Skip to content

Instantly share code, notes, and snippets.

@githubfoam

githubfoam/kill-chain model

Last active May 29, 2025 13:49
Show Gist options
  • Save githubfoam/b5c74429cf563dcbef8bf0283acccb1e to your computer and use it in GitHub Desktop.
Save githubfoam/b5c74429cf563dcbef8bf0283acccb1e to your computer and use it in GitHub Desktop.
Download ZIP
kill-chain model
Raw
kill-chain model
============================================================================
The kill-chain model, originally developed by Lockheed Martin as the Cyber Kill Chain, is a framework that helps Security Operations Center (SOC) engineers analyze cyberattacks in a structured way. It breaks down an attack into stages, allowing SOC engineers to understand, detect, and respond effectively.
How a SOC Engineer Uses the Kill-Chain Model
SOC engineers use the kill-chain model to:
Detect Threats Earlier: By recognizing attack patterns at different stages, they can stop an attack before it progresses.
Improve Incident Response: Helps prioritize threats based on their progression within the chain.
Strengthen Defenses: Identifies weaknesses in security systems to enhance protections.
Threat Hunting: Proactively searches for indicators of compromise (IoCs) at various stages of an attack.
Real-World Examples
Phishing Attack Prevention (Reconnaissance Stage)
A SOC engineer monitors network activity and email traffic, using tools like Threat Intelligence Platforms to detect phishing attempts targeting employees.
If an attacker is scanning for vulnerabilities (e.g., exposed email addresses or weak credentials), SOC teams can block suspicious IPs before phishing emails are delivered.
Stopping Ransomware (Delivery & Exploitation Stages)
Suppose an attacker sends a malicious link in an email to distribute ransomware.
The SOC engineer detects the suspicious payload using Email Filtering & Sandboxing, preventing the execution of harmful attachments.
If malware is executed, EDR (Endpoint Detection & Response) tools can isolate infected machines before encryption spreads across the network.
Blocking Lateral Movement in an Advanced Persistent Threat (Command & Control Stage)
An attacker who gains initial access (e.g., compromised credentials) may try to move laterally within the network.
SOC engineers monitor privileged account activities using SIEM (Security Information & Event Management) Systems, detecting anomalies.
They can stop the attack by enforcing Zero Trust policies, ensuring compromised accounts can't access sensitive areas.
By understanding the Kill Chain, SOC engineers can anticipate and disrupt cyberattacks efficiently, reducing damage and preventing future incidents.
============================================================================
Example: Defending Against Bank Heist Cyberattacks
Cybercriminals often target banks with sophisticated attacks, like SWIFT fraud, banking trojans, or credential theft. Here's how SOC engineers can stop them using the Kill-Chain Model:
1. Reconnaissance - Attackers Research Targets
Cybercriminals scan banking systems for weaknesses, looking for exposed login portals or vulnerable web apps.
A SOC engineer deploys Threat Intelligence Feeds to track indicators of compromise (IoCs) from known banking cybercriminals and blocks malicious IP addresses.
2. Weaponization - Attackers Develop Malware
Threat actors craft custom banking trojans like Dridex or TrickBot to steal credentials.
The SOC team tests malware samples in a sandbox environment to reverse-engineer the attack before it hits production systems.
3. Delivery - Malware Spreads to Bank Employees or Customers
Attackers use phishing emails with fake financial documents to trick employees into downloading malware.
SOC engineers use Email Filtering & AI-based Detection to block phishing attempts before they reach inboxes.
4. Exploitation - Attackers Gain Access
A bank employee unknowingly enters their credentials into a fake banking site.
Multi-Factor Authentication (MFA) prevents attackers from logging in with stolen credentials.
5. Installation - Malware Executes on the System
If malware is installed, attackers can move laterally to gain deeper access.
SOC teams deploy EDR/XDR solutions to detect and stop unauthorized access.
6. Command & Control - Hackers Communicate with Malware
Malware sends stolen credentials to a remote command-and-control server.
SOC engineers use Network Segmentation & Firewall Rules to cut off outbound traffic to malicious IPs.
7. Actions on Objectives - Attackers Steal Money
The final goal: hackers initiate fraudulent wire transfers, often via SWIFT.
SOC teams set up transaction monitoring & behavioral analytics to detect unusual activity and stop unauthorized transfers.
============================================================================
Core Concept: The Kill Chain breaks an attack into distinct stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), Actions on Objectives). Understanding these stages allows a SOC engineer to:
Detect Attacks Earlier: Identify malicious activity before the final destructive stage.
Prioritize Alerts: Assess the potential impact based on the stage detected.
Investigate Efficiently: Understand the attacker's progress and objectives.
Contain Effectively: Choose the most impactful containment actions.
Prevent Future Attacks: Identify weaknesses exploited at each stage.
Communicate Clearly: Explain the incident's severity and attacker's progress to management.
Real-World Examples of Kill Chain Application in the SOC:
Detecting & Blocking Early Stages (Recon, Weaponization, Delivery):
Scenario: SIEM alerts show a massive spike in failed login attempts (Reconnaissance) targeting VPN gateways from unusual geolocations.
Kill Chain Action: The engineer recognizes this as early recon, likely scanning for weak credentials. They:
Prioritize this alert highly (potential prelude to breach).
