1000 - Mechanisms of Attack

Category - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.Engage in Deceptive Interactions - (156)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions)

Attack patterns within this category focus on malicious interactions with a target in an attempt to deceive the target and convince the target that it is interacting with some other principal and as such take actions based on the level of trust that exists between the target and the other principal. These types of attacks assume that some piece of content or functionality is associated with an identity and that the content / functionality is trusted by the target because of this association. Often identified by the term "spoofing", these types of attacks rely on the falsification of the content and/or identity in such a way that the target will incorrectly trust the legitimacy of the content. For example, an attacker may modify a financial transaction between two parties so that the participants remain unchanged but the amount of the transaction is increased. If the recipient cannot detect the change, they may incorrectly assume the modified message originated with the original sender. Attacks of these type may involve an adversary crafting the content from scratch or capturing and modifying legitimate content.

Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.Content Spoofing - (148)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing)

An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Checksum Spoofing - (145)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 145 (Checksum Spoofing)

An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to verify message integrity. They consist of some value based on the value of the message they are protecting. Hash codes are a common checksum mechanism. Both the sender and recipient are able to compute the checksum based on the contents of the message. If the message contents change between the sender and recipient, the sender and recipient will compute different checksum values. Since the sender's checksum value is transmitted with the message, the recipient would know that a modification occurred. In checksum spoofing an adversary modifies the message body and then modifies the corresponding checksum so that the recipient's checksum calculation will match the checksum (created by the adversary) in the message. This would prevent the recipient from realizing that a change occurred.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 218 (Spoofing of UDDI/ebXML Messages)

An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.

Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Intent Spoof - (502)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 502 (Intent Spoof)

An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in an attempt to achieve a variety of different objectives including modification of data, information disclosure, and data injection. Components that have been unintentionally exported and made public are subject to this type of an attack. If the component trusts the intent's action without verififcation, then the target application performs the functionality at the adversary's request, helping the adversary achieve the desired negative technical impact.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 627 (Counterfeit GPS Signals)

An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These spoofed signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 148 (Content Spoofing) > 627 (Counterfeit GPS Signals) > 628 (Carry-Off GPS Attack)

A common form of a GPS spoofing attack, commonly termed a carry-off attack begins with an adversary broadcasting signals synchronized with the genuine signals observed by the target receiver. The power of the counterfeit signals is then gradually increased and drawn away from the genuine signals. Over time, the adversary can carry the target away from their intended destination and toward a location chosen by the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing)

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data)

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 275 (DNS Rebinding)

An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or similar client), the adversary changes the IP address to which its name resolves, to an address within the target organization that is not publicly accessible. This allows the web browser to examine this internal address on behalf of the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 543 (Counterfeit Websites)

Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 544 (Counterfeit Organizations)

An adversary creates a false front organizations with the appearance of a legitimate supplier in the critical life cycle path that then injects corrupted/malicious information system components into the organizational supply chain.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 598 (DNS Spoofing)

An adversary sends a malicious ("NXDOMAIN" ("No such domain") code, or DNS A record) response to a target's route request before a legitimate resolver can. This technique requires an On-path or In-path device that can monitor and respond to the target's DNS requests. This attack differs from BGP Tampering in that it directly responds to requests made by the target instead of polluting the routing the target's infrastructure uses.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 633 (Token Impersonation)

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 194 (Fake the Source of Data) > 697 (DHCP Spoofing)

An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of redirecting network traffic or denying service to DHCP.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 195 (Principal Spoof)

A Principal Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction. This is often accomplished by crafting a message (either written, verbal, or visual) that appears to come from a person other than the adversary. Phishing and Pharming attacks often attempt to do this so that their attempts to gather sensitive information appear to come from a legitimate source. A Principal Spoof does not use stolen or spoofed authentication credentials, instead relying on the appearance and content of the message to reflect identity.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 195 (Principal Spoof) > 599 (Terrestrial Jamming)

In this attack pattern, the adversary transmits disruptive signals in the direction of the target's consumer-level satellite dish (as opposed to the satellite itself). The transmission disruption occurs in a more targeted range. Portable terrestrial jammers have a range of 3-5 kilometers in urban areas and 20 kilometers in rural areas. This technique requires a terrestrial jammer that is more powerful than the frequencies sent from the satellite.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof)

An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 459 (Creating a Rogue Certification Authority Certificate)

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 474 (Signature Spoofing by Key Theft)

An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 475 (Signature Spoofing by Improper Validation)

An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing the key.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 476 (Signature Spoofing by Misrepresentation)

An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 477 (Signature Spoofing by Mixing Signed and Unsigned Content)

An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 479 (Malicious Root Certificate)

An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 473 (Signature Spoof) > 485 (Signature Spoofing by Key Recreation)

An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 89 (Pharming)

A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a trading platform. An attacker can impersonate these supposedly trusted sites and have the victim be directed to their site rather than the originally intended one. Pharming does not require script injection or clicking on malicious links for the attack to succeed.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 98 (Phishing)

Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information (very frequently authentication credentials) that can later be used by an attacker. Phishing is essentially a form of information gathering or "fishing" for information.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 98 (Phishing) > 163 (Spear Phishing)

An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance and deceptive capability. Spear Phishing is an enhanced version of the Phishing attack targeted to a specific user or group. The quality of the targeted email is usually enhanced by appearing to come from a known or trusted entity. If the email account of some trusted entity has been compromised the message may be digitally signed. The message will contain information specific to the targeted users that will enhance the probability that they will follow the URL to the compromised site. For example, the message may indicate knowledge of the targets employment, residence, interests, or other information that suggests familiarity. As soon as the user follows the instructions in the message, the attack proceeds as a standard Phishing attack.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 98 (Phishing) > 164 (Mobile Phishing)

An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Mobile Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a text or SMS message, rather than email. The user is enticed to provide information or visit a compromised web site via this message. Apart from the manner in which the attack is initiated, the attack proceeds as a standard Phishing attack.SmishingMobPhishing

