capec.txt

[
    {
        "CAPEC ID": "1",
        "ID": "Accessing Functionality Not Properly Constrained by ACLs",
        "group": 1,
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:122::NATURE:CanPrecede:CAPEC ID:17::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Survey] The attacker surveys the target application, possibly as a valid and authenticated userTECHNIQUE:Spidering web sites for all available links:TECHNIQUE:Brute force guessing of resource names:TECHNIQUE:Brute force guessing of user names / credentials:TECHNIQUE:Brute force guessing of function names / actions::STEP:2:PHASE:Explore:DESCRIPTION:[Identify Functionality] At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actionsTECHNIQUE:Use the web inventory of all forms and inputs and apply attack data to those inputs.:TECHNIQUE:Use a packet sniffer to capture and record network traffic:TECHNIQUE:Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.::STEP:3:PHASE:Experiment:DESCRIPTION:[Iterate over access capabilities] Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.TECHNIQUE:Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)::",
        "Prerequisites": "::The application must be navigable in a manner that associates elements (subsections) of the application with ACLs.::The various resources, or individual URLs, must be somehow discoverable by the attacker::The administrator must have forgotten to associate an ACL or has associated an inappropriately permissive ACL with a particular navigable resource.::",
        "Skills Required": "::SKILL:In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.:LEVEL:Low::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::In a J2EE setting, administrators can associate a role that is impossible for the authenticator to grant users, such as NoAccess, with all Servlets to which access is guarded by a limited number of servlets visible to, and accessible by, the user. Having done so, any direct access to those protected Servlets will be prohibited by the web container. In a more general setting, the administrator must mark every resource besides the ones supposed to be exposed to the user as accessible by a role impossible for the user to assume. The default security setting must be to deny access and then grant access only to those resources intended by business logic.::",
        "Example Instances": "::Implementing the Model-1-Controller (MVC) within Java EE's Servlet paradigm using a Single front controller pattern that demands that brokered HTTP requests be authenticated before hand-offs to other Action Servlets. If no security-constraint is placed on those Action Servlets, such that positively no one can access them, the front controller can be subverted.::",
        "Related Weaknesses": "::276::285::434::693::732::1191::1193::1220::1297::1311::1314::1315::1318::1320::1321::1327::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1574.010:ENTRY NAME:Hijack Execution Flow: ServicesFile Permissions Weakness::",
        "Notes": ""
    },
    {
        "CAPEC ID": "11",
        "ID": "Cause Web Server Misclassification",
        "group": 2,
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:635::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Footprint file input vectors] Manually or using an automated tool, an attacker searches for all input locations where a user has control over the filenames or MIME types of files submitted to the web server.TECHNIQUE:Attacker manually crawls application to identify file inputs:TECHNIQUE:Attacker uses an automated tool to crawl application identify file inputs:TECHNIQUE:Attacker manually assesses strength of access control protecting native application files from user control:TECHNIQUE:Attacker explores potential for submitting files directly to the web server via independently constructed HTTP Requests::STEP:2:PHASE:Experiment:DESCRIPTION:[File misclassification shotgunning] An attacker makes changes to file extensions and MIME types typically processed by web servers and looks for abnormal behavior.TECHNIQUE:Attacker submits files with switched extensions (e.g. .php on a .jsp file) to web server.:TECHNIQUE:Attacker adds extra characters (e.g. adding an extra . after the file extension) to filenames of files submitted to web server.::STEP:3:PHASE:Experiment:DESCRIPTION:[File misclassification sniping] Understanding how certain file types are processed by web servers, an attacker crafts varying file payloads and modifies their file extension or MIME type to be that of the targeted type to see if the web server is vulnerable to misclassification of that type.TECHNIQUE:Craft a malicious file payload, modify file extension to the targeted file type and submit it to the web server.:TECHNIQUE:Craft a malicious file payload, modify its associated MIME type to the targeted file type and submit it to the web server.::STEP:4:PHASE:Exploit:DESCRIPTION:[Disclose information] The attacker, by manipulating a file extension or MIME type is able to make the web server return raw information (not executed).TECHNIQUE:Manipulate the file names that are explicitly sent to the server.:TECHNIQUE:Manipulate the MIME sent in order to confuse the web server.::",
        "Prerequisites": "::Web server software must rely on file name or file extension for processing.::The attacker must be able to make HTTP requests to the web server.::",
        "Skills Required": "::SKILL:To modify file name or file extension:LEVEL:Low::SKILL:To use misclassification to force the Web server to disclose configuration information, source, or binary data:LEVEL:Medium::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Implementation: Server routines should be determined by content not determined by filename or file extension.::",
        "Example Instances": "::J2EE application servers are supposed to execute Java Server Pages (JSP). There have been disclosure issues relating to Orion Application Server, where an attacker that appends either a period (.) or space characters to the end of a legitimate Http request, then the server displays the full source code in the attackers' web browser. http://victim.site/login.jsp. Since remote data and directory access may be accessed directly from the JSP, this is a potentially very serious issue. [REF-6]::",
        "Related Weaknesses": "::430::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1036.006:ENTRY NAME:Masquerading: Space after Filename::",
        "Notes": ""
    },
    {
        "CAPEC ID": "112",
        "ID": "Brute Force",
        "group": 3,
        "Abstraction": "Meta",
        "Status": "Draft",
        "Description": "In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine secret testing procedure] Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted.TECHNIQUE:Determine if there is a way to parallelize the attack. Most brute force attacks can take advantage of parallel techniques by dividing the search space among available resources, thus dividing the average time to success by the number of resources available. If there is a single choke point, such as a need to check answers with an external authority, the attackers' position is significantly degraded.::STEP:2:PHASE:Explore:DESCRIPTION:[Reduce search space] Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced.TECHNIQUE:If possible, determine how the secret was selected. If the secret was determined algorithmically (such as by a random number generator) the algorithm may have patterns or dependencies that reduce the size of the secret space. If the secret was created by a human, behavioral factors may, if not completely reduce the space, make some types of secrets more likely than others. (For example, humans may use the same secrets in multiple places or use secrets that look or sound familiar for ease of recall.):TECHNIQUE:If the secret was chosen algorithmically, cryptanalysis can be applied to the algorithm to discover patterns in this algorithm. (This is true even if the secret is not used in cryptography.) Periodicity, the need for seed values, or weaknesses in the generator all can result in a significantly smaller secret space.:TECHNIQUE:If the secret was chosen by a person, social engineering and simple espionage can indicate patterns in their secret selection. If old secrets can be learned (and a target may feel they have little need to protect a secret that has been replaced) hints as to their selection preferences can be gleaned. These can include character substitutions a target employs, patterns in sources (dates, famous phrases, music lyrics, family members, etc.). Once these patterns have been determined, the initial efforts of a brute-force attack can focus on these areas.:TECHNIQUE:Some algorithmic techniques for secret selection may leave indicators that can be tested for relatively easily and which could then be used to eliminate large areas of the search space for consideration. For example, it may be possible to determine that a secret does or does not start with a given character after a relatively small number of tests. Alternatively, it might be possible to discover the length of the secret relatively easily. These discoveries would significantly reduce the search space, thus increasing speed with which the attacker discovers the secret.::STEP:3:PHASE:Explore:DESCRIPTION:[Expand victory conditions] It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value.::STEP:4:PHASE:Exploit:DESCRIPTION:[Gather information so attack can be performed independently.] If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords).::",
        "Prerequisites": "::The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct.::",
        "Skills Required": "::SKILL:The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located.:LEVEL:Low::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power do not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures.::",
        "Indicators": "::Repeated submissions of incorrect secret values may indicate a brute force attack. For example, repeated bad passwords when accessing user accounts or repeated queries to databases using non-existent keys.::Attempts to download files protected by secrets (usually using encryption) may be a precursor to an offline attack to break the file's encryption and read its contents. This is especially significant if the file itself contains other secret values, such as password files.::If the attacker is able to perform the checking offline then there will likely be no indication that an attack is ongoing.::",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.::Use a secret space that is well known and with no known patterns that may reduce functional size.::Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext.::",
        "Example Instances": "",
        "Related Weaknesses": "::330::326::521::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1110:ENTRY NAME:Brute Force::::TAXONOMY NAME:WASC:ENTRY ID:11:ENTRY NAME:Brute Force::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Brute force attack::",
        "Notes": ""
    },
    {
        "CAPEC ID": "114",
        "ID": "Authentication Abuse",
        "group": 4,
        "Abstraction": "Meta",
        "Status": "Draft",
        "Description": "An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "::An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way.::",
        "Skills Required": "",
        "Resources Required": "::A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::287::1244::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1548:ENTRY NAME:Abuse Elevation Control Mechanism::",
        "Notes": ""
    },
    {
        "CAPEC ID": "115",
        "ID": "Authentication Bypass",
        "group": 5,
        "Abstraction": "Meta",
        "Status": "Draft",
        "Description": "An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "::An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc.::",
        "Skills Required": "",
        "Resources Required": "::A client application, such as a web browser, or a scripting language capable of interacting with the target.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::287::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1548:ENTRY NAME:Abuse Elevation Control Mechanism::",
        "Notes": ""
    },
    {
        "CAPEC ID": "122",
        "ID": "Privilege Abuse",
        "group": 6,
        "Abstraction": "Meta",
        "Status": "Draft",
        "Description": "An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:CanPrecede:CAPEC ID:664::",
        "Execution Flow": "",
        "Prerequisites": "::The target must have misconfigured their access control mechanisms such that sensitive information, which should only be accessible to more trusted users, remains accessible to less trusted users.::The adversary must have access to the target, albeit with an account that is less privileged than would be appropriate for the targeted resources.::",
        "Skills Required": "::SKILL:Adversary can leverage privileged features they already have access to without additional effort or skill. Adversary is only required to have access to an account with improper priveleges.:LEVEL:Low::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack. The ability to access the target is required.::",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Authorization Execute Unauthorized Commands Run Arbitrary Code::SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism::",
        "Mitigations": "::Configure account privileges such privileged/administrator functionality is not exposed to non-privileged/lower accounts.::",
        "Example Instances": "::Improperly configured account privileges allowed unauthorized users on a hospital's network to access the medical records for over 3,000 patients. Thus compromising data integrity and confidentiality in addition to HIPAA violations.::",
        "Related Weaknesses": "::269::732::1317::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1548:ENTRY NAME:Abuse Elevation Control Mechanism::",
        "Notes": ""
    },
    {
        "CAPEC ID": "125",
        "ID": "Flooding",
        "group": 7,
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "::Any target that services requests is vulnerable to this attack on some level of scale.::",
        "Skills Required": "",
        "Resources Required": "::A script or program capable of generating more requests than the target can handle, or a network or cluster of objects all capable of making simultaneous requests.::",
        "Indicators": "",
        "Consequences": "::SCOPE:AvailabilityTECHNICAL IMPACT:Unreliable Execution:TECHNICAL IMPACT:Resource Consumption:NOTE:Availability Unreliable Execution Resource Consumption A successful flooding attack compromises the availability of the target system's service by exhausting its available resources.::",
        "Mitigations": "::Ensure that protocols have specific limits of scale configured.::Specify expectations for capabilities and dictate which behaviors are acceptable when resource allocation reaches limits.::Uniformly throttle all requests in order to make it more difficult to consume resources more quickly than they can again be freed.::",
        "Example Instances": "",
        "Related Weaknesses": "::404::770::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1498.001:ENTRY NAME:Network Denial of Service: Direct Network Flood::::TAXONOMY NAME:ATTACK:ENTRY ID:1499:ENTRY NAME:Endpoint Denial of Service::::TAXONOMY NAME:WASC:ENTRY ID:10:ENTRY NAME:Denial of Service::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Traffic flood::",
        "Notes": ""
    },
    {
        "CAPEC ID": "127",
        "ID": "Directory Indexing",
        "group": 8,
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:54::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Directory Discovery] Use a method, either manual, scripted, or automated to discover the directories on the server by making requests for directories that may possibly exist. During this phase the adversary is less concerned with whether a directory can be accessed or indexed and more focused on simply discovering what directories do exist on the target.TECHNIQUE:Send requests to the web server for common directory names:TECHNIQUE:If directories are discovered that are native to a server type further refine the directory search to include directories usually present on those types of servers.:TECHNIQUE:Search for uncommon or potentially user created directories that may be present.::STEP:2:PHASE:Experiment:DESCRIPTION:[Iteratively explore directory/file structures] The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methodsTECHNIQUE:Use a scanner tool to dynamically add directories/files to include their scan based upon data obtained in initial probes.:TECHNIQUE:Use a browser to manually explore the website by issuing a request ending the URL in a slash '/'.:TECHNIQUE:Attempt to bypass ACLs on directories by using methods that known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.:TECHNIQUE:Sequentially request a list of common base files to each directory discovered.:TECHNIQUE:Try multiple fuzzing techniques to list directory contents for directories that will not reveal their contents with a / request::STEP:3:PHASE:Exploit:DESCRIPTION:[Read directories or files which are not intended for public viewing.] The adversary attempts to access the discovered directories that allow access and may attempt to bypass server or application level ACLs by using manual or automated methodsTECHNIQUE:Try multiple exploit techniques to list directory contents for directories that will not reveal their contents with a / request:TECHNIQUE:Try other known exploits to elevate privileges sufficient to bypass protected directories.:TECHNIQUE:List the files in the directory by issuing a request with the URL ending in a / slash.:TECHNIQUE:Access the files via direct URL and capture contents.:TECHNIQUE:Attempt to bypass ACLs on directories by using methods that are known to work against some server types by appending data to the directory request. For instance, appending a Null byte to the end of the request which may cause an ACL to fail and allow access.:TECHNIQUE:Sequentially request a list of common base files to each directory discovered.::",
        "Prerequisites": "::The target must be misconfigured to return a list of a directory's content when it receives a request that ends in a directory name rather than a file name.::The adversary must be able to control the path that is requested of the target.::The administrator must have failed to properly configure an ACL or has associated an overly permissive ACL with a particular directory.::The server version or patch level must not inherently prevent known directory listing attacks from working.::",
        "Skills Required": "::SKILL:To issue the request to URL without given a specific file name:LEVEL:Low::SKILL:To bypass the access control of the directory of listings:LEVEL:High::",
        "Resources Required": "::Ability to send HTTP requests to a web application.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:NOTE:Confidentiality Read Data Information Leakage::",
        "Mitigations": "::1. Using blank index.html: putting blank index.html simply prevent directory listings from displaying to site visitors.::2. Preventing with .htaccess in Apache web server: In .htaccess, write Options-indexes.::3. Suppressing error messages: using error 403 Forbidden message exactly like error 404 Not Found message.::",
        "Example Instances": "::The adversary uses directory listing to view sensitive files in the application. This is an example of accessing the backup file. The attack issues a request for http://www.example.com/admin/ and receives the following dynamic directory indexing content in the response: Index of /admin Name Last Modified Size Description backup/ 31-May-2007 08:18 - Apache/ 2.0.55 Server at www.example.com Port 80 The target application does not have direct hyperlink to the backup directory in the normal html webpage, however the attacker has learned of this directory due to indexing the content. The client then requests the backup directory URL and receives output which has a db_dump.php file in it. This sensitive data should not be disclosed publicly.::",
        "Related Weaknesses": "::424::425::288::285::732::276::693::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1083:ENTRY NAME:File and Directory Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "13",
        "ID": "Subverting Environment Variable Values",
        "group": 9,
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:77::NATURE:CanPrecede:CAPEC ID:14::NATURE:PeerOf:CAPEC ID:10::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Probe target application] The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on. Most importantly, the adversary tries to determine what environment variables might be used by the underlying software, or even the application itself.::STEP:2:PHASE:Experiment:DESCRIPTION:[Find user-controlled environment variables] Using the information found by probing the application, the adversary attempts to manipulate any user-controlled environment variables they have found are being used by the application, or suspect are being used by the application, and observe the effects of these changes. If the adversary notices any significant changes to the application, they will know that a certain environment variable is important to the application behavior and indicates a possible attack vector.TECHNIQUE:Alter known environment variables such as $PATH, $HOSTNAME, or LD_LIBRARY_PATH and see if application behavior changes.::STEP:3:PHASE:Exploit:DESCRIPTION:[Manipulate user-controlled environment variables] The adversary manipulates the found environment variable(s) to abuse the normal flow of processes or to gain access to privileged resources.::",
        "Prerequisites": "::An environment variable is accessible to the user.::An environment variable used by the application can be tainted with user supplied data.::Input data used in an environment variable is not validated properly.::The variables encapsulation is not done properly. For instance setting a variable as public in a class makes it visible and an adversary may attempt to manipulate that variable.::",
        "Skills Required": "::SKILL:In a web based scenario, the client controls the data that it submitted to the server. So anybody can try to send malicious data and try to bypass the authentication mechanism.:LEVEL:Low::SKILL:Some more advanced attacks may require knowledge about protocols and probing technique which help controlling a variable. The malicious user may try to understand the authentication mechanism in order to defeat it.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:AvailabilityTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Confidentiality Integrity Availability Execute Unauthorized Commands Run Arbitrary Code::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism::SCOPE:AvailabilityTECHNICAL IMPACT:Unreliable Execution::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:AccountabilityTECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "::Protect environment variables against unauthorized read and write access.::Protect the configuration files which contain environment variables against illegitimate read and write access.::Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system.::Apply the least privilege principles. If a process has no legitimate reason to read an environment variable do not give that privilege.::",
        "Example Instances": "::Changing the LD_LIBRARY_PATH environment variable in TELNET will cause TELNET to use an alternate (possibly Trojan) version of a function library. The Trojan library must be accessible using the target file system and should include Trojan code that will allow the user to log in with a bad password. This requires that the adversary upload the Trojan library to a specific location on the target. As an alternative to uploading a Trojan file, some file systems support file paths that include remote addresses, such as 172.16.2.100shared_filestrojan_dll.dll. See also: Path Manipulation (CVE-1999-0073)::The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to ignorespace. HISTCONTROL can also be set to ignore duplicate commands by setting it to ignoredups. In some Linux systems, this is set by default to ignoreboth which covers both of the previous examples. This means that ls will not be saved, but ls would be saved by history. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.::",
        "Related Weaknesses": "::353::285::302::74::15::73::20::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1562.003:ENTRY NAME:Impair Defenses:Impair Command History Logging::::TAXONOMY NAME:ATTACK:ENTRY ID:1574.006:ENTRY NAME:Hijack Execution Flow:Dynamic Linker Hijacking::::TAXONOMY NAME:ATTACK:ENTRY ID:1574.007:ENTRY NAME:Hijack Execution Flow:Path Interception by PATH Environment Variable::",
        "Notes": ""
    },
    {
        "CAPEC ID": "130",
        "ID": "Excessive Allocation",
        "group": 10,
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "::The target must accept service requests from the attacker and the adversary must be able to control the resource allocation associated with this request to be in excess of the normal allocation. The latter is usually accomplished through the presence of a bug on the target that allows the adversary to manipulate variables used in the allocation.::",
        "Skills Required": "",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:AvailabilityTECHNICAL IMPACT:Resource Consumption:NOTE:Availability Resource Consumption A successful excessive allocation attack forces the target system to exhaust its resources, thereby compromising the availability of its service.::",
        "Mitigations": "::Limit the amount of resources that are accessible to unprivileged users.::Assume all input is malicious. Consider all potentially relevant properties when validating input.::Consider uniformly throttling all requests in order to make it more difficult to consume resources more quickly than they can again be freed.::Use resource-limiting settings, if possible.::",
        "Example Instances": "::In an Integer Attack, the adversary could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target.::",
        "Related Weaknesses": "::404::770::1325::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1499.003:ENTRY NAME:Endpoint Denial of Service:Application Exhaustion Flood::::TAXONOMY NAME:WASC:ENTRY ID:10:ENTRY NAME:Denial of Service::",
        "Notes": ""
    },
    {
        "CAPEC ID": "131",
        "ID": "Resource Leak Exposure",
        "group": 11,
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "::The target must have a resource leak that the adversary can repeatedly trigger.::",
        "Skills Required": "",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:AvailabilityTECHNICAL IMPACT:Unreliable Execution:TECHNICAL IMPACT:Resource Consumption:NOTE:Availability Unreliable Execution Resource Consumption A successful resource leak exposure attack compromises the availability of the target system's services.::",
        "Mitigations": "::If possible, leverage coding language(s) that do not allow this weakness to occur (e.g., Java, Ruby, and Python all perform automatic garbage collection that releases memory for objects that have been deallocated).::Memory should always be allocated/freed using matching functions (e.g., malloc/free, new/delete, etc.)::Implement best practices with respect to memory management, including the freeing of all allocated resources at all exit points and ensuring consistency with how and where memory is freed in a function.::",
        "Example Instances": "",
        "Related Weaknesses": "::404::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1499:ENTRY NAME:Endpoint Denial of Service::::TAXONOMY NAME:WASC:ENTRY ID:10:ENTRY NAME:Denial of Service::",
        "Notes": ""
    },
    {
        "CAPEC ID": "132",
        "ID": "Symlink Attack",
        "group": 12,
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:159::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify Target] Adversary identifies the target application by determining whether there is sufficient check before writing data to a file and creating symlinks to files in different directories.TECHNIQUE:The adversary writes to files in different directories to check whether the application has sufficient checking before file operations.:TECHNIQUE:The adversary creates symlinks to files in different directories.::STEP:2:PHASE:Experiment:DESCRIPTION:[Try to create symlinks to different files] The adversary then uses a variety of techniques, such as monitoring or guessing to create symlinks to the files accessed by the target application in the directories which are identified in the explore phase.TECHNIQUE:The adversary monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the adversary can delay the operations by using sleep(2) and usleep() to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.:TECHNIQUE:The adversary may need a little guesswork on the filenames on which the target application would operate.:TECHNIQUE:The adversary tries to create symlinks to the various filenames.::STEP:3:PHASE:Exploit:DESCRIPTION:[Target application operates on created symlinks to sensitive files] The adversary is able to create symlinks to sensitive files while the target application is operating on the file.TECHNIQUE:Create the symlink to the sensitive file such as configuration files, etc.::",
        "Prerequisites": "::The targeted application must perform the desired activities on a file without checking whether the file is a symbolic link or not. The adversary must be able to predict the name of the file the target application is modifying and be able to create a new symbolic link where that file would appear.::",
        "Skills Required": "::SKILL:To create symlinks:LEVEL:Low::SKILL:To identify the files and create the symlinks during the file operation time window:LEVEL:High::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack. The only requirement is the ability to create the necessary symbolic link.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other:NOTE:Confidentiality Other Information Leakage::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Authorization Execute Unauthorized Commands Run Arbitrary Code::SCOPE:Accountability:SCOPE:Authentication:SCOPE:Authorization:SCOPE:Non-RepudiationTECHNICAL IMPACT:Gain Privileges::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism::SCOPE:AvailabilityTECHNICAL IMPACT:Unreliable Execution::",
        "Mitigations": "::Design: Check for the existence of files to be created, if in existence verify they are neither symlinks nor hard links before opening them.::Implementation: Use randomly generated file names for temporary files. Give the files restrictive permissions.::",
        "Example Instances": "::The adversary creates a symlink with the same name as the file which the application is intending to write to. The application will write to the file- causing the data to be written where the symlink is pointing. An attack like this can be demonstrated as follows: root# vulprog myFile {...program does some processing...] adversary# ln \u2013s /etc/nologin myFile [...program writes to 'myFile', which points to /etc/nologin...] In the above example, the root user ran a program with poorly written file handling routines, providing the filename myFile to vulnprog for the relevant data to be written to. However, the adversary happened to be looking over the shoulder of root at the time, and created a link from myFile to /etc/nologin. The attack would make no user be able to login.::",
        "Related Weaknesses": "::59::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1547.009:ENTRY NAME:Boot or Logon Autostart Execution:Shortcut Modification::",
        "Notes": ""
    },
    {
        "CAPEC ID": "141",
        "ID": "Cache Poisoning",
        "group": 13
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:161::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify and explore caches] Use tools to sniff traffic and scan a network in order to locate application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache) that may have vulnerabilities. Look for poisoning point in cache table entries.TECHNIQUE:Run tools that check available entries in the cache.::STEP:2:PHASE:Experiment:DESCRIPTION:[Cause specific data to be cached] An attacker sends bogus request to the target, and then floods responses that trick a cache to remember malicious responses, which are wrong answers of queries.TECHNIQUE:Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).::STEP:3:PHASE:Exploit:DESCRIPTION:[Redirect users to malicious website] As the attacker succeeds in exploiting the vulnerability, they are able to manipulate and interpose malicious response data to targeted victim queries.TECHNIQUE:Intercept or modify a query, or send a bogus query with known credentials (such as transaction ID).:TECHNIQUE:Adversary-in-the-Middle attacks (CAPEC-94) intercept secure communication between two parties.::",
        "Prerequisites": "::The attacker must be able to modify the value stored in a cache to match a desired value.::The targeted application must not be able to detect the illicit modification of the cache and must trust the cache value in its calculations.::",
        "Skills Required": "::SKILL:To overwrite/modify targeted cache:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Configuration: Disable client side caching.::Implementation: Listens for query replies on a network, and sends a notification via email when an entry changes.::",
        "Example Instances": "::In this example, an attacker sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7. Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the attacker floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.::",
        "Related Weaknesses": "::348::345::349::346::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1557.002:ENTRY NAME:Adversary-in-the-Middle: ARP Cache Poisoning::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Cache Poisoning::",
        "Notes": ""
    },
    {
        "CAPEC ID": "142",
        "ID": "DNS Cache Poisoning",
        "group": 14,
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:141::NATURE:CanPrecede:CAPEC ID:89::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Explore resolver caches] Check DNS caches on local DNS server and client's browser with DNS cache enabled.TECHNIQUE:Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.:TECHNIQUE:Figure out if the client's browser has DNS cache enabled.::STEP:2:PHASE:Experiment:DESCRIPTION:[Attempt sending crafted records to DNS cache] A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.TECHNIQUE:Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.:TECHNIQUE:If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction:TECHNIQUE:Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address.::STEP:3:PHASE:Exploit:DESCRIPTION:[Redirect users to malicious website] As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.TECHNIQUE:Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.:TECHNIQUE:Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties.::",
        "Prerequisites": "::A DNS cache must be vulnerable to some attack that allows the adversary to replace addresses in its lookup table.Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions.::",
        "Skills Required": "::SKILL:To overwrite/modify targeted DNS cache:LEVEL:Medium::",
        "Resources Required": "::The adversary must have the resources to modify the targeted cache. In addition, in most cases the adversary will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the adversary's goals.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Configuration: Make sure your DNS servers have been updated to the latest versions::Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.::Configuration: Disable client side DNS caching.::",
        "Example Instances": "::In this example, an adversary sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7. Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the adversary floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack.::",
        "Related Weaknesses": "::348::345::349::346::350::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1584.002:ENTRY NAME:Compromise Infrastructure: DNS Server::",
        "Notes": ""
    },
    {
        "CAPEC ID": "148",
        "ID": "Content Spoofing",
        "group": 15,
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "::The target must provide content but fail to adequately protect it against modification.The adversary must have the means to alter data to which they are not authorized. If the content is to be modified in transit, the adversary must be able to intercept the targeted messages.::",
        "Skills Required": "",
        "Resources Required": "::If the content is to be modified in transit, the adversary requires a tool capable of intercepting the target's communication and generating/creating custom packets to impact the communications. In some variants, the targeted content is altered so that all or some of it is redirected towards content published by the attacker (for example, images and frames in the target's web site might be modified to be loaded from a source controlled by the attacker). In these cases, the attacker requires the necessary resources to host the replacement content.::",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data:NOTE:Integrity Modify Data A successful content spoofing attack compromises the integrity of the application data.::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::345::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1491:ENTRY NAME:Defacement::::TAXONOMY NAME:WASC:ENTRY ID:12:ENTRY NAME:Content Spoofing::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Content Spoofing::",
        "Notes": ""
    },
    {
        "CAPEC ID": "150",
        "ID": "Collect Data from Common Resource Locations",
        "group": 16,
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:116::",
        "Execution Flow": "",
        "Prerequisites": "::The targeted applications must either expect files to be located at a specific location or, if the location of the files can be configured by the user, the user either failed to move the files from the default location or placed them in a conventional location for files of the given type.::",
        "Skills Required": "",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack. In some cases, the attacker need not even have direct access to the locations on the target computer where the targeted resources reside.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "::An adversary can use a technique called Bluesnarfing to retrieve data from Bluetooth enabled devices in which they know where the data is located. This is done by connecting to the device\u2019s Object Exchange (OBEX) Push Profile and making OBEX GET requests for known filenames (contact lists, photos, recent calls). Bluesnarfing was patched shortly after its discovery in 2003 and will only work on devices created before or during this time.::",
        "Related Weaknesses": "::552::1239::1258::1266::1272::1323::1324::1330::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1003:ENTRY NAME:OS Credential Dumping::::TAXONOMY NAME:ATTACK:ENTRY ID:1119:ENTRY NAME:Automated Collection::::TAXONOMY NAME:ATTACK:ENTRY ID:1213:ENTRY NAME:Data from Information Repositories::::TAXONOMY NAME:ATTACK:ENTRY ID:1530:ENTRY NAME:Data from Cloud Storage Object::::TAXONOMY NAME:ATTACK:ENTRY ID:1555:ENTRY NAME:Credentials from Password Stores::::TAXONOMY NAME:ATTACK:ENTRY ID:1602:ENTRY NAME:Data from Configuration Repository::",
        "Notes": ""
    },
    {
        "CAPEC ID": "158",
        "ID": "Sniffing Network Traffic",
        "group": 17,
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:157::",
        "Execution Flow": "",
        "Prerequisites": "::The target must be communicating on a network protocol visible by a network sniffing application.::The adversary must obtain a logical position on the network from intercepting target network traffic is possible. Depending on the network topology, traffic sniffing may be simple or challenging. If both the target sender and target recipient are members of a single subnet, the adversary must also be on that subnet in order to see their traffic communication.::",
        "Skills Required": "::SKILL:Adversaries can obtain and set up open-source network sniffing tools easily.:LEVEL:Low::",
        "Resources Required": "::A tool with the capability of presenting network communication traffic (e.g., Wireshark, tcpdump, Cain and Abel, etc.).::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Obfuscate network traffic through encryption to prevent its readability by network sniffers.::Employ appropriate levels of segmentation to your network in accordance with best practices.::",
        "Example Instances": "",
        "Related Weaknesses": "::311::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1040:ENTRY NAME:Network Sniffing::::TAXONOMY NAME:ATTACK:ENTRY ID:1111:ENTRY NAME:Multi-Factor Authentication Interception::",
        "Notes": ""
    },
    {
        "CAPEC ID": "159",
        "ID": "Redirect Access to Libraries",
        "group": 18,
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:154::NATURE:CanPrecede:CAPEC ID:185::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify Target] The adversary identifies the target application and determines what libraries are being used.TECHNIQUE:Find public source code and identify library dependencies.:TECHNIQUE:Gain access to the system hosting the application and look for libraries in common locations.::STEP:2:PHASE:Experiment:DESCRIPTION:[Deploy Malicious Libraries] The adversary crafts malicious libraries and deploys them on the system where the application is running, or in a remote location that can be loaded by the application.::STEP:3:PHASE:Exploit:DESCRIPTION:[Redirect Library Calls to Malicious Library] Once the malicious library crafted by the adversary is deployed, the adversary will manipulate the flow of the application such that it calls the malicious library. This can be done in a variety of ways based on how the application is loading and calling libraries.TECHNIQUE:Poison the DNS cache of the system so that it loads a malicious library from a remote location hosted by the adversary instead of the legitimate location:TECHNIQUE:Create a symlink that tricks the application into thinking that a malicious library is the legitimate library.:TECHNIQUE:Use DLL side-loading to place a malicious verison of a DLL in the windows directory.::",
        "Prerequisites": "::The target must utilize external libraries and must fail to verify the integrity of these libraries before using them.::",
        "Skills Required": "::SKILL:To modify the entries in the configuration file pointing to malicious libraries:LEVEL:Low::SKILL:To force symlink and timing issues for redirecting access to libraries:LEVEL:Medium::SKILL:To reverse engineering the libraries and inject malicious code into the libraries:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Authorization Execute Unauthorized Commands Run Arbitrary Code::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism::",