Block the source IP ranges at the firewall.
Enforce stricter temporary login attempt limits.
Initiate hunting for other recon activity (e.g., port scans, subdomain enumeration).
Benefit: Attack potentially stopped before delivery/exploitation.
Identifying & Analyzing Delivery & Exploitation (Phishing):
Scenario: Email Security Gateway flags a suspicious email with a macro-enabled attachment (Delivery). An analyst investigates, but the sandbox shows ambiguous results.
Kill Chain Action: The engineer thinks ahead:
Exploitation: Searches endpoints for signs the macro executed (unusual processes spawned, registry changes).
Installation: Looks for persistence mechanisms (new scheduled tasks, services, files dropped in %AppData% or %Temp%).
C2: Checks firewall/proxy logs for connections to known-bad IPs or unusual domains immediately after the email was opened.
Benefit: Focuses the investigation on key indicators post-delivery, confirming compromise faster than just analyzing the email itself. If C2 is found, containment becomes urgent.
Containing an Active Compromise Based on Stage:
Scenario: EDR alert triggers on an endpoint for lsass.exe memory dumping (Actions on Objectives - credential theft).
Kill Chain Action: The engineer assesses the stage:
Seeing Actions on Objectives means earlier stages succeeded.
Critical: Immediately isolate the affected endpoint to stop further damage.
Urgent: Hunt backwards through the chain:
How was it installed? (Check for dropped files, persistence)
How did exploitation occur? (Check for exploit logs, vulnerable software)
How was it delivered? (Check email logs, web downloads)
Was C2 established? (Check network flows for beaconing).
Containment: Block identified C2 domains/IPs at the firewall/Proxy/DNS.
Benefit: Understanding they are at a late stage drives immediate isolation and a broader hunt for the root cause and other compromised systems.
Hunting Proactively Using the Kill Chain:
Scenario: Threat Intel reports a new ransomware variant using specific C2 patterns (Command & Control).
Kill Chain Action: The engineer proactively hunts:
Searches network logs (firewall, proxy, NetFlow) for connections matching the C2 patterns.
If found, immediately investigates those systems:
Look for signs of Installation (ransomware binary, persistence).
Look for signs of Delivery/Exploitation (how did it get in? Phishing? Exploit?).
Searches before the C2 stage: Were there failed exploit attempts (Exploitation), suspicious downloads (Delivery), or recon activity targeting systems known to be vulnerable to the exploit used?
Benefit: Finds compromised systems before ransomware is executed (Actions on Objectives), potentially preventing a major incident.
Improving Defenses & Tuning Detection (Post-Incident):
Scenario: A breach occurred where attackers exfiltrated data (Actions on Objectives).
Kill Chain Action: The engineer maps the attack through the stages:
Recon: How did they find the target? (Can we obscure info better?)
Delivery: Was it phishing? (Need better email filtering/user training?).
Exploitation: What vulnerability was used? (Patch missing?).
Installation: How did they persist? (Can EDR rules detect this persistence mechanism?).
C2: What C2 channels? (Can IDS/NetSec block these domains/patterns faster?).
Actions: How was data found and exfiltrated? (Need DLP? Better access controls?).
Benefit: Provides a structured framework to identify exactly which defenses failed at which stage, enabling precise improvements (patches, new detection rules, configuration changes, training).
Key SOC Engineer Activities Enabled by Kill Chain Knowledge:
Writing Better Detection Rules: Crafting SIEM/IDS/EDR rules targeting specific behaviors at each stage (e.g., detecting large outbound data transfers for Exfiltration, specific registry keys for Installation, known exploit patterns for Exploitation).
Triage & Escalation: Quickly judging "How far along is this attack?" based on the alerts received. An alert for Delivery might be P2, while C2 or Data Exfiltration is P1/Critical.
Incident Reporting: Clearly stating "The attacker achieved Command & Control" or "We detected and blocked at the Delivery stage" provides crucial context on impact and defensive effectiveness.
Threat Intelligence Correlation: Mapping intel about adversary TTPs (Tactics, Techniques, Procedures) to the Kill Chain stages they relate to.
============================================================================
Here's how a SOC Engineer can use knowledge of the Kill Chain model with real-world examples:
1. Enhanced Threat Detection and Alert Prioritization:
Understanding the stages helps in identifying suspicious activities early. Instead of just looking for a successful breach, a SOC Engineer can look for activities associated with earlier Kill Chain stages.
Prioritizing alerts based on Kill Chain progression: Alerts indicating activities in later stages of the Kill Chain (e.g., C2, Actions on Objectives) might warrant higher priority than alerts for earlier stages (e.g., Reconnaissance, Weaponization), as they suggest an attack is further along.
Real-world Example:
Without Kill Chain knowledge: A SOC Engineer might see an alert for an unusual outbound network connection (possible C2) and another for a port scan (possible Reconnaissance) and treat them with similar urgency.
With Kill Chain knowledge: The engineer understands that the outbound connection signifies a later stage of the attack (Command and Control) and immediately prioritizes investigating that alert, as it indicates the attacker might have established a foothold. The port scan, while important, can be investigated after addressing the higher-priority C2 alert.
2. Improved Incident Response and Containment:
Tailoring response actions to the specific Kill Chain stage: The appropriate response to an attack depends heavily on where the attacker is in the Kill Chain.