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 151 (Identity Spoofing) > 98 (Phishing) > 656 (Voice Phishing)

An adversary targets users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Voice Phishing is a variation of the Phishing social engineering technique where the attack is initiated via a voice call, rather than email. The user is enticed to provide sensitive information by the adversary, who masquerades as a legitimate employee of the alleged organization. Voice Phishing attacks deviate from standard Phishing attacks, in that a user doesn't typically interact with a compromised website to provide sensitive information and instead provides this information verbally. Voice Phishing attacks can also be initiated by either the adversary in the form of a "cold call" or by the victim if calling an illegitimate telephone number.VishingVoIP Phishing

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing)

An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the adversary can cause an alternate resource to be used, often one that the adversary controls and can be used to help them achieve their malicious goals.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries)

An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversary supplied library or code base. This pattern of attack allows the adversary to compromise the application or server via the execution of unauthorized code. An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. If an adversary can redirect an application's attempts to access these libraries to other libraries that the adversary supplies, the adversary will be able to force the targeted application to execute arbitrary code. This is especially dangerous if the targeted application has enhanced privileges. Access can be redirected through a number of techniques, including the use of symbolic links, search path modification, and relative path manipulation.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries) > 132 (Symlink Attack)

An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries) > 38 (Leveraging/Manipulating Configuration File Search Paths)

This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries) > 471 (Search Order Hijacking)

An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the process loading the library searches first in the same directory in which the process binary resides and then in other directories. Exploitation of this preferential search order can allow an attacker to make the loading process load the adversary's rogue library rather than the legitimate library. This attack can be leveraged with many different libraries and with many different loading processes. No forensic trails are left in the system's registry or file system that an incorrect library had been loaded.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 159 (Redirect Access to Libraries) > 641 (DLL Side-Loading)

An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating system into loading this malicious DLL instead of a legitimate DLL. Programs specify the location of the DLLs to load via the use of WinSxS manifests or DLL redirection and if they aren't used then Windows searches in a predefined set of directories to locate the file. If the applications improperly specify a required DLL or WinSxS manifests aren't explicit about the characteristics of the DLL to be loaded, they can be vulnerable to side-loading.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location)

An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After establishing the rogue location, the adversary waits for a victim to visit the location and access the malicious resource.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 505 (Scheme Squatting)

An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been installed. Thereafter, messages intended for the target application are handled by the malicious application. Upon receiving a message, the malicious application displays a screen that mimics the target application, thereby convincing the user to enter sensitive information. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user as they think that they are interacting with the intended target application.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 611 (BitSquatting)

An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Internet traffic to adversary-controlled destinations. BitSquatting requires no exploitation or complicated reverse engineering, and is operating system and architecture agnostic. Experimental observations show that BitSquatting popular websites could redirect non-trivial amounts of Internet traffic to a malicious entity.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 615 (Evil Twin Wi-Fi Attack)

Adversaries install Wi-Fi equipment that acts as a legitimate Wi-Fi network access point. When a device connects to this access point, Wi-Fi data traffic is intercepted, captured, and analyzed. This also allows the adversary to use "adversary-in-the-middle" (CAPEC-94) for all communications.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 617 (Cellular Rogue Base Station)

In this attack scenario, the attacker imitates a cellular base station with their own "rogue" base station equipment. Since cellular devices connect to whatever station has the strongest signal, the attacker can easily convince a targeted cellular device (e.g. the retransmission device) to talk to the rogue base station.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 630 (TypoSquatting)

An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instances where a user mistypes a URL (e.g. www.goggle.com) or not does visually verify a URL before clicking on it (e.g. phishing attack). As a result, the user is directed to an adversary-controlled destination. TypoSquatting does not require an attack against the trusted domain or complicated reverse engineering.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 631 (SoundSquatting)

An adversary registers a domain name that sounds the same as a trusted domain, but has a different spelling. A SoundSquatting attack takes advantage of a user's confusion of the two words to direct Internet traffic to adversary-controlled destinations. SoundSquatting does not require an attack against the trusted domain or complicated reverse engineering.Homophone Attack

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 632 (Homograph Attack via Homoglyphs)

An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph attack leverages the fact that different characters among various character sets look the same to the user. Homograph attacks must generally be combined with other attacks, such as phishing attacks, in order to direct Internet traffic to the adversary-controlled destinations.Homoglyph Attack

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 667 (Bluetooth Impersonation AttackS (BIAS))

An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 154 (Resource Location Spoofing) > 616 (Establish Rogue Location) > 695 (Repo Jacking)

An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into incorporating malicious code into their applications.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing)

An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 103 (Clickjacking)

An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely different, usually an adversary controlled or intended, system.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 103 (Clickjacking) > 181 (Flash File Overlay)

An attacker creates a transparent overlay using flash in order to intercept user actions for the purpose of performing a clickjacking attack. In this technique, the Flash file provides a transparent overlay over HTML content. Because the Flash application is on top of the content, user actions, such as clicks, are caught by the Flash application rather than the underlying HTML. The action is then interpreted by the overlay to perform the actions the attacker wishes.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 103 (Clickjacking) > 222 (iFrame Overlay)

In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingly completely different system.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 103 (Clickjacking) > 587 (Cross Frame Scripting (XFS))

This attack pattern combines malicious Javascript and a legitimate webpage loaded into a concealed iframe. The malicious Javascript is then able to interact with a legitimate webpage in a manner that is unknown to the user. This attack usually leverages some element of social engineering in that an attacker must convinces a user to visit a web page that the attacker controls.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 501 (Android Activity Hijack)

An adversary intercepts an implicit intent sent to launch a Android-based trusted activity and instead launches a counterfeit activity in its place. The malicious activity is then used to mimic the trusted activity's user interface and prompt the target to enter sensitive data as if they were interacting with the trusted activity.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 504 (Task Impersonation)

An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 504 (Task Impersonation) > 654 (Credential Prompt Impersonation)

An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 173 (Action Spoofing) > 506 (Tapjacking)

An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior)