        "Mitigations": "::Implementation: Restrict the permission to modify the entries in the configuration file.::Implementation: Check the integrity of the dynamically linked libraries before use them.::Implementation: Use obfuscation and other techniques to prevent reverse engineering the libraries.::",
        "Example Instances": "::In this example, the attacker using ELF infection that redirects the Procedure Linkage Table (PLT) of an executable allowing redirection to be resident outside of the infected executable. The algorithm at the entry point code is as follows... \u2022 mark the text segment writeable \u2022 save the PLT(GOT) entry \u2022 replace the PLT(GOT) entry with the address of the new lib call The algorithm in the new library call is as follows... \u2022 do the payload of the new lib call \u2022 restore the original PLT(GOT) entry \u2022 call the lib call \u2022 save the PLT(GOT) entry again (if its changed) \u2022 replace the PLT(GOT) entry with the address of the new lib call::",
        "Related Weaknesses": "::706::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1574.008:ENTRY NAME:Hijack Execution Flow:Path Interception by Search Order Hijacking::",
        "Notes": ""
    },
    {
        "CAPEC ID": "163",
        "ID": "Spear Phishing",
        "group": 19,
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:98::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Obtain useful contextual detailed information about the targeted user or organization] An adversary collects useful contextual detailed information about the targeted user or organization in order to craft a more deceptive and enticing message to lure the target into responding.TECHNIQUE:Conduct web searching research of target. See also: CAPEC-118.:TECHNIQUE:Identify trusted associates, colleagues and friends of target. See also: CAPEC-118.:TECHNIQUE:Utilize social engineering attack patterns such as Pretexting. See also: CAPEC-407.:TECHNIQUE:Collect social information via dumpster diving. See also: CAPEC-406.:TECHNIQUE:Collect social information via traditional sources. See also: CAPEC-118.:TECHNIQUE:Collect social information via Non-traditional sources. See also: CAPEC-118.::STEP:2:PHASE:Experiment:DESCRIPTION:[Optional: Obtain domain name and certificate to spoof legitimate site] This optional step can be used to help the adversary impersonate the legitimate site more convincingly. The adversary can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.TECHNIQUE:Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L).:TECHNIQUE:Optionally obtain a legitimate SSL certificate for the new domain name.::STEP:3:PHASE:Experiment:DESCRIPTION:[Optional: Explore legitimate website and create duplicate] An adversary creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.TECHNIQUE:Use spidering software to get copy of web pages on legitimate site.:TECHNIQUE:Manually save copies of required web pages from legitimate site.:TECHNIQUE:Create new web pages that have the legitimate site's look at feel, but contain completely new content.::STEP:4:PHASE:Experiment:DESCRIPTION:[Optional: Build variants of the website with very specific user information e.g., living area, etc.] Once the adversary has their website which duplicates a legitimate website, they need to build very custom user related information in it. For example, they could create multiple variants of the website which would target different living area users by providing information such as local news, local weather, etc. so that the user believes this is a new feature from the website.TECHNIQUE:Integrate localized information in the web pages created to duplicate the original website. Those localized information could be dynamically generated based on unique key or IP address of the future victim.::STEP:5:PHASE:Exploit:DESCRIPTION:[Convince user to enter sensitive information on adversary's site.] An adversary sends a message (typically an e-mail) to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to adversary's website) and log in. The key is to get the victim to believe that the message is coming from a legitimate entity trusted by the victim or with which the victim or does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.TECHNIQUE:Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.:TECHNIQUE:Place phishing link in post to online forum.::STEP:6:PHASE:Exploit:DESCRIPTION:[Use stolen credentials to log into legitimate site] Once the adversary captures some sensitive information through phishing (login credentials, credit card information, etc.) the adversary can leverage this information. For instance, the adversary can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.TECHNIQUE:Log in to the legitimate site using another user's supplied credentials.::",
        "Prerequisites": "::None. Any user can be targeted by a Spear Phishing attack.::",
        "Skills Required": "::SKILL:Spear phishing attacks require specific knowledge of the victims being targeted, such as which bank is being used by the victims, or websites they commonly log into (Google, Facebook, etc).:LEVEL:Medium::",
        "Resources Required": "::An adversay must have the ability communicate their phishing scheme to the victims (via email, instance message, etc.), as well as a website or other platform for victims to enter personal information into.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:NOTE:Confidentiality Read Data Information Leakage::SCOPE:Accountability:SCOPE:Authentication:SCOPE:Authorization:SCOPE:Non-RepudiationTECHNICAL IMPACT:Gain Privileges:NOTE:Accountability Authentication Authorization Non-Repudiation Gain Privileges Privilege Escalation::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data:NOTE:Integrity Modify Data Data Modification::",
        "Mitigations": "::Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.::",
        "Example Instances": "::The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity that happened in a different area from where they live (details might be provided by the spear phishers) and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. An adversary has just collected the target's online banking information which can now be used by them to log into the target's bank account and transfer money to a bank account of the adversary's choice.::An adversary can leverage a weakness in the SMB protocol by sending the target, an official looking e-mail from their employer's IT Department stating that their system has vulnerable software, which they need to manually patch by accessing an updated version of the software by clicking on a provided link to a network share. Once the link is clicked, the target is directed to an external server controlled by the adversary or to a malicious file on a public access share. The SMB protocol will then attempt to authenticate the target to the adversary controlled server, which allows the adversary to capture the hashed credentials over SMB. These credentials can then be used to execute offline brute force attacks or a Pass The Hash attack.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1534:ENTRY NAME:Internal Spearfishing::::TAXONOMY NAME:ATTACK:ENTRY ID:1566.001:ENTRY NAME:Phishing: Spearfishing Attachment::::TAXONOMY NAME:ATTACK:ENTRY ID:1566.002:ENTRY NAME:Phishing: Spearfishing Link::::TAXONOMY NAME:ATTACK:ENTRY ID:1566.003:ENTRY NAME:Phishing: Spearfishing via Service::::TAXONOMY NAME:ATTACK:ENTRY ID:1598.001:ENTRY NAME:Phishing for Information: Spearfishing Service::::TAXONOMY NAME:ATTACK:ENTRY ID:1598.002:ENTRY NAME:Phishing for Information: Spearfishing Attachment::::TAXONOMY NAME:ATTACK:ENTRY ID:1598.003:ENTRY NAME:Phishing for Information: Spearfishing Link::",
        "Notes": ""
    },
    {
        "CAPEC ID": "165",
        "ID": "File Manipulation",
        "group": 20,
        "Abstraction": "Meta",
        "Status": "Draft",
        "Description": "An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "::The target must use the affected file without verifying its integrity.::",
        "Skills Required": "",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack. In some cases, tools can be used to better control the response of the targeted application to the modified file.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1036.003:ENTRY NAME:Masquerading: Rename System Utilities::",
        "Notes": ""
    },
    {
        "CAPEC ID": "169",
        "ID": "Footprinting",
        "group": 21,
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "An adversary engages in probing and exploration activities to identify constituents and properties of the target.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very Low",
        "Related Attack Patterns": "",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Request Footprinting] The attacker examines the website information and source code of the website and uses automated tools to get as much information as possible about the system and organization.TECHNIQUE:Open Source Footprinting: Examine the website about the organization and skim through the webpage's HTML source to look for comments.:TECHNIQUE:Network Enumeration: Perform various queries (Registrar Query, Organizational Query, Domain Query, Network Query, POC Query) on the many whois databases found on the internet to identify domain names and associated networks.:TECHNIQUE:DNS Interrogation: Once basic information is gathered the attack could begin to query DNS.:TECHNIQUE:Other Techniques: Use ping sweep, TCP scan, UDP scan, OS Identification various techniques to gain more information about the system and network.::",
        "Prerequisites": "::An application must publicize identifiable information about the system or application through voluntary or involuntary means. Certain identification details of information systems are visible on communication networks (e.g., if an adversary uses a sniffer to inspect the traffic) due to their inherent structure and protocol standards. Any system or network that can be detected can be footprinted. However, some configuration choices may limit the useful information that can be collected during a footprinting attack.::",
        "Skills Required": "::SKILL:The adversary knows how to send HTTP request, run the scan tool.:LEVEL:Low::",
        "Resources Required": "::The adversary requires a variety of tools to collect information about the target. These include port/network scanners and tools to analyze responses from applications to determine version and configuration information. Footprinting a system adequately may also take a few days if the attacker wishes the footprinting attempt to go undetected.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Keep patches up to date by installing weekly or daily if possible.::Shut down unnecessary services/ports.::Change default passwords by choosing strong passwords.::Curtail unexpected input.::Encrypt and password-protect sensitive data.::Avoid including information that has the potential to identify and compromise your organization's security such as access to business plans, formulas, and proprietary documents.::",
        "Example Instances": "::In this example let us look at the website http://www.example.com to get much information we can about Alice. From the website, we find that Alice also runs foobar.org. We type in www example.com into the prompt of the Name Lookup window in a tool, and our result is this IP address: 192.173.28.130 We type the domain into the Name Lookup prompt and we are given the same IP. We can safely say that example and foobar.org are hosted on the same box. But if we were to do a reverse name lookup on the IP, which domain will come up? www.example.com or foobar.org? Neither, the result is nijasvspirates.org. So nijasvspirates.org is the name of the box hosting 31337squirrel.org and foobar.org. So now that we have the IP, let's check to see if nijasvspirates is awake. We type the IP into the prompt in the Ping window. We'll set the interval between packets to 1 millisecond. We'll set the number of seconds to wait until a ping times out to 5. We'll set the ping size to 500 bytes and we'll send ten pings. Ten packets sent and ten packets received. nijasvspirates.org returned a message to my computer within an average of 0.35 seconds for every packet sent. nijasvspirates is alive. We open the Whois window and type nijasvspirates.org into the Query prompt, and whois.networksolutions.com into the Server prompt. This means we'll be asking Network Solutions to tell us everything they know about nijasvspirates.org. The result is this laundry list of info: Registrant: FooBar (nijasvspirates -DOM) p.o.box 11111 SLC, UT 84151 US Domain Name: nijasvspirates.ORG Administrative Contact, Billing Contact: Smith, John jsmith@anonymous.net FooBar p.o.box 11111 SLC, UT 84151 555-555-6103 Technical Contact: Johnson, Ken kj@fierymonkey.org fierymonkey p.o.box 11111 SLC, UT 84151 555-555-3849 Record last updated on 17-Aug-2001. Record expires on 11-Aug-2002. Record created on 11-Aug-2000. Database last updated on 12-Dec-2001 04:06:00 EST. Domain servers in listed order: NS1. fierymonkey.ORG 192.173.28.130 NS2. fierymonkey.ORG 64.192.168.80 A corner stone of footprinting is Port Scanning. Let's port scan nijasvspirates.org and see what kind of services are running on that box. We type in the nijasvspirates IP into the Host prompt of the Port Scan window. We'll start searching from port number 1, and we'll stop at the default Sub7 port, 27374. Our results are: 21 TCP ftp 22 TCP ssh SSH-1.99-OpenSSH_2.30 25 TCP smtp 53 TCP domain 80 TCP www 110 TCP pop3 111 TCP sunrpc 113 TCP ident Just by this we know that Alice is running a website and email, using POP3, SUNRPC (SUN Remote Procedure Call), and ident.::",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1217:ENTRY NAME:Browser Bookmark Discovery::::TAXONOMY NAME:ATTACK:ENTRY ID:1592:ENTRY NAME:Gather Victim Host Information::::TAXONOMY NAME:ATTACK:ENTRY ID:1595:ENTRY NAME:Active Scanning::",
        "Notes": ""
    },
    {
        "CAPEC ID": "17",
        "ID": "Using Malicious Files",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:122::NATURE:CanPrecede:CAPEC ID:233::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine File/Directory Configuration] The adversary looks for misconfigured files or directories on a system that might give executable access to an overly broad group of users.TECHNIQUE:Through shell access to a system, use the command ls -l to view permissions for files and directories.::STEP:2:PHASE:Experiment:DESCRIPTION:[Upload Malicious Files] If the adversary discovers a directory that has executable permissions, they will attempt to upload a malicious file to execute.TECHNIQUE:Upload a malicious file through a misconfigured FTP server.::STEP:3:PHASE:Exploit:DESCRIPTION:[Execute Malicious File] The adversary either executes the uploaded malicious file, or executes an existing file that has been misconfigured to allow executable access to the adversary.::",
        "Prerequisites": "::System's configuration must allow an attacker to directly access executable files or upload files to execute. This means that any access control system that is supposed to mediate communications between the subject and the object is set incorrectly or assumes a benign environment.::",
        "Skills Required": "::SKILL:To identify and execute against an over-privileged system interface:LEVEL:Low::",
        "Resources Required": "::Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:AvailabilityTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Confidentiality Integrity Availability Execute Unauthorized Commands Run Arbitrary Code::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Design: Enforce principle of least privilege::Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.::Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.::",
        "Example Instances": "::Consider a directory on a web server with the following permissions drwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot This could allow an attacker to both execute and upload and execute programs' on the web server. This one vulnerability can be exploited by a threat to probe the system and identify additional vulnerabilities to exploit.::",
        "Related Weaknesses": "::732::285::272::59::282::270::693::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1574.005:ENTRY NAME:Hijack Execution Flow: Executable Installer File Permissions Weakness::::TAXONOMY NAME:ATTACK:ENTRY ID:1574.010:ENTRY NAME:Hijack Execution Flow: Services File Permissions Weakness::",
        "Notes": ""
    },
    {
        "CAPEC ID": "177",
        "ID": "Create files with the same name as files protected with a higher classification",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:17::",
        "Execution Flow": "",
        "Prerequisites": "::The target application must include external files. Most non-trivial applications meet this criterion.::The target application does not verify that a located file is the one it was looking for through means other than the name. Many applications fail to perform checks of this type.::The directories the target application searches to find the included file include directories writable by the attacker which are searched before the protected directory containing the actual files. It is much less common for applications to meet this criterion, but if an attacker can manipulate the application's search path (possibly by controlling environmental variables) then they can force this criterion to be met.::",
        "Skills Required": "",
        "Resources Required": "::The attacker must have sufficient access to place an arbitrarily named file somewhere early in the application's search path.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::706::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1036:ENTRY NAME:Masquerading::",
        "Notes": ""
    },
    {
        "CAPEC ID": "180",
        "ID": "Exploiting Incorrectly Configured Access Control Security Levels",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:122::NATURE:CanPrecede:CAPEC ID:17::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Survey] The attacker surveys the target application, possibly as a valid and authenticated user.TECHNIQUE:Spider the web site for all available links.:TECHNIQUE:Brute force to guess all function names/action with different privileges.::STEP:2:PHASE:Experiment:DESCRIPTION:[Identify weak points in access control configurations] The attacker probes the access control for functions and data identified in the Explore phase to identify potential weaknesses in how the access controls are configured.TECHNIQUE:The attacker attempts authenticated access to targeted functions and data.:TECHNIQUE:The attacker attempts unauthenticated access to targeted functions and data.:TECHNIQUE:The attacker attempts indirect and side channel access to targeted functions and data.::STEP:3:PHASE:Exploit:DESCRIPTION:[Access the function or data bypassing the access control] The attacker executes the function or accesses the data identified in the Explore phase bypassing the access control.TECHNIQUE:The attacker executes the function or accesses the data not authorized to them.::",
        "Prerequisites": "::The target must apply access controls, but incorrectly configure them. However, not all incorrect configurations can be exploited by an attacker. If the incorrect configuration applies too little security to some functionality, then the attacker may be able to exploit it if the access control would be the only thing preventing an attacker's access and it no longer does so. If the incorrect configuration applies too much security, it must prevent legitimate activity and the attacker must be able to force others to require this activity..::",
        "Skills Required": "::SKILL:In order to discover unrestricted resources, the attacker does not need special tools or skills. They only have to observe the resources or access mechanisms invoked as each action is performed and then try and access those access mechanisms directly.:LEVEL:Low::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Authorization Execute Unauthorized Commands Run Arbitrary Code::SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism::SCOPE:AvailabilityTECHNICAL IMPACT:Unreliable Execution::",
        "Mitigations": "::Design: Configure the access control correctly.::",
        "Example Instances": "::For example, an incorrectly configured Web server, may allow unauthorized access to it, thus threaten the security of the Web application.::",
        "Related Weaknesses": "::732::1190::1191::1193::1220::1268::1280::1297::1311::1315::1318::1320::1321::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1574.010:ENTRY NAME:Hijack Execution Flow: Services File Permissions Weaknesses::",
        "Notes": ""
    },
    {
        "CAPEC ID": "186",
        "ID": "Malicious Software Update",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:184::NATURE:CanFollow:CAPEC ID:98::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify target] The adversary must first identify what they want their target to be. Because malicious software updates can be carried out in a variety of ways, the adversary will first not only identify a target program, but also what users they wish to target. This attack can be targeted (a particular user or group of users) or untargeted (many different users).::STEP:2:PHASE:Experiment:DESCRIPTION:[Craft a deployment mechanism based on the target] The adversary must craft a deployment mechanism to deploy the malicious software update. This mechanism will differ based on if the attack is targeted or untargeted.TECHNIQUE:Targeted attack: hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update.:TECHNIQUE:Targeted attack: Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update:TECHNIQUE:Untargeted attack: Spam the malicious update to as many users as possible through unsolicited email, instant messages, or social media messages.:TECHNIQUE:Untargeted attack: Send phishing emails to as many users as possible and pretend to be a legitimate source suggesting to download an important software update.:TECHNIQUE:Untargeted attack: Use trojans/botnets to aid in either of the two untargeted attacks.::STEP:3:PHASE:Exploit:DESCRIPTION:[Deploy malicious software update] Using the deployment mechanism from the previous step, the adversary gets a user to install the malicious software update.::",
        "Prerequisites": "",
        "Skills Required": "::SKILL:This attack requires advanced cyber capabilities:LEVEL:High::",
        "Resources Required": "::Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the adversary to host a payload and then trigger the installation of the payload code.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Access Control:SCOPE:Availability:SCOPE:ConfidentialityTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Access Control Availability Confidentiality Execute Unauthorized Commands Utilize the built-in software update mechanisms of the commercial components to deliver software that could compromise security credentials, enable a denial-of-service attack, or enable tracking.::",
        "Mitigations": "::Validate software updates before installing.::",
        "Example Instances": "::Using an automated process to download and install dangerous code was key part of the NotPeyta attack [REF-697]::",
        "Related Weaknesses": "::494::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.002:ENTRY NAME:Supply Chain Compromise: Compromise Software Supply Chain::",
        "Notes": "TYPE:Other:NOTE:Other class of attacks focus on firmware, where malicious updates are made to the core system firmware or BIOS. Since this occurs outside the controls of the operating system, the OS detection and prevention mechanisms do not aid, thus allowing an adversary to evade defenses as well as gain persistence on the target's system.::"
    },
    {
        "CAPEC ID": "187",
        "ID": "Malicious Automated Software Update via Redirection",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:186::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Access Control:SCOPE:Availability:SCOPE:ConfidentialityTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::494::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1072:ENTRY NAME:Software Deployment Tools::",
        "Notes": ""
    },
    {
        "CAPEC ID": "19",
        "ID": "Embedding Scripts within Scripts",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute due to programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:242::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Spider] Using a browser or an automated tool, an adversary records all entry points for inputs that happen to be reflected in a client-side script element. These script elements can be located in the HTML content (head, body, comments), in an HTML tag, XML, CSS, etc.TECHNIQUE:Use a spidering tool to follow and record all non-static links that are likely to have input parameters (through forms, URL, fragments, etc.) actively used by the Web application.:TECHNIQUE:Use a proxy tool to record all links visited during a manual traversal of the web application.:TECHNIQUE:Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.::STEP:2:PHASE:Experiment:DESCRIPTION:[Probe identified potential entry points for XSS vulnerability] The adversary uses the entry points gathered in the Explore phase as a target list and injects various common script payloads to determine if an entry point actually represents a vulnerability and to characterize the extent to which the vulnerability can be exploited.TECHNIQUE:Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side script elements context and observe system behavior to determine if script was executed.:TECHNIQUE:Manually inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a server-side script elements context and observe system behavior to determine if script was executed.:TECHNIQUE:Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a client-side script elements context and observe system behavior to determine if script was executed.:TECHNIQUE:Use an automated injection attack tool to inject various script payloads into each identified entry point using a list of common script injection probes that typically work in a server-side script elements context and observe system behavior to determine if script was executed.:TECHNIQUE:Use a proxy tool to record results of the created requests.::STEP:3:PHASE:Exploit:DESCRIPTION:[Steal session IDs, credentials, page content, etc.] As the adversary succeeds in exploiting the vulnerability, they can choose to steal user's credentials in order to reuse or to analyze them later on.TECHNIQUE:Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the adversary.:TECHNIQUE:Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an adversary's server and then causes the browser to execute appropriately.::STEP:4:PHASE:Exploit:DESCRIPTION:[Forceful browsing] When the adversary targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).TECHNIQUE:Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site:TECHNIQUE:Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an adversary's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).::STEP:5:PHASE:Exploit:DESCRIPTION:[Content spoofing] By manipulating the content, the adversary targets the information that the user would like to get from the website.TECHNIQUE:Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes adversary-modified invalid information to the user on the current web page.::",
        "Prerequisites": "::Target software must be able to execute scripts, and also grant the adversary privilege to write/upload scripts.::",
        "Skills Required": "::SKILL:To load malicious script into open, e.g. world writable directory:LEVEL:Low::SKILL:Executing remote scripts on host and collecting output:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:AvailabilityTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Confidentiality Integrity Availability Execute Unauthorized Commands Run Arbitrary Code::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Use browser technologies that do not allow client side scripting.::Utilize strict type, character, and encoding enforcement.::Server side developers should not proxy content via XHR or other means. If a HTTP proxy for remote content is setup on the server side, the client's browser has no way of discerning where the data is originating from.::Ensure all content that is delivered to client is sanitized against an acceptable content specification.::Perform input validation for all remote content.::Perform output validation for all remote content.::Disable scripting languages such as JavaScript in browser::Session tokens for specific host::Patching software. There are many attack vectors for XSS on the client side and the server side. Many vulnerabilities are fixed in service packs for browser, web servers, and plug in technologies, staying current on patch release that deal with XSS countermeasures mitigates this.::Privileges are constrained, if a script is loaded, ensure system runs in chroot jail or other limited authority mode::",
        "Example Instances": "::Ajax applications enable rich functionality for browser based web applications. Applications like Google Maps deliver unprecedented ability to zoom in and out, scroll graphics, and change graphic presentation through Ajax. The security issues that an adversary may exploit in this instance are the relative lack of security features in JavaScript and the various browser's implementation of JavaScript, these security gaps are what XSS and a host of other client side vulnerabilities are based on. While Ajax may not open up new security holes, per se, due to the conversational aspects between client and server of Ajax communication, attacks can be optimized. A single zoom in or zoom out on a graphic in an Ajax application may round trip to the server dozens of times. One of the first steps many adversarys take is frequently footprinting an environment, this can include scanning local addresses like 192.*.*.* IP addresses, checking local directories, files, and settings for known vulnerabilities, and so on. <IMG SRC=javascript:alert('XSS')> The XSS script that is embedded in a given IMG tag can be manipulated to probe a different address on every click of the mouse or other motions that the Ajax application is aware of. In addition the enumerations allow for the adversary to nest sequential logic in the attacks. While Ajax applications do not open up brand new attack vectors, the existing attack vectors are more than adequate to execute attacks, and now these attacks can be optimized to sequentially execute and enumerate host environments.::~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, ~/.bashrc is executed. This allows users more fine grained control over when they want certain commands executed. These files are meant to be written to by the local user to configure their own environment; however, adversaries can also insert code into these files to gain persistence each time a user logs in or opens a new shell.::",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1546.004:ENTRY NAME:Event Triggered Execution:.bash_profile and .bashrc::",
        "Notes": ""
    },
    {
        "CAPEC ID": "191",
        "ID": "Read Sensitive Constants Within an Executable",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:167::",
        "Execution Flow": "",
        "Prerequisites": "::Access to a binary or executable such that it can be analyzed by various utilities.::",
        "Skills Required": "",
        "Resources Required": "::Binary analysis programs such as 'strings' or 'grep', or hex editors.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::798::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1552.001:ENTRY NAME:Unsecured Credentials:Credentials in files::",
        "Notes": "TYPE:Other:NOTE:More sophisticated methods of searching for sensitive strings within a file involve disassembly or decompiling of the file. One could, for example, utilize disassembly methods on an ISAPI executable or dll to discover a hard-coded password within the code as it executes. This type of analysis usually involves four stages in which first a debugger is attached to the running process, anti-debugging countermeasures are circumvented or bypassed, the program is analyzed step-by-step, and breakpoints are established so that discrete functions and data structures can be analyzed. Debugging tools such as SoftICE, Ollydbg, or vendor supplied debugging tools are often used. Disassembly tools such as IDA pro, or similar tools, can also be employed. A third strategy for accessing sensitive strings within a binary involves the decompilation of the file itself into source code that reveals the strings. An example of this type of analysis involves extracting source code from a java JAR file and then using functionality within a java IDE to search the source code for sensitive, hard-coded information. In performing this analysis native java tools, such as jar are used to extract the compiled class files. Next, a java decompiler such as DJ is used to extract java source code from the compiled classes, revealing source code. Finally, the source code is audited to reveal sensitive information, a step that is usually assisted by source code analysis programs.::"
    },
    {
        "CAPEC ID": "196",
        "ID": "Session Credential Falsification through Forging",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:CanPrecede:CAPEC ID:384::NATURE:CanPrecede:CAPEC ID:61::NATURE:ChildOf:CAPEC ID:21::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Analyze and Understand Session IDs] The attacker finds that the targeted application use session credentials to identify legitimate users.TECHNIQUE:An attacker makes many anonymous connections and records the session IDs.:TECHNIQUE:An attacker makes authorized connections and records the session tokens or credentials.::STEP:2:PHASE:Experiment:DESCRIPTION:[Create Session IDs.] Attackers craft messages containing their forged credentials in GET, POST request, HTTP headers or cookies.TECHNIQUE:The attacker manipulates the HTTP request message and adds their forged session IDs in to the requests or cookies.::STEP:3:PHASE:Exploit:DESCRIPTION:[Abuse the Victim's Session Credentials] The attacker fixates falsified session ID to the victim when victim access the system. Once the victim has achieved a higher level of privilege, possibly by logging into the application, the attacker can now take over the session using the forged session identifier.TECHNIQUE:The attacker loads the predefined or predicted session ID into their browser and browses to protected data or functionality.:TECHNIQUE:The attacker loads the predefined or predicted session ID into their software and utilizes functionality with the rights of the victim.::",
        "Prerequisites": "::The targeted application must use session credentials to identify legitimate users. Session identifiers that remains unchanged when the privilege levels change. Predictable session identifiers.::",
        "Skills Required": "::SKILL:Forge the session credential and reply the request.:LEVEL:Medium::",
        "Resources Required": "::Attackers may require tools to craft messages containing their forged credentials, and ability to send HTTP request to a web application.::",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Authorization Execute Unauthorized Commands Run Arbitrary Code::SCOPE:Accountability:SCOPE:Authentication:SCOPE:Authorization:SCOPE:Non-RepudiationTECHNICAL IMPACT:Gain Privileges::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism::",
        "Mitigations": "::Implementation: Use session IDs that are difficult to guess or brute-force: One way for the attackers to obtain valid session IDs is by brute-forcing or guessing them. By choosing session identifiers that are sufficiently random, brute-forcing or guessing becomes very difficult.::Implementation: Regenerate and destroy session identifiers when there is a change in the level of privilege: This ensures that even though a potential victim may have followed a link with a fixated identifier, a new one is issued when the level of privilege changes.::",
        "Example Instances": "::This example uses client side scripting to set session ID in the victim's browser. The JavaScript code document.cookie=sessionid=0123456789 fixates a falsified session credential into victim's browser, with the help of crafted a URL link. http://www.example.com/<script>document.cookie=sessionid=0123456789;</script> A similar example uses session ID as an argument of the URL. http://www.example.com/index.php/sessionid=0123456789 Once the victim clicks the links, the attacker may be able to bypass authentication or piggy-back off some other authenticated victim's session.::",
        "Related Weaknesses": "::384::664::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1134.002:ENTRY NAME:Access Token Manipulation: Create Process with Token::::TAXONOMY NAME:ATTACK:ENTRY ID:1134.003:ENTRY NAME:Access Token Manipulation: Make and Impersonate Token::::TAXONOMY NAME:ATTACK:ENTRY ID:1606:ENTRY NAME:Forge Web Credentials::",
        "Notes": ""
    },
    {
        "CAPEC ID": "2",
        "ID": "Inducing Account Lockout",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:212::",
        "Execution Flow": "::STEP:1:PHASE:Experiment:DESCRIPTION:[Investigate account lockout behavior of system] Investigate the security features present in the system that may trigger an account lockoutTECHNIQUE:Analyze system documentation to find list of events that could potentially cause account lockout:TECHNIQUE:Obtain user account in system and attempt to lock it out by sending malformed or incorrect data repeatedly:TECHNIQUE:Determine another user's login ID, and attempt to brute force the password (or other credentials) for it a predetermined number of times, or until the system provides an indication that the account is locked out.::STEP:2:PHASE:Experiment:DESCRIPTION:[Obtain list of user accounts to lock out] Generate a list of valid user accounts to lock outTECHNIQUE:Obtain list of authorized users using another attack pattern, such as SQL Injection.:TECHNIQUE:Attempt to create accounts if possible; system should indicate if a user ID is already taken.:TECHNIQUE:Attempt to brute force user IDs if system reveals whether a given user ID is valid or not upon failed login attempts.::STEP:3:PHASE:Exploit:DESCRIPTION:[Lock Out Accounts] Perform lockout procedure for all accounts that the attacker wants to lock out.TECHNIQUE:For each user ID to be locked out, perform the lockout procedure discovered in the first step.::",
        "Prerequisites": "::The system has a lockout mechanism.::An attacker must be able to reproduce behavior that would result in an account being locked.::",
        "Skills Required": "::SKILL:No programming skills or computer knowledge is needed. An attacker can easily use this attack pattern following the Execution Flow above.:LEVEL:Low::",
        "Resources Required": "::Computer with access to the login portion of the target system::",
        "Indicators": "",
        "Consequences": "::SCOPE:AvailabilityTECHNICAL IMPACT:Resource Consumption:NOTE:Availability Resource Consumption Denial of Service::",
        "Mitigations": "::Implement intelligent password throttling mechanisms such as those which take IP address into account, in addition to the login name.::When implementing security features, consider how they can be misused and made to turn on themselves.::",
        "Example Instances": "::A famous example of this type an attack is the eBay attack. eBay always displays the user id of the highest bidder. In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect log in attempts, eBay password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then make their own bid and their victim would not have a chance to place the counter bid because they would be locked out. Thus an attacker could win the auction.::",
        "Related Weaknesses": "::645::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1531:ENTRY NAME:Account Access Removal::",
        "Notes": ""
    },
    {
        "CAPEC ID": "203",
        "ID": "Manipulate Registry Information",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:176::",
        "Execution Flow": "",
        "Prerequisites": "::The targeted application must rely on values stored in a registry.::The adversary must have a means of elevating permissions in order to access and modify registry content through either administrator privileges (e.g., credentialed access), or a remote access tool capable of editing a registry through an API.::",
        "Skills Required": "::SKILL:The adversary requires privileged credentials or the development/acquiring of a tailored remote access tool.:LEVEL:High::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Ensure proper permissions are set for Registry hives to prevent users from modifying keys.::Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.::Employ robust identification and audit/blocking using an allowlist of applications on your system. Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.::",
        "Example Instances": "::Manipulating registration information can be undertaken in advance of a path traversal attack (inserting relative path modifiers) or buffer overflow attack (enlarging a registry value beyond an application's ability to store it).::",
        "Related Weaknesses": "::15::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1112:ENTRY NAME:Modify Registry::::TAXONOMY NAME:ATTACK:ENTRY ID:1647:ENTRY NAME:Plist Modification::",
        "Notes": ""
    },
    {
        "CAPEC ID": "204",
        "ID": "Lifting Sensitive Data Embedded in Cache",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:167::NATURE:CanPrecede:CAPEC ID:560::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify Application Cache] An adversary first identifies an application that utilizes a cache. This could either be a web application storing data in a browser cache, or an application running on a separate machine. The adversary examines the cache to determine file permissions and possible encryption.TECHNIQUE:Use probing tools to look for application cache files on a machine.:TECHNIQUE:Use a web application and determine if any sensitive information is stored in browser cache.::STEP:2:PHASE:Experiment:DESCRIPTION:[Attempt to Access Cache] Once the cache has been discovered, the adversary attempts to access the cached data. This often requires previous access to a machine hosting the target application.TECHNIQUE:Use priviledge escalation to access cache files that might have strict privileges.:TECHNIQUE:If the application cache is encrypted with weak encryption, attempt to understand the encryption technique and break the encryption.::STEP:3:PHASE:Exploit:DESCRIPTION:[Lift Sensitive Data from Cache] After gaining access to cached data, an adversary looks for potentially sensitive information and stores it for malicious use. This sensitive data could possibly be used in follow-up attacks related to authentication or authorization.TECHNIQUE:Using a public computer, or gaining access to a victim's computer, examine browser cache to look for sensitive data left over from previous sessions.::",
        "Prerequisites": "::The target application must store sensitive information in a cache.::The cache must be inadequately protected against attacker access.::",