Identifying the "last point of compromise" for effective containment: By understanding the Kill Chain, the SOC Engineer can pinpoint where the attack was most effectively stopped or contained.
Real-world Example:
Scenario A (Weaponization/Delivery): A SOC Engineer identifies an email attachment containing a malicious macro being delivered to an employee's inbox. Knowing this is the "Delivery" stage, the immediate response is to block the email, remove it from all inboxes, and update email filters to prevent similar attacks. There's no need to hunt for active exploits on endpoints yet, as the attack hasn't progressed to that stage.
Scenario B (Actions on Objectives): A SOC Engineer detects unauthorized data exfiltration from a critical server. This is clearly the "Actions on Objectives" stage. The response shifts to isolating the compromised server, revoking credentials, tracing the exfiltration path, and initiating data recovery/backup procedures, rather than focusing on initial compromise vectors.
3. Proactive Threat Hunting:
Anticipating attacker next steps: By understanding the logical progression of an attack, a SOC Engineer can proactively search for indicators of subsequent stages.
Developing targeted hunt queries: The Kill Chain provides a framework for creating queries that look for specific behaviors at each stage.
Real-world Example:
A SOC Engineer observes a successful phishing attempt (Delivery stage). Instead of just cleaning the infected machine, they immediately start hunting for:
Exploitation: Are there any new processes launched from unusual locations on the compromised machine? (e.g., cmd.exe or powershell.exe run from a temporary directory after clicking a malicious link).
Installation: Are there any new persistence mechanisms established (e.g., new registry run keys, scheduled tasks)?
Command and Control: Are there any suspicious outbound connections to known C2 infrastructure or unusual ports?
This proactive hunting, guided by the Kill Chain, helps uncover the full extent of the compromise and prevent further progression.
4. Forensic Analysis and Root Cause Identification:
Structuring forensic investigations: The Kill Chain provides a systematic approach to reconstructing an attack, helping to identify how the adversary moved through the network.
Pinpointing the initial access vector: Understanding the Kill Chain helps in tracing back to the very first stage where the attacker gained entry.
Real-world Example:
During a post-incident investigation, a SOC Engineer finds evidence of data exfiltration (Actions on Objectives). By applying the Kill Chain, they work backward:
How did the attacker gain control of the system for exfiltration (C2)?
How was the malware installed (Installation)?
What vulnerability or exploit was used (Exploitation)?
How was the initial malicious payload delivered (Delivery)?
What initial reconnaissance was performed (Reconnaissance)?
This structured approach helps identify the root cause of the breach and allows for implementation of preventative measures.
5. Developing and Refining Security Controls:
Mapping security controls to Kill Chain stages: SOC Engineers can identify gaps in their defenses by seeing which Kill Chain stages are not adequately covered by existing security tools or processes.
Implementing controls that disrupt the Kill Chain at multiple points: This makes it harder for attackers to progress.
Real-world Example:
After reviewing several incidents, a SOC Engineer notices that many attacks are progressing through the "Installation" stage because their endpoint detection and response (EDR) solution isn't catching all persistence mechanisms.
Based on Kill Chain knowledge, they recommend implementing more robust host-based intrusion prevention systems (HIPS) or enhancing EDR rules to specifically monitor for common persistence techniques (e.g., suspicious modifications to HKCU\Software\Microsoft\Windows\CurrentVersion\Run, creation of new services). They might also push for stronger application whitelisting to prevent unauthorized executables from running (Exploitation/Installation).
============================================================================
Here's how a SOC engineer should work through this scenario using the kill-chain model:
Step 1: Identify Current Kill-Chain Stage
Stage: Delivery (Stage 3)
The malicious email attachment represents the delivery phase where the weaponized payload is being transmitted to the target. The SOC engineer recognizes this isn't the beginning of the attack - reconnaissance and weaponization have already occurred.
Step 2: Immediate Containment Actions
Block the email at the mail gateway to prevent delivery to other recipients
Quarantine the attachment in the security sandbox
Alert the recipient not to open the attachment if already delivered
Search for similar emails across the organization using email security tools
Step 3: Analyze Previous Kill-Chain Stages
Reconnaissance Investigation:
Review email headers and sender information
Check threat intelligence feeds for known malicious domains/IPs
Analyze if this appears to be targeted spear-phishing or mass campaign
Weaponization Analysis:
Submit the macro-enabled attachment to malware analysis sandbox
Reverse engineer the macro code to understand its payload
Identify what malware family or technique is being used
Step 4: Prepare for Next Kill-Chain Stages
Exploitation Monitoring:
Monitor the recipient's endpoint for signs of macro execution
Set up enhanced logging on the target system
Prepare incident response procedures if exploitation occurs
Installation Prevention:
Ensure endpoint detection and response (EDR) tools are active
Verify antivirus signatures are updated
Check application whitelisting policies
Step 5: Proactive Defense Implementation
Command & Control Preparation:
Block known C2 domains/IPs associated with this malware family
Monitor network traffic for suspicious outbound connections
Configure DNS monitoring for domain generation algorithms if applicable
Actions on Objectives Prevention:
Review data loss prevention (DLP) policies
Ensure file integrity monitoring is active on critical systems
Prepare network segmentation if breach occurs
Step 6: Threat Hunting Activities
Hunt for indicators of previous stages that might have been missed
Search for similar attacks that may have succeeded in the past
Review logs for reconnaissance activities targeting the organization
Step 7: Documentation and Intelligence Sharing
Document the attack vector and indicators of compromise (IOCs)
Update threat intelligence platforms with new indicators
Share findings with threat intelligence community if applicable
Update security awareness training based on attack techniques observed
Step 8: Continuous Monitoring
Monitor for any signs the attack progressed beyond delivery
Watch for the recipient or other users exhibiting compromise indicators
Continue threat hunting for related activity over the following days/weeks
This kill-chain approach ensures the SOC engineer doesn't just react to the immediate threat, but considers the entire attack lifecycle to provide comprehensive protection and prepare for potential escalation.