An adversary exploits inherent human psychological predisposition to influence a targeted individual or group to solicit information or manipulate the target into performing an action that serves the adversary's interests. Many interpersonal social engineering techniques do not involve outright deception, although they can; many are subtle ways of manipulating a target to remove barriers, make the target feel comfortable, and produce an exchange in which the target is either more likely to share information directly, or let key information slip out unintentionally. A skilled adversary uses these techniques when appropriate to produce the desired outcome. Manipulation techniques vary from the overt, such as pretending to be a supervisor to a help desk, to the subtle, such as making the target feel comfortable with the adversary's speech and thought patterns.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting)

An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the adversary's interests. During a pretexting attack, the adversary creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 383 (Harvesting Information via API Event Monitoring)

An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 412 (Pretexting via Customer Service)

An adversary engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. One example of a scenario such as this would be to call an individual, articulate your false affiliation with a credit card company, and then attempt to get the individual to verify their credit card number.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 413 (Pretexting via Tech Support)

An adversary engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. An adversary who uses social engineering to impersonate a tech support worker can have devastating effects on a network. This is an effective attack vector, because it can give an adversary physical access to network computers. It only takes a matter of seconds for someone to compromise a computer with physical access. One of the best technological tools at the disposal of a social engineer, posing as a technical support person, is a USB thumb drive. These are small, easy to conceal, and can be loaded with different payloads depending on what task needs to be done. However, this form of attack does not require physical access as it can also be effectively carried out via phone or email.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 414 (Pretexting via Delivery Person)

An adversary engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. Impersonating a delivery person is an effective attack and an easy attack since not much acting is involved. Usually the hardest part is looking the part and having all of the proper credentials, papers and "deliveries" in order to be able to pull it off.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 407 (Pretexting) > 415 (Pretexting via Phone)

An adversary engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. This is the most common social engineering attack. Some of the most commonly effective approaches are to impersonate a fellow employee, impersonate a computer technician or to target help desk personnel.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception)

The adversary uses social engineering to exploit the target's perception of the relationship between the adversary and themselves. This goal is to persuade the target to unknowingly perform an action or divulge information that is advantageous to the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 418 (Influence Perception of Reciprocation)

An adversary uses a social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensitive or key piece of information. Obligation has to do with actions one feels they need to take due to some sort of social, legal, or moral requirement, duty, contract, or promise. There are various techniques for fostering a sense of obligation to reciprocate or concede during ordinary modes of communication. One method is to compliment the target, and follow up the compliment with a question. If performed correctly the target may volunteer a key piece of information, sometimes involuntarily.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 420 (Influence Perception of Scarcity)

The adversary leverages a perception of scarcity to persuade the target to perform an action or divulge information that is advantageous to the adversary. By conveying a perception of scarcity, or a situation of limited supply, the adversary aims to create a sense of urgency in the context of a target's decision-making process.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 421 (Influence Perception of Authority)

An adversary uses a social engineering technique to convey a sense of authority that motivates the target to reveal specific information or take specific action. There are various techniques for producing a sense of authority during ordinary modes of communication. One common method is impersonation. By impersonating someone with a position of power within an organization, an adversary may motivate the target individual to reveal some piece of sensitive information or perform an action that benefits the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 422 (Influence Perception of Commitment and Consistency)

An adversary uses social engineering to convince the target to do minor tasks as opposed to larger actions. After complying with a request, individuals are more likely to agree to subsequent requests that are similar in type and required effort.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 423 (Influence Perception of Liking)

The adversary influences the target's actions by building a relationship where the target has a liking to the adversary. People are more likely to be influenced by people of whom they are fond, so the adversary attempts to ingratiate themself with the target via actions, appearance, or a combination thereof.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 417 (Influence Perception) > 424 (Influence Perception of Consensus or Social Proof)

The adversary influences the target's actions by leveraging the inherent human nature to assume behavior of others is appropriate. In situations of uncertainty, people tend to behave in ways they see others behaving. The adversary convinces the target of adopting behavior or actions that is advantageous to the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 425 (Target Influence via Framing)

An adversary uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the adversary's point of view. Framing is information and experiences in life that alter the way we react to decisions we must make. This type of persuasive technique exploits the way people are conditioned to perceive data and its significance, while avoiding negative or avoidance responses from the target. Rather than a specific technique framing is a methodology of conversation that slowly encourages the target to adopt to the adversary's perspective. One technique of framing is to avoid the use of the word "No" and to contextualize responses in a manner that is positive. When performed skillfully the target is much more likely to volunteer information or perform actions favorable to the adversary.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 426 (Influence via Incentives)

The adversary incites a behavior from the target by manipulating something of influence. This is commonly associated with financial, social, or ideological incentivization. Examples include monetary fraud, peer pressure, and preying on the target's morals or ethics. The most effective incentive against one target might not be as effective against another, therefore the adversary must gather information about the target's vulnerability to particular incentives.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles)

The adversary shapes the target's actions or behavior by focusing on the ways human interact and learn, leveraging such elements as cognitive and social psychology. In a variety of ways, a target can be influenced to behave or perform an action through capitalizing on what scholarship and research has learned about how and why humans react to specific scenarios and cues.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 428 (Influence via Modes of Thinking)

The adversary tailors their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communication. This method is a way of building rapport with a target by matching their speech patterns and the primary ways or dominant senses with which they make abstractions. This technique can be used to make the target more receptive to sharing information because the adversary has adapted their communication forms to match those of the target. When skillfully employed, the target is likely to be unaware that they are being manipulated.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 429 (Target Influence via Eye Cues)

The adversary gains information via non-verbal means from the target through eye movements.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 433 (Target Influence via The Human Buffer Overflow)

An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow methodology does not rely on over-stimulating the mind of the target, but rather embedding messages within communication that the mind of the listener assembles at a subconscious level. The human buffer-overflow method is similar to subconscious programming to the extent that messages are embedded within the message.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 434 (Target Influence via Interview and Interrogation)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 416 (Manipulate Human Behavior) > 427 (Influence via Psychological Principles) > 435 (Target Influence via Instant Rapport)

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 690 (Metadata Spoofing)

An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata)

An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 692 (Spoof Version Control System Commit Metadata)

An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.