        "Skills Required": "",
        "Resources Required": "::The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::524::311::1239::1258::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1005:ENTRY NAME:Data from Local System::",
        "Notes": ""
    },
    {
        "CAPEC ID": "206",
        "ID": "Signing Malicious Code",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:The adversary first attempts to obtain a digital certificate in order to sign their malware or tools. This certificate could be stolen, created by the adversary, or acquired normally through a certificate authority.::STEP:2:PHASE:Explore:DESCRIPTION:Based on the type of certificate obtained, the adversary will create a goal for their attack. This is either a broad or targeted attack. If an adversary was able to steal a certificate from a targeted organization, they could target this organization by pretending to have legitimate code signed by them. In other cases, the adversary would simply sign their malware and pose as legitimate software such that any user might trust it. This is the more broad approach::STEP:3:PHASE:Experiment:DESCRIPTION:The adversary creates their malware and signs it with the obtained digital certificate. The adversary then checks if the code that they signed is valid either through downloading from the targeted source or testing locally.::STEP:4:PHASE:Exploit:DESCRIPTION:Once the malware has been signed, it is then deployed to the desired location. They wait for a trusting user to run their malware, thinking that it is legitimate software. This malware could do a variety of things based on the motivation of the adversary.::",
        "Prerequisites": "::The targeted developer must use a signing key to sign code bundles. (Note that not doing this is not a defense - it only means that the adversary does not need to steal the signing key before forging code bundles in the developer's name.)::",
        "Skills Required": "",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Ensure digital certificates are protected and inaccessible by unauthorized uses.::If a digital certificate has been compromised it should be revoked and regenerated.::Even if a piece of software has a valid and trusted digital signature, it should be assessed for any weaknesses and vulnerabilities.::",
        "Example Instances": "::In the famous Stuxnet malware incident, two digital certificates were compromised in order to sign malicious device drivers with legitimate credentials. The signing resulted in the malware appearing as trusted by the system it was running on, which facilitated the installation of the malware in kernel mode. This further resulted in Stuxnet remaining undetected for a significant amount of time. [REF-699]::The cyber espionage group CyberKittens leveraged a stolen certificate from AI Squared that allowed them to leverage a signed executable within Operation Wilted Tulip. This ultimately allowed the executable to run as trusted on the system, allowing a Crowd Strike stager to be loaded within the system's memory. [REF-714]::",
        "Related Weaknesses": "::732::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1553.002:ENTRY NAME:Subvert Trust Controls:Code Signing::",
        "Notes": ""
    },
    {
        "CAPEC ID": "21",
        "ID": "Exploitation of Trusted Identifiers",
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "An adversary guesses, obtains, or rides a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Survey the application for Indicators of Susceptibility] Using a variety of methods, until one is found that applies to the target, the adversary probes for cookies, session tokens, or entry points that bypass identifiers altogether.TECHNIQUE:Spider all available pages:TECHNIQUE:Attack known bad interfaces:TECHNIQUE:Search outward-facing configuration and properties files for identifiers.::STEP:2:PHASE:Experiment:DESCRIPTION:[Fetch samples] The adversary fetches many samples of identifiers. This may be through legitimate access (logging in, legitimate connections, etc.) or via systematic probing.TECHNIQUE:An adversary makes many anonymous connections and records the session IDs assigned.:TECHNIQUE:An adversary makes authorized connections and records the session tokens or credentials issued.:TECHNIQUE:An adversary gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connection from it, attempting to gain the same privileges as a trusted system.::STEP:3:PHASE:Exploit:DESCRIPTION:[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application::STEP:4:PHASE:Exploit:DESCRIPTION:[Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.::STEP:5:PHASE:Exploit:DESCRIPTION:[Data Exfiltration] The adversary can obtain sensitive data contained within the system or application.::",
        "Prerequisites": "::Server software must rely on weak identifier proof and/or verification schemes.::Identifiers must have long lifetimes and potential for reusability.::Server software must allow concurrent sessions to exist.::",
        "Skills Required": "::SKILL:To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user:LEVEL:Low::",
        "Resources Required": "::Ability to deploy software on network.::Ability to communicate synchronously or asynchronously with server.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Design: utilize strong federated identity such as SAML to encrypt and sign identity tokens in transit.::Implementation: Use industry standards session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf.::Implementation: If the identifier is used for authentication, such as in the so-called single sign on use cases, then ensure that it is protected at the same level of assurance as authentication tokens.::Implementation: If the web or application server supports it, then encrypting and/or signing the identifier (such as cookie) can protect the ID if intercepted.::Design: Use strong session identifiers that are protected in transit and at rest.::Implementation: Utilize a session timeout for all sessions, for example 20 minutes. If the user does not explicitly logout, the server terminates their session after this period of inactivity. If the user logs back in then a new session key is generated.::Implementation: Verify authenticity of all identifiers at runtime.::",
        "Example Instances": "::Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an adversary to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an adversary to exploit session IDs. A brute force attack involves an adversary repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an adversary can retry several hundred or thousand request with little to no issue on their side. The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The adversary can then use these variables and access the application.::For example, in a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or the process that wrote the message to the queue is authentic and authorized to do so.::",
        "Related Weaknesses": "::290::302::346::539::6::384::664::602::642::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1134:ENTRY NAME:Access Token Manipulation::::TAXONOMY NAME:ATTACK:ENTRY ID:1528:ENTRY NAME:Steal Application Access Token::::TAXONOMY NAME:ATTACK:ENTRY ID:1539:ENTRY NAME:Steal Web Session Cookie::",
        "Notes": ""
    },
    {
        "CAPEC ID": "227",
        "ID": "Sustained Client Engagement",
        "Abstraction": "Meta",
        "Status": "Draft",
        "Description": "An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "::This pattern of attack requires a temporal aspect to the servicing of a given request. Success can be achieved if the adversary can make requests that collectively take more time to complete than legitimate user requests within the same time frame.::",
        "Skills Required": "",
        "Resources Required": "::To successfully execute this pattern of attack, a script or program is often required that is capable of continually engaging the target and maintaining sustained usage of a specific resource. Depending on the configuration of the target, it may or may not be necessary to involve a network or cluster of objects all capable of making parallel requests.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Potential mitigations include requiring a unique login for each resource request, constraining local unprivileged access by disallowing simultaneous engagements of the resource, or limiting access to the resource to one access per IP address. In such scenarios, the adversary would have to increase engagements either by launching multiple sessions manually or programmatically to counter such defenses.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1499:ENTRY NAME:Endpoint Denial of Service::::TAXONOMY NAME:WASC:ENTRY ID:10:ENTRY NAME:Denial of Service::",
        "Notes": ""
    },
    {
        "CAPEC ID": "233",
        "ID": "Privilege Escalation",
        "Abstraction": "Meta",
        "Status": "Draft",
        "Description": "An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::269::1264::1311::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1548:ENTRY NAME:Abuse Elevation Control Mechanism::",
        "Notes": ""
    },
    {
        "CAPEC ID": "25",
        "ID": "Forced Deadlock",
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:The adversary initiates an exploratory phase to get familiar with the system.::STEP:2:PHASE:Explore:DESCRIPTION:The adversary triggers a first action (such as holding a resource) and initiates a second action which will wait for the first one to finish.::STEP:3:PHASE:Explore:DESCRIPTION:If the target program has a deadlock condition, the program waits indefinitely resulting in a denial of service.::",
        "Prerequisites": "::The target host has a deadlock condition. There are four conditions for a deadlock to occur, known as the Coffman conditions. [REF-101]::The target host exposes an API to the user.::",
        "Skills Required": "::SKILL:This type of attack may be sophisticated and require knowledge about the system's resources and APIs.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:AvailabilityTECHNICAL IMPACT:Resource Consumption:NOTE:Availability Resource Consumption A successful forced deadlock attack compromises the availability of the system by exhausting its available resources.::",
        "Mitigations": "::Use known algorithm to avoid deadlock condition (for instance non-blocking synchronization algorithms).::For competing actions, use well-known libraries which implement synchronization.::",
        "Example Instances": "::An example of a deadlock which may occur in database products is the following. Client applications using the database may require exclusive access to a table, and in order to gain exclusive access they ask for a lock. If one client application holds a lock on a table and attempts to obtain the lock on a second table that is already held by a second client application, this may lead to deadlock if the second application then attempts to obtain the lock that is held by the first application (Source: Wikipedia, http://en.wikipedia.org/wiki/Deadlock)::",
        "Related Weaknesses": "::412::567::662::667::833::1322::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1499.004:ENTRY NAME:Endpoint Denial of Service: Application or System Exploitation::",
        "Notes": ""
    },
    {
        "CAPEC ID": "251",
        "ID": "Local Code Inclusion",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:175::",
        "Execution Flow": "",
        "Prerequisites": "::The targeted application must have a bug that allows an adversary to control which code file is loaded at some juncture.::Some variants of this attack may require that old versions of some code files be present and in predictable locations.::",
        "Skills Required": "",
        "Resources Required": "::The adversary needs to have enough access to the target application to control the identity of a locally included file. The attacker may also need to be able to upload arbitrary code files to the target machine, although any location for these files may be acceptable.::",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Integrity Execute Unauthorized Commands Through local code inclusion, the adversary compromises the integrity of the application.::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:NOTE:Confidentiality Read Data An attacker may leverage local code inclusion in order to print sensitive data to a page, such as hidden configuration files or or password hashes.::",
        "Mitigations": "::Implementation: Avoid passing user input to filesystem or framework API. If necessary to do so, implement a specific, allowlist approach.::",
        "Example Instances": "",
        "Related Weaknesses": "::829::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1055:ENTRY NAME:Process Injection::",
        "Notes": ""
    },
    {
        "CAPEC ID": "267",
        "ID": "Leverage Alternate Encoding",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:153::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Survey the application for user-controllable inputs] Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.TECHNIQUE:Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.:TECHNIQUE:Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.:TECHNIQUE:Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.:TECHNIQUE:Manually inspect the application to find entry points.::STEP:2:PHASE:Experiment:DESCRIPTION:[Probe entry points to locate vulnerabilities] The adversary uses the entry points gathered in the Explore phase as a target list and injects various payloads using a variety of different types of encodings to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.TECHNIQUE:Try to use different encodings of content in order to bypass validation routines.::",
        "Prerequisites": "::The application's decoder accepts and interprets encoded characters. Data canonicalization, input filtering and validating is not done properly leaving the door open to harmful characters for the target host.::",
        "Skills Required": "::SKILL:An adversary can inject different representation of a filtered character in a different encoding.:LEVEL:Low::SKILL:An adversary may craft subtle encoding of input data by using the knowledge that they have gathered about the target host.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Authorization Execute Unauthorized Commands Run Arbitrary Code::SCOPE:Accountability:SCOPE:Authentication:SCOPE:Authorization:SCOPE:Non-RepudiationTECHNICAL IMPACT:Gain Privileges::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism::SCOPE:AvailabilityTECHNICAL IMPACT:Unreliable Execution:TECHNICAL IMPACT:Resource Consumption:NOTE:Availability Unreliable Execution Resource Consumption Denial of Service::",
        "Mitigations": "::Assume all input might use an improper representation. Use canonicalized data inside the application; all data must be converted into the representation used inside the application (UTF-8, UTF-16, etc.)::Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system. Test your decoding process against malicious input.::",
        "Example Instances": "::Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, and 7 does not properly handle unspecified encoding strings, which allows remote adversaries to bypass the Same Origin Policy and obtain sensitive information via a crafted web site, aka Post Encoding Information Disclosure Vulnerability. Related Vulnerabilities CVE-2010-0488::Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.::",
        "Related Weaknesses": "::173::172::180::181::73::74::20::697::692::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1027:ENTRY NAME:Obfuscated Files or Information::",
        "Notes": ""
    },
    {
        "CAPEC ID": "268",
        "ID": "Audit Log Manipulation",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:161::",
        "Execution Flow": "",
        "Prerequisites": "::The target host is logging the action and data of the user.::The target host insufficiently protects access to the logs or logging mechanisms.::",
        "Skills Required": "",
        "Resources Required": "::The attacker must understand how the logging mechanism works. Optionally, the attacker must know the location and the format of individual entries of the log files.::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::117::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1070:ENTRY NAME:Indicator Removal on Host::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.002:ENTRY NAME:Impair Defenses: Disable Windows Event Logging::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.003:ENTRY NAME:Impair Defenses: Impair Command History Logging::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.008:ENTRY NAME:Impair Defenses: Disable Cloud Logs::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Log Injection::",
        "Notes": ""
    },
    {
        "CAPEC ID": "270",
        "ID": "Modification of Registry Run Keys",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary adds a new entry to the run keys in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:203::NATURE:CanPrecede:CAPEC ID:568::NATURE:CanPrecede:CAPEC ID:529::NATURE:CanPrecede:CAPEC ID:646::NATURE:CanFollow:CAPEC ID:555::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine target system] The adversary must first determine the system they wish to target. This attack only works on Windows.::STEP:2:PHASE:Experiment:DESCRIPTION:[Gain access to the system] The adversary needs to gain access to the system in some way so that they can modify the Windows registry.TECHNIQUE:Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.:TECHNIQUE:Gain remote access to a system through a variety of means.::STEP:3:PHASE:Exploit:DESCRIPTION:[Modify Windows registry] The adversary will modify the Windows registry by adding a new entry to the run keys referencing a desired program. This program will be run whenever the user logs in.::",
        "Prerequisites": "::The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data:TECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Identify programs that may be used to acquire process information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.::",
        "Example Instances": "::An adversary can place a malicious executable (RAT) on the target system and then configure it to automatically run when the user logs in to maintain persistence on the target system.::Through the modification of registry run keys the adversary can masquerade a malicious executable as a legitimate program.::",
        "Related Weaknesses": "::15::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1547.001:ENTRY NAME:Boot or Logon Autostart Execution: Registry Run Keys / Start Folder::::TAXONOMY NAME:ATTACK:ENTRY ID:1547.014:ENTRY NAME:Boot or Logon Autostart Execution: Active::",
        "Notes": ""
    },
    {
        "CAPEC ID": "292",
        "ID": "Host Discovery",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary sends a probe to an IP address to determine if the host is alive. Host discovery is one of the earliest phases of network reconnaissance. The adversary usually starts with a range of IP addresses belonging to a target network and uses various methods to determine if a host is present at that IP address. Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet through to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response. An attack of this nature is usually carried out with a 'ping sweep,' where a particular kind of ping is sent to a range of IP addresses.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary requires logical access to the target network in order to carry out host discovery.::",
        "Skills Required": "",
        "Resources Required": "::The resources required will differ based upon the type of host discovery being performed. Usually a network scanning tool or scanning script is required due to the volume of requests that must be generated.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism:TECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1018:ENTRY NAME:Remote System Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "295",
        "ID": "Timestamp Request",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "This pattern of attack leverages standard requests to learn the exact time associated with a target system. An adversary may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:292::",
        "Execution Flow": "",
        "Prerequisites": "::The ability to send a timestamp request to a remote target and receive a response.::",
        "Skills Required": "",
        "Resources Required": "::Scanners or utilities that provide the ability to send custom ICMP queries.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other::",
        "Mitigations": "",
        "Example Instances": "::An adversary sends an ICMP type 13 Timestamp Request to determine the time as recorded by a remote target. Timestamp Replies, ICMP Type 14, usually return a value in Greenwich Mean Time. An adversary can attempt to use an ICMP Timestamp requests to 'ping' a remote system to see if is alive. Additionally, because these types of messages are rare they are easily spotted by intrusion detection systems, many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 13 and egress ICMP type 14 messages.::An adversary may gather the system time or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing net time hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. The information could be useful for performing other techniques, such as executing a file with a Scheduled Task, or to discover locality information based on time zone to assist in victim targeting::",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1124:ENTRY NAME:System Time Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "30",
        "ID": "Hijacking a Privileged Thread of Execution",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:233::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine target thread] The adversary determines the underlying system thread that is subject to user-control::STEP:2:PHASE:Experiment:DESCRIPTION:[Gain handle to thread] The adversary then gains a handle to a process thread.TECHNIQUE:Use the OpenThread API call in Windows on a known thread.:TECHNIQUE:Cause an exception in a java privileged block public function and catch it, or catch a normal signal. The thread is then hanging and the adversary can attempt to gain a handle to it.::STEP:3:PHASE:Experiment:DESCRIPTION:[Alter process memory] Once the adversary has a handle to the target thread, they will suspend the thread and alter the memory using native OS calls.TECHNIQUE:On Windows, use SuspendThread followed by VirtualAllocEx, WriteProcessMemory, and SetThreadContext.::STEP:4:PHASE:Exploit:DESCRIPTION:[Resume thread execution] Once the process memory has been altered to execute malicious code, the thread is then resumed.TECHNIQUE:On Windows, use ResumeThread.::",
        "Prerequisites": "::The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users::In order to feasibly execute this class of attacks, the adversary must have the ability to hijack a privileged thread. This ability includes, but is not limited to, modifying environment variables that affect the process the thread belongs to, or calling native OS calls that can suspend and alter process memory. This does not preclude network-based attacks, but makes them conceptually more difficult to identify and execute.::",
        "Skills Required": "::SKILL:Hijacking a thread involves knowledge of how processes and threads function on the target platform, the design of the target application as well as the ability to identify the primitives to be used or manipulated to hijack the thread.:LEVEL:High::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack. The adversary needs to be able to latch onto a privileged thread. The adversary does, however, need to be able to program, compile, and link to the victim binaries being executed so that it will turn control of a privileged thread over to the adversary's malicious code. This is the case even if the adversary conducts the attack remotely.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:AvailabilityTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Confidentiality Integrity Availability Execute Unauthorized Commands Run Arbitrary Code::",
        "Mitigations": "::Application Architects must be careful to design callback, signal, and similar asynchronous constructs such that they shed excess privilege prior to handing control to user-written (thus untrusted) code.::Application Architects must be careful to design privileged code blocks such that upon return (successful, failed, or unpredicted) that privilege is shed prior to leaving the block/scope.::",
        "Example Instances": "::Adversary targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread (e.g., a system call). The adversary could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations.::",
        "Related Weaknesses": "::270::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1055.003:ENTRY NAME:Process Injection: Thread Execution Hijacking::",
        "Notes": ""
    },
    {
        "CAPEC ID": "300",
        "ID": "Port Scanning",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary requires logical access to the target's network in order to carry out this type of attack.::",
        "Skills Required": "",
        "Resources Required": "::The adversary requires a network mapping/scanning tool, or must conduct socket programming on the command line. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism:TECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1046:ENTRY NAME:Network Service Scanning::",
        "Notes": "TYPE:Other:NOTE:There are four types of port status that this type of attack aims to identify: 1) Open Port: The port is open and a firewall does not block access to the port, 2) Closed Port: The port is closed (i.e. no service resides there) and a firewall does not block access to the port, 3) Filtered Port: A firewall or ACL rule is blocking access to the port in some manner, although the presence of a listening service on the port cannot be verified, and 4) Unfiltered Port: A firewall or ACL rule is not blocking access to the port, although the presence of a listening service on the port cannot be verified.::"
    },
    {
        "CAPEC ID": "309",
        "ID": "Network Topology Mapping",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary engages in scanning activities to map network nodes, hosts, devices, and routes. Adversaries usually perform this type of network reconnaissance during the early stages of attack against an external network. Many types of scanning utilities are typically employed, including ICMP tools, network mappers, port scanners, and route testing utilities such as traceroute.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::NATURE:CanPrecede:CAPEC ID:664::",
        "Execution Flow": "",
        "Prerequisites": "::None::",
        "Skills Required": "",
        "Resources Required": "::Probing requires the ability to interactively send and receive data from a target, whereas passive listening requires a sufficient understanding of the protocol to analyze a preexisting channel of communication.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1016:ENTRY NAME:System Network Configuration Discovery::::TAXONOMY NAME:ATTACK:ENTRY ID:1049:ENTRY NAME:System Network Connections Discovery::::TAXONOMY NAME:ATTACK:ENTRY ID:1590:ENTRY NAME:Gather Victim Network Information::",
        "Notes": ""
    },
    {
        "CAPEC ID": "31",
        "ID": "Accessing/Intercepting/Modifying HTTP Cookies",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:39::NATURE:ChildOf:CAPEC ID:157::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Obtain copy of cookie] The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.TECHNIQUE:Sniff cookie using a network sniffer such as Wireshark:TECHNIQUE:Obtain cookie using a utility such as the Firefox Cookie Manager, Chrome DevTools or AnEC Cookie Editor.:TECHNIQUE:Steal cookie via a cross-site scripting attack.:TECHNIQUE:Guess cookie contents if it contains predictable information.::STEP:2:PHASE:Experiment:DESCRIPTION:[Obtain sensitive information from cookie] The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.TECHNIQUE:If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.:TECHNIQUE:Analyze the cookie's contents to determine whether it contains any sensitive information.::STEP:3:PHASE:Experiment:DESCRIPTION:[Modify cookie to subvert security controls.] The adversary may be able to modify or replace cookies to bypass security controls in the application.TECHNIQUE:Modify logical parts of cookie and send it back to server to observe the effects.:TECHNIQUE:Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.:TECHNIQUE:Modify cookie bitwise and send it back to server to observe the effects.:TECHNIQUE:Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a points balance for a given user where the points have some value. The user may spend their points and then replace their cookie with an older one to restore their balance.::",
        "Prerequisites": "::Target server software must be a HTTP daemon that relies on cookies.::The cookies must contain sensitive information.::The adversary must be able to make HTTP requests to the server, and the cookie must be contained in the reply.::",
        "Skills Required": "::SKILL:To overwrite session cookie data, and submit targeted attacks via HTTP:LEVEL:Low::SKILL:Exploiting a remote buffer overflow generated by attack:LEVEL:High::",
        "Resources Required": "::A utility that allows for the viewing and modification of cookies. Many modern web browsers support this behavior.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Design: Use input validation for cookies::Design: Generate and validate MAC for cookies::Implementation: Use SSL/TLS to protect cookie in transit::Implementation: Ensure the web server implements all relevant security patches, many exploitable buffer overflows are fixed in patches issued for the software.::",
        "Example Instances": "::There are two main attack vectors for exploiting poorly protected session variables like cookies. One is the local machine itself which can be exploited directly at the physical level or indirectly through XSS and phishing. In addition, the adversary in the middle attack (CAPEC-94) relies on a network sniffer, proxy, or other intermediary to intercept the subject's credentials and use them to impersonate the digital subject on the host. The issue is that once the credentials are intercepted, impersonation is trivial for the adversary to accomplish if no other protection mechanisms are in place. See also: CVE-2010-5148 , CVE-2016-0353::",
        "Related Weaknesses": "::565::302::311::113::539::20::315::384::472::602::642::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1539:ENTRY NAME:Steal Web Session Cookie::",
        "Notes": ""
    },
    {
        "CAPEC ID": "312",
        "ID": "Active OS Fingerprinting",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:224::",
        "Execution Flow": "",
        "Prerequisites": "::The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.::",
        "Skills Required": "",
        "Resources Required": "::Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges. A tool capable of sending and receiving packets from a remote system.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1082:ENTRY NAME:System Information Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "313",
        "ID": "Passive OS Fingerprinting",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary engages in activity to detect the version or type of OS software in a an environment by passively monitoring communication between devices, nodes, or applications. Passive techniques for operating system detection send no actual probes to a target, but monitor network or client-server communication between nodes in order to identify operating systems based on observed behavior as compared to a database of known signatures or values. While passive OS fingerprinting is not usually as reliable as active methods, it is generally better able to evade detection.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:224::",
        "Execution Flow": "",
        "Prerequisites": "::The ability to monitor network communications.Access to at least one host, and the privileges to interface with the network interface card.::",
        "Skills Required": "",
        "Resources Required": "::Any tool capable of monitoring network communications, like a packet sniffer (e.g., Wireshark)::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1082:ENTRY NAME:System Information Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "35",
        "ID": "Leverage Executable Code in Non-Executable Files",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:636::NATURE:PeerOf:CAPEC ID:23::NATURE:PeerOf:CAPEC ID:75::",
        "Execution Flow": "",
        "Prerequisites": "::The attacker must have the ability to modify non-executable files consumed by the target software.::",
        "Skills Required": "::SKILL:To identify and execute against an over-privileged system interface:LEVEL:Low::",
        "Resources Required": "::Ability to communicate synchronously or asynchronously with server that publishes an over-privileged directory, program, or interface. Optionally, ability to capture output directly through synchronous communication or other method such as FTP.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:AvailabilityTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Confidentiality Integrity Availability Execute Unauthorized Commands Run Arbitrary Code::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Design: Enforce principle of least privilege::Design: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to constrain privileges even if attacker gains some limited access to commands.::Implementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and interfaces that grant direct access to executables.::Implementation: Implement host integrity monitoring to detect any unwanted altering of configuration files.::Implementation: Ensure that files that are not required to execute, such as configuration files, are not over-privileged, i.e. not allowed to execute.::",
        "Example Instances": "::Virtually any system that relies on configuration files for runtime behavior is open to this attack vector. The configuration files are frequently stored in predictable locations, so an attacker that can fingerprint a server process such as a web server or database server can quickly identify the likely locale where the configuration is stored. And this is of course not limited to server processes. Unix shells rely on profile files to store environment variables, search paths for programs and so on. If the aliases are changed, then a standard Unix cp command can be rerouted to rm or other standard command so the user's intention is subverted.::The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser.::Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process.::The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name public grants all users with the public role the ability to use the administration functionality. < security-constraint><description>Security processing rules for admin screens</description><url-pattern>/admin/*</url-pattern><http-method>POST</http-method><http-method>GET</http-method><auth-constraint><role-name>administrator</role-name><role-name>public</role-name> </auth-constraint> </security-constraint> The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.::",
        "Related Weaknesses": "::94::96::95::97::272::59::282::270::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1027.006:ENTRY NAME:Obfuscated Files or Information: HTML Smuggling::::TAXONOMY NAME:ATTACK:ENTRY ID:1564.009:ENTRY NAME:Hide Artifacts: Resource Forking::",
        "Notes": ""
    },
    {
        "CAPEC ID": "37",
        "ID": "Retrieve Embedded Sensitive Data",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:167::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.TECHNIQUE:Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.:TECHNIQUE:Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.::STEP:2:PHASE:Exploit:DESCRIPTION:[Retrieve Embedded Data] The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest.TECHNIQUE:API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.:TECHNIQUE:Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.:TECHNIQUE:Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.:TECHNIQUE:Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.::",
        "Prerequisites": "::In order to feasibly execute this type of attack, some valuable data must be present in client software.::Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack.::",
        "Skills Required": "::SKILL:The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution:LEVEL:Medium::",
        "Resources Required": "::The attacker must possess access to the system or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as Strings or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "",
        "Example Instances": "::Using a tool such as 'strings' or similar to pull out text data, perhaps part of a database table, that extends beyond what a particular user's purview should be.::An attacker can also use a decompiler to decompile a downloaded Java applet in order to look for information such as hardcoded IP addresses, file paths, passwords or other such contents.::Attacker uses a tool such as a browser plug-in to pull cookie or other token information that, from a previous user at the same machine (perhaps a kiosk), allows the attacker to log in as the previous user.::",
        "Related Weaknesses": "::226::311::525::312::314::315::318::1239::1258::1266::1272::1278::1301::1330::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1005:ENTRY NAME:Data from Local System::::TAXONOMY NAME:ATTACK:ENTRY ID:1552.004:ENTRY NAME:Unsecured Credentials: Private Keys::",
        "Notes": ""
    },
    {
        "CAPEC ID": "38",
        "ID": "Leveraging/Manipulating Configuration File Search Paths",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:159::",
        "Execution Flow": "",
        "Prerequisites": "::The attacker must be able to write to redirect search paths on the victim host.::",
        "Skills Required": "::SKILL:To identify and execute against an over-privileged system interface:LEVEL:Low::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:AvailabilityTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Confidentiality Integrity Availability Execute Unauthorized Commands Run Arbitrary Code::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Design: Enforce principle of least privilege::Design: Ensure that the program's compound parts, including all system dependencies, classpath, path, and so on, are secured to the same or higher level assurance as the program::Implementation: Host integrity monitoring::",
        "Example Instances": "::Another method is to redirect commands by aliasing one legitimate command to another to create unexpected results. the Unix command rm could be aliased to mv and move all files the victim thinks they are deleting to a directory the attacker controls. In a Unix shell .profile setting alias rm=mv /usr/home/attacker In this case the attacker retains a copy of all the files the victim attempts to remove.::A standard UNIX path looks similar to this /bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: /evildir/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.::",
        "Related Weaknesses": "::426::427::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1574.007:ENTRY NAME:Hijack Execution Flow: Path Interception by PATH Environment Variable::::TAXONOMY NAME:ATTACK:ENTRY ID:1574.009:ENTRY NAME:Hijack Execution Flow: Path Interception by Unquoted Path::",
        "Notes": ""
    },
    {
        "CAPEC ID": "383",
        "ID": "Harvesting Information via API Event Monitoring",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a virtual sale of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:407::NATURE:CanPrecede:CAPEC ID:94::",
        "Execution Flow": "",
        "Prerequisites": "::The target software is utilizing application framework APIs::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:NOTE:Confidentiality Read Data The adversary is able to gather information to potentially support further nefarious activities.::",
        "Mitigations": "::Leverage encryption techniques during information transactions so as to protect them from attack patterns of this kind.::",
        "Example Instances": "",
        "Related Weaknesses": "::311::319::419::602::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1056.004:ENTRY NAME:Input Capture: Credential API Hooking::",
        "Notes": ""
    },
    {
        "CAPEC ID": "407",
        "ID": "Pretexting",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the adversary's interests. During a pretexting attack, the adversary creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:416::NATURE:ChildOf:CAPEC ID:410::NATURE:CanPrecede:CAPEC ID:163::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the pretext that would influence the actions of the specific target.::",
        "Skills Required": "::SKILL:The adversary requires strong inter-personal and communication skills.:LEVEL:Low::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other:NOTE:Confidentiality Other Depending on the adversary's intentions and the specific nature their actions/requests, a successful pretexting attack can result in the compromise to the confidentiality of sensitive information in a variety of contexts.::",
        "Mitigations": "::An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks.::",
        "Example Instances": "::The adversary dresses up like a jogger and runs in place by the entrance of a building, pretending to look for their access card. Because the hood obscures their face, it may be possible to solicit someone inside the building to let them inside.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1589:ENTRY NAME:Gather Victim Identity Information::",
        "Notes": ""
    },
    {
        "CAPEC ID": "438",
        "ID": "Modification During Manufacture",
        "Abstraction": "Meta",
        "Status": "Draft",
        "Description": "An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195:ENTRY NAME:Supply Chain Compromise::",
        "Notes": ""
    },
    {
        "CAPEC ID": "439",
        "ID": "Manipulation During Distribution",
        "Abstraction": "Meta",
        "Status": "Draft",
        "Description": "An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "::A malicious OEM provider, or OEM provider employee or contractor, may install software, or modify existing code, during distribution.::External contractors involved in the packaging or testing of products or components may install software, or modify existing code, during distribution.::",
        "Related Weaknesses": "::1269::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195:ENTRY NAME:Supply Chain Compromise::",
        "Notes": ""
    },
    {
        "CAPEC ID": "440",
        "ID": "Hardware Integrity Attack",
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "",
        "Execution Flow": "",
