Install pattern

Intent

This pattern creates one or more origin objects, then links them to other existing items.

Motivation

Creating an object and then linking it into its surrounding context recurs throughout attack models, and the result is often an elaborate structure. Every such operation reduces to one application of Add followed by one or more applications of Link.

Possible use cases

Use Install when:

  • Adding a simple object followed by at least one new link.
  • Creating a configuration object and linking it to one or more objects.
  • Creating and immediately assigning authentication objects, such as a key.
  • Setting up execution objects on a system, i.e., installing them.
  • Creating and attaching execution objects to another object.
  • Creating an executor and linking it to its executees.
  • Creating an executee, then linking it to an executor.
  • Copying an object with more elaborate relationships.
  • Inserting container objects into more elaborate structures.
  • Attaching an object in a more elaborate manner, such as when creating and attaching cryptographic signature objects.

Code example

asset Host {
 | generateKey >                         // Add a Key to the host, then Link it to the host's identities
    A> self / keys
    A> identities / ~keys.owners

 | scheduleMalware >                     // Add Malware to the host, then Link it under the Scheduler
    A> self / applications[Malware]
    A> applications[Malware] / applications[Scheduler].parent
}

asset Key {}
asset Identity {}
asset Application {[...]}
asset Malware extends Application {[...]}
asset Scheduler extends Application {[...]}

associations {
  Host [host] * <-- Storage --> * [keys] Key
  Host [host] 1 <-- Accounts --> * [identities] Identity
  Identity [owners] * <-- Identify --> * [keys] Key
  Host [host] 1 <-- Execution --> * [applications] Application
  Application [parent] 1 <-- Process --> * [child] Application
}
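
To make the Add-then-Link decomposition concrete, the following Python model is an added example; it is not the book's notation or any MAL tooling. It mirrors the Host/Key/Identity/Application assets and the associations block above, and enforces the declared multiplicities (1 versus *) on every Link, so a mis-modelled install is rejected rather than silently producing an invalid structure. The function names (`add`, `link`, `generate_key`, `schedule_malware`) and the object names in `demo` are assumptions made for the example.

```python
"""Toy executable model of the Install pattern: Add, then one or more Links.
Added example, not the book's own code; asset and association names follow the
page, function and object names are assumptions for illustration."""

# Asset inheritance, mirroring `asset Malware extends Application` etc.
PARENTS = {"Malware": "Application", "Scheduler": "Application"}

# The page's associations block, one tuple per line:
# (left asset, left field, left multiplicity, right asset, right field, right multiplicity)
ASSOCIATIONS = [
    ("Host", "host", "*", "Key", "keys", "*"),                     # Storage
    ("Host", "host", "1", "Identity", "identities", "*"),          # Accounts
    ("Identity", "owners", "*", "Key", "keys", "*"),               # Identify
    ("Host", "host", "1", "Application", "applications", "*"),     # Execution
    ("Application", "parent", "1", "Application", "child", "*"),   # Process
]

# (owner asset, field) -> (target asset, max objects or None for '*', inverse field)
FIELDS = {}
for left, lfield, lmult, right, rfield, rmult in ASSOCIATIONS:
    FIELDS[(left, rfield)] = (right, None if rmult == "*" else int(rmult), lfield)
    FIELDS[(right, lfield)] = (left, None if lmult == "*" else int(lmult), rfield)

def is_a(asset_type, wanted):
    """True if asset_type is `wanted` or extends it."""
    while asset_type is not None:
        if asset_type == wanted:
            return True
        asset_type = PARENTS.get(asset_type)
    return False

def resolve(asset_type, field):
    """Look up a field on an asset, walking up the extends chain."""
    t = asset_type
    while t is not None:
        if (t, field) in FIELDS:
            return FIELDS[(t, field)]
        t = PARENTS.get(t)
    raise KeyError(f"{asset_type} has no field {field}")

class Obj:
    """One model object: an asset instance plus its association ends."""
    def __init__(self, asset_type, name):
        self.type = asset_type
        self.name = name
        self.links = {}  # field name -> list of linked Obj

    def get(self, field):
        return self.links.get(field, [])

def link(a, field, b):
    """Link: attach b to a.field and a to the inverse end, enforcing both multiplicities."""
    target, maximum, inverse = resolve(a.type, field)
    if not is_a(b.type, target):
        raise TypeError(f"{a.name}.{field} takes {target}, not {b.type}")
    _, inv_max, _ = resolve(b.type, inverse)
    forward = a.links.setdefault(field, [])
    backward = b.links.setdefault(inverse, [])
    if b in forward:
        return
    if maximum is not None and len(forward) >= maximum:
        raise ValueError(f"{a.name}.{field} already holds {maximum} object(s)")
    if inv_max is not None and len(backward) >= inv_max:
        raise ValueError(f"{b.name}.{inverse} already holds {inv_max} object(s)")
    forward.append(b)
    backward.append(a)

def add(owner, field, asset_type, name):
    """Add: create a fresh object and link it into owner.field (the pattern's first step)."""
    obj = Obj(asset_type, name)
    link(owner, field, obj)
    return obj

def generate_key(host, name):
    """Install: Add a Key under host.keys, then Link every identity on the host as an owner."""
    key = add(host, "keys", "Key", name)
    for identity in host.get("identities"):
        link(identity, "keys", key)          # inverse end is Key.owners
    return key

def schedule_malware(host, name):
    """Install: Add Malware under host.applications, then Link its parent to the Scheduler."""
    malware = add(host, "applications", "Malware", name)
    for app in host.get("applications"):
        if is_a(app.type, "Scheduler"):
            link(malware, "parent", app)     # parent has multiplicity 1; a second Scheduler raises
    return malware

def demo():
    """Constructed model: one host, two identities, one scheduler; then the two installs."""
    host = Obj("Host", "ws01")
    add(host, "identities", "Identity", "alice")
    add(host, "identities", "Identity", "bob")
    cron = add(host, "applications", "Scheduler", "cron")
    key = generate_key(host, "id_ed25519")
    dropper = schedule_malware(host, "dropper")
    return {
        "key_owners": sorted(o.name for o in key.get("owners")),
        "malware_parent": [p.name for p in dropper.get("parent")],
        "scheduler_children": [c.name for c in cron.get("child")],
        "host_applications": len(host.get("applications")),
    }

def second_host_rejected():
    """Identity.host has multiplicity 1, so linking an identity to a second Host must fail."""
    h1, h2 = Obj("Host", "h1"), Obj("Host", "h2")
    svc = add(h1, "identities", "Identity", "svc")
    try:
        link(h2, "identities", svc)
    except ValueError:
        return True
    return False
```

Each install step is one `add` followed by `link` calls, exactly the decomposition the pattern describes; the multiplicity checks in `link` are what stop, for instance, a piece of malware from being given two parents or an identity from being attached to two hosts, which the associations block forbids.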

Possible synonyms

•add •backdoor •bring •clone •copy •create •deploy •download •duplicate •forge •generate •implant •implement •infect •inject •insert •intercept •introduce •load •make •obtain •place •plant •poison •propagate •provision •push •run •schedule •setup •sign [crypto] •spawn •start •update •upgrade

Occurrences

ATT&CK

•Access token manipulation •Account manipulation •Acquire access •Acquire infrastructure •Adversary-in-the-middle •Automated collection •Browser extensions •Browser session hijacking •Boot or logon autostart execution •Build image on host •Create account •Create or modify system process •Compromise client software binary •Data destruction •Data manipulation •Data staged •Deploy container •Develop capabilities •Direct volume access •Domain policy modification •Email collection •Escape to host •Event triggered execution •Execution guardrails •Exploitation for credential access •Exploitation for privilege escalation •Forge web credentials •Hide artifacts •Hijack execution flow •Impair defense •Implant internal image •Input capture •Install root certificate •Inter-process communications •Modify authentication process •Modify cloud compute infrastructure •Modify system image •Network boundary bridging •Native API •Office application startup •OS credential dumping •Pre-OS boot •Proxy •Remote access software •Replication through removable media •Rogue domain controller •Scheduled task/job •Scheduled transfer •Server software component •Serverless execution •Steal or forge authentication certificates •Steal or forge Kerberos tickets •Subvert trust controls •Supply chain compromise •System binary proxy execution •System services •Unused/unsupported cloud regions •Use alternate authentication material •Valid account