1000 (Mechanisms of Attack) > 156 (Engage in Deceptive Interactions) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 693 (StarJacking)

An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality)

An adversary uses or manipulates one or more functions of an application in order to achieve a malicious objective not originally intended by the application, or to deplete a resource to the point that the target's functionality is affected. This is a broad class of attacks wherein the adversary is able to alter the intended result or purpose of the functionality and thereby affect application behavior or information integrity. Outcomes can range from information exposure, vandalism, degrading or denial of service, as well as execution of arbitrary code on the target machine.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation)

An adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in an adverse impact upon the security of the system implementing the interface. This can allow the adversary to bypass access control and/or execute functionality not intended by the interface implementation, possibly compromising the system which integrates the interface. Interface manipulation can take on a number of forms including forcing the unexpected use of an interface or the use of an interface in an unintended way.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 121 (Exploit Non-Production Interfaces)

An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with the goal of gleaning information or leveraging functionality that would otherwise be unavailable.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 121 (Exploit Non-Production Interfaces) > 661 (Root/Jailbreak Detection Evasion via Debugging)

An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 133 (Try All Common Switches)

An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. For example, in some applications, adding a --debug switch causes debugging information to be displayed, which can sometimes reveal sensitive processing or configuration information to an attacker. This attack differs from other forms of API abuse in that the attacker is indiscriminately attempting to invoke options in the hope that one of them will work rather than specifically targeting a known option. Nonetheless, even if the attacker is familiar with the published options of a targeted application this attack method may still be fruitful as it might discover unpublicized functionality.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 160 (Exploit Script-Based APIs)

Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support <script> tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 113 (Interface Manipulation) > 36 (Using Unpublished Interfaces or Functionality)

An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding)

An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the adversary can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 482 (TCP Flood)

An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain. This often involves the use of TCP SYN messages.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 486 (UDP Flood)

An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. Additionally, firewalls often open a port for each UDP connection destined for a service with an open UDP port, meaning the firewalls in essence save the connection state thus the high packet nature of a UDP flood can also overwhelm resources allocated to the firewall. UDP attacks can also target services like DNS or VoIP which utilize these protocols. Additionally, due to the session-less nature of the UDP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 487 (ICMP Flood)

An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 488 (HTTP Flood)

An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resources at the application layer such as web services and their infrastructure. These attacks use legitimate session-based HTTP GET requests designed to consume large amounts of a server's resources. Since these are legitimate sessions this attack is very difficult to detect.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 489 (SSL Flood)

An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the available resources on the server side. These attacks take advantage of the asymmetric relationship between the processing power used by the client and the processing power used by the server to create a secure connection. In this manner the attacker can make a large number of HTTPS requests on a low provisioned machine to tie up a disproportionately large number of resources on the server. The clients then continue to keep renegotiating the SSL connection. When multiplied by a large number of attacking machines, this attack can result in a crash or loss of service to legitimate users.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 490 (Amplification)

An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this attack is to use a relatively few resources to create a large amount of traffic against a target server. To execute this attack, an adversary send a request to a 3rd party service, spoofing the source address to be that of the target server. The larger response that is generated by the 3rd party service is then sent to the target server. By sending a large number of initial requests, the adversary can generate a tremendous amount of traffic directed at the target. The greater the discrepancy in size between the initial request and the final payload delivered to the target increased the effectiveness of this attack.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 528 (XML Flood)

An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are accomplished by sending a large number of XML based requests and letting the service attempt to parse each one. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing.XML Denial of Service (XML DoS)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 528 (XML Flood) > 147 (XML Ping of the Death)

An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 125 (Flooding) > 666 (BlueSmacking)

An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS. This attack must be carried out within close proximity to a Bluetooth enabled device.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation)

An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service this request(s). Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 230 (Serialized Data with Nested Payloads)

Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. By nesting these structures, causing the data to be repeatedly substituted, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization.XML Denial of Service (XML DoS)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 230 (Serialized Data with Nested Payloads) > 197 (Exponential Data Expansion)

An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data format languages allow the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.Billion Laughs AttackXML BombXML Entity Expansion (XEE)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 230 (Serialized Data with Nested Payloads) > 491 (Quadratic Data Expansion)

An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the data. The result of this denial of service could cause the application to freeze or crash. This involves defining a very large entity and using it multiple times in a single entity substitution. CAPEC-197 is a similar attack pattern, but it is easier to discover and defend against. This attack pattern does not perform multi-level substitution and therefore does not obviously appear to consume extensive resources.XML Entity Expansion (XEE)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 231 (Oversized Serialized Data Payloads)

An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.XML Denial of Service (XML DoS)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 231 (Oversized Serialized Data Payloads) > 221 (Data Serialization External Entities Blowup)

This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of the replacement is a URI. A well-crafted file could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 231 (Oversized Serialized Data Payloads) > 229 (Serialized Data Parameter Blowup)

This attack exploits certain serialized data parsers (e.g., XML, YAML, etc.) which manage data in an inefficient manner. The attacker crafts an serialized data file with multiple configuration parameters in the same dataset. In a vulnerable parser, this results in a denial of service condition where CPU resources are exhausted because of the parsing algorithm. The weakness being exploited is tied to parser implementation and not language specific.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 492 (Regular Expression Exponential Blowup)

An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extreme situation for the Regex. A typical extreme situation operates at exponential time compared to the input size. This is due to most implementations using a Nondeterministic Finite Automaton(NFA) state machine to be built by the Regex algorithm since NFA allows backtracking and thus more complex regular expressions.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 493 (SOAP Array Blowup)

An adversary may execute an attack on a web service that uses SOAP messages in communication. By sending a very large SOAP array declaration to the web service, the attacker forces the web service to allocate space for the array elements before they are parsed by the XML parser. The attacker message is typically small in size containing a large array declaration of say 1,000,000 elements and a couple of array elements. This attack targets exhaustion of the memory resources of the web service.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 494 (TCP Fragmentation)