        "Prerequisites": "::Influence over the deployed system at a victim location.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::::TAXONOMY NAME:ATTACK:ENTRY ID:1200:ENTRY NAME:Hardware Additions::",
        "Notes": ""
    },
    {
        "CAPEC ID": "442",
        "ID": "Infected Software",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:441::",
        "Execution Flow": "",
        "Prerequisites": "::Access to the software currently deployed at a victim location. This access is often obtained by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "::Leverage anti-virus products to detect and quarantine software with known virus.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.001:ENTRY NAME:Supply Chain Compromise: Compromise Software Dependencies and Development Tools::::TAXONOMY NAME:ATTACK:ENTRY ID:1195.002:ENTRY NAME:Supply Chain Compromise: Compromise Software Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "443",
        "ID": "Malicious Logic Inserted Into Product by Authorized Developer",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::Access to the product during the initial or continuous development.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "::Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.::",
        "Example Instances": "::In January 2022 the author of popular JavaScript packages Faker and colors, used for generating mock data and including colored text within NodeJS consoles respectively, introduced malicious code that resulted in a Denial of Service (DoS) via an infinite loop. When applications that leveraged these packages updated to the malicious version, their applications executed the infinite loop and output gibberish ASCI characters endlessly. This resulted in the application being unusable until a stable version of the package was obtained. [REF-705]::During initial development, an authorized hardware developer implants a malicious microcontroller within an Internet of Things (IOT) device and programs the microcontroller to communicate with the vulnerable device. Each time the device initializes, the malicious microcontroller's code is executed, which ultimately provides the adversary with backdoor access to the vulnerable device. This can further allow the adversary to sniff network traffic, exfiltrate date, execute unauthorized commands, and/or pivot to other vulnerable devices.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.002:ENTRY NAME:Supply Chain Compromise: Compromise Software Supply Chain::::TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "445",
        "ID": "Malicious Logic Insertion into Product Software via Configuration Management Manipulation",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::Access to the configuration management system during deployment or currently deployed at a victim location. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "::Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.::Leverage anti-virus products to detect and quarantine software with known virus.::",
        "Example Instances": "::In 2016, the policy-based configuration management system Chef was shown to be vulnerable to remote code execution attacks based on its Chef Manage add-on improperly deserializing user-driven cookie data. This allowed unauthenticated users the ability to craft cookie data that executed arbitrary code with the web server's privileges. [REF-706]::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.001:ENTRY NAME:Supply Chain Compromise: Compromise Software Dependencies and Development Tools::",
        "Notes": ""
    },
    {
        "CAPEC ID": "446",
        "ID": "Malicious Logic Insertion into Product via Inclusion of Third-Party Component",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::Access to the product during the initial or continuous development. This access is often obtained via insider access to include the third-party component after deployment.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "::Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.::Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.::",
        "Example Instances": "::From mid-2014 to early 2015, Lenovo computers were shipped with the Superfish Visual Search software that ultimately functioned as adware on the system. The Visual Search installation included a self-signed root HTTPS certificate that was able to intercept encrypted traffic for any site visited by the user. Of more concern was the fact that the certificate's corresponding private key was the same for every Lenovo machine. Once the private key was discovered [REF-709], an adversary could then conduct an Adversary-in-the-Middle (AitM) attack that would go undetected by machines that had this certificate installed on it. Adversaries could then masquerade as legitimate entities such as financial institutions, popular corporations, or other secure destinations on the Internet. [REF-708]::In 2018 it was discovered that Chinese spies infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195:ENTRY NAME:Supply Chain Compromise::",
        "Notes": ""
    },
    {
        "CAPEC ID": "457",
        "ID": "USB Memory Attacks",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:456::NATURE:CanPrecede:CAPEC ID:529::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine Target System] In certain cases, the adversary will explore an organization's network to determine a specific target machine to exploit based on the information it contains or privileges the main user may possess.TECHNIQUE:If needed, the adversary explores an organization's network to determine if any specific systems of interest exist.::STEP:2:PHASE:Experiment:DESCRIPTION:[Develop or Obtain malware and install on a USB device] The adversary develops or obtains the malicious software necessary to exploit the target system, which they then install on an external USB device such as a USB flash drive.TECHNIQUE:The adversary can develop or obtain malware for to perform a variety of tasks such as sniffing network traffic or monitoring keystrokes.::STEP:3:PHASE:Exploit:DESCRIPTION:[Connect or deceive a user into connecting the infected USB device] Once the malware has been placed on an external USB device, the adversary connects the device to the target system or deceives a user into connecting the device to the target system such as in a USB Drop Attack.TECHNIQUE:The adversary connects the USB device to a specified target system or performs a USB Drop Attack, hoping a user will find and connect the USB device on their own. Once the device is connected, the malware executes giving the adversary access to network traffic, credentials, etc.::",
        "Prerequisites": "::Some level of physical access to the device being attacked.::Information pertaining to the target organization on how to best execute a USB Drop Attack.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Ensure that proper, physical system access is regulated to prevent an adversary from physically connecting a malicious USB device themself.::Use anti-virus and anti-malware tools which can prevent malware from executing if it finds its way onto a target system. Additionally, make sure these tools are regularly updated to contain up-to-date virus and malware signatures.::Do not connect untrusted USB devices to systems connected on an organizational network. Additionally, use an isolated testing machine to validate untrusted devices and confirm malware does not exist.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1091:ENTRY NAME:Replication Through Removable Media::::TAXONOMY NAME:ATTACK:ENTRY ID:1092:ENTRY NAME:Communication Through Removable Media::",
        "Notes": ""
    },
    {
        "CAPEC ID": "464",
        "ID": "Evercookie",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:554::",
        "Execution Flow": "",
        "Prerequisites": "::The victim's browser is not configured to reject all cookiesThe victim visits a website that serves the attackers' evercookie::",
        "Skills Required": "",
        "Resources Required": "::Evercookie source code::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Design: Browser's design needs to be changed to limit where cookies can be stored on the client side and provide an option to clear these cookies in all places, as well as another option to stop these cookies from being written in the first place.::Design: Safari browser's private browsing mode is currently effective against evercookies.::",
        "Example Instances": "",
        "Related Weaknesses": "::359::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1606.001:ENTRY NAME:Forge Web Credentials: Web Cookies::",
        "Notes": ""
    },
    {
        "CAPEC ID": "465",
        "ID": "Transparent Proxy Abuse",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:554::",
        "Execution Flow": "",
        "Prerequisites": "::Transparent proxy is usedVulnerable configuration of network topology involving the transparent proxy (e.g., no NAT happening between the client and the proxy)Execution of malicious Flash or Applet in the victim's browser::",
        "Skills Required": "::SKILL:Creating malicious Flash or Applet to open a cross-domain socket connection to a remote system:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Design: Ensure that the transparent proxy uses an actual network layer IP address for routing requests. On the transparent proxy, disable the use of routing based on address information in the HTTP host header.::Configuration: Disable in the browser the execution of Java Script, Flash, SilverLight, etc.::",
        "Example Instances": "",
        "Related Weaknesses": "::441::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1090.001:ENTRY NAME:Proxy: Internal Proxy::",
        "Notes": ""
    },
    {
        "CAPEC ID": "469",
        "ID": "HTTP DoS",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:227::",
        "Execution Flow": "",
        "Prerequisites": "::HTTP protocol is usedWeb server used is vulnerable to denial of service via HTTP flooding::",
        "Skills Required": "",
        "Resources Required": "::Ability to issues hundreds of HTTP requests::",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Configuration: Configure web server software to limit the waiting period on opened HTTP sessions::Design: Use load balancing mechanisms::",
        "Example Instances": "",
        "Related Weaknesses": "::770::772::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1499.002:ENTRY NAME:Endpoint Denial of Service: Service Exhaustion Flood::",
        "Notes": ""
    },
    {
        "CAPEC ID": "471",
        "ID": "Search Order Hijacking",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:159::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify target general susceptibility] An attacker uses an automated tool or manually finds whether the target application uses dynamically linked libraries and the configuration file or look up table (such as Procedure Linkage Table) which contains the entries for dynamically linked libraries.TECHNIQUE:The attacker uses a tool such as the OSX otool utility or manually probes whether the target application uses dynamically linked libraries.:TECHNIQUE:The attacker finds the configuration files containing the entries to the dynamically linked libraries and modifies the entries to point to the malicious libraries the attacker crafted.::STEP:2:PHASE:Experiment:DESCRIPTION:[Craft malicious libraries] The attacker uses knowledge gained in the Explore phase to craft malicious libraries that they will redirect the target to leverage. These malicious libraries could have the same APIs as the legitimate library and additional malicious code.TECHNIQUE:The attacker monitors the file operations performed by the target application using a tool like dtrace or FileMon. And the attacker can delay the operations by using sleep(2) and usleep() to prepare the appropriate conditions for the attack, or make the application perform expansive tasks (large files parsing, etc.) depending on the purpose of the application.::STEP:3:PHASE:Exploit:DESCRIPTION:[Redirect the access to libraries to the malicious libraries] The attacker redirects the target to the malicious libraries they crafted in the Experiment phase. The attacker will be able to force the targeted application to execute arbitrary code when the application attempts to access the legitimate libraries.TECHNIQUE:The attacker modifies the entries in the configuration files pointing to the malicious libraries they crafted.:TECHNIQUE:The attacker leverages symlink/timing issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-132.:TECHNIQUE:The attacker leverages file search path order issues to redirect the target to access the malicious libraries they crafted. See also: CAPEC-38.::",
        "Prerequisites": "::Attacker has a mechanism to place its malicious libraries in the needed location on the file system.::",
        "Skills Required": "::SKILL:Ability to create a malicious library.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Design: Fix the Windows loading process to eliminate the preferential search order by looking for DLLs in the precise location where they are expected::Design: Sign system DLLs so that unauthorized DLLs can be detected.::",
        "Example Instances": "::For instance, an attacker with access to the file system may place a malicious ntshrui.dll in the C:Windows directory. This DLL normally resides in the System32 folder. Process explorer.exe which also resides in C:Windows, upon trying to load the ntshrui.dll from the System32 folder will actually load the DLL supplied by the attacker simply because of the preferential search order. Since the attacker has placed its malicious ntshrui.dll in the same directory as the loading explorer.exe process, the DLL supplied by the attacker will be found first and thus loaded in lieu of the legitimate DLL. Since explorer.exe is loaded during the boot cycle, the attackers' malware is guaranteed to execute.::macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence. A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.::",
        "Related Weaknesses": "::427::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1574.001:ENTRY NAME:Hijack Execution Flow:DLL search order hijacking::::TAXONOMY NAME:ATTACK:ENTRY ID:1574.004:ENTRY NAME:Hijack Execution Flow: Dylib Hijacking::::TAXONOMY NAME:ATTACK:ENTRY ID:1574.008:ENTRY NAME:Hijack Execution Flow: Path Interception by Search Order Hijacking::",
        "Notes": ""
    {
        "CAPEC ID": "473",
        "ID": "Signature Spoof",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:151::",
        "Execution Flow": "",
        "Prerequisites": "::The victim or victim system is dependent upon a cryptographic signature-based verification system for validation of one or more security events or actions.::The validation can be bypassed via an attacker-provided signature that makes it appear that the legitimate authoritative or reputable source provided the signature.::",
        "Skills Required": "::SKILL:Technical understanding of how signature verification algorithms work with data and applications:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "",
        "Example Instances": "::An attacker provides a victim with a malicious executable disguised as a legitimate executable from an established software by signing the executable with a forged cryptographic key. The victim's operating system attempts to verify the executable by checking the signature, the signature is considered valid, and the attackers' malicious executable runs.::An attacker exploits weaknesses in a cryptographic algorithm to that allow a private key for a legitimate software vendor to be reconstructed, attacker-created malicious software is cryptographically signed with the reconstructed key, and is installed by the victim operating system disguised as a legitimate software update from the software vendor.::",
        "Related Weaknesses": "::20::327::290::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1036.001:ENTRY NAME:Masquerading: Invalid Code Signature::::TAXONOMY NAME:ATTACK:ENTRY ID:1553.002:ENTRY NAME:Subvert Trust Controls: Code Signing::",
        "Notes": ""
    },
    {
        "CAPEC ID": "474",
        "ID": "Signature Spoofing by Key Theft",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:473::",
        "Execution Flow": "",
        "Prerequisites": "::An authoritative or reputable signer is storing their private signature key with insufficient protection.::",
        "Skills Required": "::SKILL:Knowledge of common location methods and access methods to sensitive data:LEVEL:Low::SKILL:Ability to compromise systems containing sensitive data:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Restrict access to private keys from non-supervisory accounts::Restrict access to administrative personnel and processes only::Ensure all remote methods are secured::Ensure all services are patched and up to date::",
        "Example Instances": "",
        "Related Weaknesses": "::522::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1552.004:ENTRY NAME:Unsecured Credentials: Private Keys::",
        "Notes": ""
    },
    {
        "CAPEC ID": "478",
        "ID": "Modification of Windows Service Configuration",
        "Abstraction": "Detailed",
        "Status": "Usable",
        "Description": "An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:203::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine target system] The adversary must first determine the system they wish to modify the registry of. This needs to be a windows machine as this attack only works on the windows registry.::STEP:2:PHASE:Experiment:DESCRIPTION:[Gain access to the system] The adversary needs to gain access to the system in some way so that they can modify the windows registry.TECHNIQUE:Gain physical access to a system either through shoulder surfing a password or accessing a system that is left unlocked.:TECHNIQUE:Gain remote access to a system through a variety of means.::STEP:3:PHASE:Exploit:DESCRIPTION:[Modify windows registry] The adversary will modify the windows registry by changing the configuration settings for a service. Specifically, the adversary will change the path settings to define a path to a malicious binary to be executed.::",
        "Prerequisites": "::The adversary must have the capability to write to the Windows Registry on the targeted system.::",
        "Skills Required": "",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Integrity Execute Unauthorized Commands By altering specific configuration settings for the service, the adversary could run arbitrary code to be executed.::",
        "Mitigations": "::Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.::",
        "Example Instances": "",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1574.011:ENTRY NAME:Hijack Execution Flow:Service Registry Permissions Weakness::::TAXONOMY NAME:ATTACK:ENTRY ID:1543.003:ENTRY NAME:Create or Modify System Process:Windows Service::",
        "Notes": ""
    },
    {
        "CAPEC ID": "479",
        "ID": "Malicious Root Certificate",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:473::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have the ability to create a new root certificate.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1553.004:ENTRY NAME:Subvert Trust Controls:Install Root Certificate::",
        "Notes": ""
    },
    {
        "CAPEC ID": "480",
        "ID": "Escaping Virtualization",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:115::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Probing] The adversary probes the target application, service, or device to find a possible weakness that would allow escaping the virtualized environment.TECHNIQUE:Probing applications, services, or devices for virtualization weaknesses.::STEP:2:PHASE:Experiment:DESCRIPTION:[Verify the exploitable security weaknesses] Using the found weakness, the adversary attempts to escape the virtualized environment.TECHNIQUE:Using an application weakness to escape a virtualized environment::STEP:3:PHASE:Exploit:DESCRIPTION:[Execute more complex attacks] Once outside of the virtualized environment, the adversary attempts to perform other more complex attacks such as accessing system resources or executing unauthorized code within the host environment.TECHNIQUE:Executing complex attacks when given higher permissions by escaping a virtualized environment::",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Authorization Execute Unauthorized Commands Run Arbitrary Code::SCOPE:Accountability:SCOPE:Authentication:SCOPE:Authorization:SCOPE:Non-RepudiationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Ensure virtualization software is current and up-to-date.::Abide by the least privilege principle to avoid assigning users more privileges than necessary.::",
        "Example Instances": "",
        "Related Weaknesses": "::693::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1611:ENTRY NAME:Escape to Host::",
        "Notes": ""
    },
    {
        "CAPEC ID": "481",
        "ID": "Contradictory Destinations in Traffic Routing Schemes",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:161::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary must be aware that their message will be routed using a CDN, and that both of the contradictory domains are served from that CDN.::If the purpose of the Domain Fronting is to hide redirected C2 traffic, the C2 server must have been created in the CDN.::",
        "Skills Required": "::SKILL:The adversary must have some knowledge of how messages are routed.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:TECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Monitor connections, checking headers in traffic for contradictory domain names, or empty domain names.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1090.004:ENTRY NAME:Proxy:Domain Fronting::",
        "Notes": ""
    },
    {
        "CAPEC ID": "482",
        "ID": "TCP Flood",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. This often involves the use of TCP SYN messages.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:125::",
        "Execution Flow": "",
        "Prerequisites": "::This type of an attack requires the ability to generate a large amount of TCP traffic to send to the target port of a functioning server.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::To mitigate this type of an attack, an organization can monitor incoming packets and look for patterns in the TCP traffic to determine if the network is under an attack. The potential target may implement a rate limit on TCP SYN messages which would provide limited capabilities while under attack.::",
        "Example Instances": "",
        "Related Weaknesses": "::770::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1498.001:ENTRY NAME:Network Denial of Service: Direct Network Flood::::TAXONOMY NAME:ATTACK:ENTRY ID:1499.001:ENTRY NAME:Endpoint Denial of Service: OS Exhaustion Flood::::TAXONOMY NAME:ATTACK:ENTRY ID:1499.002:ENTRY NAME:Endpoint Denial of Service: Service Exhaustion Flood::",
        "Notes": ""
    },
    {
        "CAPEC ID": "485",
        "ID": "Signature Spoofing by Key Recreation",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:473::",
        "Execution Flow": "",
        "Prerequisites": "::An authoritative signer is using a weak method of random number generation or weak signing software that causes key leakage or permits key inference.::An authoritative signer is using a signature algorithm with a direct weakness or with poorly chosen parameters that enable the key to be recovered using signatures from that signer.::",
        "Skills Required": "::SKILL:Cryptanalysis of signature generation algorithm:LEVEL:High::SKILL:Reverse engineering and cryptanalysis of signature generation algorithm implementation and random number generation:LEVEL:High::SKILL:Ability to create malformed data blobs and know how to present them directly or indirectly to a victim.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Ensure cryptographic elements have been sufficiently tested for weaknesses.::",
        "Example Instances": "",
        "Related Weaknesses": "::330::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1552.004:ENTRY NAME:Unsecure Credentials: Private Keys::",
        "Notes": ""
    },
    {
        "CAPEC ID": "488",
        "ID": "HTTP Flood",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. Since these are legitimate sessions this attack is very difficult to detect.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:125::",
        "Execution Flow": "",
        "Prerequisites": "::This type of an attack requires the ability to generate a large amount of HTTP traffic to send to a target server.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::To mitigate this type of an attack, an organization can monitor the typical traffic flow. When spikes in usage occur, filters could examine traffic for indicators of bad behavior with respect to the web servers, and then create firewall rules to deny the malicious IP addresses. These patterns in the filter could be a combination of trained behavior, knowledge of standards as they apply to the web server, known patterns, or anomaly detection. Firewalling source IPs works since the HTTP is sent using TCP so the source IP can't be spoofed; if the source IP is spoofed is, then it's not legitimate traffic. Special care should be taken care with rule sets to ensure low false positive rates along with a method at the application layer to allow a valid user to begin using the service again. Another possible solution is using 3rd party providers as they have experts, knowledge, experience, and resources to deal with the attack and mitigate it before hand or while it occurs. The best mitigation is preparation before an attack, but there is no bulletproof solution as with ample resources a brute force attack may succeed.::",
        "Example Instances": "",
        "Related Weaknesses": "::770::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1499.002:ENTRY NAME:Endpoint Denial of Service:Service Exhaustion Flood::",
        "Notes": ""
    },
    {
        "CAPEC ID": "489",
        "ID": "SSL Flood",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:125::",
        "Execution Flow": "",
        "Prerequisites": "::This type of an attack requires the ability to generate a large amount of SSL traffic to send a target server.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::To mitigate this type of an attack, an organization can create rule based filters to silently drop connections if too many are attempted in a certain time period.::",
        "Example Instances": "",
        "Related Weaknesses": "::770::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1499.002:ENTRY NAME:Endpoint Denial of Service:Service Exhaustion Flood::",
        "Notes": ""
    },
    {
        "CAPEC ID": "49",
        "ID": "Password Brute Forcing",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:112::NATURE:CanPrecede:CAPEC ID:600::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:560::NATURE:CanPrecede:CAPEC ID:561::NATURE:CanPrecede:CAPEC ID:653::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine application's/system's password policy] Determine the password policies of the target application/system.TECHNIQUE:Determine minimum and maximum allowed password lengths.:TECHNIQUE:Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).:TECHNIQUE:Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).::STEP:2:PHASE:Exploit:DESCRIPTION:[Brute force password] Given the finite space of possible passwords dictated by the password policy determined in the previous step, try all possible passwords for a known user ID until application/system grants access.TECHNIQUE:Manually or automatically enter all possible passwords through the application/system's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.:TECHNIQUE:Perform an offline dictionary attack or a rainbow table attack against a known password hash.::",
        "Prerequisites": "::An adversary needs to know a username to target.::The system uses password based authentication as the one factor authentication mechanism.::An application does not have a password throttling mechanism in place. A good password throttling mechanism will make it almost impossible computationally to brute force a password as it may either lock out the user after a certain number of incorrect attempts or introduce time out periods. Both of these would make a brute force attack impractical.::",
        "Skills Required": "::SKILL:A brute force attack is very straightforward. A variety of password cracking tools are widely available.:LEVEL:Low::",
        "Resources Required": "::A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).::",
        "Indicators": "::Many incorrect login attempts are detected by the system.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.::Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.::Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.::",
        "Example Instances": "::A system does not enforce a strong password policy and the user picks a five letter password consisting of lower case English letters only. The system does not implement any password throttling mechanism. Assuming the adversary does not know the length of the users' password, an adversary can brute force this password in maximum 1+26+26^2+26^3+26^4+26^5 = 1 + 26 + 676 + 17576 + 456976 + 11,881,376 = 12,356,631 attempts, and half these tries (6,178,316) on average. Using modern hardware this attack is trivial. If the adversary were to assume that the user password could also contain upper case letters (and it was case sensitive) and/or numbers, than the number of trials would have been larger. An adversary's job would have most likely been even easier because many users who choose easy to brute force passwords like this are also likely to use a word that can be found in the dictionary. Since there are far fewer valid English words containing up to five letters than 12,356,631, an attack that tries each of the entries in the English dictionary would go even faster.::A weakness exists in the automatic password generation routine of Mailman prior to 2.1.5 that causes only about five million different passwords to be generated. This makes it easy to brute force the password for all users who decided to let Mailman automatically generate their passwords for them. Users who chose their own passwords during the sign up process would not have been affected (assuming that they chose strong passwords). See also: CVE-2004-1143::",
        "Related Weaknesses": "::521::262::263::257::654::307::308::309::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1110.001:ENTRY NAME:Brute Force:Password Guessing::",
        "Notes": ""
    },
    {
        "CAPEC ID": "490",
        "ID": "Amplification",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:125::",
        "Execution Flow": "",
        "Prerequisites": "::This type of an attack requires the existence of a 3rd party service that generates a response that is significantly larger than the request that triggers it.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::To mitigate this type of an attack, an organization can attempt to identify the 3rd party services being used in an active attack and blocking them until the attack ends. This can be accomplished by filtering traffic for suspicious message patterns such as a spike in traffic where each response contains the same large block of data. Care should be taken to prevent false positive rates so legitimate traffic isn't blocked.::",
        "Example Instances": "",
        "Related Weaknesses": "::770::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1498.002:ENTRY NAME:Network Denial of Service:Reflection Amplification::",
        "Notes": ""
    },
    {
        "CAPEC ID": "497",
        "ID": "File Discovery",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary engages in probing and exploration activities to determine if common key files exists. Such files often contain configuration and security parameters of the targeted application, system or network. Using this knowledge may often pave the way for more damaging attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must know the location of these common key files.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Leverage file protection mechanisms to render these files accessible only to authorized parties.::",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1083:ENTRY NAME:File and Directory Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "504",
        "ID": "Task Impersonation",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:173::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine suitable tasks to exploit] Determine what tasks exist on the target system that may result in a user providing sensitive information.TECHNIQUE:Determine what tasks prompt a user for their credentials.:TECHNIQUE:Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.::STEP:2:PHASE:Exploit:DESCRIPTION:[Impersonate Task] Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.TECHNIQUE:Prompt a user for their credentials, while making the user believe the credential request is legitimate.:TECHNIQUE:Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.::",
        "Prerequisites": "::The adversary must already have access to the target system via some means.::A legitimate task must exist that an adversary can impersonate to glean credentials.::The user's privileges allow them to execute certain tasks with elevated privileges.::",
        "Skills Required": "::SKILL:Once an adversary has gained access to the target system, impersonating a task is trivial.:LEVEL:Low::",
        "Resources Required": "::Malware or some other means to initially comprise the target system.::Additional malware to impersonate a legitimate task.::",
        "Indicators": "::Credential or permission elevation prompts that appear illegitimate or unexpected.::",
        "Consequences": "::SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.::",
        "Example Instances": "::An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.::An adversary prompts a user to authorize an elevation of privileges, implying that a background task needs additional permissions to execute. The user accepts the privilege elevation, allowing the adversary to execute additional malware or tasks with the user's privileges.::",
        "Related Weaknesses": "::1021::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1036.004:ENTRY NAME:Masquerading: Masquerade Task or Service::",
        "Notes": ""
    },
    {
        "CAPEC ID": "509",
        "ID": "Kerberoasting",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:652::NATURE:CanPrecede:CAPEC ID:151::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:Scan for user accounts with set SPN valuesTECHNIQUE:These can be found via Powershell or LDAP queries, as well as enumerating startup name accounts and other means.::STEP:2:PHASE:Explore:DESCRIPTION:Request service ticketsTECHNIQUE:Using user account's SPN value, request other service tickets from Active Directory::STEP:3:PHASE:Experiment:DESCRIPTION:Extract ticket and save to diskTECHNIQUE:Certain tools like Mimikatz can extract local tickets and save them to memory/disk.::STEP:4:PHASE:Exploit:DESCRIPTION:Crack the encrypted ticket to harvest plain text credentialsTECHNIQUE:Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.::",
        "Prerequisites": "::The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.::The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).::The adversary requires a brute force tool.::",
        "Skills Required": "::SKILL::LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Monitor system and domain logs for abnormal access.::Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.::Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.::Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.::",
        "Example Instances": "::PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]::",
        "Related Weaknesses": "::522::308::309::294::263::262::521::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1558.003:ENTRY NAME:Steal or Forge Kerberos Tickets:Kerberoasting::",
        "Notes": ""
    },
    {
        "CAPEC ID": "511",
        "ID": "Infiltration of Software Development Environment",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).::The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.::The attacker must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.::",
        "Skills Required": "::SKILL:Intelligence about the manufacturer's operating environment and infrastructure.:LEVEL:Medium::SKILL:Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.:LEVEL:High::SKILL:Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc):LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Avoid the common delivery mechanisms of adversaries, such as email attachments, which could introduce the malware.::",
        "Example Instances": "::The attacker, knowing the victim runs email on a system adjacent to the IDE system, sends a phishing email with a malicious attachment to the victim. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent IDE system from the victim's workstation. The attacker is then able to exfiltrate sensitive data about the software being developed on the IDE system.::Using rogue versions of Xcode (Apple's app development tool) downloaded from third-party websites, it was possible for the adversary to insert malicious code into legitimate apps during the development process.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.001:ENTRY NAME:Supply Chain Compromise: Compromise Software Dependencies and Development Tools::",
        "Notes": ""
    },
    {
        "CAPEC ID": "516",
        "ID": "Hardware Component Substitution During Baselining",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.::",
        "Skills Required": "::SKILL:Intelligence data on victim's purchasing habits.:LEVEL:Medium::SKILL:Resources to maliciously construct/alter hardware components used for testing by the supplier.:LEVEL:High::SKILL:Resources to physically infiltrate supplier.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.::Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.::",
        "Example Instances": "::An adversary supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. The device claims in logs, stats, and via the display panel to be pumping out very large quantities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the adversary an advantage when attacking the victim in that the adversary's presence may not be detected by the device.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "520",
        "ID": "Counterfeit Hardware Component Inserted During Product Assembly",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.::",
        "Skills Required": "::SKILL:Resources to maliciously construct components used by the manufacturer.:LEVEL:High::SKILL:Resources to physically infiltrate manufacturer or manufacturer's supplier.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.::Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.::",
        "Example Instances": "::A manufacturer of a firewall system requires a hardware card which functions as a multi-jack ethernet card with four ethernet ports. The adversary constructs a counterfeit card that functions normally except that packets from the adversary's network are allowed to bypass firewall processing completely. Once deployed at a victim location, this allows the adversary to bypass the firewall unrestricted.::In 2018 it was discovered that Chinese spies infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "522",
        "ID": "Malicious Hardware Component Replacement",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:439::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine Target Hardware] The adversary must first identify a system that they wish to target, and a specific hardware component that they can swap out with a malicious replacement.TECHNIQUE:Look for datasheets containing the system schematics that can help identify possible target hardware.:TECHNIQUE:Procure a system and inspect it manually, looking for possible hardware component targets. Search for manufacturer IDs on hardware chips or FCC IDs on wireless chips to determine their functionality.::STEP:2:PHASE:Explore:DESCRIPTION:[Discover Vulnerability in Supply Chain] The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.TECHNIQUE:Procure a system and observe the steps it takes in the shipment process.:TECHNIQUE:Identify possible warehouses that systems are stored after manufacturing.::STEP:3:PHASE:Experiment:DESCRIPTION:[Test a Malicious Component Replacement] Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.TECHNIQUE:Design a malicious hardware component that will perform the same functionality as the target component, but also contains additional functionality.:TECHNIQUE:Obtain already designed malicious components that just need to be placed into the system.::STEP:3:PHASE:Exploit:DESCRIPTION:[Substitute Components in the Supply Chain] Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary substitutes the malicious component for the targeted component. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.::",
        "Prerequisites": "::Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.::",
        "Skills Required": "::SKILL:Advanced knowledge of the design of the system.:LEVEL:High::SKILL:Hardware creation and manufacture of replacement components.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.::Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.::Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.::",
        "Example Instances": "::During shipment the adversary is able to intercept a system that has been purchased by the victim, and replaces a math processor card that functions just like the original, but contains advanced malicious capability. Once deployed, the system functions as normal, but allows for the adversary to remotely communicate with the system and use it as a conduit for additional compromise within the victim's environment.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "523",
        "ID": "Malicious Software Implanted",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:439::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine Entry Point] The adversary must first identify a system that they wish to target and search for an entry point they can use to install the malicious software. This could be a system which they have prior knowledge of, giving them insight into the software and environment.TECHNIQUE:Use a JTAGulator to identify exposed JTAG and UART interfaces in smaller embedded systems.:TECHNIQUE:Identify exposed USB connectors that could be used to load software.::STEP:2:PHASE:Explore:DESCRIPTION:[Discover Vulnerability in Supply Chain] The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.TECHNIQUE:Procure a system and observe the steps it takes in the shipment process.:TECHNIQUE:Identify possible warehouses that systems are stored after manufacturing.::STEP:3:PHASE:Experiment:DESCRIPTION:[Test Malicious Software] Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.TECHNIQUE:Design malicious software that will give an adversary a backdoor into the system once it is deployed to the victim.:TECHNIQUE:Obtain already designed malicious software that just need to be placed into the system.::STEP:4:PHASE:Exploit:DESCRIPTION:[Implant Software in the Supply Chain] Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary implants the malicious software into the system. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.::",
