Link
Intent
This is the fundamental graph operation for creating a link (association) between two objects (vertices).
Motivation
Many adversarial actions include the notion of establishing new relationships between existing objects, such as when adding, attaching, assigning, binding, copying, giving, sending, and transferring objects.
This pattern is a special case among the atomic patterns since it is an operation on a pair of nodes rather than on a single node; drawing the new edge between two nodes that are already connected through a third resembles closing a triangle.
Possible use cases
- Setting up a communication channel between two objects, such as a computer network connection.
- Connecting a device to an existing object.
- Setting up a malicious covert channel between two objects, such as a backdoor.
- Placing benign or executable objects in some location.
- Placing inert objects, such as when storing data objects.
- Designating an executable object for another entity.
- Designating a target object for a configuration object, indirectly changing some execution flow or logic.
- Declaring or granting ownership or rights for certain objects, such as authentication or data objects.
- Assigning authentication objects to a principal, such as assigning a policy to an identity.
- Attaching an object to another as a foothold, especially when expressing infections.
- Attaching a malicious executable object to another object, a form of viral infection.
- Copying some object from one location to another by expressing its presence in multiple locations.
- Stealing or exfiltrating objects without removing the original object.
- Creating an additional relationship to the same object, such as data having primary storage and backup storage relationships.
- Attaching otherwise meaningful objects, such as signatures.
Code example
asset Host {
| connectToHost
A> self / ~network.hosts.receiveFrom
| copyFiles
A> files / ~network.hosts.host
}
asset Malware {
| activate
-> infectHosts, host.connectToHost, host.copyFiles
| infectHosts
A> self / ~host.network.hosts.malware
}
asset Network {}
asset File {}
associations {
Host [hosts] * <-- Placement --> 1 [network] Network
Host [receiveFrom] * <-- Party --> * [sendTo] Host
Host [host] * <-- Storage --> * [files] File
Host [host] 1 <-- Infection --> * [malware] Malware
}
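The following Python model is an added illustration of the code example above; it is not MAL and not code from the pattern catalogue. It reads each A> step as an edge insertion between two existing vertices and each ~path as navigation along association role fields, so the triangle closing described under Motivation becomes visible: worm is linked to hostA, hostA is linked to lan, lan is linked to hostB, and infectHosts closes the triangle by linking worm directly to hostB. The Model class, the decision to skip self-links in connectToHost, the evaluation of the malware's hosts before it spreads, the unenforced multiplicities and the sample instance (hostA, hostB, lan, payload.bin, worm) are all this example's own assumptions. Every link the attack creates is recorded as an event, which is the view a defender has of the spread (a new connection, a new file placement, a new infection).

```python
from collections import defaultdict

# Association definitions transcribed from the code example above:
# name -> (left asset, left role field, right asset, right role field).
# The role field written next to an asset is the name used to reach that
# asset from the other side (host.network, network.hosts).
ASSOCIATIONS = {
    "Placement": ("Host", "hosts", "Network", "network"),
    "Party":     ("Host", "receiveFrom", "Host", "sendTo"),
    "Storage":   ("Host", "host", "File", "files"),
    "Infection": ("Host", "host", "Malware", "malware"),
}


class Model:
    """Object graph: vertices are asset instances, edges are association
    instances. This class and its methods are this example's own, not a MAL API."""

    def __init__(self):
        self.kind = {}                  # object id -> asset type
        self.edges = defaultdict(set)   # (object id, role field) -> reachable ids
        self.events = []                # one (association, left, right) per link made

    def add(self, obj, kind):
        self.kind[obj] = kind
        return obj

    def link(self, assoc, left, right):
        """The Link operation: associate two existing objects. Returns True only
        when a new edge was created. Multiplicities (the 1 on Infection) are
        deliberately not enforced in this toy model."""
        left_kind, left_field, right_kind, right_field = ASSOCIATIONS[assoc]
        if self.kind[left] != left_kind or self.kind[right] != right_kind:
            raise TypeError(f"{assoc} cannot link {left} and {right}")
        if right in self.edges[(left, right_field)]:
            return False
        self.edges[(left, right_field)].add(right)   # left.<right_field> -> right
        self.edges[(right, left_field)].add(left)    # right.<left_field> -> left
        self.events.append((assoc, left, right))
        return True

    def follow(self, start, path):
        """Evaluate a dotted navigation path such as 'host.network.hosts'."""
        current = {start}
        for field in path.split("."):
            current = set().union(*(self.edges[(obj, field)] for obj in current))
        return current


# The attack steps of the code example, read as edge insertions (A>).

def connect_to_host(m, host):
    """Host.connectToHost: A> self / ~network.hosts.receiveFrom"""
    for peer in m.follow(host, "network.hosts"):
        if peer != host:                     # example's choice: no self-connection
            m.link("Party", host, peer)      # host sends to peer, peer receives from host

def copy_files(m, host):
    """Host.copyFiles: A> files / ~network.hosts.host"""
    for peer in m.follow(host, "network.hosts"):
        for f in m.follow(host, "files"):
            m.link("Storage", peer, f)       # the file is now also present on peer

def infect_hosts(m, malware):
    """Malware.infectHosts: A> self / ~host.network.hosts.malware"""
    for peer in m.follow(malware, "host.network.hosts"):
        m.link("Infection", peer, malware)

def activate(m, malware):
    """Malware.activate -> infectHosts, host.connectToHost, host.copyFiles"""
    origin_hosts = m.follow(malware, "host")  # example's choice: hosts before spreading
    infect_hosts(m, malware)
    for host in origin_hosts:
        connect_to_host(m, host)
        copy_files(m, host)
    return m.events


def build_sample():
    """Constructed sample instance: one network, two hosts, one file and one
    malware, initially present only on hostA."""
    m = Model()
    for name, kind in (("hostA", "Host"), ("hostB", "Host"), ("lan", "Network"),
                       ("payload.bin", "File"), ("worm", "Malware")):
        m.add(name, kind)
    m.link("Placement", "hostA", "lan")
    m.link("Placement", "hostB", "lan")
    m.link("Storage", "hostA", "payload.bin")
    m.link("Infection", "hostA", "worm")
    m.events.clear()                         # keep only the links the attack creates
    return m


if __name__ == "__main__":
    model = build_sample()
    for event in activate(model, "worm"):
        print("new link:", event)
```

Running the sample produces exactly three new links: the Infection edge from hostB to worm, the Party edge from hostA to hostB, and the Storage edge placing payload.bin on hostB. Because link refuses to create an edge that already exists, a second activation adds only the reverse Party edge from the newly infected hostB back to hostA; an object's presence in several locations (the copy use case above) is simply the same File vertex with two Storage edges.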
Possible synonyms
•acquire •add •apply •assign •associate •attach •backdoor •backup •bind •clone •collect •copy •create •delegate •deliver •distribute •download •duplicate •drop •enroll •establish •exfiltrate •export •forward •give •grant •hijack •hook •implant •import •include •inherit •infect •inject •insert •install •intercept •introduce •load •mirror •mount •obtain •pass •place •plant •point •poison •propagate •push •register •replicate •request •retrieve •set •share •sign •spawn •specify •spread •steal •store •subscribe •transfer •transmit •update •upload •write
Occurrences
ATT&CK
•Abuse elevation control mechanism •Account manipulation •Access token manipulation •Acquire access •Acquire infrastructure •Adversary-in-the-middle •Archive collected data •Automated collection •Automated exfiltration •BITS jobs •Browser extensions •Browser session hijacking •Boot or logon autostart execution •Boot or logon initialization script •Build image on host •Create account •Create or modify system process •Command and scripting interpreter •Compromise accounts •Compromise client software binary •Content injection •Data destruction •Data encrypted for impact •Data from information repository •Data from removable media •Data staged •Data transfer limits •Deploy container •Direct volume access •Disk wipe •Drive-by compromise •Domain policy modification •Dynamic resolution •Email collection •Escape to host •Event triggered execution •Execution guardrails •Exfiltration over alternative protocol •Exfiltration over C2 channel •Transfer data to cloud account •Exfiltration over other network medium •Exfiltration over physical medium •Exfiltration over web service •Exploitation for credential access •Exploitation for client execution •Exploitation for privilege escalation •Forced authentication •Forge web credentials •Hardware additions •Hide artifacts •Hijack execution flow •Impair defenses •Implant internal image •Ingress tool transfer •Input capture •Inter-process communication •Internal spearphishing •Lateral tool transfer •Log enumeration •Masquerading •Modify authentication process •Modify cloud compute infrastructure •Modify system image •Multi-stage channel •Network sniffing •Obfuscated files or information •OS credential dumping •Phishing •Plist file modification •Pre-OS boot •Process injection •Reflective code loading •Remote access software •Replication through removable media •Rogue domain controller •Scheduled task/job •Scheduled transfer •Serverless execution •Server software component •Stage capabilities •Steal application access token •Steal or forge authentication certificates •Steal or forge Kerberos tickets •Steal web session cookie •Subvert trust controls •Supply chain compromise •System binary proxy execution •Taint shared content •Template injection •Traffic signaling •Unsecured credentials •Use alternative authentication material •User execution •Video capture •Virtualization/sandbox evasion