An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempting to fragment the TCP packet such that the headers flag field is pushed into the second fragment which typically is not filtered.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 495 (UDP Fragmentation)

An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmentation occurs when an IP datagram is larger than the MTU of the route the datagram has to traverse. Typically the attacker will use large UDP packets over 1500 bytes of data which forces fragmentation as ethernet MTU is 1500 bytes. This attack is a variation on a typical UDP flood but it enables more network bandwidth to be consumed with fewer packets. Additionally it has the potential to consume server CPU resources and fill memory buffers associated with the processing and reassembling of fragmented packets.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 130 (Excessive Allocation) > 496 (ICMP Fragmentation)

An attacker may execute a ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker crafts a large number of identical fragmented IP packets containing a portion of a fragmented ICMP message. The attacker these sends these messages to a target host which causes the host to become non-responsive. Another vector may be sending a fragmented ICMP message to a target host with incorrect sizes in the header which causes the host to hang.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 131 (Resource Leak Exposure)

An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse)

An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality is not altered or modified but used in a way that was not intended. This is often accomplished through the overuse of a specific functionality or by leveraging functionality with design flaws that enables the adversary to gain access to unauthorized, sensitive data.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 111 (JSON Hijacking (aka JavaScript Hijacking))

An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 2 (Inducing Account Lockout)

An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 48 (Passing Local Filenames to Functions That Expect a URL)

This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but instead receives a request for a local file, that execution is likely to occur in the browser process space with the browser's authority to local files. The attacker can send the results of this request to the local files out to a site that they control. This attack may be used to steal sensitive authentication data (either local or remote), or to gain system profile information to launch further attacks.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 50 (Password Recovery Exploitation)

An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system with the same privileges as the original user. Generally password recovery schemes tend to be weak and insecure.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 620 (Drop Encryption Level)

An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 620 (Drop Encryption Level) > 606 (Weakening of Cellular Encryption)

An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator can force the mobile device (e.g., the retransmission device) to use no encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode).

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 212 (Functionality Misuse) > 682 (Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities)

An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally or inadvertently designing devices incapable of updating their software. Additionally, with updatable devices, the manufacturer may decide not to support the device and stop making updates to their software.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 216 (Communication Channel Manipulation)

An adversary manipulates a setting or parameter on communications channel in order to compromise its security. This can result in information exposure, insertion/removal of information from the communications stream, and/or potentially system compromise.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 216 (Communication Channel Manipulation) > 12 (Choosing Message Identifier)

This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for another client by determining the parameter value assigned to that client. This attack allows the adversary to gain access to potentially privileged information, and to possibly perpetrate other attacks through the distribution means by impersonation. If the channel/message being manipulated is an input rather than output mechanism for the system, (such as a command bus), this style of attack could be used to change the adversary's identifier to more a privileged one.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 216 (Communication Channel Manipulation) > 217 (Exploiting Incorrectly Configured SSL/TLS)

An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. The adversary may also use this type of attack to inject commands or other traffic into the encrypted stream to cause compromise of either the client or server.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 227 (Sustained Client Engagement)

An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource tied up as long as possible. The adversary's primary goal is not to crash or flood the target, which would alert defenders; rather it is to repeatedly perform actions or abuse algorithmic flaws such that a given resource is tied up and not available to a legitimate user. By carefully crafting a requests that keep the resource engaged through what is seemingly benign requests, legitimate users are limited or completely denied access to the resource.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 227 (Sustained Client Engagement) > 469 (HTTP DoS)

An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connection. This denial of service attack requires substantially fewer packets to be sent which makes DoS harder to detect. This is an equivalent of SYN flood in HTTP. The idea is to keep the HTTP session alive indefinitely and then repeat that hundreds of times. This attack targets resource depletion weaknesses in web server software. The web server will wait to attacker's responses on the initiated HTTP sessions while the connection threads are being exhausted.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation)

An adversary subverts a communications protocol to perform an attack. This type of attack can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation)

An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communication protocols are necessary to transfer messages between client and server applications. Moreover, different protocols may be used for different types of interactions.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 105 (HTTP Request Splitting)

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to split a single HTTP request into multiple unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 273 (HTTP Response Smuggling)

An adversary manipulates and injects malicious content in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., server). See CanPrecede relationships for possible consequences. HTTP Desync

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 274 (HTTP Verb Tampering)

An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators to restrict access based on the HTTP Verb used with requests. However, attackers can often provide a different HTTP Verb, or even provide a random string as a verb in order to bypass these protections. This allows the attacker to access data that should otherwise be protected.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 33 (HTTP Request Smuggling)

An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP headers, request-line and body parameters as well as message sizes (denoted by the end of message signaled by a given HTTP header) by different intermediary HTTP agents (e.g., load balancer, reverse proxy, web caching proxies, application firewalls, etc.) to secretly send unauthorized and malicious HTTP requests to a back-end HTTP agent (e.g., web server). See CanPrecede relationships for possible consequences. HTTP Desync

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 34 (HTTP Response Splitting)

An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site. See CanPrecede relationships for possible consequences.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 220 (Client-Server Protocol Manipulation) > 5 (Blue Boxing)

This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions. This attack pattern is included in CAPEC for historical purposes.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 276 (Inter-component Protocol Manipulation)

Inter-component protocols are used to communicate between different software and hardware modules within a single computer. Common examples are: interrupt signals and data pipes. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 276 (Inter-component Protocol Manipulation) > 665 (Exploitation of Thunderbolt Protection Flaws)

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 277 (Data Interchange Protocol Manipulation)

Data Interchange Protocols are used to transmit structured data between entities. These protocols are often specific to a particular domain (B2B: purchase orders, invoices, transport logistics and waybills, medical records). They are often, but not always, XML-based. Subverting the protocol can allow an adversary to impersonate others, discover sensitive information, control the outcome of a session, or perform other attacks. This type of attack targets invalid assumptions that may be inherent in implementers of the protocol, incorrect implementations of the protocol, or vulnerabilities in the protocol itself.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 278 (Web Services Protocol Manipulation)

