Replace pattern

Intent

This pattern replaces an object with another without preserving the original.

Motivation

Adversaries occasionally replace or overwrite existing objects, both container objects and executable objects. The pattern reduces to removing the original object and then adding a new one in its stead, so the original is not preserved.

Possible use cases

Use Replace when:

  • Overwriting simple objects.
  • Replacing a benign execution object with a malicious counterpart.
  • Overwriting a simple object with a stronger or weaker version, such as when a weak policy is overwritten with a privileged one.
  • Updating configuration objects whose values are expressed as simple discrete objects.
  • One-way encrypting, or otherwise destroying, simple objects.

Code example

asset Host {
  | replaceFiles >
    R> self / files
    A> self / files

  | plantMalware >
    R> self / applications
    A> self / applications[Malware]
}

asset Application {[...]}
asset Malware extends Application {[...]}
asset File {}

associations {
  Host [host] 1 <-- Execution --> * [applications] Application
  Host [host] * <-- Storage --> * [files] File
}

Possible synonyms

  • copy
  • encrypt
  • distribute
  • inject
  • install
  • overwrite

Occurrences

ATT&CK

  • Boot or logon autostart execution
  • Compromise client software binary
  • Data destruction
  • Data encrypted for impact
  • Disk wipe
  • Event triggered execution
  • File and directory permissions modification
  • Firmware corruption
  • Hide artifacts
  • Hijack execution flow
  • Modify system image
  • Pre-OS boot
  • Process injection
  • Server software component
  • Supply chain compromise