Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Insert

Intent

This pattern insert an object into a sequence of objects.

Motivation

There were some occurrences of actions based on inserting objects into some ordered sequence to achieve some effect. This was mostly the case when describing actions against lower-level systems. These types of insertions reduce to a special case of Transfer, effectively a linked list insertion.

Albeit a variant of Transfer, this particular use case may warrant a special mention.

Possible use cases

Use Insert when:

  • Appending or prepending objects to a sequence.
  • Inserting container objects into a sequence.
  • Inserting execution objects into a sequence of execution objects.
  • Poisoning a sequence by inserting malicious objects.

Code example

asset Host {
 | scheduleMalware >
    A> applications[Malware] /
    ~applications[Scheduler].tasks.next*previous
    ^ ~applications[Scheduler].tasks.next*next
    R> ~applications[Scheduler].tasks.next*next

asset Application {[...]}
asset Malware extends Application {[...]}
asset Scheduler extends Application {[...]}

associations {
  Host [host] 1 <-- Execution --> * [applications] Application
  Scheduler [scheduler] 1 <-- Schedule --> * [tasks] Application
  Application [previous] 1 <-- Order --> * [next] Application
}

Possible synonyms

•add •attach •hijack •include •infect •insert •place

Occurrences

ATT&CK

•Boot or logon initialization scripts •Data obfuscation •Event triggered execution •Hijack execution flow •Process injection •Taint shared content