
Add

The add pattern

Intent

This is the fundamental graph operation for creating an object (vertex) dynamically within some context, that is, attached to an existing object through an association.

Motivation

Many adversarial actions involve adding an object: creating, uploading or downloading, infecting, and so on. Each of them reduces, as a direct consequence, to adding a new object to an existing model. This pattern is specifically about simple objects.

Possible use cases

Use Add when creating:

  • Container objects, such as data or information objects.
  • An object that represents a new device.
  • Simple execution objects, such as applications, services, or scripts.
  • Simple configuration objects.
  • Simple principals, such as accounts and identities.
  • Simple authentication objects, such as keys and credentials.
  • Data transfers by adding an object to the receiver directly.
  • Simple malicious execution objects, such as an initial infection or malicious payload upload.
  • Malicious execution objects to be activated later.
  • Malicious executable logic that compromises the target, such as a backdoor.
  • Simple execution objects that represent artifact creation, such as the development of a custom application, exploit, or other script.
  • Manipulative container objects, such as forged or otherwise deceptive documents.
  • Certain simplified cryptographic objects, such as detachable signatures.

Code example

asset Host {
  | startApplication >
    A> self / applications

  | addFile >
    A> self / files

  | infectHost >
    A> self / malware
}

asset Application {[...]}
asset File {}
asset Malware {[...]}

associations {
  Host [host] 1 <-- Execution --> * [applications] Application
  Host [host] * <-- Storage --> * [files] File
  Host [host] 1 <-- Infection --> * [malware] Malware
}
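To make the operation concrete, here is an added illustration in Python; it is not code from the pattern catalogue or from the modeling language above. It treats the model as a small typed graph: `add` creates a vertex of the requested asset inside a context vertex and links the two through a named association, which is how `A> self / applications` is read here. The asset and association names come from the Host example; the way multiplicities are enforced (a `1` on the host side means the new object may belong to exactly one host) is an assumption made for the example, not something the page specifies.

```python
# Added illustration, not code from the pattern catalogue: a minimal graph
# model in which Add creates a new vertex inside a context vertex and
# connects the two through a typed association. Asset and association
# names follow the Host example; multiplicity enforcement is assumed here.
from dataclasses import dataclass, field
from itertools import count

_ids = count(1)


@dataclass(eq=False)  # identity semantics: links form cycles
class Vertex:
    asset: str
    id: int = field(default_factory=lambda: next(_ids))
    links: dict = field(default_factory=dict, repr=False)  # field -> [Vertex]


@dataclass(frozen=True)
class Association:
    name: str
    left_asset: str
    left_field: str
    left_mult: str   # "1" or "*": how many left vertices a right vertex may have
    right_asset: str
    right_field: str
    right_mult: str  # "1" or "*": how many right vertices a left vertex may have


# The associations block of the example, encoded as data.
ASSOCIATIONS = {a.name: a for a in (
    Association("Execution", "Host", "host", "1", "Application", "applications", "*"),
    Association("Storage",   "Host", "host", "*", "File",        "files",        "*"),
    Association("Infection", "Host", "host", "1", "Malware",     "malware",      "*"),
)}


class Model:
    def __init__(self):
        self.vertices = []

    def new(self, asset):
        v = Vertex(asset)
        self.vertices.append(v)
        return v

    def add(self, context, asset, association):
        """The Add pattern: create a vertex of `asset` within `context`
        and connect them through `association`."""
        return self.link(context, self.new(asset), association)

    def link(self, left, right, association):
        """Connect two existing vertices, enforcing the association's
        asset types and multiplicities. Returns `right` on success."""
        a = ASSOCIATIONS[association]
        if (left.asset, right.asset) != (a.left_asset, a.right_asset):
            raise TypeError(f"{association} does not connect {left.asset} to {right.asset}")
        lefts = right.links.get(a.left_field, [])
        rights = left.links.get(a.right_field, [])
        if any(v is right for v in rights):
            return right  # already linked; nothing to add
        if a.left_mult == "1" and lefts:
            raise ValueError(f"{right.asset}#{right.id} already has a {a.left_field}")
        if a.right_mult == "1" and rights:
            raise ValueError(f"{left.asset}#{left.id} already has a {a.right_field}")
        left.links.setdefault(a.right_field, []).append(right)
        right.links.setdefault(a.left_field, []).append(left)
        return right


def demo():
    """Replays the three steps of the example, then exercises the
    multiplicity checks: a File may be stored on a second host, Malware
    (1 <--> *) may not be attached to a second host."""
    m = Model()
    host = m.new("Host")
    m.add(host, "Application", "Execution")    # startApplication
    f = m.add(host, "File", "Storage")         # addFile
    mal = m.add(host, "Malware", "Infection")  # infectHost

    other = m.new("Host")
    m.link(other, f, "Storage")                # Storage is * <--> *: allowed
    try:
        m.link(other, mal, "Infection")        # Infection is 1 <--> *: rejected
        rejected = False
    except ValueError:
        rejected = True
    return m, host, other, rejected


if __name__ == "__main__":
    m, host, other, rejected = demo()
    print(len(m.vertices), "vertices; second infection rejected:", rejected)
```

The point of the multiplicity check is that Add is not merely "allocate a vertex": the association that places the object in its context is part of the operation, and the model's constraints decide whether the addition is legal at all.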

Possible synonyms

•build •construct •craft •create •connect •deliver •develop •distribute •download •drop •sign [crypto] •forge •generate •hijack •implant •implement •include •infect •insert •install •place •plant •propagate •provide •provision •push •reply •request •schedule •send •spawn •start •store •update •upgrade •upload •write

Occurrences

ATT&CK

•Abuse elevation control mechanism •Account manipulation •Acquire access •Adversary-in-the-middle •Boot or logon autostart execution •Boot or logon initialization scripts •Browser extensions •Browser session hijacking •Compromise client software binary •Compromise infrastructure •Content injection •Create account •Create or modify system process •Data from information repository •Data destruction •Data encrypted for impact •Data manipulation •Direct volume access •Disk wipe •Develop capabilities •Domain policy modification •Escape to host •Endpoint denial of service •Event triggered execution •Execution guardrails •Exploitation for credential access •Forced authentication •Forge web credentials •Hardware additions •Hide artifacts •Hijack execution flow •Impair defenses •Inter-process communications •Implant internal image •Modify authentication process •Native API •Modify system image •Multi-factor authentication request generation •Network boundary bridging •Obfuscate files or information •Office application startup •Phishing •Pre-OS boot •Process injection •Proxy •Replication through removable media •Scheduled task/job •Scheduled transfer •Serverless execution •Server software component •Steal application access token •Steal or forge authentication certificates •Steal or forge Kerberos tickets •Subvert trust controls •Supply chain compromise •System binary proxy execution •Taint shared content •System services •Use alternate authentication material •User execution •Valid account •Virtualization/sandbox evasion