
Kill Chains

Kill chains are YAML-defined engagement sequences that chain multiple plugins into a complete attack path. Instead of running isolated scans, you define the full progression from reconnaissance through objective completion.

What Kill Chains Do

A kill chain connects plugins in a logical sequence where each stage feeds the next:

Recon → Credential Access → Lateral Movement → Privilege Escalation → Objective

Each stage runs its plugins, grades the results, and passes discoveries downstream. If recon finds an SMB share, the credential plugin attacks it. If credentials are found, the lateral movement plugin uses them to pivot. You define the stages; BlackRainbow handles the data flow.

Defining a Kill Chain

Kill chains are defined in your engagement config under the kill_chain key:

kill_chain:
  name: full-assessment
  stages:
    - name: recon
      plugins:
        - recon
        - dns-enum
      gate: any_pass

    - name: credential-access
      plugins:
        - credential-access
        - kerberoast
      gate: any_pass
      depends_on: recon

    - name: lateral-movement
      plugins:
        - lateral
      depends_on: credential-access

    - name: privesc
      plugins:
        - privesc
      depends_on: lateral-movement

Stage Fields

| Field | Type | Description |
|---|---|---|
| name | string | Stage identifier |
| plugins | list | Plugins to run in this stage |
| gate | string | When to proceed: any_pass, all_pass, always |
| depends_on | string | Previous stage that must complete first |

Gate Logic

| Gate | Behavior |
|---|---|
| any_pass | Proceed if at least one plugin passes |
| all_pass | Proceed only if every plugin passes |
| always | Always proceed regardless of results |

Starting From Any Stage

You do not have to start from the beginning. If you already have credentials, skip recon:

br run --start-stage credential-access

BlackRainbow will skip upstream stages and begin execution at the stage you specify. Provide any required context (discovered services, credentials) in the config:

context:
  discovered_services:
    445/tcp:
      port: 445
      service: microsoft-ds
      product: Samba
  credentials:
    - username: svc-backup
      password: Winter2024!
      source: manual

Upstream and Downstream Execution

Kill chains support two execution directions:

Downstream (default). Start from the first stage (or --start-stage) and work forward. Each stage feeds the next.

Upstream. Start from a late stage and work backward to gather prerequisites. If you specify --start-stage privesc, BlackRainbow will identify what privesc needs (lateral movement), what lateral movement needs (credentials), and so on, executing stages in dependency order.

# Downstream: recon → creds → lateral → privesc
br run --kill-chain full-assessment

# Start mid-chain: creds → lateral → privesc
br run --kill-chain full-assessment --start-stage credential-access

# Upstream: determine what privesc needs, execute from there
br run --kill-chain full-assessment --start-stage privesc --resolve-deps
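
The stage fields, gate table and depends_on resolution described above can be checked before an engagement config is used. The following Python sketch is an added example, not BlackRainbow's own code: the function names are hypothetical, and the full-assessment chain from this page is embedded as a dict so it runs without a YAML parser.

```python
# Added illustration; not BlackRainbow source. All function names are hypothetical.
# Gate names come from the Gate Logic table; each maps to its pass rule.
GATES = {"any_pass": any, "all_pass": all, "always": lambda results: True}

# Constructed sample: the full-assessment chain from this page as a Python dict.
CHAIN = {
    "name": "full-assessment",
    "stages": [
        {"name": "recon", "plugins": ["recon", "dns-enum"], "gate": "any_pass"},
        {"name": "credential-access", "plugins": ["credential-access", "kerberoast"],
         "gate": "any_pass", "depends_on": "recon"},
        {"name": "lateral-movement", "plugins": ["lateral"],
         "depends_on": "credential-access"},
        {"name": "privesc", "plugins": ["privesc"], "depends_on": "lateral-movement"},
    ],
}

def lint_chain(chain):
    """Return a list of problems: duplicate names, empty stages, bad gates, dangling deps."""
    names = [s["name"] for s in chain["stages"]]
    problems = [f"duplicate stage name: {n}" for n in sorted(set(names)) if names.count(n) > 1]
    for s in chain["stages"]:
        if not s.get("plugins"):
            problems.append(f"{s['name']}: no plugins")
        if "gate" in s and s["gate"] not in GATES:
            problems.append(f"{s['name']}: unknown gate {s['gate']!r}")
        dep = s.get("depends_on")
        if dep is not None and dep not in names:
            problems.append(f"{s['name']}: depends_on unknown stage {dep!r}")
    return problems

def resolve_order(chain, start_stage):
    """Walk depends_on back from start_stage and return stages in dependency order."""
    by_name = {s["name"]: s for s in chain["stages"]}
    order, current = [], start_stage
    while current is not None:
        if current not in by_name:
            raise ValueError(f"unknown stage {current!r}")
        if current in order:
            raise ValueError(f"dependency cycle at {current!r}")
        order.append(current)
        current = by_name[current].get("depends_on")
    return order[::-1]

def gate_proceeds(gate, plugin_passed):
    """Apply the gate table to per-plugin pass/fail booleans (KeyError on unknown gate)."""
    return GATES[gate](plugin_passed)
```

Running lint_chain on a config before review catches a misspelled gate or a depends_on that points at a stage that does not exist, and resolve_order shows which upstream stages a given start stage would pull in.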

Example Output

BlackRainbow
Kill Chain: full-assessment (4 stages)
Target: target-env (network-service)

Stage 1/4: recon
Plugin: recon
Generated 3 sequences
PASS score=1.00: 6 services discovered
Plugin: dns-enum
Generated 2 sequences
PASS score=0.75: 3 DNS records found
Gate: any_pass → PROCEED

Stage 2/4: credential-access
Plugin: credential-access
Generated 4 sequences (targeting 6 discovered services)
PASS score=0.80: 2 credential sets recovered
Plugin: kerberoast
Generated 1 sequence
PASS score=1.00: 3 service tickets extracted
Gate: any_pass → PROCEED

Stage 3/4: lateral-movement
Plugin: lateral
Generated 2 sequences (using recovered credentials)
PASS score=1.00: Pivoted to 2 additional hosts
Gate: any_pass → PROCEED

Stage 4/4: privesc
Plugin: privesc
Generated 3 sequences
PASS score=1.00: Elevated to administrative access

Kill chain complete.
Stages: 4/4 passed
Findings: 12
ATT&CK techniques: 8

Kill Chain vs. Plugin List

You can run plugins without a kill chain:

plugins:
  - recon
  - credential-access

This runs plugins sequentially, sharing context. Kill chains add:

  • Gates that control whether the engagement continues
  • Stage names for clearer reporting
  • Dependency tracking for upstream execution
  • Start-from-anywhere capability

For simple assessments, a plugin list is fine. For multi-stage engagements, kill chains give you structure.

Next Steps