        "Prerequisites": "::Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.::",
        "Skills Required": "::SKILL:Advanced knowledge of the design of the system and it's operating system components and subcomponents.:LEVEL:High::SKILL:Malicious software creation.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Deploy strong code integrity policies to allow only authorized apps to run.::Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.::Maintain a highly secure build and update infrastructure by immediately applying security patches for OS and software, implementing mandatory integrity controls to ensure only trusted tools run, and requiring multi-factor authentication for admins.::Require SSL for update channels and implement certificate transparency based verification.::Sign everything, including configuration files, XML files and packages.::Develop an incident response process, disclose supply chain incidents and notify customers with accurate and timely information.::",
        "Example Instances": "::An attacker has created a piece of malicious software designed to function as a backdoor in a system that is to be deployed at the victim location. During shipment of the system, the attacker has physical access to the system at a loading dock of an integrator for a short time. The attacker unpacks and powers up the system and installs the malicious piece of software, and configures it to run upon system boot. The system is repackaged and returned to its place on the loading dock, and is shipped and installed at the victim location with the malicious software in place, allowing the attacker to bypass firewalls and remotely gain access to the victim's network for further malicious activities.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.002:ENTRY NAME:Supply Chain Compromise: Compromise Software Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "528",
        "ID": "XML Flood",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing.",
        "Alternate Terms": "::TERM:XML Denial of Service (XML DoS):DESCRIPTION:::",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:125::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Survey the target] Using a browser or an automated tool, an attacker records all instance of web services to process XML requests.TECHNIQUE:Use an automated tool to record all instances of URLs to process XML requests.:TECHNIQUE:Use a browser to manually explore the website and analyze how the application processes XML requests.::STEP:2:PHASE:Experiment:DESCRIPTION:An adversary crafts input data that may have an adverse effect on the operation of the web service when the XML data sent to the service.::STEP:3:PHASE:Exploit:DESCRIPTION:[Launch a resource depletion attack] The attacker delivers a large number of XML messages to the target URLs found in the explore phase at a sufficiently rapid rate. It causes denial of service to the target application.TECHNIQUE:Send a large number of crafted XML messages to the target URL.::",
        "Prerequisites": "::The target must receive and process XML transactions.::An adverssary must possess the ability to generate a large amount of XML based messages to send to the target service.::",
        "Skills Required": "::SKILL:Denial of service:LEVEL:Low::",
        "Resources Required": "",
        "Indicators": "::A large amount of data is passed to the XML parser possibly making it crash or otherwise unavailable to end users.::",
        "Consequences": "::SCOPE:AvailabilityTECHNICAL IMPACT:Resource Consumption::",
        "Mitigations": "::Design: Build throttling mechanism into the resource allocation. Provide for a timeout mechanism for allocated resources whose transaction does not complete within a specified interval.::Implementation: Provide for network flow control and traffic shaping to control access to the resources.::",
        "Example Instances": "::Consider the case of attack performed against the createCustomerBillingAccount Web Service for an online store. In this case, the createCustomerBillingAccount Web Service receives a huge number of simultaneous requests, containing nonsense billing account creation information (the small XML messages). The createCustomerBillingAccount Web Services may forward the messages to other Web Services for processing. The application suffers from a high load of requests, potentially leading to a complete loss of availability the involved Web Service.::",
        "Related Weaknesses": "::770::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1499.002:ENTRY NAME:Endpoint Denial of Service:Service Exhaustion Flood::::TAXONOMY NAME:ATTACK:ENTRY ID:1498.001:ENTRY NAME:Network Denial of Service:Direct Network Flood::",
        "Notes": ""
    },
    {
        "CAPEC ID": "531",
        "ID": "Hardware Component Substitution",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:534::",
        "Execution Flow": "",
        "Prerequisites": "::Physical access to the system or the integration facility where hardware components are kept.::",
        "Skills Required": "::SKILL:Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "::An attacker has access to an organization's warehouse of card readers being included as a part of an overall security system. By replacing a critical hardware component in the card reader, the attacker is able to alter the function of the card reader to allow an attacker-supplied card to bypass a security checkpoint. The card reader is placed in the warehouse, and later used in the victim's security system. The attacker is then able to go to the victim and use their own card and bypass a physical security checkpoint and gain access to the victim's location for further malicious activity.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "532",
        "ID": "Altered Installed BIOS",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::Advanced knowledge about the installed target system design.::Advanced knowledge about the download and update installation processes.::Access to the download and update system(s) used to deliver BIOS images.::",
        "Skills Required": "::SKILL:Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Deploy strong code integrity policies to allow only authorized apps to run.::Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.::Maintain a highly secure build and update infrastructure by immediately applying security patches for OS and software, implementing mandatory integrity controls to ensure only trusted tools run, and requiring multi-factor authentication for admins.::Require SSL for update channels and implement certificate transparency based verification.::Sign update packages and BIOS patches.::Use hardware security modules/trusted platform modules to verify authenticity using hardware-based cryptography.::",
        "Example Instances": "::An attacker compromises the download and update portion of a manufacturer's web presence, and develops a malicious BIOS that in addition to the normal functionality will also at a specific time of day disable the remote access subsystem's security checks. The malicious BIOS is put in place on the manufacturer's website, the victim location is sent an official-looking email informing the victim of the availability of a new BIOS with bug fixes and enhanced performance capabilities to entice the victim to install the new BIOS quickly. The malicious BIOS is downloaded and installed on the victim's system, which allows for additional compromise by the attacker.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1495:ENTRY NAME:Firmware Corruption::::TAXONOMY NAME:ATTACK:ENTRY ID:1542.001:ENTRY NAME:Pre-OS Boot:System Firmware::",
        "Notes": ""
    },
    {
        "CAPEC ID": "537",
        "ID": "Infiltration of Hardware Development Environment",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).::The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.::The adversary must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.::",
        "Skills Required": "::SKILL:Intelligence about the manufacturer's operating environment and infrastructure.:LEVEL:Medium::SKILL:Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.:LEVEL:High::SKILL:Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc):LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Verify software downloads and updates to ensure they have not been modified be adversaries::Leverage antivirus tools to detect known malware::Do not download software from untrusted sources::Educate designers, developers, engineers, etc. on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks::",
        "Example Instances": "::The adversary, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for hardware and/or firmware design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the adversary to remotely compromise the adjacent hardware development system from the manufacturer's workstation. The adversary is then able to exfiltrate and alter sensitive data on the hardware system, allowing for future compromise once the developed system is deployed at the victim location.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "538",
        "ID": "Open-Source Library Manipulation",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine the relevant open-source code project to target] The adversary will make the selection based on various criteria: The open-source code currently in use on a selected target system. The depth in the dependency graph of the open source code in relationship to other code bases in use on the target system. Choosing an OSS lower in the graph decreases the probability of discovery, but also decreases the scope of its use within the target system. The programming language in which the open source code is implemented. Different languages present different opportunities for using known software weaknesses. The quality of processes in place to make a contribution. For instance, some contribution sites use static and dynamic analysis tools, which could increase the probability of discovery. The security requirements necessary to make a contribution. For instance, is the ownership lax allowing unsigned commits or anonymous users.::STEP:2:PHASE:Experiment:DESCRIPTION:[Develop a plan for malicious contribution] The adversary develops a plan to contribute malicious code, taking the following into consideration: The adversary will probably avoid easy-to-find software weaknesses, especially ones that static and dynamic analysis tools are likely to discover. Common coding errors or missing edge cases of the algorithm, which can be explained away as being accidental, if discovered, will be preferred by the adversary. Sometimes no identity is required to make a contribution. Other options are to steal an existing identity or create one. When creating a new identity, strike a balance between too little or too much detail. Using an stolen identity could cause a notification to be sent to the actual user.::STEP:3:PHASE:Exploit:DESCRIPTION:[Execute the plan for malicious contribution] Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.::",
        "Prerequisites": "::Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.::",
        "Skills Required": "::SKILL:Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "::An adversary with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The adversary commits the change to the code which is picked up by a manufacturer who develops VPN software. It is eventually deployed at the victim's location where the very specific conditions are met giving the adversary the ability to sniff plaintext traffic thought to be encrypted. This can provide to the adversary access to sensitive data of the victim.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.001:ENTRY NAME:Supply Chain Compromise: Software Dependencies and Development Tools::",
        "Notes": ""
    },
    {
        "CAPEC ID": "539",
        "ID": "ASIC With Malicious Functionality",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::The attacker must have working knowledge of some if not all of the components involved in the target system as well as the infrastructure and development environment of the manufacturer.::Advanced knowledge about the ASIC installed within the target system.::",
        "Skills Required": "::SKILL:Able to develop and manufacture malicious subroutines for an ASIC environment without degradation of existing functions and processes.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "::A hardware manufacturer periodically updates its ASIC with new features. The attacker, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for ASIC design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent ASIC development system. The attacker is then able to exfiltrate and alter sensitive data on the ASIC system, allowing for future compromise once a new AISC is deployed at the victim location.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "541",
        "ID": "Application Fingerprinting",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:224::",
        "Execution Flow": "",
        "Prerequisites": "::None::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1592.002:ENTRY NAME:Gather Victim Host Information: Software::",
        "Notes": ""
    },
    {
        "CAPEC ID": "542",
        "ID": "Targeted Malware",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:549::NATURE:CanPrecede:CAPEC ID:662::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1587.001:ENTRY NAME:Develop Capabilities: Malware::",
        "Notes": ""
    },
    {
        "CAPEC ID": "543",
        "ID": "Counterfeit Websites",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:194::NATURE:CanPrecede:CAPEC ID:89::",
        "Execution Flow": "",
        "Prerequisites": "::None::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1036.005:ENTRY NAME:Masquerading: Match Legitimate Name or Location::",
        "Notes": ""
    },
    {
        "CAPEC ID": "545",
        "ID": "Pull Data from System Resources",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:116::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::1239::1243::1258::1266::1272::1278::1323::1324::1258::1330::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1005:ENTRY NAME:Data from Local System::::TAXONOMY NAME:ATTACK:ENTRY ID:1555.001:ENTRY NAME:Credentials from Password Stores:Keychain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "55",
        "ID": "Rainbow Table Password Cracking",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:49::NATURE:CanPrecede:CAPEC ID:600::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:560::NATURE:CanPrecede:CAPEC ID:561::NATURE:CanPrecede:CAPEC ID:653::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine application's/system's password policy] Determine the password policies of the target application/system.TECHNIQUE:Determine minimum and maximum allowed password lengths.:TECHNIQUE:Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc.).:TECHNIQUE:Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).::STEP:2:PHASE:Explore:DESCRIPTION:[Obtain password hashes] An attacker gets access to the database table storing hashes of passwords or potentially just discovers a hash of an individual password.TECHNIQUE:Obtain copy of database table or flat file containing password hashes (by breaking access controls, using SQL Injection, etc.):TECHNIQUE:Obtain password hashes from platform-specific storage locations (e.g. Windows registry):TECHNIQUE:Sniff network packets containing password hashes.::STEP:3:PHASE:Exploit:DESCRIPTION:[Run rainbow table-based password cracking tool] An attacker finds or writes a password cracking tool that uses a previously computed rainbow table for the right hashing algorithm. It helps if the attacker knows what hashing algorithm was used by the password system.TECHNIQUE:Run rainbow table-based password cracking tool such as Ophcrack or RainbowCrack. Reduction function must depend on application's/system's password policy.::",
        "Prerequisites": "::Hash of the original password is available to the attacker. For a better chance of success, an attacker should have more than one hash of the original password, and ideally the whole table.::Salt was not used to create the hash of the original password. Otherwise the rainbow tables have to be re-computed, which is very expensive and will make the attack effectively infeasible (especially if salt was added in iterations).::The system uses one factor password based authentication.::",
        "Skills Required": "::SKILL:A variety of password cracking tools are available that can leverage a rainbow table. The more difficult part is to obtain the password hash(es) in the first place.:LEVEL:Low::",
        "Resources Required": "::Rainbow table of password hash chains with the right algorithm used. A password cracking tool that leverages this rainbow table will also be required. Hash(es) of the password is required.::",
        "Indicators": "::This is a completely offline attack that an attacker can perform at their leisure after the password hashes are obtained.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Use salt when computing password hashes. That is, concatenate the salt (random bits) with the original password prior to hashing it.::",
        "Example Instances": "::BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables. See also: CVE-2006-1058::",
        "Related Weaknesses": "::261::521::262::263::654::916::308::309::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1110.002:ENTRY NAME:Brute Force:Password Cracking::",
        "Notes": ""
    },
    {
        "CAPEC ID": "550",
        "ID": "Install New Service",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:542::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Limit privileges of user accounts so new service creation can only be performed by authorized administrators.::",
        "Example Instances": "",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1543:ENTRY NAME:Create or Modify System Process::",
        "Notes": ""
    },
    {
        "CAPEC ID": "551",
        "ID": "Modify Existing Service",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:542::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Limit privileges of user accounts so service changes can only be performed by authorized administrators. Also monitor any service changes that may occur inadvertently.::",
        "Example Instances": "",
        "Related Weaknesses": "::284::522::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1543:ENTRY NAME:Create or Modify System Process::",
        "Notes": ""
    },
    {
        "CAPEC ID": "552",
        "ID": "Install Rootkit ",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:542::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Prevent adversary access to privileged accounts necessary to install rootkits.::",
        "Example Instances": "::A rootkit may take the form of a hypervisor. A hypervisor is a software layer that sits between the operating system and the processor. It presents a virtual running environment to the operating system. An example of a common hypervisor is Xen. Because a hypervisor operates at a level below the operating system it can hide its existence from the operating system.::Similar to a rootkit, a bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.::",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1014:ENTRY NAME:Rootkit::::TAXONOMY NAME:ATTACK:ENTRY ID:1542.003:ENTRY NAME:Pre-OS Boot:Bootkit::::TAXONOMY NAME:ATTACK:ENTRY ID:1547.006:ENTRY NAME:Boot or Logon Autostart Execution:Kernel Modules and Extensions::",
        "Notes": ""
    },
    {
        "CAPEC ID": "555",
        "ID": "Remote Services with Stolen Credentials",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:560::NATURE:CanPrecede:CAPEC ID:151::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Disable RDP, telnet, SSH and enable firewall rules to block such traffic. Limit users and accounts that have remote interactive login access. Remove the Local Administrators group from the list of groups allowed to login through RDP. Limit remote user permissions. Use remote desktop gateways and multifactor authentication for remote logins.::",
        "Example Instances": "::Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.::Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.::",
        "Related Weaknesses": "::522::308::309::294::263::262::521::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1021:ENTRY NAME:Remote Services::::TAXONOMY NAME:ATTACK:ENTRY ID:1114.002:ENTRY NAME:Email Collection:Remote Email Collection::::TAXONOMY NAME:ATTACK:ENTRY ID:1133:ENTRY NAME:External Remote Services::",
        "Notes": ""
    },
    {
        "CAPEC ID": "556",
        "ID": "Replace File Extension Handlers",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:542::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Inspect registry for changes. Limit privileges of user accounts so changes to default file handlers can only be performed by authorized administrators.::",
        "Example Instances": "",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1546.001:ENTRY NAME:Event Triggered Execution:Change Default File Association::",
        "Notes": ""
    },
    {
        "CAPEC ID": "558",
        "ID": "Replace Trusted Executable",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:542::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "::Specific versions of Windows contain accessibility features that may be launched with a key combination before a user has logged in (for example when they are on the Windows Logon screen). On Windows XP and Windows Server 2003/R2, the program (e.g. C:WindowsSystem32utilman.exe) may be replaced with cmd.exe (or another program that provides backdoor access). Then pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over RDP will cause the replaced file to be executed with SYSTEM privileges.::",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1505.005:ENTRY NAME:Server Software Component: Terminal Services DLL::::TAXONOMY NAME:ATTACK:ENTRY ID:1546.008:ENTRY NAME:Event Triggered Execution: Accessibility Features::",
        "Notes": ""
    },
    {
        "CAPEC ID": "560",
        "ID": "Use of Known Domain Credentials",
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:CanPrecede:CAPEC ID:151::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service.TECHNIQUE:An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.:TECHNIQUE:An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.:TECHNIQUE:An adversary conducts a sniffing attack to steal credentials as they are transmitted.:TECHNIQUE:An adversary gains access to a database and exfiltrates password hashes.:TECHNIQUE:An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.::STEP:2:PHASE:Explore:DESCRIPTION:[Determine target's password policy] Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.TECHNIQUE:Determine minimum and maximum allowed password lengths.:TECHNIQUE:Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).:TECHNIQUE:Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).::STEP:3:PHASE:Experiment:DESCRIPTION:[Attempt authentication] Try each credential until the target grants access.TECHNIQUE:Manually or automatically enter each credential through the target's interface.::STEP:4:PHASE:Exploit:DESCRIPTION:[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within a system or application::STEP:5:PHASE:Exploit:DESCRIPTION:[Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.::STEP:6:PHASE:Exploit:DESCRIPTION:[Data Exfiltration] The adversary can obtain sensitive data contained within the system or application.::",
        "Prerequisites": "::The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.::The system/application does not have a sound password policy that is being enforced.::The system/application does not implement an effective password throttling mechanism.::The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target.::",
        "Skills Required": "::SKILL:Once an adversary obtains a known credential, leveraging it is trivial.:LEVEL:Low::",
        "Resources Required": "::A list of known credentials.::A custom script that leverages the credential list to launch an attack.::",
        "Indicators": "::Authentication attempts use credentials that have been used previously by the account in question.::Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.::Data is being transferred and/or removed from systems/applications within the network.::Suspicious or Malicious software is downloaded/installed on systems within the domain.::Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:SCOPE:AuthorizationTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.::Create a strong password policy and ensure that your system enforces this policy.::Ensure users are not reusing username/password combinations for multiple systems, applications, or services.::Do not reuse local administrator account credentials across systems.::Deny remote use of local admin credentials to log into domain systems.::Do not allow accounts to be a local administrator on more than one system.::Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.::Monitor system and domain logs for abnormal credential access.::",
        "Example Instances": "::Throughout 2015 and 2016, APT28 \u2014 also known as Pawn Storm, Sednit, Fancy Bear, Sofacy, and STRONTIUM \u2014 leveraged stolen credentials to infiltrate the Democratic National Committee (DNC), the United States Army, the World Anti-Doping Agency (WADA), the Court of Arbitration for Sport (TAS-CAS), and more. In most cases, the legitimate credentials were obtained via calculated spearphishing, tabnabbing, and DNS attacks targeted at corporate webmail systems. APT28 also executed several watering hole attacks, in addition to exploiting several zero-day vulnerabilities within Flash and Windows. The stolen credentials were then utilized to maintain authenticated access, laterally move within the local network, and exfiltrate sensitive information including DNC emails and personal medical records of numerous athletes. [REF-571]::In early 2019, FIN6 exploited stolen credentials from an organization within the engineering industry to laterally move within an environment via the Windows\u2019 Remote Desktop Protocol (RDP). Multiple servers were subsequently infected with malware to create malware distribution servers, which were used to distribute the LockerGoga ransomware. [REF-573]::",
        "Related Weaknesses": "::522::307::308::309::262::263::654::1273::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1078:ENTRY NAME:Valid Accounts::",
        "Notes": ""
    },
    {
        "CAPEC ID": "561",
        "ID": "Windows Admin Shares with Stolen Credentials",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:653::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:165::NATURE:CanPrecede:CAPEC ID:549::NATURE:CanPrecede:CAPEC ID:545::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Acquire known Windows administrator credentials] The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.TECHNIQUE:An adversary purchases breached Windows administrator credentials from the dark web.:TECHNIQUE:An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.:TECHNIQUE:An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.:TECHNIQUE:An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.:TECHNIQUE:An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials.::STEP:2:PHASE:Experiment:DESCRIPTION:[Attempt domain authentication] Try each Windows administrator credential against the hidden network shares until the target grants access.TECHNIQUE:Manually or automatically enter each administrator credential through the target's interface.::STEP:3:PHASE:Exploit:DESCRIPTION:[Malware Execution] An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain.::STEP:4:PHASE:Exploit:DESCRIPTION:[Data Exfiltration] The adversary can remotely obtain sensitive data contained within the administrative network shares.::",
        "Prerequisites": "::The system/application is connected to the Windows domain.::The target administrative share allows remote use of local admin credentials to log into domain systems.::The adversary possesses a list of known Windows administrator credentials that exist on the target domain.::",
        "Skills Required": "::SKILL:Once an adversary obtains a known Windows credential, leveraging it is trivial.:LEVEL:Low::",
        "Resources Required": "::A list of known Windows administrator credentials for the targeted domain.::",
        "Indicators": "::Data is being transferred and/or removed from administrative network shares.::Suspicious or Malicious software is executed within administrative network shares.::Suspicious or Malicious software is downloaded/installed on systems within the domain.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:SCOPE:AuthorizationTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Do not reuse local administrator account credentials across systems.::Deny remote use of local admin credentials to log into domain systems.::Do not allow accounts to be a local administrator on more than one system.::",
        "Example Instances": "::APT32 has leveraged Windows' built-in Net utility to use Windows Administrative Shares to copy and execute remote malware. [REF-579]::In May 2017, APT15 laterally moved within a Windows domain via Windows Administrative Shares to copy files to and from compromised host systems. This further allowed for the remote execution of malware. [REF-578]::",
        "Related Weaknesses": "::522::308::309::294::263::262::521::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1021.002:ENTRY NAME:Remote Services:SMB/Windows Admin Shares::",
        "Notes": ""
    },
    {
        "CAPEC ID": "562",
        "ID": "Modify Shared File",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:17::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Disallow shared content. Protect shared folders by minimizing users that have write access. Use utilities that mitigate exploitation like the Microsoft Enhanced Mitigation Experience Toolkit (EMET) to prevent exploits from being run.::",
        "Example Instances": "",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1080:ENTRY NAME:Taint shared content::",
        "Notes": ""
    },
    {
        "CAPEC ID": "564",
        "ID": "Run Software at Logon",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:542::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Restrict write access to logon scripts to necessary administrators.::",
        "Example Instances": "",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1037:ENTRY NAME:Boot or Logon Initialization Scripts::::TAXONOMY NAME:ATTACK:ENTRY ID:1543.001:ENTRY NAME:Create or Modify System Process: Launch Agent::::TAXONOMY NAME:ATTACK:ENTRY ID:1543.004:ENTRY NAME:Create or Modify System Process: Launch Daemon::::TAXONOMY NAME:ATTACK:ENTRY ID:1547:ENTRY NAME:Boot or Logon Autostart Execution::",
        "Notes": ""
    },
    {
        "CAPEC ID": "565",
        "ID": "Password Spraying",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:49::NATURE:CanPrecede:CAPEC ID:600::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:560::NATURE:CanPrecede:CAPEC ID:561::NATURE:CanPrecede:CAPEC ID:653::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine target's password policy] Determine the password policies of the target system/application.TECHNIQUE:Determine minimum and maximum allowed password lengths.:TECHNIQUE:Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).:TECHNIQUE:Determine account lockout policy (a strict account lockout policy will prevent brute force attacks).::STEP:2:PHASE:Explore:DESCRIPTION:[Select passwords] Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)TECHNIQUE:Select passwords based on common use or a particular user's additional details.:TECHNIQUE:Select passwords based on the target's password complexity policies.::STEP:3:PHASE:Exploit:DESCRIPTION:[Brute force password] Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.TECHNIQUE:Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.:TECHNIQUE:Iterate through the remaining passwords for each known user account.::",
        "Prerequisites": "::The system/application uses one factor password based authentication.::The system/application does not have a sound password policy that is being enforced.::The system/application does not implement an effective password throttling mechanism.::The adversary possesses a list of known user accounts on the target system/application.::",
        "Skills Required": "::SKILL:A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available.:LEVEL:Low::",
        "Resources Required": "::A machine with sufficient resources for the job (e.g. CPU, RAM, HD).::Applicable password lists.::A password cracking tool or a custom script that leverages the password list to launch the attack.::",
        "Indicators": "::Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.::The login attempts use passwords that have been used previously by the user account in question.::Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:SCOPE:AuthorizationTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Create a strong password policy and ensure that your system enforces this policy.::Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.::Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.::",
        "Example Instances": "::A user selects the phrase Password123 as their password, believing that it would be very difficult to guess. Password Spraying, leveraging a list of commonly used passwords, is used to crack this password and gain access to the account.::The Iranian hacker group APT33 (AKA Holmium, Refined Kitten, or Elfin) carried out numerous Password Spraying attacks in 2019. On average, APT33 targeted 2,000 organizations per month, with upwards of 10 million authentication attempts each day. The majority of these attacks targeted manufacturers, suppliers, or maintainers of industrial control system equipment.::",
        "Related Weaknesses": "::521::262::263::654::307::308::309::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1110.003:ENTRY NAME:Brute Force:Password Spraying::",
        "Notes": ""
    },
    {
        "CAPEC ID": "568",
        "ID": "Capture Credentials via Keylogger",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:569::NATURE:CanPrecede:CAPEC ID:600::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:560::NATURE:CanPrecede:CAPEC ID:561::NATURE:CanPrecede:CAPEC ID:653::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine which user's credentials to capture] Since this is a more targeted attack, an adversary will first identify a particular user they wish the capture the credentials of.::STEP:2:PHASE:Experiment:DESCRIPTION:[Deploy keylogger] Once a user is identified, an adversary will deploy a keylogger to the user's system in one of many ways.TECHNIQUE:Send a phishing email with a malicious attachment that installs a keylogger on a user's system:TECHNIQUE:Conceal a keylogger behind fake software and get the user to download the software:TECHNIQUE:Get a user to click on a malicious URL that directs them to a webpage that will install a keylogger without their knowledge:TECHNIQUE:Gain access to the user's system through a vulnerability and manually install a keylogger::STEP:3:PHASE:Experiment:DESCRIPTION:[Record keystrokes] Once the keylogger is deployed on the user's system, the adversary will record keystrokes over a period of time.::STEP:4:PHASE:Experiment:DESCRIPTION:[Analyze data and determine credentials] Using the captured keystrokes, the adversary will be able to determine the credentials of the user.TECHNIQUE:Search for repeated sequences that are following by the enter key:TECHNIQUE:Search for repeated sequences that are not found in a dictionary:TECHNIQUE:Search for several backspaces in a row. This could indicate a mistyped password. The correct password can then be inferred using the whole key sequence::STEP:5:PHASE:Exploit:DESCRIPTION:[Use found credentials] After the adversary has found the credentials for the target user, they will then use them to gain access to a system in order to perform some follow-up attack::",
        "Prerequisites": "::The ability to install the keylogger, either in person or remote.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Strong physical security can help reduce the ability of an adversary to install a keylogger.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1056.001:ENTRY NAME:Input Capture:Keylogging::",
        "Notes": ""
    },
    {
        "CAPEC ID": "569",
        "ID": "Collect Data as Provided by Users",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:116::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1056:ENTRY NAME:Input Capture::",
        "Notes": ""
    },
    {
        "CAPEC ID": "57",
        "ID": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:157::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Find a REST-style application that uses SSL] The adversary must first find a REST-style application that uses SSL to target. Because this attack is easier to carry out from inside of a server network, it is likely that an adversary could have inside knowledge of how services operate.::STEP:2:PHASE:Experiment:DESCRIPTION:[Insert a listener to sniff client-server communication] The adversary inserts a listener that must exist beyond the point where SSL is terminated. This can be placed on the client side if it is believed that sensitive information is being sent to the client as a response, although most often the listener will be placed on the server side to listen for client authentication information.TECHNIQUE:Run wireshark or tcpdump on a device that is on the inside of a firewall, load balancer, or router of a network and capture traffic after SSL has been terminated::STEP:3:PHASE:Exploit:DESCRIPTION:[Gather information passed in the clear] If developers have not hashed or encrypted data sent in the sniffed request, the adversary will be able to read this data in the clear. Most commonly, they will now have a username or password that they can use to submit requests to the web service just as an authorized user::",
        "Prerequisites": "::Opportunity to intercept must exist beyond the point where SSL is terminated.::The adversary must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path.::",
        "Skills Required": "::SKILL:To insert a network sniffer or other listener into the communication stream:LEVEL:Low::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Implementation: Implement message level security such as HMAC in the HTTP communication::Design: Utilize defense in depth, do not rely on a single security mechanism like SSL::Design: Enforce principle of least privilege::",
        "Example Instances": "::The Rest service provider uses SSL to protect the communications between the service requester (client) to the service provider. In the instance where SSL is terminated before the communications reach the web server, it is very common in enterprise data centers to terminate SSL at a router, firewall, load balancer, proxy or other device, then the adversary can insert a sniffer into the communication stream and gather all the authentication tokens (such as session credentials, username/passwords combinations, and so on). The Rest service requester and service provider do not have any way to detect this attack.::",
        "Related Weaknesses": "::300::287::693::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1040:ENTRY NAME:Network Sniffing::",
        "Notes": ""
    },
    {
        "CAPEC ID": "571",
        "ID": "Block Logging to Central Repository",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:161::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1562.002:ENTRY NAME:Impair Defenses: Disable Windows Event Logging::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.002:ENTRY NAME:Impair Defenses: Impair Command History Logging::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.006:ENTRY NAME:Impair Defenses: Indicator Blocking::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.008:ENTRY NAME:Impair Defenses: Disable Cloud Logs::",
        "Notes": ""
    },
    {
        "CAPEC ID": "572",
        "ID": "Artificially Inflate File Sizes",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary modifies file contents by adding data to files for several reasons. Many different attacks could \u201cfollow\u201d this pattern resulting in numerous outcomes. Adding data to a file could also result in a Denial of Service condition for devices with limited storage capacity.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:165::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:AvailabilityTECHNICAL IMPACT:Resource Consumption:NOTE:Availability Resource Consumption Denial of Service::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "",
        "Example Instances": "::An adversary could potentially increase file sizes on devices containing limited storage resources, such as SCADA or IOT devices, resulting in denial of service conditions.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1027.001:ENTRY NAME:Obfuscated Files or Information:Binary Padding::",
        "Notes": ""
    },
    {
        "CAPEC ID": "573",
        "ID": "Process Footprinting",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary exploits functionality meant to identify information about the currently running processes on the target system to an authorized user. By knowing what processes are running on the target system, the adversary can learn about the target environment as a means towards further malicious behavior.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism:TECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "::Identify programs that may be used to acquire process information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.::",
        "Example Instances": "::On a Windows system, the command, tasklist, displays information about processes. The same function on a Mac OS system is done with the command, ps.::In addition to manual discovery of running processes, an adversary can develop malware that carries out this attack pattern before subsequent malicious action.::",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1057:ENTRY NAME:Process Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "574",
        "ID": "Services Footprinting",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary exploits functionality meant to identify information about the services on the target system to an authorized user. By knowing what services are registered on the target system, the adversary can learn about the target environment as a means towards further malicious behavior. Depending on the operating system, commands that can obtain services information include sc and tasklist/svc using Tasklist, and net start using Net.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism:TECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "::Identify programs that may be used to acquire service information and block them by using a software restriction policy or tools that restrict program execution by uaing a process allowlist.::",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1007:ENTRY NAME:System Service Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "575",