An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can either be performed through the manipulation of call parameters to include unexpected values, or by changing the called function to one that should normally be restricted or limited. By leveraging this pattern of attack, the adversary is able to gain access to data or resources normally restricted, or to cause the application or service to crash.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 278 (Web Services Protocol Manipulation) > 201 (Serialized Data External Linking)

An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 278 (Web Services Protocol Manipulation) > 221 (Data Serialization External Entities Blowup)

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 278 (Web Services Protocol Manipulation) > 279 (SOAP Manipulation)

Simple Object Access Protocol (SOAP) is used as a communication protocol between a client and server to invoke web services on the server. It is an XML-based protocol, and therefore suffers from many of the same shortcomings as other XML-based protocols. Adversaries can make use of these shortcomings and manipulate the content of SOAP paramters, leading to undesirable behavior on the server and allowing the adversary to carry out a number of further attacks.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 272 (Protocol Manipulation) > 90 (Reflection Attack in Authentication Protocol)

An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An adversary can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 554 (Functionality Bypass)

An adversary attacks a system by bypassing some or all functionality intended to protect it. Often, a system user will think that protection is in place, but the functionality behind those protections has been disabled by the adversary.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 554 (Functionality Bypass) > 179 (Calling Micro-Services Directly)

An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gathering information about their implementation and function. Micro-services in web pages allow portions of a page to connect to the server and update content without needing to cause the entire page to update. This allows user activity to change portions of the page more quickly without causing disruptions elsewhere.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 554 (Functionality Bypass) > 464 (Evercookie)

An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim's machine in over ten places. When the victim clears the cookie cache via traditional means inside the browser, that operation removes the cookie from certain places but not others. The malicious code then replicates the cookie from all of the places where it was not deleted to all of the possible storage locations once again. So the victim again has the cookie in all of the original storage locations. In other words, failure to delete the cookie in even one location will result in the cookie's resurrection everywhere. The evercookie will also persist across different browsers because certain stores (e.g., Local Shared Objects) are shared between different browsers.

1000 (Mechanisms of Attack) > 210 (Abuse Existing Functionality) > 554 (Functionality Bypass) > 465 (Transparent Proxy Abuse)

A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures)

Attack patterns in this category manipulate and exploit characteristics of system data structures in order to violate the intended usage and protections of these structures. This is done in such a way that yields either improper access to the associated system data or violations of the security properties of the system itself due to vulnerabilities in how the system processes and manages the data structures. Often, vulnerabilities and therefore exploitability of these data structures exist due to ambiguity and assumption in their design and prescribed handling.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation)

An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer attacks are distinguished in that it is the buffer space itself that is the target of the attack rather than any code responsible for interpreting the content of the buffer. In virtually all buffer attacks the content that is placed in the buffer is immaterial. Instead, most buffer attacks involve retrieving or providing more input than can be stored in the allocated buffer, resulting in the reading or overwriting of other unintended program memory.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers)

Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As a consequence, an adversary is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the adversaries' choice.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 10 (Buffer Overflow via Environment Variables)

This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 14 (Client-side Injection-induced Buffer Overflow)

This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service. This hostile service is created to deliver the correct content to the client software. For example, if the client-side application is a browser, the service will host a webpage that the browser loads.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 24 (Filter Failure through Buffer Overflow)

In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 256 (SOAP Array Overflow)

An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. If the server processing the transmission naively trusts the specified size, then an attacker can intentionally understate the size of the array, possibly resulting in a buffer overflow if the server attempts to read the entire data set into the memory it allocated for a smaller array.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 42 (MIME Conversion)

An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 44 (Overflow Binary Resource File)

An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the adversary access to the execution stack and execute arbitrary code in the target process.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 45 (Buffer Overflow via Symbolic Links)

This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 46 (Overflow Variables and Tags)

This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The adversary crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 47 (Buffer Overflow via Parameter Expansion)

In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 67 (String Format Overflow in syslog())

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 8 (Buffer Overflow in an API Call)

This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An adversary who has knowledge of known vulnerable libraries or shared code can easily target software that makes use of these libraries. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 100 (Overflow Buffers) > 9 (Buffer Overflow in Local Command-Line Utilities)

This attack targets command-line utilities available in a number of shells. An adversary can leverage a vulnerability found in a command-line utility to escalate privilege to root.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 123 (Buffer Manipulation) > 540 (Overread Buffers)

An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 124 (Shared Resource Manipulation)

An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resources may be shared between multiple applications or between multiple threads of a single application. Resource sharing is usually accomplished through mutual access to a single memory location or multiplexed hardware pins. If an adversary can manipulate this shared resource (usually by co-opting one of the applications or threads) the other applications or threads using the shared resource will often continue to trust the validity of the compromised shared resource and use it in their calculations. This can result in invalid trust assumptions, corruption of additional data through the normal operations of the other users of the shared resource, or even cause a crash or compromise of the sharing applications.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 129 (Pointer Manipulation)

This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended memory location. This can result in the crashing of the application or, for certain pointer values, access to data that would not normally be possible or the execution of arbitrary code. Since pointers are simply integer variables, Integer Attacks may often be used in Pointer Attacks.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation)

An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface. By supplying input of a non-standard or unexpected form an attacker can adversely impact the security of the target.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 126 (Path Traversal)

An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should be not be retrievable by ordinary well-formed requests. A typical variety of this attack involves specifying a path to a desired file together with dot-dot-slash characters, resulting in the file access API or function traversing out of the intended directory structure and into the root file system. By replacing or modifying the expected path information the access function or API retrieves the file desired by the attacker. These attacks either involve the attacker providing a complete path to a targeted file or using control characters (e.g. path separators (/ or \) and/or dots (.)) to reach desired directories or files.Directory Traversal

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 126 (Path Traversal) > 139 (Relative Path Traversal)

