Deliver
Intent
Create an object, then transfer it elsewhere.
Motivation
There were several occurrences where the adversary prepared objects in one location and sent them later. This maps to actions centered on sending, delivering, distributing, and placing objects. Such actions reduce to creating an object and then applying Transfer, either immediately or at a later point in time.
Deliver can be approximated with other patterns that mimic transfers. The key, however, is both creating and then transferring objects, the latter after a possible delay. Certain systems and tactics specifically rely on setting up objects first and transferring them at a later point in time.
Possible use cases
Use Deliver when:
- Preparing objects to be transferred in another time step.
- Approximating message delivery, such as e-mail services.
- Mimicking delivery setups, where an object is created in one location and fetched from another.
- Mimicking trap setups, where one agent places a malicious object and another transfers it to their system.
- Mimicking delegation, where a privileged system is responsible for generating and granting authentication objects, such as tokens and tickets.
Code example
asset Host {
    // Create a file locally, transfer it to each sendTo peer, then drop the local copy
    | sendFile >
        A> self / files
        A> files / ~sendTo.files
        R self / ~files
    // On a malicious host: stage a Malware application for later delivery
    | prepareMalware >
        A> self / applications[Malware]
    // On a target host: fetch applications hosted by other hosts on the same network
    | downloadApplication >
        A> self / ~network.hosts.applications.hosts
}
asset Network {}
asset File {}
asset Application {[...]}
asset Malware extends Application {[...]}

associations {
    Host [hosts]       * <-- Placement --> 1 [network]      Network
    Host [receiveFrom] * <-- Party     --> * [sendTo]       Host
    Host [host]        * <-- Storage   --> * [files]        File
    Host [host]        1 <-- Execution --> * [applications] Application
}
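The following is an added illustration, not part of the pattern catalog or of the modelling language above: a small Python model of the three steps in the code example (sendFile, prepareMalware, downloadApplication) on the same four associations (Placement, Party, Storage, Execution). The host names, object names and the step-based delay are constructed for the example. It makes the defining property of Deliver visible: every delivered object is first created somewhere else, and the gap between creation and transfer is the staging window a defender can observe.

```python
"""Toy model of the Deliver pattern: create an object in one location,
then transfer it elsewhere, possibly after a delay (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(eq=False)
class Network:
    name: str
    hosts: List["Host"] = field(default_factory=list)


@dataclass(eq=False)
class Host:
    name: str
    files: Set[str] = field(default_factory=set)           # Storage association
    applications: Set[str] = field(default_factory=set)    # Execution association
    send_to: Set["Host"] = field(default_factory=set)      # Party association
    network: Optional[Network] = None                      # Placement association


# (step, action, source host, destination host, object)
Event = Tuple[int, str, str, str, str]


class Simulation:
    def __init__(self) -> None:
        self.step = 0
        self.pending: List[Tuple[int, Callable[[], None]]] = []
        self.log: List[Event] = []

    def schedule(self, delay: int, action: Callable[[], None]) -> None:
        """Run the action now (delay 0) or once `delay` steps have passed."""
        if delay <= 0:
            action()
        else:
            self.pending.append((self.step + delay, action))

    def tick(self, n: int = 1) -> None:
        for _ in range(n):
            self.step += 1
            due = [a for d, a in self.pending if d <= self.step]
            self.pending = [(d, a) for d, a in self.pending if d > self.step]
            for action in due:
                action()

    def send_file(self, host: Host, name: str, delay: int = 0) -> None:
        """sendFile: create the file locally, later transfer it and drop the local copy."""
        host.files.add(name)
        self.log.append((self.step, "create", host.name, host.name, name))

        def transfer() -> None:
            for peer in host.send_to:
                peer.files.add(name)
                self.log.append((self.step, "transfer", host.name, peer.name, name))
            host.files.discard(name)

        self.schedule(delay, transfer)

    def prepare_malware(self, host: Host, name: str) -> None:
        """prepareMalware: stage a Malware application on the malicious host."""
        obj = f"Malware:{name}"
        host.applications.add(obj)
        self.log.append((self.step, "create", host.name, host.name, obj))

    def download_application(self, host: Host) -> None:
        """downloadApplication: fetch applications hosted elsewhere on the same network."""
        if host.network is None:
            return
        for peer in host.network.hosts:
            if peer is host:
                continue
            for app in peer.applications:
                host.applications.add(app)
                self.log.append((self.step, "transfer", peer.name, host.name, app))


def creation_to_transfer_gap(log: List[Event]) -> Dict[str, int]:
    """Steps between an object's creation and its first transfer: the staging window."""
    created: Dict[str, int] = {}
    gaps: Dict[str, int] = {}
    for step, action, _src, _dst, obj in log:
        if action == "create":
            created.setdefault(obj, step)
        elif action == "transfer" and obj in created and obj not in gaps:
            gaps[obj] = step - created[obj]
    return gaps


def scenario(delay: int = 2):
    """Constructed two-host scenario: attacker stages, victim receives after `delay` steps."""
    net = Network("lan")
    attacker = Host("attacker", network=net)
    victim = Host("victim", network=net)
    net.hosts += [attacker, victim]
    attacker.send_to.add(victim)           # Party: attacker -> victim
    sim = Simulation()
    sim.send_file(attacker, "payload.bin", delay=delay)
    sim.prepare_malware(attacker, "dropper")
    sim.tick(delay)                        # the file transfer fires only now
    sim.download_application(victim)       # trap setup: the victim fetches the app
    return sim.log, attacker, victim


if __name__ == "__main__":
    log, _, _ = scenario()
    for event in log:
        print(event)
    print(creation_to_transfer_gap(log))
```

The log records both halves of every Deliver occurrence, so the create-then-transfer ordering, and not just the transfer, is what the pattern leaves behind.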
Possible synonyms
•create •send •distribute •download •generate •infect •obtain •place •poison •propagate •provide •push •request •spread •steal •transfer •upload
Occurrences
ATT&CK
•Account manipulation •Acquire infrastructure •Adversary-in-the-middle •Browser extensions •Domain policy modification •Endpoint denial of service •Event triggered execution •Forge web credentials •Ingress tool transfer •Internal spearphishing •Multi-factor authentication request generation •Network denial of service •Obfuscated files or information •Phishing •Phishing for information •Stage capabilities •Steal application access token •Steal or forge Kerberos tickets •Subvert trust controls •Taint shared content •Transfer data to cloud account •Use alternate authentication material