Installation in the Cyber Kill Chain
Climbing the Cyber Kill Chain
If you have worked through the more dangerous stages of a cyberattack, you probably know there’s a method to the adversarial madness. Attackers follow a loose sequence of steps to get from “target spotted” to “data exfiltrated” or “system held hostage.” The Cyber Kill Chain is, obviously, one way of describing this sequence. It’s not a law of nature, and attackers don’t always follow it like a checklist, but it helps analysts break down and understand what’s happening.
Installation sits right in the middle of the CKC, right after delivery and exploitation, but before command and control. If you think about it, this stage is where the attacker’s relationship with your system becomes a bit more “personal”. They've knocked on the door, found a way in, and now they're putting down roots. Let’s learn to deal with the issue and how to overcome the problem.
What Adversarial Installation Is
Installation, in this context, is the attacker’s way of gaining and keeping a foothold on the system. It's not just running a script once or dropping a payload that explodes and vanishes. Installation is about establishing persistence. Think of it like a guest who finds the hidden key under your doormat, sneaks in, and sets up a hidden room in your basement. They don’t want you to know they’re there, and they want to be able to come and go even if you change the locks.
From a technical perspective, installation means placing malware, or sometimes just configuring a built-in tool, that gives the attacker future access. It might be a backdoor, a remote access trojan, or a piece of software that connects the compromised system to a larger network of controlled machines. At this stage, attackers want two things: they want to stay under the radar, and they want to ensure that if the system reboots, they still have access afterwards.
The installation phase is all about preparing for what comes next. They’re laying the groundwork for movement, escalation, or stealing data. But nothing that comes after really works unless the installation is successful. If delivery fails, nothing gets in. If exploitation fails, the payload won’t run. But if installation fails, then the attacker is still just a transient glitch in the system. No foothold, no persistence, no long-term control. Not all of us have such luck, but you might just get lucky.
The Cyber Kill Chain’s Take on Installation
Within the Cyber Kill Chain, installation is the fifth stage out of seven. It comes after reconnaissance, weaponisation, delivery, and exploitation. Up to this point, the attacker has gathered information, built a malicious payload, sent it on its way, and tricked the system into running it. But now, the attacker needs to make sure that what they’ve deployed doesn’t just execute once and vanish.
Installation is the moment where malware becomes more than just a flash in the pan. It’s when it embeds into the host system. The CKC doesn’t treat installation as just one thing; it’s a phase that might look different depending on the tools and goals of the attacker. Sometimes it's obvious, like an executable that gets copied into a system directory and registered as a startup process. Other times it's more subtle, like a script hidden in a scheduled task, or a new service that masquerades as something legitimate.
The CKC emphasises installation because it’s often a turning point. It’s the first sign that the attacker isn’t just probing or testing—they’re committing. They’re going from opportunistic to strategic. Once something’s installed, the door is open for command and control traffic, lateral movement, privilege escalation, and everything else that follows.
Also, from a defence perspective, this is a useful place to focus. Unlike earlier phases, which often happen outside your network (like reconnaissance or weaponisation), installation happens inside. That means defenders have more visibility and more options for response. You can’t always stop delivery, and you might not catch exploitation as it happens, but you can detect installation if you’re looking in the right places.
What This Looks Like in Practice
Let’s step away from theory and into the real world for a minute. There’s no shortage of examples where installation played a central role in a breach.
Take the case of the SolarWinds attack. In that campaign, attackers managed to compromise the build process for a legitimate software product. The malicious update got delivered to thousands of organisations, and when it ran, it installed a backdoor that remained dormant for a while before activating. This is a textbook installation. It created persistence in environments that never suspected they were running anything malicious. Even more cleverly, the malware was installed in a way that blended in with the normal behaviour of the SolarWinds product. Detection was extremely difficult, and because it was installed as part of an approved update, it bypassed a lot of security checks.
Or consider the Emotet malware, which has been a persistent nuisance for years. It often arrives through phishing emails, and once the user is tricked into opening an attachment or enabling macros, the malware installs itself and then downloads additional payloads. It doesn’t just run once and leave—it creates registry entries, schedules tasks, and digs in for the long haul. That’s installation at work. Emotet also evolved over time to use modular components and obfuscation, making the installation harder to detect and remove.
You can also look at something like ransomware. Before files are encrypted and demands are made, there’s often an installation step where the malware ensures it can complete its objectives. Ransomware operators don’t just run the encryption module immediately. They install their tools, gain admin access, disable backups, and sometimes even exfiltrate data before locking systems down. Installation isn’t just about persistence in these cases—it’s about control.
Even in smaller incidents—say, a single compromised endpoint in a small business—you’ll often find signs of installation if you know what to look for. A newly added Windows service, a strange process running under a common name, or a Powershell script that keeps executing via Task Scheduler. The methods vary, but the intent is the same: stay embedded, stay undetected.
Ways to Respond and Reduce Risk
Now comes the question of what to do about it. If installation is such a critical step in the kill chain, how do you defend against it?
One of the most important things is to focus on behavior. Signatures and blacklists have their place, but attackers know how to change their code to avoid those. What’s harder to change is the behaviour of installation. If a user’s machine suddenly starts communicating with an external server at odd intervals, or if a new process is spawning command-line tools that are usually reserved for administrators, those are signs worth investigating. Endpoint detection and response (EDR) tools are helpful here, because they can track activities over time and correlate them into alerts.
Good system hygiene is also crucial. That means things like limiting user privileges, enforcing multi-factor authentication, and restricting access to sensitive systems. If an attacker gets in and tries to install something, you want to make it as difficult as possible for them to gain persistence or elevate their access.
Monitoring is a big part of this, too. Logs aren’t glamorous, but they’re one of your best allies. Watch for new services being created, unusual registry changes, unexpected scheduled tasks, and file writes to system directories. These aren’t definitive signs of compromise on their own, but together they can tell a story.
You also want to think about segmentation. If something does get installed on one endpoint, that shouldn’t give it the ability to pivot across your entire environment. Keep your network segmented, limit lateral movement, and use firewalls or access controls to keep systems isolated where possible.
Patch management matters, though it’s more relevant to earlier stages like exploitation. Still, if you make it harder for attackers to get in cleanly, you reduce the chances of them even reaching the installation stage. But don’t rely on this alone. Assume someone will eventually get through, and plan accordingly.
Finally, user awareness helps. Attackers rely heavily on human behaviour—clicking a link, opening a document, trusting an attachment. Educating users isn’t a silver bullet, but if someone reports a suspicious email or behaviour early, you might catch the installation before it becomes entrenched.
Getting Ahead of the Adversary
Installation isn’t the flashiest part of a cyber attack. It doesn’t always get the headlines, and you rarely hear about it outside of technical postmortems. But it’s one of the most important stages in the Cyber Kill Chain, and for defenders, it’s a window of opportunity.
Understanding how attackers approach installation gives you a chance to detect and disrupt them before they do serious damage. It’s where malware stops being hypothetical and starts becoming a resident in your network. Whether it’s a nation-state slipping in a silent backdoor or a low-level criminal group pushing commodity malware, the goal is the same: get in, stay in, and go unnoticed.
If you’re building a defensive strategy, pay attention to installation. It’s one of the points where you still have a decent shot at stopping an intrusion before it turns into a full-blown breach. You might not stop the email from landing in the inbox, and you might not prevent the exploit from firing, but if you catch the installation and kill the process before it establishes persistence, you can break the chain—and that makes all the difference.