============================================================================
Email Headers Analysis Example
Sample Email Headers:
From: [email protected]
Reply-To: [email protected]
Return-Path: [email protected]
X-Originating-IP: 185.220.101.45
Received: from mail.bulk-sender-xyz.com (185.220.101.45)
Message-ID: <[email protected]>
Subject: Urgent: Invoice Payment Required - Action Needed
X-Mailer: Mass Mail Pro v3.2
What the SOC Engineer Identifies:
Domain spoofing: "amazom.com" instead of "amazon.com" - classic typosquatting
Mismatched sender paths: From address differs from Reply-To and Return-Path
Bulk mailing infrastructure: X-Mailer shows mass mailing software
Suspicious originating IP: 185.220.101.45 needs investigation
Threat Intelligence Feed Check
SOC Engineer's Investigation Process:
Step 1: IP Address Lookup
Checks VirusTotal: 185.220.101.45 flagged by 12/89 security vendors
MISP threat intelligence: IP associated with "Emotet" malware campaigns
Shodan search: Shows this IP hosts multiple suspicious domains
Step 2: Domain Analysis
"amazom.com" found in multiple threat feeds as known phishing domain
Domain registered 3 days ago with privacy protection
DNS history shows rapid changes in A records (infrastructure rotation)
Step 3: Hash Analysis
Attachment hash: MD5: a1b2c3d4e5f6...
VirusTotal shows 45/70 detections as "Trojan.MacroDownloader"
Matches known Emotet delivery mechanisms in threat intelligence
Campaign Analysis: Targeted vs. Mass
Evidence Suggesting Mass Campaign:
Technical Indicators:
Bulk mailing software signature in headers
Generic subject line: "Urgent: Invoice Payment Required"
No personalization beyond recipient email address
Message-ID shows batch processing format
Same attachment hash seen in 200+ similar emails across multiple organizations
Targeting Analysis:
Recipients span multiple departments and organizations
No evidence of prior reconnaissance on specific individuals
Generic business language without company-specific details
SOC Engineer's Assessment:
CAMPAIGN TYPE: Mass Phishing Campaign
THREAT ACTOR: Likely Emotet botnet operators
SOPHISTICATION: Medium (domain spoofing + macro payload)
TARGETING: Opportunistic rather than targeted
RECOMMENDATION: Implement domain-wide blocks and user awareness
Real-World Decision Making
Based on this analysis, the SOC engineer determines:
Immediate Actions:
Block the sending domain and IP across all email security tools
Search for and quarantine all similar emails organization-wide
This is likely part of a broader campaign affecting multiple organizations
Threat Hunting Scope:
Focus on finding other emails from the same infrastructure
Look for successful compromises from similar campaigns in recent weeks
No need for targeted threat hunting on specific high-value individuals
Communication Strategy:
Issue general security awareness reminder about invoice phishing
No need for targeted warnings to specific executives or departments
Share IOCs with industry threat sharing groups
This analysis approach helps the SOC engineer understand they're dealing with a volume-based opportunistic attack rather than a sophisticated targeted campaign, allowing them to adjust their response strategy and resource allocation accordingly
============================================================================
SCENARIO:
A phishing email with a malicious macro attachment is delivered to an employee's inbox.
1. Reconnaissance
What the attacker does: Gathers information about the target organization and employees (e.g., via LinkedIn, website, past breaches).
SOC Action: This step often happens outside your visibility. But with threat intelligence, you can detect if your org is being targeted.
SOC Engineer Tasks:
Review recent threat intel reports that mention your sector or organization.
Check if there’s been recent domain typosquatting or spoofing of your email domain.
2. Weaponization
What the attacker does: Prepares the malicious document (e.g., a Word file with embedded VBA macro).
SOC Action: If you have a sandbox or threat intel integration, analyze the malicious payload.
SOC Engineer Tasks:
Submit the attachment to a sandbox (e.g., Cuckoo, VirusTotal, FireEye) for dynamic behavior analysis.
Check for known Indicators of Compromise (IOCs): hash, macro content, command patterns.
3. Delivery
What the attacker does: Sends the phishing email with the malicious macro attachment.
SOC Action: This is where you likely first detect the issue.
SOC Engineer Tasks:
Alert is generated from:
Email security gateway (e.g., Proofpoint, Microsoft Defender for Office 365).
SIEM correlation rules (e.g., "suspicious attachment delivered").
Actions:
Quarantine the email if it hasn’t been opened.
Identify and list all recipients of the email.
Extract email headers to identify sending IP/domain and add it to blocklists if needed.
