Cyber Kill Chain Stages You Must Memorize for the 312-39 Certification Exam

George steven

If you are preparing for the EC-Council 312-39 certification exam, there is one framework you absolutely cannot afford to overlook: the Cyber Kill Chain. Developed by Lockheed Martin, this model breaks down the anatomy of a cyberattack into seven distinct stages. For SOC analysts, understanding each stage is not just academic knowledge — it is the foundation of how you detect, respond to and prevent threats in a real security operations environment.

The 312-39 exam tests your ability to think like a SOC analyst. That means knowing how attackers move through a network, what signals they leave behind at each stage and how a security team responds. This blog walks you through every stage of the Cyber Kill Chain, explains what the exam expects you to know and gives you the context to answer scenario-based questions confidently.

What Is the Cyber Kill Chain and Why Does It Matter for the 312-39 Exam?

The Cyber Kill Chain is a threat modeling framework that describes the sequential steps an adversary takes to successfully execute a cyberattack. The model was originally designed to help defenders understand attacker behavior so they could identify and disrupt attacks before they reach their final objective.

For the 312-39 exam, the Kill Chain matters because EC-Council tests your ability to map real-world attack behaviors to specific stages. You will encounter scenario-based questions that describe attacker activity and ask you to identify which stage is occurring, what the SOC should do and which tools or indicators are relevant. Memorizing the stages in order and understanding what happens at each one is non-negotiable.

The 7 Stages of the Cyber Kill Chain: Exam Breakdown

Stage 1: Reconnaissance

This is where the attacker gathers information about the target before launching any active attack. It is purely passive or semi-passive at this point.

What attackers do:

  • OSINT gathering (LinkedIn, Shodan, WHOIS lookups)
  • DNS enumeration
  • Social engineering research
  • Scanning for open ports or exposed services

What the exam tests:

  • Understanding the difference between passive and active reconnaissance
  • Recognizing reconnaissance as the earliest opportunity to detect an impending attack
  • Knowing that threat intelligence feeds can expose reconnaissance activity before it escalates

Key exam tip: Questions may describe unusual DNS queries, Shodan scans or social media profiling of employees. Identify these as Stage 1 immediately.

Stage 2: Weaponization

The attacker now takes the information gathered and creates a deliverable malicious payload. No interaction with the target occurs yet.

What attackers do:

  • Crafting a malicious document (PDF, Word or Excel files with embedded macros)
  • Building a custom exploit paired with a Remote Access Trojan (RAT)
  • Creating spear-phishing email templates
  • Packaging malware with legitimate software (trojanizing)

What the exam tests:

  • Understanding that weaponization happens entirely on the attacker's side
  • Recognizing file types commonly weaponized
  • Knowing this stage is the hardest to detect because there is no target interaction

Key exam tip: The SOC cannot directly detect weaponization as it happens. However, threat intelligence about known malware families and attacker toolkits helps defenders prepare.

Stage 3: Delivery

This is the first moment the attacker makes direct contact with the target. The weaponized payload is transmitted to the victim.

What attackers do:

  • Sending phishing or spear-phishing emails with malicious attachments or links
  • Drive-by downloads on compromised websites
  • USB drops or watering hole attacks
  • Exploiting publicly exposed web applications

What the exam tests:

  • Identifying delivery vectors (email, web, USB, third-party)
  • Understanding how SIEM rules can flag suspicious email attachments or URL patterns
  • Knowing the role of email security gateways, web proxies and sandboxing tools at this stage

Key exam tip: Delivery is one of the most heavily tested stages. Expect questions about phishing indicators, email header analysis and how SOC analysts triage suspicious email alerts.
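The email header triage mentioned above, as an added example that is not part of the original article: it parses a raw message with Python's standard email module and reports the checks a Delivery-stage analyst runs first (envelope sender and Reply-To domains versus the From domain, SPF/DKIM/DMARC verdicts in Authentication-Results, and link hosts outside the sender's domain). Both messages and every domain in them are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a spear-phishing message whose envelope sender, Reply-To
# and link host all point outside the domain shown in the From header.
SUSPICIOUS_RAW = """\
Return-Path: <bounce@mail-relay-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay-example.net; dkim=none
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk-support@example-login.net
To: analyst@example.com
Subject: Password expiry notice
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://example-login.net/reset
"""

# Constructed sample: an internal notice that should produce no findings.
CLEAN_RAW = """\
Return-Path: <helpdesk@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: analyst@example.com
Subject: Maintenance window
Content-Type: text/plain; charset="utf-8"

The VPN gateway will be patched tonight. Status page: https://status.example.com/
"""


def _domain(header_value):
    """Return the lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def _in_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def triage_headers(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From", ""))

    # Envelope sender (Return-Path) and Reply-To normally share the From domain.
    rp_domain = _domain(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    # Authentication-Results as stamped by the receiving MTA: anything but pass is a finding.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mech}=(\w+)", auth)
        if match and match.group(1) != "pass":
            findings.append(f"{mech}={match.group(1)}")

    # Links in the plain-text body that lead outside the sender's domain.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for host in re.findall(r"https?://([^\s/]+)", text):
        if not _in_domain(host, from_domain):
            findings.append(f"link host {host} is outside {from_domain}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("clean", CLEAN_RAW)):
        print(label, triage_headers(raw) or "no findings")
```

Each finding on its own is weak (plenty of legitimate mail is relayed through a third-party Return-Path domain); the point of the triage is that several of them stacking up on one message is what justifies detonating the attachment or URL in a sandbox before a user touches it.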

Stage 4: Exploitation

The payload has been delivered. Now it executes and exploits a vulnerability in the target system.

What attackers do:

  • Exploiting software vulnerabilities (unpatched CVEs)
  • Triggering malicious macros when a user opens a document
  • Exploiting browser vulnerabilities via drive-by downloads
  • Using zero-day exploits to bypass defenses

What the exam tests:

  • The difference between delivery and exploitation
  • Understanding CVEs, CVSS scoring and their role in prioritizing vulnerabilities
  • Recognizing exploitation indicators such as abnormal process spawning (e.g. Word launching PowerShell)

Key exam tip: Endpoint Detection and Response (EDR) tools generate the most relevant alerts at this stage. Understand how process trees and parent-child process relationships signal exploitation.
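The parent-child process signal described above, as an added example that is not from the original article: given process-creation events with PID, parent PID and image path (Sysmon Event ID 1 style fields, simplified), it walks each script host's ancestry and alerts when an Office application appears within a few hops. Walking the full ancestry rather than only the direct parent is what catches a Word -> cmd.exe -> powershell.exe chain. The events, PIDs and paths are constructed.

```python
# Office applications that legitimately spawn script hosts only rarely.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters commonly launched by a malicious macro.
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events. pid 200 is Word opening a document,
# pids 300 and 400 are the macro's child chain, and pid 500 is an unrelated
# PowerShell session started from Explorer that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


def image_name(image_path):
    """Lower-cased file name of an image path, e.g. 'winword.exe'."""
    return image_path.rsplit("\\", 1)[-1].lower()


def find_office_spawned_scripts(events, max_depth=4):
    """Return one alert per script host that has an Office app among its ancestors.

    max_depth bounds how far up the tree we look so a long-lived shell that
    happens to descend from Office hours earlier does not keep firing.
    Production pipelines should key on the process GUID rather than the PID,
    because PIDs are reused after a process exits.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if image_name(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = [image_name(e["image"])]
        parent = by_pid.get(e["ppid"])
        depth = 0
        while parent is not None and depth < max_depth:
            chain.append(image_name(parent["image"]))
            if image_name(parent["image"]) in OFFICE_APPS:
                alerts.append({"pid": e["pid"], "chain": " <- ".join(chain)})
                break
            parent = by_pid.get(parent["ppid"])
            depth += 1
    return alerts


if __name__ == "__main__":
    for alert in find_office_spawned_scripts(SAMPLE_EVENTS):
        print(f"pid {alert['pid']}: {alert['chain']}")
```

Both pid 300 and pid 400 are reported, each with the chain that led back to Word, while the Explorer-launched PowerShell at pid 500 stays quiet. The chain string is exactly what an analyst wants in the alert body, since it answers the exam's "what does the process tree tell you" question directly.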

Stage 5: Installation

After exploitation, the attacker installs a persistent backdoor or malware on the compromised system to maintain long-term access.

What attackers do:

  • Installing Remote Access Trojans (RATs)
  • Creating scheduled tasks or registry run keys for persistence
  • Dropping web shells on compromised web servers
  • Using DLL hijacking or rootkits to stay hidden

What the exam tests:

  • Recognizing persistence mechanisms (registry keys, scheduled tasks, startup folders)
  • Understanding how malware achieves persistence to survive reboots
  • Knowing which Windows Event IDs flag suspicious installation activity (e.g. Event ID 4698 for scheduled task creation)

Key exam tip: This stage maps directly to the MITRE ATT&CK Persistence tactic. Expect the exam to connect Kill Chain stages with ATT&CK tactics especially here.

Stage 6: Command and Control (C2)

With malware installed, the attacker establishes a communication channel back to their infrastructure to remotely control the compromised system.

What attackers do:

  • Using HTTP/HTTPS beaconing to C2 servers
  • DNS tunneling to exfiltrate data or receive commands
  • Using legitimate platforms (GitHub, Twitter, Slack) as C2 channels
  • Encrypted communication to avoid detection

What the exam tests:

  • Identifying C2 beaconing patterns in network traffic and SIEM logs
  • Understanding DNS tunneling as a C2 technique
  • Knowing how to detect irregular outbound traffic, unusual domain requests or periodic beaconing intervals
  • The role of threat intelligence in identifying known C2 domains and IPs

Key exam tip: C2 detection is a core SOC analyst skill tested heavily on the 312-39 exam. Understand how to use SIEM correlation rules to flag beaconing behavior based on time intervals and destination reputation.
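The beaconing correlation logic described above, as an added example that is not part of the original article: it groups proxy log lines by (client, destination), measures how regular the gaps between requests are using the coefficient of variation (standard deviation divided by mean), and combines that timing score with destination reputation. The log lines, hosts, the KNOWN_C2_HOSTS set and the thresholds (six requests minimum, CV at or below 0.2) are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed web-proxy log lines: timestamp, client IP, destination host, bytes sent.
# 10.0.0.5 reaches the same host roughly every 60 s (a beacon with a few seconds of
# jitter); 10.0.0.7 is a user browsing a news site at irregular times.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 updates.example-cdn.net 512
2024-05-01T10:00:10Z 10.0.0.7 www.example-news.com 9120
2024-05-01T10:00:12Z 10.0.0.7 static.example-news.com 44120
2024-05-01T10:01:02Z 10.0.0.5 updates.example-cdn.net 509
2024-05-01T10:02:01Z 10.0.0.5 updates.example-cdn.net 511
2024-05-01T10:03:00Z 10.0.0.5 updates.example-cdn.net 512
2024-05-01T10:03:40Z 10.0.0.7 www.example-news.com 8713
2024-05-01T10:04:03Z 10.0.0.5 updates.example-cdn.net 510
2024-05-01T10:04:59Z 10.0.0.5 updates.example-cdn.net 512
2024-05-01T10:06:01Z 10.0.0.5 updates.example-cdn.net 511
2024-05-01T10:07:00Z 10.0.0.5 updates.example-cdn.net 512
2024-05-01T10:12:05Z 10.0.0.7 www.example-news.com 9001
2024-05-01T10:12:06Z 10.0.0.7 www.example-news.com 302
"""

# Constructed stand-in for a threat-intelligence feed of known C2 hosts.
KNOWN_C2_HOSTS = frozenset({"updates.example-cdn.net"})


def parse_proxy_log(text):
    """Parse the constructed four-column format into (timestamp, src, dst, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, sent = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(sent)))
    return rows


def detect_beacons(rows, min_requests=6, max_cv=0.2, known_c2=frozenset()):
    """Flag (client, destination) pairs whose request timing is too regular to be human.

    The coefficient of variation of the inter-request gaps is near 0 for a
    fixed-interval beacon and stays small under modest jitter, while interactive
    browsing produces widely varying gaps. A destination on the C2 list is
    flagged regardless of cadence; regular timing plus a known host is rated high.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in rows:
        by_pair[(src, dst)].append(ts)

    alerts = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # burst of identical timestamps, not a beacon cadence
        cv = statistics.pstdev(gaps) / mean_gap
        regular = cv <= max_cv
        known = dst in known_c2
        if regular or known:
            alerts.append({
                "src": src, "dst": dst, "requests": len(stamps),
                "mean_interval_s": round(mean_gap, 1), "cv": round(cv, 3),
                "severity": "high" if (regular and known) else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_beacons(parse_proxy_log(SAMPLE_PROXY_LOG), known_c2=KNOWN_C2_HOSTS):
        print(alert)
```

Only the 10.0.0.5 pair is reported (eight requests, mean interval 60 s, CV about 0.04). The news-site traffic never reaches six requests to one host, and even if it did, its gaps of 1 s to several minutes would put the CV well above the threshold. In a real SIEM the same logic is expressed as a scheduled correlation search over a rolling window, with the CV threshold tuned against the environment's own software-update and telemetry traffic, which also beacons on a timer and is the main source of false positives.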

Stage 7: Actions on Objectives

This is the final stage. The attacker has achieved persistent access and now executes their ultimate goal.

What attackers do:

  • Data exfiltration (stealing intellectual property, credentials, PII)
  • Ransomware deployment
  • Lateral movement to reach high-value targets
  • Destroying data or disrupting operations
  • Credential harvesting for further attacks

What the exam tests:

  • Recognizing indicators of data exfiltration (large outbound transfers, unusual file access patterns)
  • Understanding lateral movement techniques and how SIEM detects them
  • Knowing that reaching this stage means earlier Kill Chain stages were not disrupted
  • Incident response priorities once Actions on Objectives are detected

Key exam tip: Scenario questions at this stage often ask you to identify what the SOC should do NOW. Expect incident response playbook knowledge to be tested alongside Kill Chain identification.

How the Cyber Kill Chain Maps to MITRE ATT&CK

The 312-39 exam does not test these frameworks in isolation. You must understand how they relate to each other.

Kill Chain Stage         MITRE ATT&CK Tactic
-----------------------  -------------------------------------
Reconnaissance           Reconnaissance
Weaponization            Resource Development
Delivery                 Initial Access
Exploitation             Execution
Installation             Persistence and Privilege Escalation
Command & Control        Command and Control
Actions on Objectives    Exfiltration and Impact

Understanding this mapping allows you to answer questions that describe attacker behavior in ATT&CK terminology and ask you to place it within the Kill Chain and vice versa.

SOC Analyst Actions at Each Kill Chain Stage

One of the most common question formats on the 312-39 exam presents a scenario and asks what a SOC analyst should do. Here is a stage-by-stage reference:

Reconnaissance → Monitor threat intelligence feeds, analyze unusual DNS or port scan traffic and correlate with known threat actor profiles.

Weaponization → No direct detection. Use threat intel to identify known malware builders and attacker toolkits.

Delivery → Analyze email headers, inspect URLs and attachments in a sandbox, review web proxy logs and check file hashes against threat intel.

Exploitation → Monitor EDR alerts for abnormal process behavior, correlate with CVE databases and check for exploit kit signatures in IDS/IPS logs.

Installation → Review registry changes, scheduled task creation events, file drops in suspicious directories and Windows Event IDs 4698 and 7045.

Command and Control → Analyze outbound traffic for beaconing, check DNS query frequency and destination reputation and correlate with C2 IOC feeds.

Actions on Objectives → Initiate incident response: contain affected systems, preserve evidence, escalate to L2/L3 and begin forensic investigation.
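The Installation-stage review of Event IDs 4698 and 7045, named both in the Installation section above and in this stage-by-stage reference, as an added example that is not from the original article: it takes extracted fields from Security 4698 (scheduled task created) and System 7045 (service installed) records, pulls the launch command out of the task XML or the service ImagePath, and flags entries that run from user-writable directories or through a script host. The events, task and service names, paths and the USER_WRITABLE_DIRS and SCRIPT_HOSTS lists are constructed for the example; the field names follow the event schemas but the dict shape is an assumption about how your SIEM extracts them.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML, which Event 4698 embeds in its TaskContent field.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Locations a legitimate service or scheduled task rarely runs from, and interpreters
# that are a red flag as the launch target of a persistence entry (constructed lists).
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SCRIPT_HOSTS = ("powershell", "cmd.exe", "wscript", "cscript", "mshta", "regsvr32", "rundll32")

# Constructed events in the shape of 4698 and 7045 records after field extraction:
# one suspicious and one benign of each kind.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": "\\OneDriveUpdater",
     "TaskContent": (
         '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         '<Actions><Exec><Command>C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe</Command>'
         '<Arguments>-q</Arguments></Exec></Actions></Task>')},
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": (
         '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         '<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command>'
         '<Arguments>-c -h -o</Arguments></Exec></Actions></Task>')},
    {"EventID": 7045, "ServiceName": "WinHelperSvc", "StartType": "auto start",
     "ImagePath": 'cmd.exe /c powershell -w hidden -File C:\\ProgramData\\upd.ps1'},
    {"EventID": 7045, "ServiceName": "ExampleBackupAgent", "StartType": "auto start",
     "ImagePath": '"C:\\Program Files\\Example Backup\\agent.exe"'},
]


def looks_suspicious(command_line):
    """True when the launch target sits in a user-writable directory or is a script host."""
    text = command_line.lower()
    return any(d in text for d in USER_WRITABLE_DIRS) or any(h in text for h in SCRIPT_HOSTS)


def triage_persistence_events(events):
    """Return the 4698/7045 events whose launch target warrants analyst review."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4698:
            # The task definition is embedded as XML; inspect every <Exec> action in it.
            root = ET.fromstring(ev["TaskContent"])
            for action in root.iter(TASK_NS + "Exec"):
                cmd = action.findtext(TASK_NS + "Command", default="")
                args = action.findtext(TASK_NS + "Arguments", default="")
                launch = (cmd + " " + args).strip()
                if looks_suspicious(launch):
                    findings.append({"event_id": 4698, "name": ev["TaskName"],
                                     "user": ev["SubjectUserName"], "launch": launch})
        elif ev["EventID"] == 7045:
            # For services the binary path is a plain field, no XML to unpack.
            if looks_suspicious(ev["ImagePath"]):
                findings.append({"event_id": 7045, "name": ev["ServiceName"],
                                 "user": None, "launch": ev["ImagePath"]})
    return findings


if __name__ == "__main__":
    for f in triage_persistence_events(SAMPLE_EVENTS):
        print(f"Event {f['event_id']} {f['name']}: {f['launch']}")
```

The two benign entries (a built-in defrag task under %windir% and a vendor agent under Program Files) pass, while the task launching from AppData and the service whose ImagePath is a hidden PowerShell one-liner under ProgramData are returned with the exact launch string for the analyst to pivot on. Pairing each finding with the file hash of the launch target, checked against threat intelligence, is the natural next step the Delivery-stage reference above already calls for.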

High-Frequency Exam Question Patterns

Based on the 312-39 exam blueprint, here are the most common ways the Cyber Kill Chain appears in questions:

Scenario-to-Stage Mapping: A description of attacker behavior is given. You must identify the correct Kill Chain stage.

Disruption Questions: You are asked at which stage a specific security control (firewall, email gateway, EDR) would be most effective.

IOC Identification: An indicator is described and you must match it to the correct stage and response action.

Kill Chain vs ATT&CK: Questions that require you to map stages to tactics or techniques from the MITRE framework.

To build confidence with these question types, working through EC-Council 312-39 practice questions gives you exposure to the exact scenario formats used in the real exam, helping you apply Kill Chain knowledge under timed conditions.

Key Takeaways for Exam Day

  • The Cyber Kill Chain has exactly seven stages. Memorize them in order: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control and Actions on Objectives.
  • Each stage has specific attacker behaviors, detection opportunities and SOC response actions.
  • The exam tests application, not just recall. You must be able to read a scenario and place it correctly within the model.
  • Know how the Kill Chain maps to MITRE ATT&CK tactics. This is a high-value exam topic.
  • C2 detection, delivery vectors and persistence mechanisms are the three most exam-heavy areas within this framework.
  • Disruption at early stages (Reconnaissance through Delivery) is always preferable to late-stage detection.

Final Thoughts

The Cyber Kill Chain is not just a theoretical model. It is the mental framework that drives how SOC analysts think during active threat detection and incident response. For the 312-39 exam, mastering this framework means you can confidently handle scenario-based questions, map attacker behavior to the correct stage and articulate the appropriate SOC response at each point.

Study each stage with purpose, connect it to your SIEM and EDR knowledge and practice applying it to real attack scenarios. The candidates who pass the 312-39 exam are not the ones who memorized a list. They are the ones who can think through an attack from the adversary's perspective and respond from the defender's.
