Assemble

Assemble pattern

Intent

This pattern creates one or more origin objects, then creates one or more layers of related objects starting from the origin objects.

Motivation

Adversaries repeatedly create more elaborate structures in stages, and these cannot be conveniently expressed through single graph operations. Moreover, many elaborate structures start from a single new object and then add more from there. Such actions reduce to multiple applications of Add.

Realistically, elaborate structures may require multiple applications of Assemble in combination with other patterns, such as Install.

Possible use cases

Use Assemble when:

  • Creating more elaborate object structures in multiple stages.
  • Creating an object and at least one immediately related sub-object.
  • Creating a hierarchy of objects.
  • Creating and filling a container object.
  • Creating a configuration object and its related sub-objects, such as a setting and a nominal value.
  • Creating an authentication object and its related sub-objects, such as an account and a key.
  • Creating an execution object packed with additional objects, such as further execution objects.
  • Deploying executors and executees, such as a container (executor) and its applications (executees).

Code example

asset Host {
 | createDirectories >
    A> self / dirs
    A> dirs / files

 | startContainer >
    A> self / applications[Container]
    A> applications[Container] / applications
}

asset File {}
asset Directory {}
asset Application {[...]}
asset Container extends Application {[...]}

associations {
  Host [host] * <-- Storage --> * [dirs] Directory
  Directory [dir] 1 <-- Contains --> * [files] File
  Host [host] 1 <-- Execution --> * [applications] Application
  Container [executor] 1 <-- Container --> * [executee] Application
}
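
The reduction of Assemble to repeated Add, sketched in Python over the Host/Directory/File/Container model above. This is an added example, not part of the pattern catalogue: the Graph class, the assemble and build_demo functions and the generated object ids are hypothetical, and the second container stage is assumed to use the executee role from the Container association.

```python
from collections import defaultdict
from itertools import count

class Graph:
    """Instance graph: typed objects plus role-labelled links (hypothetical helper)."""
    def __init__(self):
        self.types = {}                    # object id -> asset type
        self.links = defaultdict(set)      # (parent id, role) -> child ids
        self._ids = count(1)

    def add(self, parent, role, asset_type):
        """Add: create one new object and link it to an existing parent."""
        if parent not in self.types:
            raise KeyError(f"Add needs an existing parent, got {parent!r}")
        obj = f"{asset_type.lower()}{next(self._ids)}"
        self.types[obj] = asset_type
        self.links[(parent, role)].add(obj)
        return obj

def assemble(graph, origin, stages):
    """Assemble: one layer per stage, each layer built by repeated Add.

    stages is a list of (role, asset_type, fan_out) tuples. The objects
    created by one stage become the parents for the next stage.
    """
    frontier, layers = [origin], []
    for role, asset_type, fan_out in stages:
        frontier = [graph.add(parent, role, asset_type)
                    for parent in frontier for _ in range(fan_out)]
        layers.append(frontier)
    return layers

def build_demo():
    """Replay createDirectories and startContainer on a constructed host."""
    g = Graph()
    g.types["host"] = "Host"               # existing object the steps act on
    dirs, files = assemble(g, "host", [("dirs", "Directory", 2),
                                       ("files", "File", 3)])
    containers, apps = assemble(g, "host", [("applications", "Container", 1),
                                            ("executee", "Application", 2)])
    return g, dirs, files, containers, apps

if __name__ == "__main__":
    g, dirs, files, containers, apps = build_demo()
    for (parent, role), children in sorted(g.links.items()):
        print(f"{parent} --{role}--> {sorted(children)}")
```

Because every new object is linked to exactly one parent at creation time, the "1" side of the Contains and Container associations holds by construction.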

Possible synonyms

  • add
  • build
  • craft
  • create
  • deploy
  • run
  • update
  • upgrade

Occurrences

ATT&CK

  • Abuse elevation control mechanisms
  • Account manipulation
  • Build image on host
  • Compromise infrastructure
  • Create account
  • Deploy container
  • Develop capabilities
  • Hide artifacts
  • Modify cloud compute infrastructure
  • Rogue domain controller
  • Scheduled task/job
  • Steal application access token