4. Exploitation
What the attacker does: The user opens the attachment and enables the macro, executing the malicious code.
SOC Action: Detect and investigate signs of execution.
SOC Engineer Tasks:
Check endpoint logs or EDR (e.g., CrowdStrike, SentinelOne) for:
Execution of WINWORD.EXE followed by powershell.exe or cmd.exe.
Creation of new scheduled tasks or registry changes.
Create or trigger SIEM use cases that flag Office process spawning unusual children (e.g., Word spawning PowerShell).
5. Installation
What the attacker does: Malware installs itself or creates persistence (e.g., registry run key, scheduled task).
SOC Action: Confirm whether persistence mechanisms were added.
SOC Engineer Tasks:
Use tools like Osquery or Wazuh to inspect for:
New startup entries.
Suspicious scheduled tasks or services.
Dropped binaries or backdoors.
If malware was installed, isolate the endpoint immediately.
6. Command and Control (C2)
What the attacker does: The malware communicates with an external server to receive commands.
SOC Action: Monitor network traffic and detect beaconing behavior.
SOC Engineer Tasks:
Inspect proxy/firewall logs for outbound traffic to suspicious or newly-registered domains.
Use Zeek (Bro) or Suricata to detect:
Regular timed beaconing.
DNS tunneling or uncommon protocols.
If C2 is detected, block domain/IP at firewall and DNS levels.
7. Actions on Objectives
What the attacker does: Begins lateral movement, data exfiltration, or credential theft.
SOC Action: Determine whether attacker achieved objectives.
SOC Engineer Tasks:
Check for lateral movement (RDP, SMB connections) from the affected host.
Look for large outbound file transfers (FTP, HTTP POST) after initial compromise.
Review DLP logs or cloud access logs (e.g., Microsoft 365, Google Workspace) for anomalies.
Incident Response Actions Throughout the Kill Chain
At various stages, the SOC Engineer should:
| Stage | Incident Response Action |
| --------------- | ------------------------------------------------------------- |
| Delivery | Quarantine email, block sender domain/IP |
| Exploitation | Alert on macro execution, isolate endpoint |
| Installation | Remove malware, stop persistence mechanisms |
| C2 | Block C2 communications, extract IOCs for threat sharing |
| Actions on Obj. | Contain affected accounts/systems, preserve forensic evidence |
Post-Incident Activities
Conduct a Root Cause Analysis and Impact Assessment.
Update SIEM rules and detection signatures (YARA, Snort, Sigma).
Share IOCs with threat intel platforms or CERT.
Educate users to detect phishing (Security Awareness Training).
============================================================================
1. Reconnaissance (Pre-Delivery Awareness)
✅ Review threat intel feeds for active phishing/macro malware campaigns
✅ Monitor domain registration alerts for lookalike domains
✅ Inspect email spoofing or typo-squatting attempts targeting the org
✅ Update threat intelligence sources in SIEM/SOAR
2. Weaponization (Malware Identification)
✅ Submit suspicious attachment to sandbox (Cuckoo, VirusTotal, etc.)
✅ Extract macro code for analysis
✅ Identify IOCs: file hashes, embedded URLs, IPs, suspicious strings
✅ Tag artifact with malware family or campaign ID (if known)
3. Delivery (Email Received by User)
✅ Alert from email security gateway or SIEM rule triggers
✅ Quarantine email from all inboxes if not yet opened
✅ Collect email metadata: sender IP, domain, subject, timestamp
✅ Block sender domain/IP in email security system
✅ Search for similar emails in mail logs (vertical/horizontal phishing spread)
4. Exploitation (Macro Executed)
✅ Check EDR or endpoint logs for:
WINWORD.EXE launching powershell.exe, cmd.exe, or mshta.exe
Registry changes, suspicious file drops
✅ Trigger/validate SIEM rules for Office child process anomalies
✅ Isolate affected host from the network
✅ Notify user not to interact further with the file or devic
5. Installation (Persistence Mechanisms)
✅ Investigate persistence techniques (via Osquery, Wazuh, or EDR):
New services, scheduled tasks, autoruns, or registry run keys
✅ Remove malware and persistence artifacts
✅ Capture memory/disk image if forensic analysis is needed
✅ Re-image endpoint if compromise is confirmed
6. Command and Control (C2 Activity)
✅ Monitor network logs (proxy, DNS, firewall) for:
Connections to unknown/suspicious IPs or domains
DNS beaconing, strange protocols (e.g., HTTP POST with encoded payloads)
✅ Block C2 IPs/domains at firewall/DNS level
✅ Extract traffic PCAPs for deeper analysis
✅ Create network IOCs and update detection rules
7. Actions on Objectives (Lateral Movement, Exfiltration)
✅ Review logs for:
Unauthorized lateral movement (SMB, RDP, WMI)
Data exfiltration (FTP, HTTP POST, cloud storage uploads)
✅ Check for credential dumping tools (e.g., mimikatz, LSASS access)
✅ Suspend compromised accounts, reset credentials
✅ Notify DLP/forensics teams if sensitive data may have been exfiltrated
Post-Incident Actions
✅ Conduct Root Cause Analysis (RCA)
✅ Document TTPs observed in MITRE ATT&CK format
✅ Share IOCs with national CERT or industry ISAC
✅ Update SIEM rules and threat detection content
✅ Brief IT/security teams and management
✅ Organize targeted phishing awareness training for affected users
============================================================================
Here is your structured Markdown playbook for the Malicious Macro Email Incident, following the Cyber Kill Chain model. It's suitable for:
SOC internal documentation
SOAR platforms (like TheHive or Cortex)
Integration into ticketing systems or wikis
Conversion to PDF or HTML if needed
# 🚨 Incident Response Playbook: Malicious Macro Email (SOC Use)
## 🔐 Overview
This playbook guides SOC Engineers through detection, containment, and response to a malicious macro embedded in an email attachment, using the Cyber Kill Chain model.
