Action – Final Phase

The action phase of the cyber kill chain, also known as “actions on objectives,” is the final and most damaging stage of a cyberattack. In this phase, the attacker executes their intended goals, which could range from data theft and system sabotage to espionage, ransomware deployment, or long-term surveillance. By this point, the adversary has bypassed perimeter defenses, gained access, and maintained persistence within the network. The action phase is the culmination of the entire kill chain and often where the true impact of a cybersecurity breach is felt.

Actions on objectives can take many forms depending on the motivation of the attacker. In financially motivated cybercrime, this stage often includes stealing sensitive data such as credit card information, intellectual property, or customer records. In ransomware attacks, this is when encryption of files occurs and ransom demands are issued. In state-sponsored campaigns, the action phase could involve prolonged data exfiltration, manipulation of systems, or even kinetic impacts on physical infrastructure through cyber means.

Cybercriminals use a variety of tools during the action phase. For data exfiltration, they commonly push stolen data out over the existing command-and-control (C2) channel, or use utilities such as rclone, rsync, and custom scripts to compress, encrypt, and transmit it to external servers. Attackers often stage data in hidden directories before exfiltration, packing it with tools like 7-Zip or WinRAR into password-protected archives to avoid detection.

In ransomware operations, attackers either abuse built-in Windows encryption features such as BitLocker or EFS (Encrypting File System), or deploy dedicated ransomware binaries such as Conti, LockBit, or BlackCat. These tools are designed to encrypt files rapidly while evading endpoint protection systems. In advanced ransomware campaigns, attackers first identify high-value systems and backup servers to ensure maximum disruption and increase the likelihood of ransom payment.

For espionage and long-term access, attackers use post-exploitation frameworks like Cobalt Strike, Sliver, and Metasploit, often in combination with tools like Mimikatz for credential dumping and BloodHound for Active Directory mapping. These tools allow adversaries to move laterally within the network, escalate privileges, and harvest credentials, enabling deep and continuous access to sensitive resources.

Real-world cybersecurity breaches illustrate how devastating the action phase can be. In the 2014 Sony Pictures hack, after months of stealthy movement within the network, attackers from the Lazarus Group stole large volumes of confidential data and leaked it publicly. The final action included data destruction using wiper malware, which rendered hundreds of computers inoperable and caused significant operational and reputational damage to the company.

Another example is the 2021 Colonial Pipeline ransomware attack. The DarkSide group gained access through a compromised VPN account and eventually deployed ransomware that encrypted critical systems. The final action forced the shutdown of one of the largest fuel pipelines in the United States, resulting in fuel shortages and widespread disruption. The attackers also exfiltrated sensitive business data to use as leverage in ransom negotiations, showcasing how the action phase can include both data theft and operational disruption.

Defending against actions on objectives requires a combination of proactive detection, strong response capabilities, and thorough incident containment. Security operations centers (SOCs) need to monitor for indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) consistent with this phase. These may include unusual file access patterns, large outbound data transfers, sudden spikes in CPU usage from encryption routines, or the presence of known tools like Mimikatz and Cobalt Strike.
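As an added illustration of the SOC monitoring described above (and of the staging-and-exfiltration pattern described earlier), the following example is not part of the original article; it is a small Python detector that scans a constructed set of endpoint and proxy log lines for three of the indicators named in the text: a known tool process appearing on a host, a bulk outbound transfer from one host within a short window, and a burst of extension-changing file renames of the kind an encryption routine produces. The log format, hostnames, IP addresses, tool executable names and thresholds are all assumptions made for the example.

```python
"""Added example: actions-on-objectives indicator detection over constructed logs.

Log format (assumed for this example):
    <ISO timestamp> <host> <proc|net|file> <details>
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Watchlist of tool process names; the executable names are assumed here.
KNOWN_TOOLS = {"mimikatz.exe", "cobaltstrike.exe", "beacon.exe", "sharphound.exe"}

# Thresholds are assumptions chosen for the sample data; tune to the environment.
OUTBOUND_BYTES_LIMIT = 500 * 1024 * 1024   # 500 MiB per host per window
OUTBOUND_WINDOW = timedelta(minutes=10)
RENAME_BURST_COUNT = 5                      # extension-changing renames per window
RENAME_WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(\S+) (\S+) (proc|net|file) (.*)$")

# Constructed sample log lines (not real telemetry); raw string keeps the backslashes.
SAMPLE_LOGS = r"""
2024-05-01T02:10:01 ws-17 proc mimikatz.exe
2024-05-01T02:10:05 ws-17 net out dst=203.0.113.9 bytes=104857600
2024-05-01T02:12:30 ws-17 net out dst=203.0.113.9 bytes=471859200
2024-05-01T02:13:00 ws-22 net out dst=198.51.100.4 bytes=2048
2024-05-01T02:15:00 fs-01 file C:\Share\q1.xlsx -> C:\Share\q1.xlsx.locked
2024-05-01T02:15:01 fs-01 file C:\Share\q2.xlsx -> C:\Share\q2.xlsx.locked
2024-05-01T02:15:01 fs-01 file C:\Share\hr.docx -> C:\Share\hr.docx.locked
2024-05-01T02:15:02 fs-01 file C:\Share\plan.pdf -> C:\Share\plan.pdf.locked
2024-05-01T02:15:03 fs-01 file C:\Share\notes.txt -> C:\Share\notes.txt.locked
2024-05-01T02:16:00 fs-01 file C:\Share\draft.docx -> C:\Share\final.docx
""".strip().splitlines()


def parse_line(line):
    """Return (timestamp, host, kind, details) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, kind, rest = m.groups()
    return datetime.fromisoformat(ts), host, kind, rest


def _ext(path):
    """File extension of a Windows or POSIX path, lower-cased ('' if none)."""
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def detect(lines):
    """Scan log lines and return a list of (indicator, host, detail) findings."""
    findings = []
    outbound = defaultdict(list)   # host -> [(timestamp, bytes)] within the window
    renames = defaultdict(list)    # host -> [timestamp] of extension-changing renames

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, kind, rest = parsed

        if kind == "proc":
            # Presence of a known post-exploitation tool on the host.
            name = rest.strip().lower()
            if name in KNOWN_TOOLS:
                findings.append(("known_tool", host, name))

        elif kind == "net":
            # Sum outbound bytes per host over a sliding window.
            m = re.search(r"bytes=(\d+)", rest)
            if not m or not rest.startswith("out"):
                continue
            outbound[host].append((ts, int(m.group(1))))
            outbound[host] = [(t, b) for t, b in outbound[host] if ts - t <= OUTBOUND_WINDOW]
            total = sum(b for _, b in outbound[host])
            if total > OUTBOUND_BYTES_LIMIT:
                findings.append(("bulk_outbound", host, total))
                outbound[host].clear()   # do not re-alert on the same bytes

        elif kind == "file":
            # A burst of renames that change the extension is typical of encryption.
            if " -> " not in rest:
                continue
            src, dst = rest.split(" -> ", 1)
            if _ext(src) == _ext(dst):
                continue
            renames[host].append(ts)
            renames[host] = [t for t in renames[host] if ts - t <= RENAME_WINDOW]
            if len(renames[host]) >= RENAME_BURST_COUNT:
                findings.append(("encryption_burst", host, len(renames[host])))
                renames[host].clear()

    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

Run stand-alone, the script reports the Mimikatz process on ws-17, the two transfers from ws-17 that together exceed the 500 MiB window limit, and the five extension-changing renames on fs-01 within a minute; the ws-22 transfer and the same-extension rename on fs-01 are ignored. The windowing is deliberately per host so that a slow trickle of small transfers or ordinary renames does not trip the rules, which is where real deployments will want the thresholds tuned against baseline traffic.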

Organizations must also implement strong data loss prevention (DLP) strategies and network segmentation to limit attackers’ ability to reach critical assets. Regular backups stored offline are essential in mitigating the impact of ransomware during the action phase. Additionally, having an incident response plan in place can drastically reduce downtime and data loss when this stage of the kill chain is reached.

In conclusion, the action phase of the kill chain is where cyberattacks achieve their objectives and inflict real damage. Whether it’s data theft, system disruption, or extortion through ransomware, this phase defines the outcome of the intrusion. Cybersecurity teams must focus on early detection, response readiness, and minimizing the window of opportunity to prevent attackers from successfully completing the kill chain and causing irreparable harm.