An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 126 (Path Traversal) > 597 (Absolute Path Traversal)

An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as ".." to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 126 (Path Traversal) > 76 (Manipulating Web Input to File System Calls)

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 128 (Integer Attacks)

An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application. For example, adding one to the largest positive integer in a signed integer variable results in a negative number. Negative numbers may be illegal in an application and the application may prevent an attacker from providing them directly, but the application may not consider that adding two positive numbers can create a negative number do to the structure of integer storage formats.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 128 (Integer Attacks) > 92 (Forced Integer Overflow)

This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding)

An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffective at validating this encoding standard.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 120 (Double Encoding)

The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character) to obfuscate the payload of a particular request. This may allow the adversary to bypass filters that attempt to detect illegal characters or strings, such as those that might be used in traversal or injection attacks. Filters may be able to catch illegal encoded strings, but may not catch doubly encoded strings. For example, a dot (.), often used in path traversal attacks and therefore often blocked by filters, could be URL encoded as %2E. However, many filters recognize this encoding and would still block the request. In a double encoding, the % in the above URL encoding would be encoded again as %25, resulting in %252E which some filters might not catch, but which could still be interpreted as a dot (.) by interpreters on the target.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 3 (Using Leading 'Ghost' Character Sequences to Bypass Input Filters)

Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (extra characters that don't affect the validity of the request at the API layer) that enable the input to pass the filters and therefore process the adversary's input. This occurs when the targeted API will accept input data in several syntactic forms and interpret it in the equivalent semantic way, while the filter does not take into account the full spectrum of the syntactic forms acceptable to the targeted API.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 4 (Using Alternative IP Address Encodings)

This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location information in a specific format, such as fully qualified domains names (FQDNs), URL, IP address, or IP Address ranges. If the location information is not validated against a variety of different possible encodings and formats, the adversary can use an alternate format to bypass application access control.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 43 (Exploiting Multiple Input Interpretation Layers)

An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 52 (Embedding NULL Bytes)

An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string terminator in many environments. The goal is for certain components of the target software to stop processing the input when it encounters the null byte(s).

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 53 (Postfix, Null Terminate, and Backslash)

If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using alternate representation of NULL allows an adversary to embed the NULL mid-string while postfixing the proper data so that the filter is avoided. One example is a filter that looks for a trailing slash character. If a string insertion is possible, but the slash must exist, an alternate encoding of NULL in mid-string may be used.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 64 (Using Slashes and URL Encoding Combined to Bypass Validation Logic)

This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse the interpretation of the URL. A URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 71 (Using Unicode Encoding to Bypass Validation Logic)

An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classifying mechanism to fail to properly understanding the request. That may allow the attacker to slip malicious data past the content filter and/or possibly cause the application to route the request incorrectly.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 72 (URL Encoding)

This attack targets the encoding of the URL. An adversary can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 78 (Using Escaped Slashes in Alternate Encoding)

This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 79 (Using Slashes in Alternate Encoding)

This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.

1000 (Mechanisms of Attack) > 255 (Manipulate Data Structures) > 153 (Input Data Manipulation) > 267 (Leverage Alternate Encoding) > 80 (Using UTF-8 Encoding to Bypass Validation Logic)

This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the "shortest possible" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources)

Attack patterns within this category focus on the adversary's ability to manipulate one or more resources in order to achieve a desired outcome. This is a broad class of attacks wherein the attacker is able to change some aspect of a resource's state or availability and thereby affect system behavior or information integrity. Examples of resources include files, applications, libraries, infrastructure, and configuration information. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack)

An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 185 (Malicious Software Download)

An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update)

An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 187 (Malicious Automated Software Update via Redirection)

An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 533 (Malicious Manual Software Update)

An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 614 (Rooting SIM Cards)

SIM cards are the de facto trust anchor of mobile devices worldwide. The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets. This attack leverages over-the-air (OTA) updates deployed via cryptographically-secured SMS messages to deliver executable code to the SIM. By cracking the DES key, an attacker can send properly signed binary SMS messages to a device, which are treated as Java applets and are executed on the SIM. These applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 657 (Malicious Automated Software Update via Spoofing)

An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 663 (Exploitation of Transient Instruction Execution)

An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 663 (Exploitation of Transient Instruction Execution) > 696 (Load Value Injection)

An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 184 (Software Integrity Attack) > 669 (Alteration of a Software Update)

An adversary with access to an organization’s software update infrastructure inserts malware into the content of an outgoing update to fielded systems where a wide range of malicious effects are possible. With the same level of access, the adversary can alter a software update to perform specific malicious acts including granting the adversary control over the software’s normal functionality.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack)

An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 401 (Physically Hacking Hardware)

An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 401 (Physically Hacking Hardware) > 402 (Bypassing ATA Password Security)

An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update)

An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution)

An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution) > 530 (Provide Counterfeit Component)

An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.

An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 677 (Server Motherboard Compromise)

Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation)

An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 141 (Cache Poisoning)

An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 141 (Cache Poisoning) > 142 (DNS Cache Poisoning)

A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 166 (Force the System to Reset Values)

An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 268 (Audit Log Manipulation)

The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or cover tracks of an attack. Due to either insufficient access controls of the log files or the logging mechanism, the attacker is able to perform such actions.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 268 (Audit Log Manipulation) > 81 (Web Server Logs Tampering)

Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes of masking other malicious behavior. Additionally, writing malicious data to log files may target jobs, filters, reports, and other agents that process the logs in an asynchronous attack pattern. This pattern of attack is similar to "Log Injection-Tampering-Forging" except that in this case, the attack is targeting the logs of the web server and not the application.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 268 (Audit Log Manipulation) > 93 (Log Injection-Tampering-Forging)

This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 481 (Contradictory Destinations in Traffic Routing Schemes)

Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers available at different levels of the OSI model. In a Content Delivery Network (CDN) multiple domains might be available, and if there are contradictory domain names provided it is possible to route traffic to an inappropriate destination. The technique, called Domain Fronting, involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. An alternative technique, called Domainless Fronting, is similar, but the SNI field is left blank.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 571 (Block Logging to Central Repository)