---
## 🔍 1. Reconnaissance
**Objective**: Identify if your organization is being targeted before the attack is delivered.
### Actions:
- [ ] Monitor threat intelligence feeds for phishing or macro campaigns
- [ ] Identify spoofed or typo-squatted domains
- [ ] Review domain registration alerts
- [ ] Ensure SIEM has latest threat intel sources
---
## 📦 2. Weaponization
**Objective**: Analyze the malicious attachment and extract Indicators of Compromise (IOCs).
### Actions:
- [ ] Submit attachment to sandbox (e.g., VirusTotal, Hybrid Analysis, Cuckoo)
- [ ] Extract macro code for static analysis
- [ ] Identify IOCs: hashes, URLs, IPs, domain names
- [ ] Tag artifact with malware family or campaign name (if known)
---
## ✉️ 3. Delivery
**Objective**: Respond to the email delivery before exploitation.
### Actions:
- [ ] Quarantine the email from affected and related inboxes
- [ ] Collect metadata: sender IP, domain, headers, subject
- [ ] Search for similar emails in mail server logs
- [ ] Block sender domain/IP in email gateway or M365 security center
- [ ] Correlate email campaign scope
---
## ⚙️ 4. Exploitation
**Objective**: Detect and contain the execution of the malicious macro.
### Actions:
- [ ] Check EDR logs for:
- `WINWORD.EXE` launching `powershell.exe`, `cmd.exe`, `mshta.exe`
- Creation of unusual processes or scripts
- [ ] Trigger SIEM detection rules for suspicious Office behavior
- [ ] Isolate affected endpoint
- [ ] Notify the user and provide guidance
---
## 🧿 5. Installation
**Objective**: Remove persistence mechanisms if malware was installed.
### Actions:
- [ ] Use EDR, Wazuh, or Osquery to inspect:
- Registry run keys
- Scheduled tasks
- Services
- Auto-start locations
- [ ] Remove malware and persistence entries
- [ ] Capture disk or memory image if needed for forensics
- [ ] Re-image endpoint if full compromise is confirmed
---
## 🌐 6. Command and Control (C2)
**Objective**: Detect and disrupt external communications.
### Actions:
- [ ] Check proxy/firewall logs for outbound connections to unknown domains/IPs
- [ ] Monitor DNS logs for beaconing or tunneling activity
- [ ] Extract PCAPs or NetFlow for analysis
- [ ] Block C2 domains/IPs on perimeter devices
- [ ] Generate and distribute network IOCs
---
## 🎯 7. Actions on Objectives
**Objective**: Prevent data theft, account compromise, or lateral movement.
### Actions:
- [ ] Investigate lateral movement patterns: SMB, RDP, PSExec
- [ ] Check for evidence of credential theft (e.g., LSASS access)
- [ ] Monitor for sensitive file access or upload activity (DLP, cloud logs)
- [ ] Reset affected user credentials
- [ ] Suspend compromised accounts/devices
---
## 🛠️ Post-Incident Actions
### Actions:
- [ ] Perform Root Cause Analysis (RCA)
- [ ] Document all TTPs using MITRE ATT&CK
- [ ] Share IOCs with national CERT/ISAC
- [ ] Update SIEM detection rules
- [ ] Notify management with summary
- [ ] Conduct phishing awareness training for impacted users
---
## 📎 Attachments (Optional)
- IOC Sheet (CSV/XLS): `hashes`, `domains`, `URLs`, `IPs`
- Timeline of Incident (PDF)
- Forensic Report
- MITRE ATT&CK Mapping (table or diagram)
- Screenshots from EDR/Sandbox
============================================================================
The "Docker-compatible SOAR script base (optional)" in the context of a Security Operations Engineer job refers to using a pre-built, containerized environment to run security automation scripts as part of a Security Orchestration, Automation, and Response (SOAR) workflow.
Let’s break this down step by step using your malicious macro email example, and then explain how to create and use a Docker-compatible SOAR script.
What It Means
SOAR: Tools or scripts that automate incident detection, enrichment, response, and remediation.
Docker-compatible: Your script or automation can be containerized and executed in any environment that supports Docker (like XSOAR, TheHive + Cortex, Shuffle, or custom orchestrations).
Script base: The foundational structure to develop and run a repeatable automation workflow.
