Remove
Intent
This is the fundamental graph operation that removes objects (vertices) together with their associations (edges) within some context.
Motivation
Some adversarial actions involve deletion or destruction: clearing, deleting, destroying, killing, or stopping certain objects and entities. Such actions are particularly common when an adversary obstructs defenders or causes destructive effects. This pattern is especially relevant for manipulating simple objects.
Possible use cases
Use Remove when deleting:
- Container objects, such as data or information, for destructive effects.
- Container objects to hide them or otherwise prevent them from reaching another entity.
- Simple execution objects, such as an application, service, or script, to impair a system.
- Simple configuration objects to impair or circumvent security mechanisms.
- Simple authentication objects, such as accounts and access keys, to obstruct or for destructive effects.
- Adversary-made simple objects to remove indicators of compromise.
- Simple objects to deceive or otherwise trigger a response from another entity or agent.
- Malicious objects in a self-destructive manner, as a form of disengagement or to remove indicators of compromise.
- Processes, applications, services, and possibly entire systems.
Code example
asset Malware {
  | stopApplications >
    R> host / applications
  | deleteFiles >
    R> host / files
  | disengage >
    A> self / self
}
asset Host {[...]}
asset Application {[...]}
asset File {}
associations {
  Host [host] 1 <-- Execution --> * [applications] Application
  Host [host] * <-- Storage --> * [files] File
  Host [host] 1 <-- Infection --> * [malware] Malware
}
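As an added illustration, not part of this page's model or its notation: a small Python graph that instantiates the Malware, Host, Application and File model above and applies the three attack steps as Remove operations. The Graph class, its role-based association scheme and the sample object names (host1, mal1, sshd, nginx, /etc/passwd, /var/log/auth.log) are assumptions of this example. The two R> steps are mapped to remove_related, which deletes every object reached from a vertex under a role together with all of its associations; the self-removing disengage step is mapped to remove on the malware vertex itself, which must also work when the malware has already been removed.

```python
from collections import defaultdict


class Graph:
    """Typed vertices plus named, bidirectional associations (assumed representation)."""

    def __init__(self):
        self.vertex_type = {}            # vertex name -> asset type
        self.links = defaultdict(set)    # (vertex, role) -> vertices reachable under that role

    def add(self, name, asset_type):
        self.vertex_type[name] = asset_type
        return name

    def associate(self, a, role_of_b, b, role_of_a):
        """a reaches b under role_of_b; b reaches a under role_of_a (e.g. host.files / file.host)."""
        self.links[(a, role_of_b)].add(b)
        self.links[(b, role_of_a)].add(a)

    def related(self, vertex, role):
        """Copy of the objects reached from vertex under role, so callers may mutate while iterating."""
        return set(self.links.get((vertex, role), ()))

    def remove(self, vertex):
        """Remove a vertex and every association touching it; returns the number of link entries dropped."""
        if vertex not in self.vertex_type:
            return 0                      # already gone: removal is idempotent
        del self.vertex_type[vertex]
        dropped = 0
        for key in [k for k in self.links if k[0] == vertex]:
            dropped += len(self.links.pop(key))          # outgoing side of each association
        for targets in self.links.values():
            if vertex in targets:
                targets.discard(vertex)                   # incoming side held by the other vertex
                dropped += 1
        return dropped

    def remove_related(self, vertex, role):
        """The 'R> vertex / role' step: remove every object reached from vertex under role."""
        targets = self.related(vertex, role)
        for t in targets:
            self.remove(t)
        return targets


def _host_of(g, malware):
    hosts = g.related(malware, "host")
    return next(iter(hosts)) if hosts else None


def stop_applications(g, malware):
    """R> host / applications"""
    host = _host_of(g, malware)
    return g.remove_related(host, "applications") if host else set()


def delete_files(g, malware):
    """R> host / files"""
    host = _host_of(g, malware)
    return g.remove_related(host, "files") if host else set()


def disengage(g, malware):
    """A> self / self: the malware removes itself, taking the Infection association with it."""
    return g.remove(malware)


def build_model():
    """Constructed sample instance of the model: one host, two applications, two files, one malware."""
    g = Graph()
    h = g.add("host1", "Host")
    m = g.add("mal1", "Malware")
    g.associate(h, "malware", m, "host")                 # Infection
    for app in ("sshd", "nginx"):
        g.add(app, "Application")
        g.associate(h, "applications", app, "host")      # Execution
    for f in ("/etc/passwd", "/var/log/auth.log"):
        g.add(f, "File")
        g.associate(h, "files", f, "host")               # Storage
    return g


def run_remove_sequence():
    """Apply the three Remove steps in order; returns the final graph and what each step removed."""
    g = build_model()
    stopped = stop_applications(g, "mal1")
    deleted = delete_files(g, "mal1")
    disengage(g, "mal1")
    return g, stopped, deleted


if __name__ == "__main__":
    graph, stopped, deleted = run_remove_sequence()
    print("stopped:", sorted(stopped), "deleted:", sorted(deleted))
    print("remaining vertices:", graph.vertex_type)
```

After the sequence only host1 remains, with no applications, files or malware associated; a second disengage on the same malware is a no-op, which is the behaviour a model needs so that self-removal cannot be applied twice.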
Possible synonyms
•clean •clear •delete •disengage •kill •remove •shutdown •stop
Occurrences
ATT&CK
•Account access removal •BITS jobs •Data destruction •Data manipulation •Disk wipe •Debugger evasion •Hide artifacts •Impair defenses •Indicator removal •Inhibit system recovery •Input capture •Modify cloud compute infrastructure •Obfuscated files or information •Phishing for information •Power settings •Resource hijacking •Scheduled task/job •Service stop •System binary proxy execution •Virtualization/sandbox evasion