Installation phase - establishing persistence
The Installation Phase in the Cyber Kill Chain: Establishing Persistence After Exploitation
The Cyber Kill Chain, a model developed by Lockheed Martin, is one of the most widely used frameworks in cybersecurity. It divides an attack into seven stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives.
Each phase represents a step the intruder must complete. Once the attacker has exploited a vulnerability and gained initial access, the next goal is to keep that access: this is the Installation phase. It is the moment when attackers make sure they can return to the compromised system even if the exploited process exits, the user logs off, the machine reboots, or the original vulnerability is patched.
What Is the Installation Phase?
The Installation phase is the process of deploying malicious code or software on a target system to establish persistence and control. The purpose is not just to infiltrate but to remain undetected and functional for as long as possible.
During this phase, the attacker installs malware such as Remote Access Trojans (RATs), rootkits, or backdoors, enabling ongoing communication with the compromised machine. This step effectively converts a one-time breach into a long-term foothold.
For cybersecurity professionals, understanding the Installation phase is vital because it marks the beginning of sustained compromise. Detecting or preventing it can stop attackers from moving to the next stages — Command and Control and Actions on Objectives.
Objectives of the Installation Phase
Persistence:
The attacker ensures that malicious components run again automatically after a reboot or logon, and that they survive patching of the vulnerability that was originally exploited.
Stealth:
The installation must remain invisible to the user and avoid detection by antivirus, EDR, and other monitoring tools.
Reliability:
The malware must remain stable and reconnect even after disconnection or network changes.
Privilege Retention:
Writing to system-wide locations (services, HKLM Run keys, system folders) requires administrative rights. When the initial foothold is an unprivileged user, attackers either escalate first or fall back to per-user locations such as HKCU Run keys, the user's Startup folder, or scheduled tasks created under the user's own account.
How Installation Works
After successful exploitation, the attacker has code execution only in the context of the exploited process, and that access disappears as soon as the process exits or the machine reboots. They use this window to install files or services that will re-establish access later. Common actions include:
- Creating scheduled tasks or startup entries so malware runs automatically.
- Modifying Windows registry keys (for example the Run and RunOnce keys) so a payload launches at every boot or user logon.
- Installing service binaries disguised as legitimate processes.
- Dropping backdoors that connect back to the attacker’s command server.
- Replacing or injecting code into trusted applications to hide execution.
This stage is often automated by the exploit payload itself, ensuring persistence even if the attacker disconnects temporarily.
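To make the first three locations above concrete, here is an added Python example (not code from the article) that audits two of them: it parses a constructed `reg export` of the HKLM Run key and constructed `schtasks /query /fo CSV /v` output (trimmed to the columns it uses) and flags entries that launch from user-writable paths, use a script host, carry an encoded PowerShell command line, or reuse a Windows system binary name outside the Windows directory. The sample data, the heuristics and their thresholds are assumptions for illustration.

```python
"""Audit Windows autostart locations for suspicious persistence entries.

Added example; not tooling from the article. The two inputs are constructed
to look like real `reg export` and `schtasks /query /fo CSV /v` output.
"""
import csv
import io
import re

# Constructed sample: REG_SZ values under the HKLM Run key (reg export format).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe\" -silent"
"Helper"="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
'''

# Constructed sample: verbose schtasks CSV, trimmed to the columns used here.
SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\OneDriveSync","Ready","WS01\jdoe","wscript.exe //e:jscript C:\Users\Public\sync.js"
'''

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
# -e, -en, -enc or -encodedcommand followed by a long base64 blob (assumed threshold: 20 chars)
ENCODED = re.compile(r"\s-e(n(c(odedcommand)?)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)


def parse_reg_export(text):
    """Return {source, name, command} for each REG_SZ value in a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if key and m:
            # reg export escapes backslashes and quotes as \\ and \"
            value = re.sub(r'\\(["\\])', r"\1", m.group("value"))
            entries.append({"source": key, "name": m.group("name"), "command": value})
    return entries


def parse_schtasks_csv(text):
    rows = csv.DictReader(io.StringIO(text))
    return [{"source": "schtasks", "name": r["TaskName"], "author": r["Author"],
             "command": r["Task To Run"]} for r in rows]


def executable_of(command):
    """Return the launched image path (lower-case), honouring a quoted path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split()[0] if cmd else ""
    return path.lower()


def assess(command):
    """Return the list of reasons an autostart command looks suspicious (empty if none)."""
    reasons = []
    path = executable_of(command)
    name = path.rsplit("\\", 1)[-1]
    if any(marker in command.lower() for marker in USER_WRITABLE):
        reasons.append("launches from a user-writable directory")
    if name.startswith(SCRIPT_HOSTS):
        reasons.append(f"script host or LOLBin ({name})")
    if ENCODED.search(command):
        reasons.append("encoded PowerShell command line")
    in_windows_dir = "\\windows\\" in path or path.startswith(("%windir%", "%systemroot%"))
    if name in SYSTEM_NAMES and not in_windows_dir:
        reasons.append(f"system binary name outside the Windows directory ({name})")
    return reasons


def audit(reg_text, schtasks_text):
    """Combine both sources and keep only entries with at least one reason."""
    findings = []
    for entry in parse_reg_export(reg_text) + parse_schtasks_csv(schtasks_text):
        reasons = assess(entry["command"])
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in audit(REG_EXPORT, SCHTASKS_CSV):
        print(f"{hit['source']} :: {hit['name']} :: {hit['command']}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

On a real host the inputs would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (decode it as UTF-16, which is what reg export writes) and `schtasks /query /fo CSV /v`, and the same parser covers the HKCU and RunOnce keys. The heuristics are deliberately simple and will also flag legitimate per-user software that lives under AppData, so treat hits as leads to verify against file signatures and hashes, not as verdicts.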
Common Techniques Used in Installation
Remote Access Trojans (RATs)
One of the most common forms of persistence, RATs allow attackers to control the system remotely. They can log keystrokes, capture screens, and transfer files without detection.
Rootkits and Bootkits
These operate at a low system level, hiding processes, files, and registry entries from the operating system itself. Bootkits infect the boot components (the MBR or volume boot record on BIOS systems, the boot loader on UEFI systems) so that they activate before the OS loads, which is the threat Secure Boot is designed to counter.
Backdoors
Attackers create secret access points, for example a listener bound to an otherwise unused port, a hidden user account, or a web shell on an exposed server, ensuring they can return later without re-exploiting the original vulnerability.
DLL Injection
Malicious code is inserted into legitimate processes, helping the payload blend with trusted applications and avoid detection.
Fileless Malware
Increasingly common, this method avoids writing an executable to disk. The payload lives in memory, in registry values, or in WMI subscriptions, and is launched through legitimate system tools such as PowerShell, mshta, or wscript, so there is no new file for antivirus to scan.
Browser Extensions or Plug-ins
In corporate environments, attackers may install malicious browser extensions to harvest credentials or monitor browsing activity and web traffic.
Indicators of Installation in Progress
Recognizing when malware is being installed is challenging but not impossible. Security analysts monitor systems for these warning signs:
- Unusual creation of new services or scheduled tasks
- Unknown startup programs or modified registry entries
- Suspicious outbound network connections to unfamiliar IP addresses
- Unexpected files in system folders or temporary directories
- Antivirus alerts followed by process termination failures
- Legitimate system tools (like cmd.exe, powershell.exe, or wscript.exe) executing scripts unexpectedly
These behaviors often indicate that an attacker is attempting to embed malware for persistence.
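As an added example (not part of the original article), the following Python script applies those indicators to a constructed stream of Sysmon-style events: it flags an Office application spawning a script host, a write to a Run key, and, at higher severity, an outbound connection from the image that was just registered for autostart within a five-minute window. The event lines, user SID, paths and the five-minute window are assumptions; the IP addresses come from documentation ranges.

```python
"""Correlate Sysmon-style events to spot an installation in progress.

Added example; the events below are constructed JSON lines using Sysmon
field names (EventID 1 = process create, 13 = registry value set,
3 = network connection). Nothing here is real telemetry.
"""
import json
from datetime import datetime, timedelta

SAMPLE_EVENTS = r'''
{"UtcTime":"2024-11-02 14:03:11.120","EventID":1,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}
{"UtcTime":"2024-11-02 14:03:16.401","EventID":13,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","TargetObject":"HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","Details":"C:\\Users\\jdoe\\AppData\\Roaming\\updater.exe"}
{"UtcTime":"2024-11-02 14:03:20.007","EventID":1,"Image":"C:\\Users\\jdoe\\AppData\\Roaming\\updater.exe","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"updater.exe"}
{"UtcTime":"2024-11-02 14:03:24.550","EventID":3,"Image":"C:\\Users\\jdoe\\AppData\\Roaming\\updater.exe","DestinationIp":"203.0.113.10","DestinationPort":443}
{"UtcTime":"2024-11-02 14:10:02.000","EventID":13,"Image":"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveSetup.exe","TargetObject":"HKU\\S-1-5-21-1004336348-1177238915-682003330-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","Details":"\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"}
{"UtcTime":"2024-11-02 16:15:40.310","EventID":3,"Image":"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe","DestinationIp":"198.51.100.7","DestinationPort":443}
'''

AUTOSTART_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BEACON_WINDOW = timedelta(minutes=5)  # assumption: first C2 contact follows the install quickly


def parse_events(text):
    """Parse JSON lines, attach a datetime, and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["time"] = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def image_from_details(details):
    """Registry Details hold the REG_SZ launch string; strip quotes and arguments."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:d.find('"', 1)].lower()
    return d.split(" ")[0].lower()


def finding(severity, rule, event, detail):
    return {"severity": severity, "rule": rule, "time": event["UtcTime"], "detail": detail}


def detect(events):
    findings, autostarts = [], []
    for e in events:
        if e["EventID"] == 13 and any(k in e["TargetObject"].lower() for k in AUTOSTART_KEYS):
            target = image_from_details(e["Details"])
            autostarts.append((e["time"], target))
            findings.append(finding("medium", "autostart-write", e,
                                    f"{basename(e['Image'])} wrote {e['TargetObject']} = {e['Details']}"))
        elif (e["EventID"] == 1 and basename(e["Image"]) in SCRIPT_HOSTS
              and basename(e.get("ParentImage", "")) in OFFICE_APPS):
            findings.append(finding("medium", "office-spawns-script-host", e,
                                    f"{basename(e['ParentImage'])} -> {e['CommandLine']}"))
    # Escalate when the image registered for autostart talks out within the window.
    for e in events:
        if e["EventID"] != 3:
            continue
        for t, target in autostarts:
            if e["Image"].lower() == target and t <= e["time"] <= t + BEACON_WINDOW:
                findings.append(finding("high", "persist-then-beacon", e,
                                        f"{target} -> {e['DestinationIp']}:{e['DestinationPort']} "
                                        f"{(e['time'] - t).seconds}s after autostart write"))
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']:6}] {f['time']} {f['rule']}: {f['detail']}")
```

The OneDrive entry is in the sample on purpose: a Run-key write by an installer is routine, so it only earns a medium finding, and its later connection falls outside the window and is not escalated. The updater.exe chain (script host spawned by Word, Run-key write pointing into AppData, connection eight seconds later) is what the high-severity rule is for. In production the same logic would read the Sysmon operational log or a SIEM export instead of the inline sample, and the window should be tuned to what your own installers do.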
Defensive Measures Against Installation
Stopping an attacker at the Installation stage requires layered defense mechanisms and continuous monitoring.
1. Endpoint Protection Platforms (EPP) and EDR:
Endpoint tools that watch behaviour rather than file signatures (a document reader spawning a script host, a new Run-key write or service install, a process injecting into another) can block the installation outright or at least record it for responders.
2. Application Whitelisting:
Restricting execution to approved, signed binaries (Windows AppLocker or WDAC, for example) stops an executable dropped into a user-writable path from running at all, whatever autostart entry points at it.
3. System Hardening:
Disable unnecessary services, restrict user permissions, and enforce strong group policies to reduce exploitable entry points.
4. Regular File Integrity Monitoring:
Tools that track changes to system files, autostart registry keys, and configurations can detect when unauthorized software is added; the baseline itself must be stored where a compromised host cannot rewrite it.
5. Network Monitoring:
Detect abnormal outbound connections to known malicious domains or unusual ports. Command-and-control traffic often begins immediately after installation.
6. Patch Management:
Keep all systems, software, and firmware updated to close the vulnerabilities that give attackers their initial code execution. Patching after persistence has been established does not remove that persistence; the foothold has to be found and removed separately.
7. Incident Response Readiness:
Maintain clear procedures for isolating infected devices, removing malware, and verifying system integrity after restoration.
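The file-integrity control in item 4 is easy to build in its simplest form. Here is an added Python example (not from the article) that hashes a directory tree into a baseline, seals the baseline with an HMAC so that a compromised host cannot quietly rewrite it, and later reports added, removed and modified paths. The `demo()` function stands up a constructed temporary tree (standing in for a system directory, a Startup folder and a saved `reg export` of the Run keys) and then simulates an installation phase; the key, file names and contents are assumptions.

```python
"""Minimal file-integrity baseline: hash a tree, seal the baseline with an
HMAC, re-hash later and report added / removed / modified paths.

Added example for this article, not a product. demo() builds a constructed
temp directory instead of touching real system paths.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal(baseline: dict, key: bytes) -> dict:
    """Serialize the baseline and attach an HMAC. The key must live off the
    monitored host, otherwise an attacker with admin rights can re-seal."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return {"body": body, "mac": hmac.new(key, body.encode(), "sha256").hexdigest()}


def unseal(sealed: dict, key: bytes) -> dict:
    expected = hmac.new(key, sealed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("baseline MAC mismatch: stored baseline was tampered with")
    return json.loads(sealed["body"])


def diff(baseline: dict, current: dict) -> dict:
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict:
    key = b"constructed-demo-key-keep-this-off-host"  # assumption: provisioned out of band
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "System32").mkdir()
        (root / "Startup").mkdir()
        (root / "System32" / "drivers.sys").write_bytes(b"MZ constructed driver image")
        (root / "Startup" / "notes.lnk").write_bytes(b"constructed shortcut")
        (root / "run-keys.reg").write_text(
            r'"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"' + "\n")
        sealed = seal(snapshot(root), key)

        # Simulated installation phase: dropper in Startup, new Run value, a file removed.
        (root / "Startup" / "update.vbs").write_text('MsgBox "constructed dropper"')
        with (root / "run-keys.reg").open("a") as f:
            f.write(r'"Updater"="C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"' + "\n")
        (root / "Startup" / "notes.lnk").unlink()

        report = diff(unseal(sealed, key), snapshot(root))

        # Tampering check: swapping in a "clean" baseline without the key is caught.
        forged = dict(sealed, body=json.dumps(snapshot(root), sort_keys=True, separators=(",", ":")))
        try:
            unseal(forged, key)
            report["tamper_detected"] = False
        except ValueError:
            report["tamper_detected"] = True
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Registry keys are covered by exporting them to a file (for example with `reg export`) and baselining that file alongside the directories, which is what the `run-keys.reg` entry in the demo stands for. Two operational points matter more than the hashing: run the snapshot from a scheduled, protected context rather than on demand, and keep both the baseline and the HMAC key off the monitored host, since a tampered baseline is exactly what a careful intruder would leave behind.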
Installation in Ethical Hacking and Penetration Testing
For ethical hackers and penetration testers, the Installation phase is part of simulating real-world attack chains under strict authorization. During this phase, testers deploy benign payloads to demonstrate how persistence mechanisms could be established.
Tools such as Metasploit, Empire, and Cobalt Strike are often used to simulate persistence through service creation or scheduled tasks. The objective is to assess how well security controls detect, block, or log such activity.
These controlled tests help organizations strengthen defenses by patching gaps, improving monitoring, and refining incident response plans. Understanding how attackers install and maintain access enables defenders to remove potential footholds before real intrusions occur.
The Role of Installation in the Cyber Kill Chain
The Installation phase connects Exploitation to Command and Control. Once exploitation gives the attacker code execution, installation ensures that execution persists beyond a single session. From here, attackers can communicate with remote servers, exfiltrate data, or deploy additional malware modules.
From a defensive standpoint, this stage represents a critical containment opportunity. Detecting and neutralizing malware before it establishes persistence prevents long-term compromise and data exfiltration.
In the broader kill-chain perspective, effective detection at the Installation stage often means the difference between a contained incident and a full-scale breach.