        "ID": "Account Footprinting",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary exploits functionality meant to identify information about the domain accounts and their permissions on the target system to an authorized user. By knowing what accounts are registered on the target system, the adversary can inform further and more targeted malicious behavior. Example Windows commands which can acquire this information are: net user and dsquery.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism:TECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "::Identify programs that may be used to acquire account information and block them by using a software restriction policy or tools that restrict program execution by uysing a process allowlist.::",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1087:ENTRY NAME:Account Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "576",
        "ID": "Group Permission Footprinting",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary exploits functionality meant to identify information about user groups and their permissions on the target system to an authorized user. By knowing what users/permissions are registered on the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command which can list local groups is net localgroup.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism:TECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "::Identify programs (such as net) that may be used to enumerate local group permissions and block them by using a software restriction Policy or tools that restrict program execution by using a process allowlist.::",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1069:ENTRY NAME:Permission Groups Discovery::::TAXONOMY NAME:ATTACK:ENTRY ID:1615:ENTRY NAME:Group Policy Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "577",
        "ID": "Owner Footprinting",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary exploits functionality meant to identify information about the primary users on the target system to an authorized user. They may do this, for example, by reviewing logins or file modification times. By knowing what owners use the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command that may accomplish this is dir /A ntuser.dat. Which will display the last modified time of a user's ntuser.dat file when run within the root folder of a user. This time is synonymous with the last time that user was logged in.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have gained access to the target system via physical or logical means in order to carry out this attack.::Administrator permissions are required to view the home folder of other users.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism:TECHNICAL IMPACT:Hide Activities::",
        "Mitigations": "::Ensure that proper permissions on files and folders are enacted to limit accessibility.::",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1033:ENTRY NAME:System Owner/User Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "578",
        "ID": "Disable Security Software",
        "Abstraction": "Standard",
        "Status": "Usable",
        "Description": "An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:176::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have the capability to interact with the configuration of the targeted system.::",
        "Skills Required": "",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:AvailabilityTECHNICAL IMPACT:Hide Activities:NOTE:Availability Hide Activities By disabling certain security tools, the adversary can hide malicious activity and avoid detection.::",
        "Mitigations": "::Ensure proper permissions are in place to prevent adversaries from altering the execution status of security tools.::",
        "Example Instances": "",
        "Related Weaknesses": "::284::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1562.001:ENTRY NAME:Impair Defenses: Disable or Modify Tools::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.002:ENTRY NAME:Impair Defenses: Disable Windows Event Logging::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.004:ENTRY NAME:Impair Defenses: Disable or Modify System Firewall::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.007:ENTRY NAME:Impair Defenses: Disable or Modify Cloud Firewall::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.008:ENTRY NAME:Impair Defenses: Disable Cloud Logs::::TAXONOMY NAME:ATTACK:ENTRY ID:1562.009:ENTRY NAME:Impair Defenses: Safe Mode Boot::",
        "Notes": "",
    },
    {
        "CAPEC ID": "579",
        "ID": "Replace Winlogon Helper DLL",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:542::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Changes to registry entries in HKLMSoftwareMicrosoftWindows NTWinlogonNotify that do not correlate with known software, patch cycles, etc are suspicious. New DLLs written to System32 which do not correlate with known good software or patching may be suspicious.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1547.004:ENTRY NAME:Boot or Logon Autostart Execution: Winlogon helper DLL::",
        "Notes": ""
    },
    {
        "CAPEC ID": "580",
        "ID": "System Footprinting",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have logical access to the target network and system.::",
        "Skills Required": "::SKILL:The adversary needs to know basic linux commands.:LEVEL:Low::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Keep patches up to date by installing weekly or daily if possible.::Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1082:ENTRY NAME:System Information Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "581",
        "ID": "Security Software Footprinting",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations. This may include security related system features (such as a built-in firewall or anti-spyware) as well as third-party security software.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:580::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Identify programs that may be used to acquire security tool information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1518.001:ENTRY NAME:Software Discovery:Security Software Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "593",
        "ID": "Session Hijacking",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:21::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Discover Existing Session Token] Through varrying means, an adversary will discover and store an existing session token for some other authenticated user session.::STEP:2:PHASE:Experiment:DESCRIPTION:[Insert Found Session Token] The attacker attempts to insert a found session token into communication with the targeted application to confirm viability for exploitation.::STEP:3:PHASE:Exploit:DESCRIPTION:[Session Token Exploitation] The attacker leverages the captured session token to interact with the targeted application in a malicious fashion, impersonating the victim.::",
        "Prerequisites": "::An application that leverages sessions to perform authentication.::",
        "Skills Required": "::SKILL:Exploiting a poorly protected identity token is a well understood attack with many helpful resources available.:LEVEL:Low::",
        "Resources Required": "::The adversary must have the ability to communicate with the application over the network.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:AvailabilityTECHNICAL IMPACT:Gain Privileges:NOTE:Confidentiality Integrity Availability Gain Privileges A successful attack can enable an adversary to gain unauthorized access to an application.::",
        "Mitigations": "::Properly encrypt and sign identity tokens in transit, and use industry standard session key generation mechanisms that utilize high amount of entropy to generate the session key. Many standard web and application servers will perform this task on your behalf. Utilize a session timeout for all sessions. If the user does not explicitly logout, terminate their session after this period of inactivity. If the user logs back in then a new session key should be generated.::",
        "Example Instances": "",
        "Related Weaknesses": "::287::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1185:ENTRY NAME:Browser Session Hijacking::::TAXONOMY NAME:ATTACK:ENTRY ID:1550.001:ENTRY NAME:Use Alternate Authentication Material:Application Access Token::::TAXONOMY NAME:ATTACK:ENTRY ID:1563:ENTRY NAME:Remote Service Session Hijacking::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Session hijacking attack::",
        "Notes": ""
    },
    {
        "CAPEC ID": "60",
        "ID": "Reusing Session IDs (aka Session Replay)",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:593::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:The attacker interacts with the target host and finds that session IDs are used to authenticate users.::STEP:2:PHASE:Explore:DESCRIPTION:The attacker steals a session ID from a valid user.::STEP:3:PHASE:Exploit:DESCRIPTION:The attacker tries to use the stolen session ID to gain access to the system with the privileges of the session ID's original owner.::",
        "Prerequisites": "::The target host uses session IDs to keep track of the users.::Session IDs are used to control access to resources.::The session IDs used by the target host are not well protected from session theft.::",
        "Skills Required": "::SKILL:If an attacker can steal a valid session ID, they can then try to be authenticated with that stolen session ID.:LEVEL:Low::SKILL:More sophisticated attack can be used to hijack a valid session from a user and spoof a legitimate user by reusing their valid session ID.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Always invalidate a session ID after the user logout.::Setup a session time out for the session IDs.::Protect the communication between the client and server. For instance it is best practice to use SSL to mitigate adversary in the middle attacks (CAPEC-94).::Do not code send session ID with GET method, otherwise the session ID will be copied to the URL. In general avoid writing session IDs in the URLs. URLs can get logged in log files, which are vulnerable to an attacker.::Encrypt the session data associated with the session ID.::Use multifactor authentication.::",
        "Example Instances": "::OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. See also: CVE-1999-0428::Merak Mail IceWarp Web Mail uses a static identifier as a user session ID that does not change across sessions, which could allow remote attackers with access to the ID to gain privileges as that user, e.g. by extracting the ID from the user's answer or forward URLs. See also: CVE-2002-0258::",
        "Related Weaknesses": "::294::290::346::384::488::539::200::285::664::732::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1134.001:ENTRY NAME:Access Token Manipulation:Token Impersonation/Theft::::TAXONOMY NAME:ATTACK:ENTRY ID:1550.004:ENTRY NAME:Use Alternate Authentication Material:Web Session Cookie::",
        "Notes": ""
    },
    {
        "CAPEC ID": "600",
        "ID": "Credential Stuffing",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:560::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:653::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Acquire known credentials] The adversary must obtain known credentials in order to access the target system, application, or service.TECHNIQUE:An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.:TECHNIQUE:An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.:TECHNIQUE:An adversary conducts a sniffing attack to steal credentials as they are transmitted.:TECHNIQUE:An adversary gains access to a database and exfiltrates password hashes.:TECHNIQUE:An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.::STEP:2:PHASE:Explore:DESCRIPTION:[Determine target's password policy] Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.TECHNIQUE:Determine minimum and maximum allowed password lengths.:TECHNIQUE:Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).:TECHNIQUE:Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).::STEP:3:PHASE:Experiment:DESCRIPTION:[Attempt authentication] Try each username/password combination until the target grants access.TECHNIQUE:Manually or automatically enter each username/password combination through the target's interface.::STEP:3:PHASE:Exploit:DESCRIPTION:[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application::STEP:4:PHASE:Exploit:DESCRIPTION:[Spoofing] Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.::STEP:5:PHASE:Exploit:DESCRIPTION:[Data Exfiltration] The adversary can obtain sensitive data contained within the system or application.::",
        "Prerequisites": "::The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.::The system/application does not have a sound password policy that is being enforced.::The system/application does not implement an effective password throttling mechanism.::The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target.::",
        "Skills Required": "::SKILL:A Credential Stuffing attack is very straightforward.:LEVEL:Low::",
        "Resources Required": "::A machine with sufficient resources for the job (e.g. CPU, RAM, HD).::A known list of username/password combinations.::A custom script that leverages the credential list to launch the attack.::",
        "Indicators": "::Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.::The login attempts use passwords that have been used previously by the user account in question.::Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:SCOPE:AuthorizationTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.::Create a strong password policy and ensure that your system enforces this policy.::Ensure users are not reusing username/password combinations for multiple systems, applications, or services.::Do not reuse local administrator account credentials across systems.::Deny remote use of local admin credentials to log into domain systems.::Do not allow accounts to be a local administrator on more than one system.::Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.::Monitor system and domain logs for abnormal credential access.::",
        "Example Instances": "::A user leverages the password Password123 for a handful of application logins. An adversary obtains a victim's username/password combination from a breach of a social media application and executes a Credential Stuffing attack against multiple banking and credit card applications. Since the user leverages the same credentials for their bank account login, the adversary successfully authenticates to the user's bank account and transfer money to an offshore account.::In October 2014 J.P. Morgan's Corporate Challenge website was breached, resulting in adversaries obtaining multiple username/password pairs. A Credential Stuffing attack was then executed against J.P. Morgan Chase, which resulted in over 76 million households having their accounts compromised.::",
        "Related Weaknesses": "::522::307::308::309::262::263::654::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1110.004:ENTRY NAME:Brute Force:Credential Stuffing::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Credential stuffing::",
        "Notes": ""
    },
    {
        "CAPEC ID": "609",
        "ID": "Cellular Traffic Intercept",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:157::",
        "Execution Flow": "",
        "Prerequisites": "::None::",
        "Skills Required": "::SKILL:Adversaries can purchase hardware and software solutions, or create their own solutions, to capture/intercept cellular radio traffic. The cost of a basic Base Transceiver Station (BTS) to broadcast to local mobile cellular radios in mobile devices has dropped to very affordable costs. The ability of commercial cellular providers to monitor for rogue BTS stations is poor in many areas and it is assumed that rogue BTS stations exist in urban areas.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:NOTE:Confidentiality Read Data Capture all cellular and RF traffic from mobile and retransmission devices. Move bulk traffic capture to storage area for cryptanalysis of encrypted traffic, and telemetry analysis of non-encrypted data. (packet headers, cellular power data, signal strength, etc.)::",
        "Mitigations": "::Encryption of all data packets emanating from the smartphone to a retransmission device via two encrypted tunnels with Suite B cryptography, all the way to the VPN gateway at the datacenter.::",
        "Example Instances": "",
        "Related Weaknesses": "::311::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1111:ENTRY NAME:Multi-Factor Authentication Interception::",
        "Notes": ""
    },
    {
        "CAPEC ID": "616",
        "ID": "Establish Rogue Location",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:154::NATURE:CanPrecede:CAPEC ID:691::",
        "Execution Flow": "",
        "Prerequisites": "::A resource is expected to available to the user.::",
        "Skills Required": "::SKILL:Adversaries can often purchase low-cost technology to implement rogue access points.:LEVEL:Low::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:IntegrityTECHNICAL IMPACT:Other:NOTE:Confidentiality Integrity Other Successful attacks of this nature can result in a wide variety of consequences and negatively impact confidentiality and integrity based on the adversary's subsequent actions.::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1036.005:ENTRY NAME:Masquerading: Match Legitimate Name or Location::",
        "Notes": ""
    },
    {
        "CAPEC ID": "620",
        "ID": "Drop Encryption Level",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:212::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Access ControlTECHNICAL IMPACT:Bypass Protection Mechanism::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::757::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1600:ENTRY NAME:Weaken Encryption::",
        "Notes": ""
    },
    {
        "CAPEC ID": "633",
        "ID": "Token Impersonation",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:194::",
        "Execution Flow": "",
        "Prerequisites": "::This pattern of attack is only applicable when a downstream user leverages tokens to verify identity, and then takes action based on that identity.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Alter Execution Logic:NOTE:Integrity Alter Execution Logic By faking the source of data or services, an adversary can cause a target to make incorrect decisions about how to proceed.::SCOPE:IntegrityTECHNICAL IMPACT:Gain Privileges:NOTE:Integrity Gain Privileges By impersonating identities that have an increased level of access, an adversary gain privilege that they many not have otherwise had.::SCOPE:IntegrityTECHNICAL IMPACT:Hide Activities:NOTE:Integrity Hide Activities Faking the source of data or services can be used to create a false trail in logs as the target will associated any actions with the impersonated identity instead of the adversary.::",
        "Mitigations": "",
        "Example Instances": "",
        "Related Weaknesses": "::287::1270::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1134:ENTRY NAME:Access Token Manipulation::",
        "Notes": ""
    },
    {
        "CAPEC ID": "634",
        "ID": "Probe Audio and Video Peripherals",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains which is accomplished by collecting communication data between two parties via the use of peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. Skype) on a system.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:651::NATURE:ChildOf:CAPEC ID:545::",
        "Execution Flow": "",
        "Prerequisites": "::Knowledge of the target device's or application\u2019s vulnerabilities that can be capitalized on with malicious code. The adversary must be able to place the malicious code on the target device.::",
        "Skills Required": "::SKILL:To deploy a hidden process or malware on the system to automatically collect audio and video data.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Prevent unknown code from executing on a system through the use of an allowlist policy.::Patch installed applications as soon as new updates become available.::",
        "Example Instances": "::An adversary can capture audio and video, and transmit the recordings to a C2 server or a similar capability.::An adversary can capture and record from audio peripherals in a vehicle via a Car Whisperer attack. If an adversary is within close proximity to a vehicle with Bluetooth capabilities, they may attempt to connect to the hands-free system when it is in pairing mode. With successful authentication, if an authentication system is present at all, an adversary may be able to play music/voice recordings, as well begin a recording and capture conversations happening inside the vehicle. Successful authentication relies on the pairing security key being set to a default value, or by brute force (which may be less practical in an outside environment) Depending on the sensitivity of the information being discussed, this scenario can be extremely compromising.::An adversary may also use a technique called Bluebugging, which is similar to Bluesnarfing but requires the adversary to be between 10-15 meters of the target device. Bluebugging creates a backdoor for an attacker to listen/record phone calls, forward calls, send SMS and retrieve the phonebook.::",
        "Related Weaknesses": "::267::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1123:ENTRY NAME:Audio Capture::::TAXONOMY NAME:ATTACK:ENTRY ID:1125:ENTRY NAME:Video Capture::",
        "Notes": ""
    },
    {
        "CAPEC ID": "635",
        "ID": "Alternative Execution Due to Deceptive Filenames",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:165::",
        "Execution Flow": "",
        "Prerequisites": "::The use of the file must be controlled by the file extension.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Applications should insure that the content of the file is consistent with format it is expecting, and not depend solely on the file extension.::",
        "Example Instances": "",
        "Related Weaknesses": "::162::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1036.007:ENTRY NAME:Masquerading: Double File Extension::",
        "Notes": ""
    },
    {
        "CAPEC ID": "636",
        "ID": "Hiding Malicious Data or Code within Files",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:165::",
        "Execution Flow": "",
        "Prerequisites": "::The operating system must support a file system that allows for alternate data storage for a file.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Many tools are available to search for the hidden data. Scan regularly for such data using one of these tools.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1001.002:ENTRY NAME:Data Obfuscation: Steganography::::TAXONOMY NAME:ATTACK:ENTRY ID:1027.003:ENTRY NAME:Obfuscated Files or Information: Steganography::::TAXONOMY NAME:ATTACK:ENTRY ID:1027.004:ENTRY NAME:Obfuscated Files or Information: Compile After Delivery::::TAXONOMY NAME:ATTACK:ENTRY ID:1218.001:ENTRY NAME:Signed Binary Proxy Execution: Compiled HTML File::::TAXONOMY NAME:ATTACK:ENTRY ID:1221:ENTRY NAME:Template Injection::",
        "Notes": ""
    },
    {
        "CAPEC ID": "637",
        "ID": "Collect Data from Clipboard",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:150::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Find an application that allows copying sensititve data to clipboad] An adversary first needs to find an application that allows copying and pasting of sensitive information. This could be an application that prints out temporary passwords to the screen, private email addresses, or any other sensitive information or data::STEP:2:PHASE:Experiment:DESCRIPTION:[Target users of the application] An adversary will target users of the application in order to obtain the information in their clipboard on a periodic basicTECHNIQUE:Install malware on a user's system designed to log clipboard contents periodically:TECHNIQUE:Get the user to click on a malicious link that will bring them to an application to log the contents of the clipboard::STEP:3:PHASE:Exploit:DESCRIPTION:[Follow-up attack] Use any sensitive information found to carry out a follow-up attack::",
        "Prerequisites": "::The adversary must have a means (i.e., a pre-installed tool or background process) by which to collect data from the clipboard and store it. That is, when the target copies data to the clipboard (e.g., to paste into another application), the adversary needs some means of capturing that data in a third location.::",
        "Skills Required": "::SKILL:To deploy a hidden process or malware on the system to automatically collect clipboard data.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::While copying and pasting of data with the clipboard is a legitimate and practical function, certain situations and context may require the disabling of this feature. Just as certain applications disable screenshot capability, applications that handle highly sensitive information should consider disabling copy and paste functionality.::Employ a robust identification and audit/blocking via using an allowlist of applications on your system. Malware may contain the functionality associated with this attack pattern.::",
        "Example Instances": "",
        "Related Weaknesses": "::267::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1115:ENTRY NAME:Clipboard Data::",
        "Notes": ""
    },
    {
        "CAPEC ID": "638",
        "ID": "Altered Component Firmware",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary exploits systems features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails the adversary infecting the target with firmware altering malware, using known tools, and a payload. Once this malware is executed, the MBR is modified to include instructions to execute the payload at desired intervals and when the system is booted up. A successful attack will obtain persistence within the victim system even if the operating system is reinstalled and/or if the component is formatted or has its data erased.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:452::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Select Target] The adversary searches for a suitable target to attack, such as government and/or private industry organizations.TECHNIQUE:Conduct reconnaissance to determine potential targets to exploit.::STEP:2:PHASE:Explore:DESCRIPTION:[Identify Components] After selecting a target, the adversary determines whether a vulnerable component, such as a specific make and model of a HDD, is contained within the target system.TECHNIQUE:[Remote Access Vector] The adversary gains remote access to the target, typically via additional malware, and explores the system to determine hardware components that are being leveraged.:TECHNIQUE:[Physical Access Vector] The adversary intercepts components in transit and determines if the component is vulnerable to attack.::STEP:3:PHASE:Experiment:DESCRIPTION:[Optional: Create Payload] If not using an already existing payload, the adversary creates their own to be executed at defined intervals and upon system boot processes. This payload may then be tested on the target system or a test system to confirm its functionality.::STEP:4:PHASE:Exploit:DESCRIPTION:[Insert Firmware Altering Malware] Once a vulnerable component has been identified, the adversary leverages known malware tools to infect the component's firmware and drop the payload within the component's MBR. This allows the adversary to maintain persistence on the target and execute the payload without being detected.TECHNIQUE:The adversary inserts the firmware altering malware on the target component, via the use of known malware tools.:TECHNIQUE:[Physical Access Vector] The adversary then sends the component to its original intended destination, where it will be installed onto a victim system.::",
        "Prerequisites": "::Advanced knowledge about the target component's firmware::Advanced knowledge about Master Boot Records (MBR)::Advanced knowledge about tools used to insert firmware altering malware.::Advanced knowledge about component shipments to the target organization.::",
        "Skills Required": "::SKILL:Ability to access and reverse engineer hardware component firmware.:LEVEL:High::SKILL:Ability to intercept components in transit.:LEVEL:High::SKILL:Ability to create malicious payload to be executed from MBR.:LEVEL:Medium::SKILL:Ability to leverage known malware tools to infect target system and insert firmware altering malware/payload:LEVEL:Low::",
        "Resources Required": "::Manufacturer source code for hardware components.::Malware tools used to insert malware and payload onto target component.::Either remote or physical access to the target component.::",
        "Indicators": "::Output observed from processes, API calls, or Self-Monitoring, Analysis and Reporting Technology (SMART) may provide insight into malicious modifications of MBRs.::Digital forensics tools may produce output that indicates an attack of this nature has occurred. Examples include unexpected disk partitions and/or unusual strings.::",
        "Consequences": "::SCOPE:Authentication:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges:TECHNICAL IMPACT:Execute Unauthorized Commands:TECHNICAL IMPACT:Bypass Protection Mechanism:TECHNICAL IMPACT:Hide Activities::SCOPE:Confidentiality:SCOPE:Access ControlTECHNICAL IMPACT:Read Data:TECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Leverage hardware components known to not be susceptible to these types of attacks.::Implement hardware RAID infrastructure.::",
        "Example Instances": "::In 2014, the Equation group was observed levering known malware tools to conduct component firmware alteration attacks against hard drives. In total, 12 HDD categories were shown to be vulnerable from manufacturers such as Western Digital, HGST, Samsung, and Seagate. Because of their complexity, only a few victims were targeted by these attacks. [REF-664]::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1542.002:ENTRY NAME:Pre-OS Boot:Component Firmware::",
        "Notes": ""
    },
    {
        "CAPEC ID": "639",
        "ID": "Probe System Files",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:545::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary has access to the file system of a system.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Verify that files have proper access controls set, and reduce the storage of sensitive information to only what is necessary.::",
        "Example Instances": "::Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.::Adversaries may search network shares on computers they have compromised to find files of interest.::",
        "Related Weaknesses": "::552::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1039:ENTRY NAME:Data from Network Shared Drive::::TAXONOMY NAME:ATTACK:ENTRY ID:1552.001:ENTRY NAME:Unsecured Credentials: Credentials in Files::::TAXONOMY NAME:ATTACK:ENTRY ID:1552.003:ENTRY NAME:Unsecured Credentials: Bash History::::TAXONOMY NAME:ATTACK:ENTRY ID:1552.004:ENTRY NAME:Unsecured Credentials: Private Keys::::TAXONOMY NAME:ATTACK:ENTRY ID:1552.006:ENTRY NAME:Unsecured Credentials: Group Policy Preferences::",
        "Notes": ""
    },
    {
        "CAPEC ID": "640",
        "ID": "Inclusion of Code in Existing Process",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, and more.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:251::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine target process] The adversary determines a process with sufficient privileges that they wish to include code into.TECHNIQUE:On Windows, use the process explorer's security tab to see if a process is running with administror privileges.:TECHNIQUE:On Linux, use the ps command to view running processes and pipe the output to a search for a particular user, or the root user.::STEP:2:PHASE:Experiment:DESCRIPTION:[Attempt to include simple code with known output] The adversary attempts to include very simple code into the existing process to determine if the code inclusion worked. The code will differ based on the approach used to include code into an existing process.::STEP:3:PHASE:Exploit:DESCRIPTION:[Include arbitrary code into existing process] Once an adversary has determined that including code into the existing process is possible, they will include code for a targeted purpose, such as accessing that process's memory.::",
        "Prerequisites": "::The targeted application fails to verify the integrity of the running process that allows an adversary to execute arbitrary code.::",
        "Skills Required": "::SKILL:Knowledge of how to load malicious code into the memory space of a running process, as well as the ability to have the running process execute this code. For example, with DLL injection, the adversary must know how to load a DLL into the memory space of another running process, and cause this process to execute the code inside of the DLL.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Integrity:SCOPE:ConfidentialityTECHNICAL IMPACT:Execute Unauthorized Commands:TECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Prevent unknown or malicious software from loading through using an allowlist policy.::Properly restrict the location of the software being used.::Leverage security kernel modules providing advanced access control and process restrictions like SELinux.::Monitor API calls like CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC, and similar for Windows.::Monitor API calls like ptrace system call, use of LD_PRELOAD environment variable, dlfcn dynamic linking API calls, and similar for Linux.::Monitor API calls like SetWindowsHookEx and SetWinEventHook which install hook procedures for Windows.::Monitor processes and command-line arguments for unknown behavior related to code injection.::",
        "Example Instances": "",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1055:ENTRY NAME:Process Injection::::TAXONOMY NAME:ATTACK:ENTRY ID:1505.005:ENTRY NAME:Server Software Component: Terminal Services DLL::::TAXONOMY NAME:ATTACK:ENTRY ID:1574.006:ENTRY NAME:Hijack Execution Flow: Dynamic Linker Hijacking::::TAXONOMY NAME:ATTACK:ENTRY ID:1574.013:ENTRY NAME:Hijack Execution Flow: KernelCallbackTable::",
        "Notes": ""
    },
    {
        "CAPEC ID": "641",
        "ID": "DLL Side-Loading",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:159::",
        "Execution Flow": "",
        "Prerequisites": "::The target must fail to verify the integrity of the DLL before using them.::",
        "Skills Required": "::SKILL:Trick the operating system in loading a malicious DLL instead of a legitimate DLL.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Execute Unauthorized Commands:TECHNICAL IMPACT:Bypass Protection Mechanism::",
        "Mitigations": "::Prevent unknown DLLs from loading through using an allowlist policy.::Patch installed applications as soon as new updates become available.::Properly restrict the location of the software being used.::Use of sxstrace.exe on Windows as well as manual inspection of the manifests.::Require code signing and avoid using relative paths for resources.::",
        "Example Instances": "",
        "Related Weaknesses": "::706::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1574.002:ENTRY NAME:Hijack Execution Flow:DLL Side-Loading::",
        "Notes": ""
    },
    {
        "CAPEC ID": "642",
        "ID": "Replace Binaries",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. These binaries can be replaced by malware, which can then be executed.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:17::",
        "Execution Flow": "",
        "Prerequisites": "::The attacker must be able to place the malicious binary on the target machine.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Insure that binaries commonly used by the system have the correct file permissions. Set operating system policies that restrict privilege elevation of non-Administrators. Use auditing tools to observe changes to system services.::",
        "Example Instances": "::The installer for a previous version of Firefox would use a DLL maliciously placed in the default download directory instead of the existing DLL located elsewhere, probably due to DLL hijacking. This DLL would be run with administrator privileges if the installer has those privileges.::By default, the Windows screensaver application SCRNSAVE.exe leverages the scrnsave.scr Portable Executable (PE) file in C:Windowssystem32. This value is set in the registry at HKEY_CURRENT_USERControl PanelDesktop, which can be modified by an adversary to instead point to a malicious program. This program would then run any time the SCRNSAVE.exe program is activated and with administrator privileges. An adversary may additionally modify other registry values within the same location to set the SCRNSAVE.exe program to run more frequently.::",
        "Related Weaknesses": "::732::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1505.005:ENTRY NAME:Server Software Component: Terminal Services DLL::::TAXONOMY NAME:ATTACK:ENTRY ID:1554:ENTRY NAME:Compromise Client Software Binary::::TAXONOMY NAME:ATTACK:ENTRY ID:1574.005:ENTRY NAME:Hijack Execution Flow:Executable Installer File Permissions Weakness::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Binary planting::",
        "Notes": ""
    },
    {
        "CAPEC ID": "643",
        "ID": "Identify Shared Files/Directories on System",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:309::NATURE:CanPrecede:CAPEC ID:561::NATURE:CanPrecede:CAPEC ID:545::NATURE:CanPrecede:CAPEC ID:165::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).::",
        "Skills Required": "::SKILL:Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line. The adversary, or their malware, can simply employ a set of commands that search for shared drives on the system (e.g., net view remote system or net share).:LEVEL:Low::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:NOTE:Confidentiality Read Data The adversary is potentially able to identify the location of sensitive information or lateral pathways through the network.::",
        "Mitigations": "::Identify unnecessary system utilities or potentially malicious software that may contain functionality to identify network share information, and audit and/or block them by using allowlist tools.::",
        "Example Instances": "",
        "Related Weaknesses": "::267::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1135:ENTRY NAME:Network Share Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "644",
        "ID": "Use of Captured Hashes (Pass The Hash)",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:653::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:165::NATURE:CanPrecede:CAPEC ID:549::NATURE:CanPrecede:CAPEC ID:545::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Acquire known Windows credential hash value pairs] The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.TECHNIQUE:An adversary purchases breached Windows credential hash value pairs from the dark web.:TECHNIQUE:An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.:TECHNIQUE:An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.:TECHNIQUE:An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.::STEP:2:PHASE:Experiment:DESCRIPTION:[Attempt domain authentication] Try each Windows credential hash value pair until the target grants access.TECHNIQUE:Manually or automatically enter each Windows credential hash value pair through the target's interface.::STEP:3:PHASE:Exploit:DESCRIPTION:[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain::STEP:4:PHASE:Exploit:DESCRIPTION:[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.::STEP:5:PHASE:Exploit:DESCRIPTION:[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.::",
        "Prerequisites": "::The system/application is connected to the Windows domain.::The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.::The adversary possesses known Windows credential hash value pairs that exist on the target domain.::",
        "Skills Required": "::SKILL:Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial.:LEVEL:Low::",
        "Resources Required": "::A list of known Window credential hash value pairs for the targeted domain.::",
        "Indicators": "::Authentication attempts use credentials that have been used previously by the account in question.::Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.::Data is being transferred and/or removed from systems/applications within the network.::Suspicious or Malicious software is downloaded/installed on systems within the domain.::Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:SCOPE:AuthorizationTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Prevent the use of Lan Man and NT Lan Man authentication on severs and apply patch KB2871997 to Windows 7 and higher systems.::Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network.::Monitor system and domain logs for abnormal credential access.::Create a strong password policy and ensure that your system enforces this policy.::Leverage system penetration testing and other defense in depth methods to determine vulnerable systems within a domain.::",
        "Example Instances": "::Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]::Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]::",
        "Related Weaknesses": "::522::836::308::294::308::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1550.002:ENTRY NAME:Use Alternate Authentication Material:Pass The Hash::",
        "Notes": ""
    },
    {
        "CAPEC ID": "645",
        "ID": "Use of Captured Tickets (Pass The Ticket)",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:652::NATURE:CanPrecede:CAPEC ID:151::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary needs physical access to the victim system.::The use of a third-party credential harvesting tool.::",
        "Skills Required": "::SKILL:Determine if Kerberos authentication is used on the server.:LEVEL:Low::SKILL:The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Reset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets and any tickets derived from them.::Monitor system and domain logs for abnormal access.::",
        "Example Instances": "::Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]::",
        "Related Weaknesses": "::522::294::308::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1550.003:ENTRY NAME:Use Alternate Authentication Material:Pass The Ticket::",
        "Notes": ""
    },
    {
        "CAPEC ID": "646",
        "ID": "Peripheral Footprinting",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary needs either physical or remote access to the victim system.::",
        "Skills Required": "::SKILL:The adversary needs to be able to infect the victim system in a manner that gives them remote access.:LEVEL:Medium::SKILL:If analyzing the Windows registry, the adversary must understand the registry structure to know where to look for devices.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "",
