Pack

Pack pattern

Intent

This pattern transfers one or more objects under a super-object to express a grouping or aggregate.

Motivation

Many actions group or collect objects inside other objects: compressing, compiling, embedding, obfuscating, encoding and encrypting, among others. All of them reduce to the same move, transferring multiple sub-objects under a single super-object.

Possible use cases

Use Pack when:

  • Collecting and handling an aggregate of objects.
  • Translating objects into another intermediate format.
  • Hiding objects inside other objects.
  • Collecting multiple objects as an archive.
  • Compressing multiple objects into a single object.
  • Encoding objects in a different form.
  • Encrypting objects.
  • Embedding some objects inside another object.
  • Hiding executable objects inside another executable parent.
  • Encapsulating some objects inside another object.

Code example

asset Host {
 | compress >
    A> self / files[Compressed]
    A> files[Compressed] / ~files.super

 | encrypt >
    A> keys / ciphertext
    A> keys.ciphertext / ~files.super
    R> keys.ciphertext / ~sub.host
}

asset File {}
asset Compressed extends File {}
asset EncryptionKey {}

associations {
  Host [host] 1 <-- Contains --> * [files] File
  File [super] 1 <-- Nesting --> * [sub] File
  Host [host] * <-- Carry --> * [keys] EncryptionKey
  EncryptionKey [key] 1 <-- Crypto --> * [ciphertext] File
}
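To make the pattern's effect on an attack graph concrete, here is a small reachability model written for this page as an added example; it is not the catalogue's own code and does not implement the DSL above. It assumes one reading of Pack: an attacker who reaches a super-object reaches every sub-object packed under it, provided the attacker also reaches whatever the packing requires (the key for a ciphertext, mirroring the `R>` line in the encrypt step). The object names (`archive.zip`, `archive.enc`, `keys.zip`, `key`) are constructed for the example.

```python
# Added example, not from the pattern catalogue: a minimal attack-graph model of
# the Pack pattern.  Assumed semantics: reaching a super-object transfers reach
# to the sub-objects packed under it, once every object the packing requires
# (e.g. the decryption key of a ciphertext) has also been reached.


class PackModel:
    """Objects, pack (nesting) edges and per-super-object requirements."""

    def __init__(self):
        self.subs = {}      # super-object -> set of packed sub-objects
        self.requires = {}  # super-object -> set of objects needed to unpack

    def pack(self, super_obj, sub_objs, requires=()):
        """Transfer sub_objs under super_obj, optionally gated on requires."""
        self.subs.setdefault(super_obj, set()).update(sub_objs)
        self.requires.setdefault(super_obj, set()).update(requires)

    def reach(self, start):
        """Fixed-point closure of everything reachable from the objects in start.

        A sub-object is added only once its super-object and all of that
        super-object's requirements are reached.  Because a requirement (a key)
        may itself be packed under some other reachable object, keep iterating
        until no new object appears.
        """
        reached = set(start)
        changed = True
        while changed:
            changed = False
            for sup, subs in self.subs.items():
                if sup in reached and self.requires.get(sup, set()) <= reached:
                    new = subs - reached
                    if new:
                        reached |= new
                        changed = True
        return reached


def example_model():
    """Constructed scenario: compress two files, encrypt the archive, carry the key."""
    m = PackModel()
    # compress: host files a.txt and b.txt become sub-objects of an archive
    m.pack("archive.zip", {"a.txt", "b.txt"})
    # encrypt: the archive becomes a sub-object of a ciphertext gated on a key
    m.pack("archive.enc", {"archive.zip"}, requires={"key"})
    # the key itself is packed under another archive the attacker might obtain
    m.pack("keys.zip", {"key"})
    return m


if __name__ == "__main__":
    m = example_model()
    print("ciphertext only:", sorted(m.reach({"archive.enc"})))
    print("ciphertext + key archive:", sorted(m.reach({"archive.enc", "keys.zip"})))
```

The second query is the one to note: the attacker never starts with the key, but reaching `keys.zip` unpacks it, which in turn unlocks `archive.enc`, `archive.zip` and the original files. Any single-pass traversal would miss that chain, which is why `reach` iterates to a fixed point.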

Possible synonyms

•add •attach •archive •create •collect •compile •compress •conceal •embed •encapsulate •encode •encrypt •hide •inject •mine •obfuscate •overwrite •package •poison •smuggle

Occurrences

ATT&CK

•Archive collected data •Automated collection •Clipboard data •Command and scripting interpreter •Data destruction •Data encoding •Data encrypted for impact •Data from cloud storage •Data from configuration repository •Data from information repository •Data from local system •Data from network shared drive •Data from removable drive •Data staged •Data obfuscation •Disk wipe •Email collection •Encrypted channel •Execution guardrails •Exfiltration over alternative protocol •Exfiltration over web service •Firmware corruption •Hide artifacts •Hijack execution flow •Inter-process communications •Modify authentication process •Multi-stage channel •Obfuscated files or information •Phishing •Phishing for information •Protocol tunneling •Steal or forge authentication certificates •Subvert trust controls •System binary proxy execution •Template injection •XSL script processing