Example: Malicious Macro Email Automation via Docker-Compatible SOAR Script
💡 Scenario:
You want to automate these tasks when a malicious macro email is detected:
Extract IOCs (e.g., URLs, IPs, hashes)
Submit the file to a sandbox
Quarantine the email
Notify the user
Block the domain or hash in security tools (e.g., EDR, firewall, O365)
Step-by-Step: Build and Use a Docker-Compatible SOAR Script
1. Create the Script (Python Example)
Create malicious_macro_handler.py:
import os
import requests
def extract_iocs(attachment_path):
# Dummy example of extracting a hash
with open(attachment_path, 'rb') as f:
file_hash = hash(f.read())
return {'hash': str(file_hash)}
def submit_to_sandbox(file_path):
# Dummy sandbox submission (placeholder)
print(f"[+] Submitting {file_path} to sandbox...")
def notify_user(email):
print(f"[+] Sending alert to {email}...")
def main():
attachment = os.environ.get("ATTACHMENT_PATH", "/opt/sample.docm")
user_email = os.environ.get("USER_EMAIL", "[email protected]")
print("[*] Starting malicious macro handler...")
iocs = extract_iocs(attachment)
submit_to_sandbox(attachment)
notify_user(user_email)
print("[+] Done. IOCs:", iocs)
if __name__ == "__main__":
main()
2. Create a Dockerfile
FROM python:3.10-slim
WORKDIR /app
COPY malicious_macro_handler.py .
CMD ["python", "malicious_macro_handler.py"]
3. Build the Docker Image
docker build -t macro-soar-script .
4. Run the Container with Environment Variables
docker run --rm \
-e ATTACHMENT_PATH="/opt/malicious.docm" \
-e USER_EMAIL="[email protected]" \
-v /your/path/to/attachments:/opt \
macro-soar-script
Integration Use Case
You can now plug this Docker-compatible script into:
| Platform | Use Case |
| ----------------------- | ---------------------------------------------------------------------- |
| **Shuffle SOAR** | Drag-and-drop Docker container to automate macro detection & response. |
| **TheHive + Cortex** | Configure as an analyzer to respond to alerts. |
| **XSOAR** | Use Docker as a base image for a custom playbook task. |
| **SIEM/Alert pipeline** | Trigger this container on IOC detection via cron/job or webhook. |
Benefits
Portable: Works on any Docker-compatible platform.
Repeatable: Same results in dev, test, prod.
Scalable: Can be auto-scaled as microservices.
Fast Response: Speeds up time to containment.
============================================================================
Scenario: SOC Engineer identifies an email with a malicious macro attachment delivered to an employee's inbox.
Goal: Contain the threat, prevent progression down the Kill Chain, investigate scope, and improve defenses.
Step-by-Step Response Aligned with Kill Chain Stages:
Confirm & Triage (Delivery Stage Focus):
Verify the Alert: Confirm the email security tool/SIEM alert is valid. Check sender address, subject, attachment name, hash (VirusTotal), and any sandbox analysis reports.
Assess Delivery Stage Impact: How many users received it? Was it quarantined or delivered? Did anyone open it? (Check email logs).
Initial Containment (Delivery):
Quarantine the Email: Immediately remove the email from all recipient inboxes using the email security gateway or EDR integration.
Block Sender/Domain/URLs: Block the sender, originating domain, and any embedded URLs at the email gateway and web proxy/firewall.
Triage Priority: Classify this as HIGH PRIORITY. Delivery succeeded; the threat is inside the perimeter.
Investigate Upstream (Reconnaissance & Weaponization):
Reconnaissance Analysis:
Analyze email headers for source IPs, routing, and X-headers. Was this part of a targeted spear-phishing campaign?
Check if the sender domain was recently registered or spoofed.
Search SIEM/logs for prior scanning activity (port scans, vulnerability scans) targeting the employee, their department, or related systems.
Weaponization Analysis:
Submit the attachment to advanced sandboxing (e.g., ANY.RUN, Joe Sandbox, Cuckoo) for deep behavioral analysis.
Analyze the macro code (if possible) for IOCs (IPs, domains, file paths, registry keys, unique strings).
Check threat intel feeds (VirusTotal, AlienVault OTX, commercial feeds) for known associations of the attachment hash, sender, or URLs.
Investigate Downstream (Exploitation & Installation):
Exploitation Check:
Crucial: Determine if the email was opened and the attachment executed. Check:
Email server/client logs (attachment access events).
Endpoint logs (EDR, Windows Event Logs like Security event 4688 Process Creation looking for winword.exe, excel.exe, powershell.exe, cmd.exe, wscript.exe, cscript.exe spawning suspicious child processes).
Macro execution settings: Are macros globally disabled? Was the user tricked into enabling them?
Installation Hunt:
If execution occurred, search endpoints (starting with the recipient's) for indicators from sandbox analysis:
Files dropped in %AppData%, %Temp%, ProgramData.
New registry entries for persistence (Run/RunOnce keys, services, scheduled tasks).
New user accounts or unusual process injections.
Query EDR/SIEM for process lineage involving Office apps spawning suspicious processes.
Hunt for Command & Control (C2):
Network Analysis: Search proxy, firewall, and NetFlow logs for connections originating from the recipient's endpoint (and any other suspected endpoints) to:
Known-bad IPs/Domains from threat intel or sandbox report.
New or rare domains (DGA patterns).
Beaconing patterns (regular, small packets to external IPs).
Connections to uncommon ports (e.g., 4444, 8080).
Endpoint Analysis: Check DNS cache (ipconfig /displaydns), active connections (netstat -ano), and EDR network telemetry on the endpoint.
Contain & Eradicate (Based on Findings):
If NO Execution Detected:
Confirm email is quarantined/deleted everywhere.
