection at phase: {detection_phase or 'None'}",
        "",
        "RECOMMENDED COURSES OF ACTION:",
    ])
    for phase_num in range(1, deepest_phase + 1):
        phase_info = KILL_CHAIN_PHASES[phase_num]
        report_lines.append(f"\n  Phase {phase_num} - {phase_info['name']}:")
        for coa_type, coa_desc in phase_info["coas"].items():
            report_lines.append(f"    {coa_type.upper()}: {coa_desc}")
    return "\n".join(report_lines)


if __name__ == "__main__":
    print("=" * 60)
    print("Cyber Kill Chain Analysis Agent")
    print("Lockheed Martin framework mapping with MITRE ATT&CK integration")
    print("=" * 60)

    # Demo incident events
    demo_events = [
        {"description": "Shodan scans detected from 203.0.113.50 targeting web servers",
         "timestamp": "2025-09-10T08:00:00Z", "detected": False},
        {"description": "Phishing email with malicious .docm attachment delivered to 5 users",
         "timestamp": "2025-09-11T09:15:00Z", "detected": False},
        {"description": "CVE-2023-23397 exploitation detected in Outlook process crash",
         "timestamp": "2025-09-11T09:20:00Z", "detected": False},
        {"description": "Scheduled task created for persistence by malware dropper",
         "timestamp": "2025-09-11T09:25:00Z", "detected": True},
        {"description": "C2 beacon detected to 185.220.101.42 on port 443",
         "timestamp": "2025-09-11T09:30:00Z", "detected": True},
    ]

    print("\n[*] Analyzing demo incident events...")
    analysis = analyze_incident(demo_events)
    report = generate_report(analysis)
    print(f"\n{report}")
Keep exploring