        "Mitigations": "::Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.::",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1120:ENTRY NAME:Peripheral Device Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "647",
        "ID": "Collect Data from Registries",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:150::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Gain logical access to system] An adversary must first gain logical access to the system it wants to gather registry information from,TECHNIQUE:Obtain user account credentials and access the system:TECHNIQUE:Plant malware on the system that will give remote logical access to the adversary::STEP:2:PHASE:Experiment:DESCRIPTION:[Determine if the permissions are correct] Once logical access is gained, an adversary will determine if they have the proper permissions, or are authorized, to view registry information. If they do not, they will need to escalate privileges on the system through other means::STEP:3:PHASE:Experiment:DESCRIPTION:[Peruse registry for information] Once an adversary has access to a registry, they will gather all system-specific data and sensitive information that they deem useful.::STEP:4:PHASE:Exploit:DESCRIPTION:[Follow-up attack] Use any information or weaknesses found to carry out a follow-up attack::",
        "Prerequisites": "::The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).::The adversary must have capability to navigate the operating system to peruse the registry.::",
        "Skills Required": "::SKILL:Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line.:LEVEL:Low::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:NOTE:Confidentiality Read Data The adversary is able to read sensitive information about the system in the registry.::",
        "Mitigations": "::Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.::Employ robust identification and audit/blocking via using an allowlist of applications on your system. Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.::",
        "Example Instances": "",
        "Related Weaknesses": "::285::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1005:ENTRY NAME:Data from Local System::::TAXONOMY NAME:ATTACK:ENTRY ID:1012:ENTRY NAME:Query Registry::::TAXONOMY NAME:ATTACK:ENTRY ID:1552.002:ENTRY NAME:Unsecured Credentials: Credentials in Registry::",
        "Notes": ""
    },
    {
        "CAPEC ID": "648",
        "ID": "Collect Data from Screen Capture",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:150::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).::",
        "Skills Required": "::SKILL:Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only to leverage the relevant command for screen capture.:LEVEL:Low::",
        "Resources Required": "::None: No specialized resources are required to execute this type of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:NOTE:Confidentiality Read Data The adversary is able to capture potentially sensitive information and processes as they appear on the screen.::",
        "Mitigations": "::Identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using allowlist tools.::While screen capture is a legitimate and practical function, certain situations and context may require the disabling of this feature.::",
        "Example Instances": "",
        "Related Weaknesses": "::267::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1113:ENTRY NAME:Screen Capture::::TAXONOMY NAME:ATTACK:ENTRY ID:1513:ENTRY NAME:Screen Capture::",
        "Notes": ""
    },
    {
        "CAPEC ID": "649",
        "ID": "Adding a Space to a File Extension",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:635::",
        "Execution Flow": "",
        "Prerequisites": "::The use of the file must be controlled by the file extension.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:AvailabilityTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "::File extensions should be checked to see if non-visible characters are being included.::",
        "Example Instances": "",
        "Related Weaknesses": "::46::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1036.006:ENTRY NAME:Masquerading:Space after Filename::",
        "Notes": ""
    },
    {
        "CAPEC ID": "65",
        "ID": "Sniff Application Code",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:157::NATURE:CanPrecede:CAPEC ID:37::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Set up a sniffer] The adversary sets up a sniffer in the path between the server and the client and watches the traffic.TECHNIQUE:The adversary sets up a sniffer in the path between the server and the client.::STEP:2:PHASE:Exploit:DESCRIPTION:[Capturing Application Code Bound During Patching]adversary knows that the computer/OS/application can request new applications to install, or it periodically checks for an available update. The adversary loads the sniffer set up during Explore phase, and extracts the application code from subsequent communication. The adversary then proceeds to reverse engineer the captured code.TECHNIQUE:adversary loads the sniffer to capture the application code bound during a dynamic update.:TECHNIQUE:The adversary proceeds to reverse engineer the captured code.::",
        "Prerequisites": "::The attacker must have the ability to place themself in the communication path between the client and server.::The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.::The attacker must be able to employ a sniffer on the network without being detected.::",
        "Skills Required": "::SKILL:The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ an adversary-in-the-middle attack (CAPEC-94), the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be.:LEVEL:Medium::",
        "Resources Required": "::The Attacker needs the ability to capture communications between the client being updated and the server providing the update. In the case that encryption obscures client/server communication the attacker will either need to lift key material from the client.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Design: Encrypt all communication between the client and server.::Implementation: Use SSL, SSH, SCP.::Operation: Use ifconfig/ipconfig or other tools to detect the sniffer installed in the network.::",
        "Example Instances": "::Attacker receives notification that the computer/OS/application has an available update, loads a network sniffing tool, and extracts update data from subsequent communication. The attacker then proceeds to reverse engineer the captured stream to gain sensitive information, such as encryption keys, validation algorithms, applications patches, etc..::Plain code, such as applets or JavaScript, is also part of the executing application. If such code is transmitted unprotected, the attacker can capture the code and possibly reverse engineer it to gain sensitive information, such as encryption keys, validation algorithms and such.::",
        "Related Weaknesses": "::319::311::318::693::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1040:ENTRY NAME:Network Sniffing::",
        "Notes": ""
    },
    {
        "CAPEC ID": "650",
        "ID": "Upload a Web Shell to a Web Server",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a gateway to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:17::",
        "Execution Flow": "",
        "Prerequisites": "::The web server is susceptible to one of the various web application exploits that allows for uploading a shell file.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:SCOPE:Integrity:SCOPE:AvailabilityTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "::Make sure your web server is up-to-date with all patches to protect against known vulnerabilities.::Ensure that the file permissions in directories on the web server from which files can be execute is set to the least privilege settings, and that those directories contents is controlled by an allowlist.::",
        "Example Instances": "",
        "Related Weaknesses": "::287::553::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1505.003:ENTRY NAME:Server Software Component:Web Shell::",
        "Notes": ""
    },
    {
        "CAPEC ID": "651",
        "ID": "Eavesdropping",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary intercepts a form of communication (e.g. text, audio, video) by way of software (e.g., microphone and audio recording application), hardware (e.g., recording equipment), or physical means (e.g., physical proximity). The goal of eavesdropping is typically to gain unauthorized access to sensitive information about the target for financial, personal, political, or other gains. Eavesdropping is different from a sniffing attack as it does not take place on a network-based communication channel (e.g., IP traffic). Instead, it entails listening in on the raw audio source of a conversation between two or more parties.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:117::",
        "Execution Flow": "",
        "Prerequisites": "::The adversary typically requires physical proximity to the target's environment, whether for physical eavesdropping or for placing recording equipment. This is not always the case for software-based eavesdropping, if the adversary has the capability to install malware on the target system that can activate a microphone and record audio digitally.::",
        "Skills Required": "",
        "Resources Required": "::For logical eavesdropping, some equipment may be necessary (e.g., microphone, tape recorder, etc.). For physical eavesdropping, only proximity is required.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Other:NOTE:Confidentiality Other The adversary gains unauthorized access to information.::",
        "Mitigations": "::Be mindful of your surroundings when discussing sensitive information in public areas.::Implement proper software restriction policies to only allow authorized software on your environment. Use of anti-virus and other security monitoring and detecting tools can aid in this too. Closely monitor installed software for unusual behavior or activity, and implement patches as soon as they become available.::If possible, physically disable the microphone on your machine if it is not needed.::",
        "Example Instances": "",
        "Related Weaknesses": "::200::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1111:ENTRY NAME:Multi-Factor Authentication Interception::",
        "Notes": ""
    },
    {
        "CAPEC ID": "652",
        "ID": "Use of Known Kerberos Credentials",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:560::NATURE:CanPrecede:CAPEC ID:151::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.TECHNIQUE:An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.:TECHNIQUE:An adversary guesses the credentials to a weak Kerberos service account.:TECHNIQUE:An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.:TECHNIQUE:An adversary conducts a Kerberoasting attack.::STEP:2:PHASE:Experiment:DESCRIPTION:[Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access.TECHNIQUE:Manually or automatically enter each Kerberos service account credential through the target's interface.:TECHNIQUE:Attempt a Pass the Ticket attack.::STEP:3:PHASE:Exploit:DESCRIPTION:[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain::STEP:4:PHASE:Exploit:DESCRIPTION:[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.::STEP:5:PHASE:Exploit:DESCRIPTION:[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.::",
        "Prerequisites": "::The system/application leverages Kerberos authentication.::The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.::The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.::The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.::The targeted network allows for network sniffing attacks to succeed.::",
        "Skills Required": "::SKILL:Once an adversary obtains a known Kerberos credential, leveraging it is trivial.:LEVEL:Low::",
        "Resources Required": "::A valid Kerberos ticket or a known Kerberos service account credential.::",
        "Indicators": "::Authentication attempts use expired or invalid credentials.::Authentication attempts are originating from IP addresses or locations that are inconsistent with an account's normal IP addresses or locations.::Data is being transferred and/or removed from systems/applications within the network.::Suspicious or Malicious software is downloaded/installed on systems within the domain.::Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:SCOPE:AuthorizationTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.::Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.::Do not reuse Kerberos service account credentials across systems.::Deny remote use of Kerberos service account credentials to log into domain systems.::Do not allow Kerberos service accounts to be a local administrator on more than one system.::Enable at least AES Kerberos encryption for tickets.::Monitor system and domain logs for abnormal credential access.::",
        "Example Instances": "::Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]::PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]::",
        "Related Weaknesses": "::522::307::308::309::262::263::654::294::836::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1558:ENTRY NAME:Steal or Forge Kerberos Tickets::",
        "Notes": "TYPE:Other:NOTE:Kerberos centers around a ticketing system that is used to request/grant access to resources and to then access the requested resources. If one of these tickets is acquired, an adversary could gain access to a specific resource; access any resource a user has privileges to access; gain access to services that use Kerberos as an authentication mechanism and generate tickets to access a particular resource and the system that hosts the resource; or generate Ticket Granting Tickets (TGTs) for any domain account within Active Directory.::"
    },
    {
        "CAPEC ID": "654",
        "ID": "Credential Prompt Impersonation",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:504::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine suitable tasks to exploit] Determine what tasks exist on the target system that may result in a user providing their credentials.TECHNIQUE:Determine what tasks prompt a user for their credentials.::STEP:2:PHASE:Exploit:DESCRIPTION:[Impersonate Task] Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials.TECHNIQUE:Prompt a user for their credentials, while making the user believe the credential request is legitimate.::",
        "Prerequisites": "::The adversary must already have access to the target system via some means.::A legitimate task must exist that an adversary can impersonate to glean credentials.::",
        "Skills Required": "::SKILL:Once an adversary has gained access to the target system, impersonating a credential prompt is not difficult.:LEVEL:Low::",
        "Resources Required": "::Malware or some other means to initially comprise the target system.::Additional malware to impersonate a legitimate credential prompt.::",
        "Indicators": "::Credential prompts that appear illegitimate or unexpected.::",
        "Consequences": "::SCOPE:Access Control:SCOPE:AuthenticationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.::",
        "Example Instances": "::An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.::An adversary randomly prompts a user to enter their system credentials, tricking the user into believing that a background process requires the credentials to function. The adversary can then use these gleaned credentials to execute additional attacks or obtain data.::",
        "Related Weaknesses": "::1021::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1056:ENTRY NAME:Input Capture::::TAXONOMY NAME:ATTACK:ENTRY ID:1548.004:ENTRY NAME:Abuse Elevation Control Mechanism: Elevated Execution with Prompt::",
        "Notes": ""
    },
    {
        "CAPEC ID": "655",
        "ID": "Avoid Security Tool Identification by Adding Data",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask their actions. In addition to this, adding data to a file also changes the file's hash, frustrating security tools that look for known bad files by their hash.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:572::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:AccountabilityTECHNICAL IMPACT:Hide Activities:TECHNICAL IMPACT:Bypass Protection Mechanism::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "",
        "Example Instances": "::Adding data to change the checksum of a file and can be used to avoid hash-based denylists and static anti-virus signatures.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1027.001:ENTRY NAME:Obfuscated Files or Information:Binary padding::",
        "Notes": ""
    },
    {
        "CAPEC ID": "657",
        "ID": "Malicious Automated Software Update via Spoofing",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:186::",
        "Execution Flow": "",
        "Prerequisites": "",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Access Control:SCOPE:Availability:SCOPE:ConfidentialityTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "",
        "Example Instances": "::An example of the spoofing strategy would be the eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking.::",
        "Related Weaknesses": "::494::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1072:ENTRY NAME:Software Deployment Tools::",
        "Notes": ""
    },
    {
        "CAPEC ID": "660",
        "ID": "Root/Jailbreak Detection Evasion via Hooking",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to hook code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:251::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify application with attack potential] The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).TECHNIQUE:Search application stores for mobile applications worth exploiting::STEP:2:PHASE:Experiment:DESCRIPTION:[Develop code to be hooked into chosen target application] The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods.TECHNIQUE:Develop code or leverage existing code to bypass Root/Jailbreak detection methods.:TECHNIQUE:Test the code to see if it works.:TECHNIQUE:Iteratively develop the code until Root/Jailbreak detection methods are evaded.::STEP:3:PHASE:Exploit:DESCRIPTION:[Execute code hooking to evade Root/Jailbreak detection methods] Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.TECHNIQUE:Hook code into the target application.::",
        "Prerequisites": "::The targeted application must be non-restricted to allow code hooking.::",
        "Skills Required": "::SKILL:Knowledge about Root/Jailbreak detection and evasion techniques.:LEVEL:High::SKILL:Knowledge about code hooking.:LEVEL:Medium::",
        "Resources Required": "::The adversary must have a Rooted/Jailbroken mobile device.::The adversary needs to have enough access to the target application to control the included code or file.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Integrity:SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:NOTE:Integrity Authorization Execute Unauthorized Commands Through Root/Jailbreak Detection Evasion via Hooking, the adversary compromises the integrity of the application.::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::SCOPE:Confidentiality:SCOPE:Access ControlTECHNICAL IMPACT:Read Data:NOTE:Confidentiality Access Control Read Data An adversary may leverage Root/Jailbreak Detection Evasion via Hooking in order to obtain sensitive information.::",
        "Mitigations": "::Ensure mobile applications are signed appropriately to avoid code inclusion via hooking.::Inspect the application's memory for suspicious artifacts, such as shared objects/JARs or dylibs, after other Root/Jailbreak detection methods.::Inspect the application's stack trace for suspicious method calls.::Allow legitimate native methods, and check for non-allowed native methods during Root/Jailbreak detection methods.::For iOS applications, ensure application methods do not originate from outside of Apple's SDK.::",
        "Example Instances": "::An adversary targets a non-restricted iOS banking application in an attempt to compromise sensitive user data. The adversary creates Objective-C runtime code that always returns false when checking for the existence of the Cydia application. The malicious code is then dynamically loaded into the application via the DYLD_INSERT_LIBRARIES environment variable. When the banking applications checks for Cydia, the hooked code returns false, so the application assumes the device is stock (i.e. not Jailbroken) and allows it to access the application. However, the adversary has just evaded Jailbreak detection and is now able to glean user credentials and/or transaction details.::An adversary targets a mobile voting application on an Android device with the goal of committing voter fraud. Leveraging the Xposed framework, the adversary is able to create and hook Java code into the application that bypasses Root detection methods. When the voting application attempts to detect a Rooted device by checking for commonly known installed packages associated with Rooting, the hooked code removes the suspicious packages before returning to the application. As a result, the application believes the device is stock (i.e. not Rooted) when in actuality this is not the case. Having evading Root detection, the adversary is now able to cast votes for the candidate of their choosing as a variety of different users.::",
        "Related Weaknesses": "::829::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1055:ENTRY NAME:Process Injection::",
        "Notes": ""
    },
    {
        "CAPEC ID": "662",
        "ID": "Adversary in the Browser (AiTB)",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints.",
        "Alternate Terms": "::TERM:Man in the Browser:DESCRIPTION:::TERM:Boy in the Browser:DESCRIPTION:::TERM:Man in the Mobile:DESCRIPTION:::",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:94::",
        "Execution Flow": "::STEP:1:PHASE:Experiment:DESCRIPTION:The adversary tricks the victim into installing the Trojan Horse malware onto their system.TECHNIQUE:Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.::STEP:2:PHASE:Experiment:DESCRIPTION:The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.::STEP:3:PHASE:Exploit:DESCRIPTION:The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.::",
        "Prerequisites": "::The adversary must install or convince a user to install a Trojan.::There are two components communicating with each other.::An attacker is able to identify the nature and mechanism of communication between the two target components.::Strong mutual authentication is not used between the two target components yielding opportunity for adversarial interposition.::For browser pivoting, the SeDebugPrivilege and a high-integrity process must both exist to execute this attack.::",
        "Skills Required": "::SKILL:Tricking the victim into installing the Trojan is often the most difficult aspect of this attack. Afterwards, the remainder of this attack is fairly trivial.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Ensure software and applications are only downloaded from legitimate and reputable sources, in addition to conducting integrity checks on the downloaded component.::Leverage anti-malware tools, which can detect Trojan Horse malware.::Use strong, out-of-band mutual authentication to always fully authenticate both ends of any communications channel.::Limit user permissions to prevent browser pivoting.::Ensure browser sessions are regularly terminated and when their effective lifetime ends.::",
        "Example Instances": "::An adversary conducts a phishing attack and tricks a victim into installing a malicious browser plugin. The adversary then positions themself between the victim and their banking institution. The victim begins by initiating a funds transfer from their personal savings to their personal checking account. Using injected JavaScript, the adversary captures this request and modifies it to transfer an increased amount of funds to an account that they controls, before sending it to the bank. The bank processes the transfer and sends the confirmation notice back to the victim, which is instead intercepted by the adversary. The adversary modifies the confirmation to reflect the original transaction details and sends this modified message back to the victim. Upon receiving the confirmation, the victim assumes the transfer was successful and is unaware that their money has just been transferred to the adversary.::In 2020, the Agent Tesla malware was leveraged to conduct AiTB attacks against organizations within the gas, oil, and other energy sectors. The malware was delivered via a spearphishing campaign and has the capability to form-grab, keylog, copy clipboard data, extract credentials, and capture screenshots. [REF-630]::Boy in the browser attacks are a subset of AiTB attacks. Similar to AiTB attacks, the adversary must first trick the victim into installing a Trojan, either via social engineering or drive-by-download attacks. The malware then modifies the victim's hosts file in order to reroute web traffic from an intended website to an adversary-controlled website that mimics the legitimate website. The adversary is now able to observe, intercept, and/or modify all traffic, as in a traditional Adversary in the Middle attack (CAPEC-94). BiTB attacks are low-cost, easy to execute, and more difficult to detect since the malware often removes itself once the attack has concluded. [REF-631]::Man in the Mobile attacks are a subset of AiTB attacks that target mobile device users. Like AiTB attacks, an adversary convinces a victim to install a Trojan mobile application on their mobile device, often under the guise of security. Once the victim has installed the application, the adversary can capture all SMS traffic to bypass SMS-based out-of-band authentication systems. [REF-632]::",
        "Related Weaknesses": "::300::494::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1185:ENTRY NAME:Man in the Browser::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Man-in-the-browser attack::",
        "Notes": ""
    },
    {
        "CAPEC ID": "665",
        "ID": "Exploitation of Thunderbolt Protection Flaws",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:276::NATURE:CanFollow:CAPEC ID:390::NATURE:PeerOf:CAPEC ID:458::NATURE:PeerOf:CAPEC ID:148::NATURE:PeerOf:CAPEC ID:151::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Survey physical victim environment and potential Thunderbolt system targets] The adversary monitors the target's physical environment to identify systems with Thunderbolt interfaces, identify potential weaknesses in physical security in addition to periods of nonattendance by the victim over their Thunderbolt interface equipped devices, and when the devices are in locked or sleep state.::STEP:2:PHASE:Explore:DESCRIPTION:[Evaluate the target system and its Thunderbolt interface] The adversary determines the device's operating system, Thunderbolt interface version, and any implemented Thunderbolt protections to plan the attack.::STEP:1:PHASE:Experiment:DESCRIPTION:[Obtain and/or clone firmware image] The adversary physically manipulates Thunderbolt enabled devices to acquire the firmware image from the target and/or adversary Thunderbolt host controller's SPI (Serial Peripheral Interface) flash.TECHNIQUE:Disassemble victim and/or adversary device enclosure with basic tools to gain access to Thunderbolt controller SPI flash by connecting adversary SPI programmer.:TECHNIQUE:Adversary connects SPI programmer to adversary-controlled Thunderbolt enabled device to obtain/clone victim thunderbolt controller firmware image through tools/scripts.:TECHNIQUE:Clone firmware image with SPI programmer and tools/scripts on adversary-controlled device.::STEP:2:PHASE:Experiment:DESCRIPTION:[Parse and locate relevant firmware data structures and information based upon Thunderbolt controller model, firmware version, and other information] The acquired victim and/or adversary firmware image is parsed for specific data and other relevant identifiers required for exploitation, based upon the victim device information and firmware version.TECHNIQUE:Utilize pre-crafted tools/scripts to parse and locate desired firmware data and modify it.:TECHNIQUE:Locate DROM (Device Read Only Memory) data structure section and calculate/determine appropriate offset to replicate victim device UUID.:TECHNIQUE:Locate ACL (Access Control List) data structure and calculate/determine appropriate offsets to identify victim device UUID.:TECHNIQUE:Locate data structure containing challenge-response key information between appropriate offsets.::STEP:3:PHASE:Experiment:DESCRIPTION:[Disable Thunderbolt security and prevent future Thunderbolt security modifications (if necessary)] The adversary overrides the target device's Thunderbolt Security Level to None (SL0) and/or enables block protections upon the SPI flash to prevent the ability for the victim to perform and/or recognize future Thunderbolt security modifications as well as update the Thunderbolt firmware.TECHNIQUE:The adversary-controlled Thunderbolt device, connected to SPI programmer and victim device via Thunderbolt ports, is utilized to execute commands within tools/scripts to disable SPI flash protections, modify Thunderbolt Security Level, and enable malicious SPI flash protections.::STEP:4:PHASE:Experiment:DESCRIPTION:[Modify/replace victim Thunderbolt firmware image] The modified victim and/or adversary thunderbolt firmware image is written to attacker SPI flash.::STEP:1:PHASE:Exploit:DESCRIPTION:[Connect adversary-controlled thunderbolt enabled device to victim device and verify successful execution of malicious actions] The adversary needs to determine if their exploitation of selected vulnerabilities had the intended effects upon victim device.TECHNIQUE:Observe victim device identify adversary device as the victim device and enables PCIe tunneling.:TECHNIQUE:Resume victim device from sleep, connect adversary-controlled device and observe security is disabled and Thunderbolt connectivity is restored with PCIe tunneling being enabled.:TECHNIQUE:Observe that in UEFI or Thunderbolt Management Tool/UI that the Security Level does not match adversary modified Security Level of None (SL0):TECHNIQUE:Observe after installation of Firmware update that within Thunderbolt Management UI the NVM version is unchanged/same prior to the prompt of successful Firmware update/installation.::STEP:2:PHASE:Exploit:DESCRIPTION:[Exfiltration of desired data from victim device to adversary device] Utilize PCIe tunneling to transfer desired data and information from victim device across Thunderbolt connection.::",
        "Prerequisites": "::The adversary needs at least a few minutes of physical access to a system with an open Thunderbolt port, version 3 or lower, and an external thunderbolt device controlled by the adversary with maliciously crafted software and firmware, via an SPI Programming device, to exploit weaknesses in security protections.::",
        "Skills Required": "::SKILL:Detailed knowledge on various system motherboards, PCI Express Domain, SPI, and Thunderbolt Protocol in order to interface with internal system components via external devices.:LEVEL:High::SKILL:Detailed knowledge on OS/Kernel memory address space, Direct Memory Access (DMA) mapping, Input-Output Memory Management Units (IOMMUs), and vendor memory protections for data leakage.:LEVEL:High::SKILL:Detailed knowledge on scripting and SPI programming in order to configure and modify Thunderbolt controller firmware and software configurations.:LEVEL:High::",
        "Resources Required": "::SPI Programming device capable of modifying/configuring or replacing the firmware of Thunderbolt device stored on SPI Flash of target Thunderbolt controller, as well as modification/spoofing of adversary-controlled Thunderbolt controller.::Precrafted scripts/tools capable of implementing the modification and replacement of Thunderbolt Firmware.::Thunderbolt-enabled computing device capable of interfacing with target Thunderbolt device and extracting/dumping data and memory contents of target device.::",
        "Indicators": "::Windows Event logs may document the access of Thunderbolt port as a USB 3.0 event as well as any malicious actions taken upon target device as file system and memory events.::",
        "Consequences": "::SCOPE:Access ControlTECHNICAL IMPACT:Bypass Protection Mechanism::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "::Implementation: Kernel Direct Memory Access Protection::Configuration: Enable UEFI option USB Passthrough mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface::Configuration: Enable UEFI option DisplayPort mode - Thunderbolt 3 system port operates as video-only DP interface::Configuration: Enable UEFI option Mixed USB/DisplayPort mode - Thunderbolt 3 system port operates as USB 3.1 Type C interface with support for DP mode::Configuration: Set Security Level to SL3 for Thunderbolt 2 system port::Configuration: Disable PCIe tunneling to set Security Level to SL3::Configuration: Disable Boot Camp upon MacOS systems::",
        "Example Instances": "::An adversary steals a password protected laptop that contains a Thunderbolt 3 enabled port, from a work environment. The adversary uses a screw driver to remove the back panel of the laptop and connects a SPI Programming device to the Thunderbolt Host Controller SPI Flash of the stolen victim device to interface with it on the adversary's own Thunderbolt enabled device via Thunderbolt cables. The SPI Programming device is utilized to execute scripts/tools from the adversary's own system to copy, parse, and modify the victim's Thunderbolt firmware stored on SPI Flash. The device UUID value is obtained, by computing the appropriate offset based upon Thunderbolt firmware version and the OS of victim device, from the DROM section of victim Thunderbolt host controller firmware image. The firmware image is written to adversary Thunderbolt host controller SPI flash to clone and spoof victim device identity. The adversary reboots the victim device, with the victim device identifying the Thunderbolt connection of the adversary's Thunderbolt device as itself and enables PCIe tunneling. The adversary finally transfers the hard drive and memory contents of victim device across Thunderbolt connection.::",
        "Related Weaknesses": "::345::353::288::1188::862::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1211:ENTRY NAME:Exploitation for Defensive Evasion::::TAXONOMY NAME:ATTACK:ENTRY ID:1542.002:ENTRY NAME:Pre-OS Boot: Component Firmware::::TAXONOMY NAME:ATTACK:ENTRY ID:1556:ENTRY NAME:Modify Authentication Process::",
        "Notes": ""
    },
    {
        "CAPEC ID": "666",
        "ID": "BlueSmacking",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:125::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Scan for Bluetooth Enabled Devices] Using BlueZ along with an antenna, an adversary searches for devices with Bluetooth on.TECHNIQUE:Note the MAC address of the device you want to attack.::STEP:2:PHASE:Experiment:DESCRIPTION:[Change L2CAP Packet Length] The adversary must change the L2CAP packet length to create packets that will overwhelm a Bluetooth enabled device.TECHNIQUE:An adversary downloads and installs BlueZ, the standard Bluetooth utility package for Linux.::STEP:3:PHASE:Exploit:DESCRIPTION:[Flood] An adversary sends the packets to the target device, and floods it until performance is degraded.::",
        "Prerequisites": "::The system/application has Bluetooth enabled.::",
        "Skills Required": "::SKILL:An adversary only needs a Linux machine along with a Bluetooth adapter, which is extremely common.:LEVEL:Low::",
        "Resources Required": "",
        "Indicators": "::Performance is degraded or halted by incoming L2CAP packets.::",
        "Consequences": "::SCOPE:AvailabilityTECHNICAL IMPACT:Unreliable Execution:TECHNICAL IMPACT:Resource Consumption::",
        "Mitigations": "::Disable Bluetooth when not being used.::When using Bluetooth, set it to hidden or non-discoverable mode.::",
        "Example Instances": "",
        "Related Weaknesses": "::404::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1498.001:ENTRY NAME:Network Denial of Service: Direct Network Flood::::TAXONOMY NAME:ATTACK:ENTRY ID:1499.001:ENTRY NAME:Endpoint Denial of Service: OS Exhaustion Flood::",
        "Notes": ""
    },
    {
        "CAPEC ID": "668",
        "ID": "Key Negotiation of Bluetooth Attack (KNOB)",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:115::NATURE:CanPrecede:CAPEC ID:148::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Discovery] Using an established Person in the Middle setup, search for Bluetooth devices beginning the authentication process.TECHNIQUE:Use packet capture tools.::STEP:2:PHASE:Experiment:DESCRIPTION:[Change the entropy bits] Upon recieving the initial key negotiation packet from the master, the adversary modifies the entropy bits requested to 1 to allow for easy decryption before it is forwarded.::STEP:3:PHASE:Exploit:DESCRIPTION:[Capture and decrypt data] Once the entropy of encryption is known, the adversary can capture data and then decrypt on their device.::",
        "Prerequisites": "::Person in the Middle network setup.::",
        "Skills Required": "::SKILL:Ability to modify packets.:LEVEL:Medium::",
        "Resources Required": "::Bluetooth adapter, packet capturing capabilities.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Bypass Protection Mechanism::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Newer Bluetooth firmwares ensure that the KNOB is not negotaited in plaintext. Update your device.::",
        "Example Instances": "::Given users Alice, Bob and Charlie (Charlie being the attacker), Alice and Bob begin to agree on an encryption key when connecting. While Alice sends a message to Bob that an encryption key with 16 bytes of entropy should be used, Charlie changes this to 1 and forwards the request to Bob and continues forwarding these packets until authentication is successful.::",
        "Related Weaknesses": "::425::285::693::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1565.002:ENTRY NAME:Data Manipulation: Transmitted Data Manipulation::",
        "Notes": ""
    },
    {
        "CAPEC ID": "669",
        "ID": "Alteration of a Software Update",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "An adversary with access to an organization\u2019s software update infrastructure inserts malware into the content of an outgoing update to fielded systems where a wide range of malicious effects are possible. With the same level of access, the adversary can alter a software update to perform specific malicious acts including granting the adversary control over the software\u2019s normal functionality.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:184::NATURE:CanPrecede:CAPEC ID:673::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify software with frequent updates] The adversary must first identify a target software that has updates at least with some frequency, enough that there is am update infrastructure.::STEP:2:PHASE:Experiment:DESCRIPTION:[Gain access to udpate infrastructure] The adversary must then gain access to the organization's software update infrastructure. This can either be done by gaining remote access from outside the organization, or by having a malicious actor inside the organization gain access. It is often easier if someone within the organization gains access.::STEP:3:PHASE:Exploit:DESCRIPTION:[Alter the software update] Through access to the software update infrastructure, an adversary will alter the software update by injecting malware into the content of an outgoing update.::",
        "Prerequisites": "::An adversary would need to have penetrated an organization\u2019s software update infrastructure including gaining access to components supporting the configuration management of software versions and updates related to the software maintenance of customer systems.::",
        "Skills Required": "::SKILL:Skills required include the ability to infiltrate the organization\u2019s software update infrastructure either from the Internet or from within the organization, including subcontractors, and be able to change software being delivered to customer/user systems in an undetected manner.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Access ControlTECHNICAL IMPACT:Gain Privileges::SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Have a Software Assurance Plan that includes maintaining strict configuration management control of source code, object code and software development, build and distribution tools; manual code reviews and static code analysis for developmental software; and tracking of all storage and movement of code.::Require elevated privileges for distribution of software and software updates.::",
        "Example Instances": "::A subcontractor to a software developer injects maliciously altered software updates into an automated update process that distributes to government and commercial customers software containing a hidden backdoor.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.002:ENTRY NAME:Supply Chain Compromise: Compromise Software Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "670",
        "ID": "Software Development Tools Maliciously Altered",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::NATURE:CanPrecede:CAPEC ID:669::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary would need to have access to a targeted developer\u2019s development environment and in particular to tools used to design, create, test and manage software, where the adversary could ensure malicious code is included in software packages built through alteration or substitution of tools in the environment used in the development of software.::",
        "Skills Required": "::SKILL:Ability to leverage common delivery mechanisms (e.g., email attachments, removable media) to infiltrate a development environment to gain access to software development tools for the purpose of malware insertion into an existing tool or replacement of an existing tool with a maliciously altered copy.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Execute Unauthorized Commands::SCOPE:Access ControlTECHNICAL IMPACT:Gain Privileges::SCOPE:ConfidentialityTECHNICAL IMPACT:Modify Data:TECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Have a security concept of operations (CONOPS) for the development environment that includes: Maintaining strict security administration and configuration management of requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools.::Avoid giving elevated privileges to developers.::",
        "Example Instances": "::An adversary with access to software build tools inside an Integrated Development Environment IDE alters a script used for downloading dependencies from a dependent code repository where the script has been changed to include malicious code implanted in the repository by the adversary.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1127:ENTRY NAME:Trusted Developer Utilities Proxy Execution::::TAXONOMY NAME:ATTACK:ENTRY ID:1195.001:ENTRY NAME:Supply Chain Compromise: Compromise Software Dependencies and Development Tools::",
        "Notes": ""
    },
    {
        "CAPEC ID": "671",