Block all related IOCs.
Notify recipient(s) about the phishing attempt (reinforce training).
If EXECUTION Detected:
Isolate Affected Endpoint(s): Immediately disconnect from network via EDR or NAC.
Contain C2: Block identified C2 IPs/domains at firewall/proxy/DNS.
Eradicate Malware: Use EDR to kill malicious processes, delete dropped files, remove persistence mechanisms. Consider full disk wipe/re-image for high-confidence compromise.
Credential Reset: Force password reset for the affected user(s), especially if credential theft tools were seen.
Investigate Actions on Objectives:
Post-Execution Analysis: If exploitation occurred, determine what the malware did or tried to do:
Check for lateral movement attempts (SMB scans, RDP connections, PsExec usage).
Search for data access/exfiltration (large unexpected file transfers, connections to cloud storage, use of rar.exe/7z.exe).
Look for signs of reconnaissance/internal scanning from the compromised endpoint.
Check for privilege escalation attempts.
Post-Incident Activity & Prevention (All Stages):
Document: Create an incident report mapping the attack to the Kill Chain stages based on evidence.
Improve Detection:
Create/tune SIEM/EDR rules for observed TTPs (e.g., Office spawning powershell.exe/cmd.exe, specific registry keys, network IOCs).
Enhance email security rules for similar patterns.
Improve Prevention:
Delivery: Advocate for stricter macro policies (disable by default, trusted locations only), enhanced user training on macro risks.
Exploitation: Ensure endpoint hardening (macro security settings, application control/whitelisting, patching).
Installation/C2: Strengthen EDR policies, network segmentation, outbound traffic filtering.
Threat Hunting: Proactively hunt for similar IOCs or TTPs across the environment.
Communicate: Brief stakeholders on the incident, impact (if any), and steps taken to prevent recurrence.
Key Kill Chain Takeaways in this Scenario:
Detection Point: The SOC caught this at Delivery – a relatively early stage. This is ideal.
Critical Question: "Did it progress past Delivery?" The immediate focus shifts to determining if Exploitation occurred.
Containment Strategy: Depends entirely on the identified stage:
Delivery Only: Block email/IOCs, notify user.
Exploitation/Installation: Isolate endpoint, eradicate malware, reset creds.
C2/Actions: Aggressive containment, deep forensic investigation.
Investigation Flow: Move backwards to understand Recon/Weaponization and forwards to uncover Exploitation -> Installation -> C2 -> Actions.
Prevention Focus: Use findings to bolster defenses at the stage where the attack succeeded (e.g., better email filtering if Delivery succeeded; macro hardening if Exploitation occurred).
By systematically working through the Kill Chain stages, the SOC Engineer ensures no aspect of the attack is overlooked, containment is appropriate to the threat's progression, and lessons learned directly improve defenses against future attacks at the specific stages that were exploited
============================================================================
A SOC Engineer detecting a malicious macro in an email attachment is a serious security incident, and following the Kill-Chain Model step by step ensures a swift and effective response. Here's how they should handle the scenario:
Step-by-Step Approach Using the Kill-Chain Model
1. Reconnaissance – Attacker Gathers Information
The attacker first researches the company and its employees to craft a phishing email.
SOC Action: Use Threat Intelligence feeds to identify known phishing campaigns and attacker tactics.
2. Weaponization – Attacker Creates the Malicious Macro
The attacker embeds a macro in an Office document (e.g., Excel or Word) that, when enabled, executes malicious code.
SOC Action: Analyze email headers and file metadata to detect signs of obfuscation and suspicious payloads.
3. Delivery – Email Is Sent to the Target Employee
The phishing email reaches the employee's inbox, attempting to trick them into opening the attachment.
SOC Action:
Immediately quarantine the email and block the sender's domain using email filtering policies.
Conduct sandbox analysis to simulate opening the attachment in a controlled environment.
4. Exploitation – Employee Opens the File and Enables Macros
If the employee enables macros, the malicious script executes.
SOC Action:
Use Endpoint Detection & Response (EDR) tools to monitor and detect suspicious macro execution attempts.
Notify affected employees not to open similar emails, reinforcing cybersecurity awareness.
5. Installation – Malware Is Installed on the Machine
The macro installs a remote access trojan (RAT) or another form of malware.
SOC Action:
Run a forensic analysis to check for persistence mechanisms.
Apply EDR-based automated remediation to neutralize threats.
6. Command & Control – Attacker Gains Remote Access
The malware establishes communication with a command-and-control (C2) server, allowing remote control.
SOC Action:
Block C2 server connections using firewall rules and DNS filtering.
Isolate compromised systems immediately to prevent further spread.
7. Actions on Objectives – Attacker Executes Final Attack
The attacker may steal credentials, deploy ransomware, or escalate privileges.
SOC Action:
Investigate logs via SIEM (Security Information & Event Management) for lateral movement.
Ensure password resets and access revocations for affected accounts.
Final Remediation Steps
✅ Remove the malicious email from all inboxes. ✅ Scan all endpoints for similar threats. ✅ Implement Application Control Policies to restrict macro execution. ✅ Strengthen email security awareness training for employees.
By following these steps, SOC engineers can effectively prevent malware execution, detect anomalies, and block attacker access before major damage occurs.
============================================================================
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment