Unlink

Unlink pattern

Intent

This is the fundamental graph operation for removing a link (association) between two objects (assets).

Motivation

Some adversarial actions include the notion of severing relationships between existing objects, such as when clearing, deleting, destroying, excluding, redirecting, and removing objects. These actions reduce to removing links between two objects, while leaving the objects themselves intact.

Possible use cases

Use Unlink when:

  • Making objects unavailable for destructive effects while preserving the object in the model.
  • Detaching executable objects to shut them down or otherwise impair a system.
  • Detaching configuration objects to change behaviors or the flow of execution.
  • Detaching simple authentication objects to prevent or block access.
  • Detaching objects created during an attack to avoid leaving indicators of compromise.

Code example

asset Host {
  | disconnectHost >
    R> self / ~sendTo,
       self / ~receiveFrom,
       self / ~network

  | deleteFiles >
    A> self / ~files
}

asset Network {}
asset File {}

associations {
  Host [hosts] * <-- Placement --> 1 [network] Network
  Host [receiveFrom] * <-- Party --> * [sendTo] Host
  Host [host] * <-- Storage --> * [files] File
}
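
The effect of the two steps above on an instance model, as an added Python sketch (not part of the original page or of the modelling language's tooling). It assumes each step removes every link the host holds in the named roles; the `Asset` class, the helper names and the sample assets are constructed for illustration.

```python
from collections import defaultdict

# Role pairs taken from the page's associations block (Placement, Party, Storage).
OPPOSITE = {"hosts": "network", "network": "hosts",
            "receiveFrom": "sendTo", "sendTo": "receiveFrom",
            "host": "files", "files": "host"}

class Asset:  # hypothetical helper class, not the language's own runtime
    def __init__(self, kind, name):
        self.kind, self.name = kind, name
        self.links = defaultdict(set)   # role name -> linked Asset objects

def link(a, role, b):
    """Create one association instance, visible from both ends."""
    a.links[role].add(b)
    b.links[OPPOSITE[role]].add(a)

def unlink(a, *roles):
    """Remove every link `a` holds in the given roles; no asset is deleted."""
    removed = []
    for role in roles:
        for b in list(a.links[role]):
            a.links[role].discard(b)
            b.links[OPPOSITE[role]].discard(a)   # keep the far end consistent
            removed.append((a.name, role, b.name))
    return removed

def build_model():
    """Constructed sample model: two hosts on one network, one file on web01."""
    lan, cfg = Asset("Network", "lan"), Asset("File", "app.conf")
    web, db = Asset("Host", "web01"), Asset("Host", "db01")
    for h in (web, db):
        link(h, "network", lan)
    link(web, "sendTo", db)      # web01 sends to db01
    link(db, "sendTo", web)      # db01 sends to web01
    link(web, "files", cfg)
    return {a.name: a for a in (lan, web, db, cfg)}

def disconnect_host(host):       # the three roles named in disconnectHost
    return unlink(host, "sendTo", "receiveFrom", "network")

def delete_files(host):          # the role named in deleteFiles
    return unlink(host, "files")

if __name__ == "__main__":
    m = build_model()
    print(disconnect_host(m["web01"]))
    print(delete_files(m["web01"]), sorted(m))   # all four assets remain
```

Every removal is applied at both ends of the association, so a later traversal from `db01` or `lan` no longer reaches `web01`, while the asset itself stays in the model.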

Possible synonyms

• clean • clear • delete • destroy • erase • exclude • hijack • kill • redirect • reformat • remove • shutdown • unhook • unregister • wipe

Occurrences

ATT&CK

• Account access removal • BITS jobs • Data destruction • Data manipulation • Disk wipe • File and directory permissions modification • Hijack execution flow • Impair defenses • Indicator removal • Inhibit system recovery • Modify authentication process • Modify cloud compute infrastructure • Native API • Obfuscated files or information • Resource hijacking • Service stop • System binary proxy execution