Installation Phase of Cyber Kill Chain – The 5th Stage Explained

Written By Sambita Panigrahy  
Anuraag Singh
Approved By Anuraag Singh 
Published On October 9th, 2023
Reading Time 5 Minutes Reading
Overview: This is a continuation post of the kill chain model. In earlier posts, we discussed the initial stages of the cybersecurity framework i.e. Reconnaissance, Weaponization, Delivery, & Exploitation. Here we will take a look into the 5th stage i.e. Installation Phase of Cyber Kill Chain.

Usually, in a persistent attack strategy, adversaries gather information about a potential victim, develop tools that can exploit the present security loopholes, then carefully deliver the exploit and launch the same. When they successfully access and take control of the victim’s IT environment, their next aim is to maintain the access for an extended period of time.

Installation in Cyber Attack – How do Attackers Work in This Phase?

After the exploitation phase is a success, the installation step provides a foothold in the environment to the attackers. Even if a single account is compromised, it could lead to other systems being fickle. Further, the unknowns within the compromised environment could cause a threat actor to be booted out of the network by chance or by design.

In addition, the threat actors take advantage of this situation to create a backdoor through which they can easily re-enter the environment whenever they like and bring additional malware into an environment to compromise other systems.

installation phase of cyber kill chain

Installation Tactics Used by Adversaries

Since the end goal of the attackers is to install a persistent secret door to maintain access for an extended period of time, they follow various techniques to make that a success. Such as;

  • Install Web Shell on a web server: The purpose here is to insert malicious scripts which will enable attackers to compromise the web server and launch additional attacks using the same gateway.
  • Deploy a backdoor or implant in the victim environment
  • Create different persistent points by adding services, Autorun Keys, etc.

Apart from that some adversaries trick their victims. They “time stomp” the file to make the malware appear as if it is a part of the standard operating system installs. 

Sometimes cyberattackers target external-facing systems which they use as part of a botnet. Then, they combine the victim organization’s resources into a larger botnet to maintain access to compromised systems for a very long time.

Meanwhile, the attackers also look for opportunities to establish persistence during the installation step by hiding malware files in system directories and creating a scheduled task. Later, that can trigger the malware to re-establish its connection to the botnet at set intervals of time. As a result, the adversaries can go back to the victim’s environment stealthily at any point in time or if they got disconnected somehow.

Even though the installation phase comes under the last phase of detection, the kill chain can be broken at this stage with correct measures and strategies.

Installation in Cyber Kill Chain – What Security Measures Defenders Take?

 In this stage, adversaries embed themselves more deeply into the target’s environment. So, as defenders, they follow a common but effective defense strategy against the installation stage i.e. understanding the organization’s own environment with practical limitations such as resource allocation and funding. Because analyzing what’s in and beyond your scope is essential in mitigating the risk.

Note: With Attack Surface Management and proper ASM tools, it becomes easier to address cyberattacks before malware could be further embedded into their systems.f

Many cyber experts believe that being proactive is better than being reactive. That’s why they keep in touch with the pulses of trends in cyberattacks through open-source intelligence and examining codes used by the threat actors.

If the security team can detect unusual behavior in the IT environment then eradicating the threat from the root could be easier. Thus, security practitioners recommend companies equip themselves effectively to detect the attacker’s activity.

It can be achieved through:

  • Investing in robust monitoring services like SOC.
  • Regularly testing security products in place with the help of VAPT to identify any gaps in network visibility.

Pro-Tip: The conventional incident response process initiates after the exploit phase. Hence, For companies that have detected a threat actor during the Installation step, should reach out to a professional response team.

Final Verdict

Adversaries, if successfully reach the installation step then their main objective would be to remain in the victim’s environment & keep on accessing and installing other malware without notice. However, at this stage, it’s possible to stop them from causing further damage. With proper preventive measures, it’s possible to detect the attacker’s activity and perform the next steps such as isolating the system or the systems in question. As a result, it becomes easier to catch the threat actor.


Q- What common types of malware do adversaries use in the installation phase?

Generally, they include Trojans, Rootkits, Backdoors, and other malicious software in this phase. Additionally, they do this to maintain access and control of the target’s infrastructure. 

Q- Is the installation phase the only way through which attackers gain access?

No. An adversary can gain access through other means such as lateral movement within a network, privilege escalation, exploiting misconfiguration, etc.

Q- How to detect the installation phase?

Organizations may use different techniques such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Security Information and Event Management (SIEM) Solutions, threat hunting, etc to detect adversaries who want to gain illegal access to a system. 

Q- What should be the next steps of the organization if it suspects an installation phase attack?

After identifying the attack, the very first step an organization should take is to isolate affected systems and investigate the incident. Later apply some strong security techniques to remove the adversary’s presence. Then, implement some robust security measures to prevent such an attack.

Q- How can organizations defend against the dangers of the installation phase?

They can prevent and defend this phase by employing patch management, performing regular software updates, educating the staff by using professional cybersecurity training, etc.