        "ID": "Requirements for ASIC Functionality Maliciously Altered",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user\u2019s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:447::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary would need to have access to a foundry\u2019s or chip maker\u2019s requirements management system that stores customer requirements for ASICs, requirements upon which the design of the ASIC is based.::",
        "Skills Required": "::SKILL:An adversary would need experience in designing chips based on functional requirements in order to manipulate requirements in such a way that deviations would not be detected in subsequent stages of ASIC manufacture and where intended malicious functionality would be available to the adversary once integrated into a system and fielded.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Alter Execution Logic::",
        "Mitigations": "::Utilize DMEA\u2019s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.::Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for hardware requirements and design.::Require that provenance of COTS microelectronic components be known whenever procured.::Conduct detailed vendor assessment before acquiring COTS hardware.::",
        "Example Instances": "::An adversary with access to ASIC functionality requirements for various customers, targets a particular customer\u2019s ordered lot of ASICs by altering its functional requirements such that the ASIC design will result in a manufactured chip that does not meet the customer\u2019s capability needs.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "672",
        "ID": "Malicious Code Implanted During Chip Programming",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip\u2019s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary would need to have access to a foundry\u2019s or chip maker\u2019s development/production environment where programs for specific chips are developed, managed and uploaded into targeted chips prior to distribution or sale.::",
        "Skills Required": "::SKILL:An adversary needs to be skilled in microprogramming, manipulation of configuration management systems, and in the operation of tools used for the uploading of programs into chips during manufacture. Uploading can be for individual chips or performed on a large scale basis.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Alter Execution Logic::",
        "Mitigations": "::Utilize DMEA\u2019s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.::Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management of microcode and microcode generating tools and software.::Require that provenance of COTS microelectronic components be known whenever procured.::Conduct detailed vendor assessment before acquiring COTS hardware.::",
        "Example Instances": "::Following a chip\u2019s production process steps of test and verification and validation of chip circuitry, an adversary involved in the generation of microcode defining the chip\u2019s function(s) inserts a malicious instruction that will become part of the chip\u2019s program. When integrated into a system, the chip will produce an effect intended by the adversary.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "673",
        "ID": "Developer Signing Maliciously Altered Software",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems. This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary would need to have access to a targeted developer\u2019s software development environment, including to their software build processes, where the adversary could ensure code maliciously tainted prior to a build process is included in software packages built.::",
        "Skills Required": "::SKILL:The adversary must have the skills to infiltrate a developer\u2019s software development/build environment and to implant malicious code in developmental software code, a build server, or a software repository containing dependency code, which would be referenced to be included during the software build process.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Integrity:SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data:TECHNICAL IMPACT:Modify Data::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges:TECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "::Have a security concept of operations (CONOPS) for the IDE that includes: Protecting the IDE via logical isolation using firewall and DMZ technologies/architectures; Maintaining strict security administration and configuration management of configuration management tools, developmental software and dependency code repositories, compilers, and system build tools.::Employ intrusion detection and malware detection capabilities on IDE systems where feasible.::",
        "Example Instances": "::An adversary who has infiltrated an organization\u2019s build environment maliciously alters code intended to be included in a product\u2019s software build via software dependency inclusion, part of the software build process. When the software product has been built, the developer electronically signs the finished product using their signing key. The recipient of the software product, an end user/customer, believes the software to reflect the developer\u2019s intent with respect to functionality unaware of the adversary\u2019s malicious intent harbored within.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.002:ENTRY NAME:Supply Chain Compromise: Compromise Software Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "674",
        "ID": "Design for FPGA Maliciously Altered",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:447::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary would need to have access to FPGA programming/configuration-related systems in a chip maker\u2019s development environment where FPGAs can be initially configured prior to delivery to a customer or have access to such systems in a customer facility where end-user FPGA configuration/reconfiguration can be performed.::",
        "Skills Required": "::SKILL:An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced.:LEVEL:High::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Alter Execution Logic::",
        "Mitigations": "::Utilize DMEA\u2019s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.::Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for FPGA programming and program uploads to FPGA chips.::Require that provenance of COTS microelectronic components be known whenever procured.::Conduct detailed vendor assessment before acquiring COTS hardware.::",
        "Example Instances": "::An adversary with access and the ability to alter the configuration/programming of FPGAs in organizational systems, introduces a trojan backdoor that can be used to alter the behavior of the original system resulting in, for example, compromise of confidentiality of data being processed.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "675",
        "ID": "Retrieve Data from Decommissioned Devices",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization\u2019s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "Medium",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:116::NATURE:CanPrecede:CAPEC ID:37::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary needs to have access to electronic data processing equipment being recycled or disposed of (e.g., laptops, servers) at a collection location and the ability to take control of it for the purpose of exploiting its content.::",
        "Skills Required": "::SKILL:An adversary may need the ability to mount printed circuit boards and target individual chips for exploitation.:LEVEL:High::SKILL:An adversary needs the technical skills required to extract solid state drives, hard disk drives, and other storage media to host on a compatible system or harness to gain access to digital content.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:AccountabilityTECHNICAL IMPACT:Bypass Protection Mechanism::",
        "Mitigations": "::Backup device data before erasure to retain intellectual property and inside knowledge.::Overwrite data on device rather than deleting. Deleted data can still be recovered, even if the device trash can is emptied. Rewriting data removes any trace of the old data. Performing multiple overwrites followed by a zeroing of the device (overwriting with all zeros) is good practice.::Use a secure erase software.::Physically destroy the device if it is not intended to be reused. Using a specialized service to disintegrate, burn, melt or pulverize the device can be effective, but if those services are inaccessible, drilling nails or holes, or smashing the device with a hammer can be effective. Do not burn, microwave, or pour acid on a hard drive.::Physically destroy memory and SIM cards for mobile devices not intended to be reused.::Ensure that the user account has been terminated or switched to a new device before destroying.::",
        "Example Instances": "::A company is contracted by an organization to provide data destruction services for solid state and hard disk drives being discarded. Prior to destruction, an adversary within the contracted company copies data from select devices, violating the data confidentiality requirements of the submitting organization.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1052:ENTRY NAME:Exfiltration Over Physical Medium::",
        "Notes": ""
    },
    {
        "CAPEC ID": "677",
        "ID": "Server Functionality Compromise",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:534::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary with access to hardware/software processes and tools within the development or hardware/software support environment can insert malicious software into hardware components during development or update/maintenance.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Execute Unauthorized Commands::",
        "Mitigations": "::Purchase IT systems, components and parts from government approved vendors whenever possible.::Establish diversity among suppliers.::Conduct rigorous threat assessments of suppliers.::Require that Bills of Material (BoM) for critical parts and components be certified.::Utilize contract language requiring contractors and subcontractors to flow down to subcontractors and suppliers SCRM and SCRA (Supply Chain Risk Assessment) requirements.::Establish trusted supplier networks.::",
        "Example Instances": "::Malware is inserted into the Unified Extensible Firmware Interface (UEFI) software that resides on a flash memory chip soldered to a computer\u2019s motherboard. It is the first thing to turn on when a system is booted and is allowed access to almost every part of the operating system. Hence, the malware will have extensive control over operating system functions and persist after system reboots. [REF-685]::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.003:ENTRY NAME:Supply Chain Compromise: Compromise Hardware Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "678",
        "ID": "System Build Data Maliciously Altered",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "During the system build process, the system is deliberately misconfigured by the alteration of the build data. Access to system configuration data files and build processes are susceptible to deliberate misconfiguration of the system.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:444::",
        "Execution Flow": "",
        "Prerequisites": "::An adversary has access to the data files and processes used for executing system configuration and performing the build.::",
        "Skills Required": "",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Execute Unauthorized Commands::SCOPE:Access ControlTECHNICAL IMPACT:Gain Privileges::SCOPE:ConfidentialityTECHNICAL IMPACT:Modify Data:TECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Implement configuration management security practices that protect the integrity of software and associated data.::Monitor and control access to the configuration management system.::Harden centralized repositories against attack.::Establish acceptance criteria for configuration management check-in to assure integrity.::Plan for and audit the security of configuration management administration processes.::Maintain configuration control over operational systems.::",
        "Example Instances": "::\u2018Make\u2019 is a program used for building executable programs and libraries from source code by executing commands and following rules in a \u2018makefile\u2019. It can create a malicious executable if commands or dependency paths in the makefile are maliciously altered to execute an unwanted command or reference as a dependency maliciously altered code.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.002:ENTRY NAME:Supply Chain Compromise: Compromise Software Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "68",
        "ID": "Subvert Code-signing Facilities",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:233::",
        "Execution Flow": "",
        "Prerequisites": "::A framework-based language that supports code signing (such as, and most commonly, Java or .NET)::Deployed code that has been signed by its authoring vendor, or a partner.::The attacker will, for most circumstances, also need to be able to place code in the victim container. This does not necessarily mean that they will have to subvert host-level security, except when explicitly indicated.::",
        "Skills Required": "::SKILL:Subverting code signing is not a trivial activity. Most code signing and verification schemes are based on use of cryptography and the attacker needs to have an understanding of these cryptographic operations in good detail. Additionally the attacker also needs to be aware of the way memory is assigned and accessed by the container since, often, the only way to subvert code signing would be to patch the code in memory. Finally, a knowledge of the platform specific mechanisms of signing and verifying code is a must.:LEVEL:High::",
        "Resources Required": "::The Attacker needs no special resources beyond the listed prerequisites in order to conduct this style of attack.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::A given code signing scheme may be fallible due to improper use of cryptography. Developers must never roll out their own cryptography, nor should existing primitives be modified or ignored.::If an attacker cannot attack the scheme directly, they might try to alter the environment that affects the signing and verification processes. A possible mitigation is to avoid reliance on flags or environment variables that are user-controllable.::",
        "Example Instances": "::In old versions (prior to 3.0b4) of the Netscape web browser Attackers able to foist a malicious Applet into a client's browser could execute the Magic Coat attack. In this attack, the offending Applet would implement its own getSigners() method. This implementation would use the containing VM's APIs to acquire other Applet's signatures (by calling _their_ getSigners() method) and if any running Applet had privileged-enough signature, the malicious Applet would have inherited that privilege just be (metaphorically) donning the others' coats.::Some (older) web browsers allowed scripting languages, such as JavaScript, to call signed Java code. In these circumstances, the browser's VM implementation would choose not to conduct stack inspection across language boundaries (from called signed Java to calling JavaScript) and would short-circuit true at the language boundary. Doing so meant that the VM would allow any (unprivileged) script to call privileged functions within signed code with impunity, causing them to fall prey to luring attacks.::The ability to load unsigned code into the kernel of earlier versions of Vista and bypass integrity checking is an example of such subversion. In the proof-of-concept, it is possible to bypass the signature-checking mechanism Vista uses to load device drivers.::",
        "Related Weaknesses": "::325::328::1326::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1553.002:ENTRY NAME:Subvert Trust Controls: Code Signing::",
        "Notes": ""
    },
    {
        "CAPEC ID": "691",
        "ID": "Spoof Open-Source Software Metadata",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:690::NATURE:CanPrecede:CAPEC ID:184::NATURE:CanPrecede:CAPEC ID:444::NATURE:PeerOf:CAPEC ID:630::",
        "Execution Flow": "",
        "Prerequisites": "::Identification of a popular open-source component whose metadata is to be spoofed.::",
        "Skills Required": "::SKILL:Ability to spoof a variety of software metadata to convince victims the source is trusted.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:AccountabilityTECHNICAL IMPACT:Hide Activities::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:TECHNICAL IMPACT:Alter Execution Logic:TECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Before downloading open-source software, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.::Within package managers, look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.::Reference vulnerability databases to determine if the software contains known vulnerabilities.::Only download open-source software from reputable hosting sites or package managers.::Only download open-source software that has been adequately signed by the developer(s). For repository commits/tags, look for the Verified status and for developers leveraging Vigilant Mode (GitHub) or similar modes.::After downloading open-source software, ensure integrity values have not changed.::Before executing or incorporating the software, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.::",
        "Example Instances": "::An adversary provides a malicious open-source library, claiming to provide extended logging features and functionality, and spoofs the metadata with that of a widely used legitimate library. The adversary then tricks victims into including this library in their underlying application. Once the malicious software is incorporated into the application, the adversary is able to manipulate and exfiltrate log data.::",
        "Related Weaknesses": "::494::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.001:ENTRY NAME:Supply Chain Compromise: Compromise Software Dependencies and Development Tools::::TAXONOMY NAME:ATTACK:ENTRY ID:1195.002:ENTRY NAME:Supply Chain Compromise: Compromise Software Supply Chain::",
        "Notes": ""
    },
    {
        "CAPEC ID": "694",
        "ID": "System Location Discovery",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary collects information about the target system in an attempt to identify the system's geographical location. Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very Low",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:169::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[System Locale Information Discovery] The adversary examines system information from various sources such as registry and native API functions and correlates the gathered information to infer the geographical location of the target systemTECHNIQUE:Registry Query: Query the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlContentIndexLanguageLanguage_Dialect on Windows to obtain system language, ComputerHKEY_CURRENT_USERKeyboard LayoutPreload to obtain the hexadecimal language IDs of the current user's preloaded keyboard layouts, and ComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTimeZoneInformation to obtain the system timezone configuration:TECHNIQUE:Native API Requests: Parse the outputs of Windows API functions GetTimeZoneInformation, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID to obtain information about languages, keyboard layouts, and timezones installed on the system or on macOS or Linux systems, query locale to obtain the $LANG environment variable and view keyboard layout information or use timeanddatectl status to show the system clock settings.:TECHNIQUE:Read Configuration Files: For macOS and Linux-based systems, view the /etc/vconsole.conf file to get information about the keyboard mapping and console font.::",
        "Prerequisites": "::The adversary must have some level of access to the system and have a basic understanding of the operating system in order to query the appropriate sources for relevant information.::",
        "Skills Required": "::SKILL:The adversary must know how to query various system sources of information respective of the system's operating system to obtain the relevant information.:LEVEL:Low::",
        "Resources Required": "::The adversary requires access to the target's operating system tools to query relevant system information. On windows, registry queries can be conducted with powershell, wmi, or regedit. On Linux or macOS, queries can be performed with through a shell.::",
        "Indicators": "",
        "Consequences": "::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::To reduce the amount of information gathered, one could disable various geolocation features of the operating system not required for system operation.::",
        "Example Instances": "",
        "Related Weaknesses": "::497::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1614:ENTRY NAME:System Language Discovery::",
        "Notes": ""
    },
    {
        "CAPEC ID": "695",
        "ID": "Repo Jacking",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:616::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify target] The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack.::STEP:2:PHASE:Experiment:DESCRIPTION:[Recreate initial repository path] The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse.::STEP:3:PHASE:Exploit:DESCRIPTION:[Exploit victims] The adversary's malicious code is incorporated into applications that directly reference the initial repository, which further allows the adversary to conduct additional attacks.::",
        "Prerequisites": "::Identification of a popular repository that may be directly referenced in numerous software applications::A repository owner/maintainer who has recently changed their username or deleted their account::",
        "Skills Required": "::SKILL:Ability to create an account on a VCS hosting site and recreate an existing directory structure.:LEVEL:Low::SKILL:Ability to create malware that can exploit various software applications.:LEVEL:Low::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Read Data:TECHNICAL IMPACT:Modify Data::SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Execute Unauthorized Commands:TECHNICAL IMPACT:Alter Execution Logic:TECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Leverage dedicated package managers instead of directly linking to VCS repositories.::Utilize version pinning and lock files to prevent use of maliciously modified repositories.::Implement vendoring (i.e., including third-party dependencies locally) and leverage automated testing techniques (e.g., static analysis) to determine if the software behaves maliciously.::Leverage automated tools, such as Checkmarx's ChainJacking tool, to determine susceptibility to Repo Jacking attacks.::",
        "Example Instances": "::In May 2022, the CTX Python package and PhPass PHP package were both exploited by the same adversary via Repo Jacking attacks. For the CTX package, the adversary performed an account takeover via a password reset, due to an expired domain-hosting email. The attack on PhPass entailed bypassing GitHub's authentication for retired repositories. In both cases, sensitive data in the form of API keys and passwords, each stored in the form of environment variables, were exfiltrated. [REF-732] [REF-733]::In October 2021, the popular JavaScript library UAParser.js was exploited via the takeover of the author's Node Package Manager (NPM) account. The adversary-provided malware downloaded and executed binaries from a remote server to conduct crypto-mining and to exfiltrate sensitive data on Windows systems. This was a wide-scale attack as the package receives 8 to 9 million downloads per week. [REF-732]::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1195.001:ENTRY NAME:Supply Chain Compromise: Compromise Software Dependencies and Development Tools::",
        "Notes": ""
    },
    {
        "CAPEC ID": "697",
        "ID": "DHCP Spoofing",
        "Abstraction": "Standard",
        "Status": "Stable",
        "Description": "An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Low",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:194::NATURE:CanPrecede:CAPEC ID:158::NATURE:CanPrecede:CAPEC ID:94::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine Exsisting DHCP lease] An adversary observes network traffic and waits for an existing DHCP lease to expire on a target machine in the LAN.TECHNIQUE:Adversary observes LAN traffic for DHCP solicitations::STEP:2:PHASE:Experiment:DESCRIPTION:[Capture the DHCP DISCOVER message] The adversary captures DISCOVER messages and crafts OFFER responses for the identified target MAC address. The success of this attack centers on the capturing of and responding to these DISCOVER messages.TECHNIQUE:Adversary captures and responds to DHCP DISCOVER messages tailored to the target subnet.::STEP:3:PHASE:Exploit:DESCRIPTION:[Compromise Network Access and Collect Network Activity] An adversary successfully acts as a rogue DHCP server by redirecting legitimate DHCP requests to itself.TECHNIQUE:Adversary sends repeated DHCP REQUEST messages to quickly lease all the addresses within network's DHCP pool and forcing new DHCP requests to be handled by the rogue DHCP server.::",
        "Prerequisites": "::The adversary must have access to a machine within the target LAN which can send DHCP offers to the target.::",
        "Skills Required": "::SKILL:The adversary must identify potential targets for DHCP Spoofing and craft network configurations to obtain the desired results.:LEVEL:Medium::",
        "Resources Required": "::The adversary requires access to a machine within the target LAN on a network which does not secure its DHCP traffic through MAC-Forced Forwarding, port security, etc.::",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access ControlTECHNICAL IMPACT:Read Data::SCOPE:Integrity:SCOPE:Access ControlTECHNICAL IMPACT:Modify Data:TECHNICAL IMPACT:Execute Unauthorized Commands::SCOPE:AvailabilityTECHNICAL IMPACT:Resource Consumption::",
        "Mitigations": "::Design: MAC-Forced Forwarding::Implementation: Port Security and DHCP snooping::Implementation: Network-based Intrusion Detection Systems::",
        "Example Instances": "::In early 2019, Microsoft patched a critical vulnerability (CVE-2019-0547) in the Windows DHCP client which allowed remote code execution via crafted DHCP OFFER packets. [REF-739]::",
        "Related Weaknesses": "::923::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1557.003:ENTRY NAME:Adversary-in-the-Middle: DHCP Spoofing::",
        "Notes": "",
    },
    {
        "CAPEC ID": "698",
        "ID": "Install Malicious Extension",
        "Abstraction": "Detailed",
        "Status": "Stable",
        "Description": "An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:542::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Identify target(s)] The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base.::STEP:2:PHASE:Experiment:DESCRIPTION:[Create malicious extension] Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic.::STEP:3:PHASE:Exploit:DESCRIPTION:[Install malicious extension] The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.TECHNIQUE:Adversary-Installed: Having already compromised the target system, the adversary simply installs the malicious extension/plugin themself.:TECHNIQUE:User-Installed: The adversary tricks the user into installing the malicious extension/plugin, via means such as social engineering, or may upload the malware on a reputable extension/plugin hosting site and wait for unknowing victims to install the malicious component.::",
        "Prerequisites": "::The adversary must craft malware based on the type of software and system(s) they intend to exploit.::If the adversary intends to install the malicious extension themself, they must first compromise the target machine via some other means.::",
        "Skills Required": "::SKILL:Ability to create malicious extensions that can exploit specific software applications and systems.:LEVEL:Medium::SKILL:Optional: Ability to exploit target system(s) via other means in order to gain entry.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access ControlTECHNICAL IMPACT:Read Data::SCOPE:Integrity:SCOPE:Access ControlTECHNICAL IMPACT:Modify Data::SCOPE:Authorization:SCOPE:Access ControlTECHNICAL IMPACT:Execute Unauthorized Commands:TECHNICAL IMPACT:Alter Execution Logic:TECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Only install extensions/plugins from official/verifiable sources.::Confirm extensions/plugins are legitimate and not malware masquerading as a legitimate extension/plugin.::Ensure the underlying software leveraging the extension/plugin (including operating systems) is up-to-date.::Implement an extension/plugin allow list, based on the given security policy.::If applicable, confirm extensions/plugins are properly signed by the official developers.::For web browsers, close sessions when finished to prevent malicious extensions/plugins from executing the the background.::",
        "Example Instances": "::In January 2018, Palo Alto's Unit 42 reported that a malicious Internet Information Services (IIS) extension they named RGDoor was used to create a backdoor into several Middle Eastern government organizations, as well as a financial institution and an educational institution. This malware was used in conjunction with the TwoFace webshell and allowed the adversaries to upload/download files and execute unauthorized commands. [REF-740]::In December 2018, it was reported that North Korea-based APT Kimusky (also known as Velvet Chollima) infected numerous legitimate academic organizations within the U.S., many specializing in biomedical engineering, with a malicious Google Chrome extension. Dubbed Operation STOLEN PENCIL, the attack entailed conducting spear-phishing attacks to trick victims into installing a malicious PDF reader named Auto Font Manager. Once installed, the malware allowed adversaries to steal cookies and site passwords, as well as forward emails from some compromised accounts. [REF-741]::",
        "Related Weaknesses": "::507::829::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1176:ENTRY NAME:Browser Extensions::::TAXONOMY NAME:ATTACK:ENTRY ID:1505.004:ENTRY NAME:Server Software Component: IIS Components::",
        "Notes": "",
    },
    {
        "CAPEC ID": "70",
        "ID": "Try Common or Default Usernames and Passwords",
        "Abstraction": "Detailed",
        "Status": "Draft",
        "Description": "An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. secret or password) that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "Medium",
        "Typical Severity": "High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:49::NATURE:CanPrecede:CAPEC ID:600::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:560::NATURE:CanPrecede:CAPEC ID:561::NATURE:CanPrecede:CAPEC ID:653::",
        "Execution Flow": "",
        "Prerequisites": "::The system uses one factor password based authentication.The adversary has the means to interact with the system.::",
        "Skills Required": "::SKILL:An adversary just needs to gain access to common default usernames/passwords specific to the technologies used by the system. Additionally, a brute force attack leveraging common passwords can be easily realized if the user name is known.:LEVEL:Low::",
        "Resources Required": "::Technology or vendor specific list of default usernames and passwords.::",
        "Indicators": "::Many incorrect login attempts are detected by the system.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::",
        "Mitigations": "::Delete all default account credentials that may be put in by the product vendor.::Implement a password throttling mechanism. This mechanism should take into account both the IP address and the log in name of the user.::Put together a strong password policy and make sure that all user created passwords comply with it. Alternatively automatically generate strong passwords for users.::Passwords need to be recycled to prevent aging, that is every once in a while a new password must be chosen.::",
        "Example Instances": "::A user sets their password to 123 or intentionally leaves their password blank. If the system does not have password strength enforcement against a sound password policy, this password may be admitted. Passwords like these two examples are two simple and common passwords that are easily able to be guessed by the adversary.::Cisco 2700 Series Wireless Location Appliances (version 2.1.34.0 and earlier) have a default administrator username root with a password password. This allows remote attackers to easily obtain administrative privileges. See also: CVE-2006-5288::In April 2019, adversaries attacked several popular IoT devices (a VOIP phone, an office printer, and a video decoder) across multiple customer locations. An investigation conducted by the Microsoft Security Resposne Center (MSRC) discovered that these devices were used to gain initial access to corporate networks. In two of the cases, the passwords for the devices were deployed without changing the default manufacturer\u2019s passwords and in the third instance the latest security update had not been applied to the device. [REF-572]::",
        "Related Weaknesses": "::521::262::263::798::654::308::309::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1078.001:ENTRY NAME:Valid Accounts:Default Accounts::",
        "Notes": ""
    },
    {
        "CAPEC ID": "94",
        "ID": "Adversary in the Middle (AiTM)",
        "Abstraction": "Meta",
        "Status": "Stable",
        "Description": "An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.",
        "Alternate Terms": "::TERM:Man-in-the-Middle / MITM:DESCRIPTION:::TERM:Person-in-the-Middle / PiTM:DESCRIPTION:::TERM:Monkey-in-the-Middle:DESCRIPTION:::TERM:Monster-in-the-Middle:DESCRIPTION:::TERM:On-path Attacker:DESCRIPTION:::",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:CanPrecede:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:668::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Determine Communication Mechanism] The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.TECHNIQUE:Perform a sniffing attack and observe communication to determine a communication protocol.:TECHNIQUE:Look for application documentation that might describe a communication mechanism used by a target.::STEP:2:PHASE:Experiment:DESCRIPTION:[Position In Between Targets] The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.TECHNIQUE:Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.:TECHNIQUE:Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.::STEP:3:PHASE:Exploit:DESCRIPTION:[Use Intercepted Data Maliciously] The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.TECHNIQUE:Prevent some messages from reaching their destination, causing a denial of service.::",
        "Prerequisites": "::There are two components communicating with each other.::An attacker is able to identify the nature and mechanism of communication between the two target components.::An attacker can eavesdrop on the communication between the target components.::Strong mutual authentication is not used between the two target components yielding opportunity for attacker interposition.::The communication occurs in clear (not encrypted) or with insufficient and spoofable encryption.::",
        "Skills Required": "::SKILL:This attack can get sophisticated since the attack may use cryptography.:LEVEL:Medium::",
        "Resources Required": "",
        "Indicators": "",
        "Consequences": "::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::",
        "Mitigations": "::Ensure Public Keys are signed by a Certificate Authority::Encrypt communications using cryptography (e.g., SSL/TLS)::Use Strong mutual authentication to always fully authenticate both ends of any communications channel.::Exchange public keys using a secure channel::",
        "Example Instances": "::In 2017, security researcher Jerry Decime discovered that Equifax mobile applications were not leveraging HTTPS in all areas. Although authentication was properly utilizing HTTPS, in addition to validating the root of trust of the server certificate, other areas of the application were using HTTP to communicate. Adversaries could then conduct MITM attacks on rogue WiFi or cellular networks and hijack the UX. This further allowed the adversaries to prompt users for sensitive data, which could then be obtained in the plaintext response. [REF-636]::",
        "Related Weaknesses": "::300::290::593::287::294::",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1557:ENTRY NAME:Adversary-in-the-Middle::::TAXONOMY NAME:OWASP Attacks:ENTRY NAME:Man-in-the-middle attack::",
        "Notes": ""
    },
    {
        "CAPEC ID": "98",
        "ID": "Phishing",
        "Abstraction": "Standard",
        "Status": "Draft",
        "Description": "Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or fishing for information.",
        "Alternate Terms": "",
        "Likelihood Of Attack": "High",
        "Typical Severity": "Very High",
        "Related Attack Patterns": "::NATURE:ChildOf:CAPEC ID:151::NATURE:CanPrecede:CAPEC ID:89::NATURE:CanPrecede:CAPEC ID:543::NATURE:CanPrecede:CAPEC ID:611::NATURE:CanPrecede:CAPEC ID:630::NATURE:CanPrecede:CAPEC ID:631::NATURE:CanPrecede:CAPEC ID:632::",
        "Execution Flow": "::STEP:1:PHASE:Explore:DESCRIPTION:[Obtain domain name and certificate to spoof legitimate site] This optional step can be used to help the attacker impersonate the legitimate site more convincingly. The attacker can use homograph attacks to convince users that they are using the legitimate website. Note that this step is not required for phishing attacks, and many phishing attacks simply supply URLs containing an IP address and no SSL certificate.TECHNIQUE:Optionally obtain a domain name that visually looks similar to the legitimate site's domain name. An example is www.paypaI.com vs. www.paypal.com (the first one contains a capital i, instead of a lower case L):TECHNIQUE:Optionally obtain a legitimate SSL certificate for the new domain name.::STEP:2:PHASE:Explore:DESCRIPTION:[Explore legitimate website and create duplicate] An attacker creates a website (optionally at a URL that looks similar to the original URL) that closely resembles the website that they are trying to impersonate. That website will typically have a login form for the victim to put in their authentication credentials. There can be different variations on a theme here.TECHNIQUE:Use spidering software to get copy of web pages on legitimate site.:TECHNIQUE:Manually save copies of required web pages from legitimate site.:TECHNIQUE:Create new web pages that have the legitimate site's look and feel, but contain completely new content.::STEP:3:PHASE:Exploit:DESCRIPTION:[Convince user to enter sensitive information on attacker's site.] An attacker sends an e-mail to the victim that has some sort of a call to action to get the user to click on the link included in the e-mail (which takes the victim to attacker's website) and log in. The key is to get the victim to believe that the e-mail is coming from a legitimate entity with which the victim does business and that the website pointed to by the URL in the e-mail is the legitimate website. A call to action will usually need to sound legitimate and urgent enough to prompt action from the user.TECHNIQUE:Send the user a message from a spoofed legitimate-looking e-mail address that asks the user to click on the included link.:TECHNIQUE:Place phishing link in post to online forum.::STEP:4:PHASE:Exploit:DESCRIPTION:[Use stolen credentials to log into legitimate site] Once the attacker captures some sensitive information through phishing (login credentials, credit card information, etc.) the attacker can leverage this information. For instance, the attacker can use the victim's login credentials to log into their bank account and transfer money to an account of their choice.TECHNIQUE:Log in to the legitimate site using another user's supplied credentials::",
        "Prerequisites": "::An attacker needs to have a way to initiate contact with the victim. Typically that will happen through e-mail.::An attacker needs to correctly guess the entity with which the victim does business and impersonate it. Most of the time phishers just use the most popular banks/services and send out their hooks to many potential victims.::An attacker needs to have a sufficiently compelling call to action to prompt the user to take action.::The replicated website needs to look extremely similar to the original website and the URL used to get to that website needs to look like the real URL of the said business entity.::",
        "Skills Required": "::SKILL:Basic knowledge about websites: obtaining them, designing and implementing them, etc.:LEVEL:Medium::",
        "Resources Required": "::Some web development tools to put up a fake website.::",
        "Indicators": "::You receive an e-mail from an entity that you are not even a customer of prompting you to log into your account.::You receive any e-mail that provides you with a link which takes you to a website on which you need to enter your log in information.::",
        "Consequences": "::SCOPE:Confidentiality:SCOPE:Access Control:SCOPE:AuthorizationTECHNICAL IMPACT:Gain Privileges::SCOPE:ConfidentialityTECHNICAL IMPACT:Read Data::SCOPE:IntegrityTECHNICAL IMPACT:Modify Data::",
        "Mitigations": "::Do not follow any links that you receive within your e-mails and certainly do not input any login credentials on the page that they take you too. Instead, call your Bank, PayPal, eBay, etc., and inquire about the problem. A safe practice would also be to type the URL of your bank in the browser directly and only then log in. Also, never reply to any e-mails that ask you to provide sensitive information of any kind.::",
        "Example Instances": "::The target gets an official looking e-mail from their bank stating that their account has been temporarily locked due to suspected unauthorized activity and that they need to click on the link included in the e-mail to log in to their bank account in order to unlock it. The link in the e-mail looks very similar to that of their bank and once the link is clicked, the log in page is the exact replica. The target supplies their login credentials after which they are notified that their account has now been unlocked and that everything is fine. An attacker has just collected the target's online banking information which can now be used by the attacker to log into the target's bank account and transfer money to a bank account of the attackers' choice.::An adversary may use BlueJacking, or Bluetooth Phishing to send unsolicited contact cards, messages, or pictures to nearby devices that are listening via Bluetooth. These messages may contain phishing content.::",
        "Related Weaknesses": "",
        "Taxonomy Mappings": "TAXONOMY NAME:ATTACK:ENTRY ID:1566:ENTRY NAME:Phishing::::TAXONOMY NAME:ATTACK:ENTRY ID:1598:ENTRY NAME:Phishing for Information::",
        "Notes": ""
    }
]