An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 161 (Infrastructure Manipulation) > 700 (Network Boundary Bridging)

An adversary which has gained elevated access to network boundary devices may use these devices to create a channel to bridge trusted and untrusted networks. Boundary devices do not necessarily have to be on the network’s edge, but rather must serve to segment portions of the target network the adversary wishes to cross into.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation)

An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application. Attackers use this class of attacks to cause applications to enter unstable states, overwrite or expose sensitive information, and even execute arbitrary code with the application's privileges. This class of attacks differs from attacks on configuration information (even if file-based) in that file manipulation causes the file processing to result in non-standard behaviors, such as buffer overflows or use of the incorrect interpreter. Configuration attacks rely on the application interpreting files correctly in order to insert harmful configuration information. Likewise, resource location attacks rely on controlling an application's ability to locate files, whereas File Manipulation attacks do not require the application to look in a non-default location, although the two classes of attacks are often combined.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 572 (Artificially Inflate File Sizes)

An adversary modifies file contents by adding data to files for several reasons. Many different attacks could “follow” this pattern resulting in numerous outcomes. Adding data to a file could also result in a Denial of Service condition for devices with limited storage capacity.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 572 (Artificially Inflate File Sizes) > 655 (Avoid Security Tool Identification by Adding Data)

An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask their actions. In addition to this, adding data to a file also changes the file's hash, frustrating security tools that look for known bad files by their hash.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 635 (Alternative Execution Due to Deceptive Filenames)

The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 635 (Alternative Execution Due to Deceptive Filenames) > 11 (Cause Web Server Misclassification)

An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handled by different server processes, misclassification may force the Web server to take unexpected action, or expected actions in an unexpected sequence. This may cause the server to exhaust resources, supply debug or system data to the attacker, or bind an attacker to a remote process.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 635 (Alternative Execution Due to Deceptive Filenames) > 649 (Adding a Space to a File Extension)

An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing special elements in file names. This extra space, which can be difficult for a user to notice, affects which default application is used to operate on the file and can be leveraged by the adversary to control execution.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 636 (Hiding Malicious Data or Code within Files)

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 636 (Hiding Malicious Data or Code within Files) > 168 (Windows ::DATA Alternate Data Stream)

An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 636 (Hiding Malicious Data or Code within Files) > 35 (Leverage Executable Code in Non-Executable Files)

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 165 (File Manipulation) > 73 (User-Controlled Filename)

An attack of this type involves an adversary inserting malicious characters (such as a XSS redirection) into a filename, directly or indirectly that is then used by the target software to generate HTML text or other potentially executable content. Many websites rely on user-generated content and dynamically build resources like files, filenames, and URL links directly from user supplied data. In this attack pattern, the attacker uploads code that can execute in the client browser and/or redirect the client browser to a site that the attacker owns. All XSS attack payload variants can be used to pass and exploit these vulnerabilities.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation)

An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applications use external configuration files and libraries - modification of these entities or otherwise affecting the application's ability to use them would constitute a configuration/environment manipulation attack.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 203 (Manipulate Registry Information)

An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 203 (Manipulate Registry Information) > 270 (Modification of Registry Run Keys)

An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. In this way, the adversary can get their executable to operate and run on the target system with the authorized user's level of permissions. This attack is a good way for an adversary to run persistent spyware on a user's machine, such as a keylogger.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 203 (Manipulate Registry Information) > 478 (Modification of Windows Service Configuration)

An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a malicious binary in place of an existing service.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 203 (Manipulate Registry Information) > 51 (Poison Web Service Registry)

SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 271 (Schema Poisoning)

An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure and content definitions for resources used by an application. By replacing or modifying a schema, the adversary can affect how the application handles or interprets a resource, often leading to possible denial of service, entering into an unexpected state, or recording incomplete data.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 271 (Schema Poisoning) > 146 (XML Schema Poisoning)

An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the security of the target. XML Schemas provide the structure and content definitions for XML documents. Schema poisoning is the ability to manipulate a schema either by replacing or modifying it to compromise the programs that process documents that use this schema.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 536 (Data Injected During Configuration)

An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 578 (Disable Security Software)

An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing processes, deleting registry keys so that tools do not start at run time, deleting log files, or other methods.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 176 (Configuration/Environment Manipulation) > 75 (Manipulating Writeable Configuration Files)

Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction)

An attacker obstructs the interactions between system components. By interrupting or disabling these interactions, an adversary can often force the system into a degraded state or cause the system to stop working as intended. This can cause the system components to be unavailable until the obstruction mitigated.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 547 (Physical Destruction of Device or Component)

An adversary conducts a physical attack a device or component, destroying it such that it no longer functions as intended.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 582 (Route Disabling)

An adversary disables the network route between two targets. The goal is to completely sever the communications channel between two entities. This is often the result of a major error or the use of an "Internet kill switch" by those in control of critical infrastructure. This attack pattern differs from most other obstruction patterns by targeting the route itself, as opposed to the data passed over the route.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 582 (Route Disabling) > 583 (Disabling Network Hardware)

In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or shutting off critical system resources prevents them from performing their service as intended, which can have direct and indirect consequences on other systems. This attack pattern is considerably less technical than the selective blocking used in most obstruction attacks.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 582 (Route Disabling) > 584 (BGP Route Disabling)

An adversary suppresses the Border Gateway Protocol (BGP) advertisement for a route so as to render the underlying network inaccessible. The BGP protocol helps traffic move throughout the Internet by selecting the most efficient route between Autonomous Systems (AS), or routing domains. BGP is the basis for interdomain routing infrastructure, providing connections between these ASs. By suppressing the intended AS routing advertisements and/or forcing less effective routes for traffic to ASs, the adversary can deny availability for the target network.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 582 (Route Disabling) > 585 (DNS Domain Seizure)

In this attack pattern, an adversary influences a target's web-hosting company to disable a target domain. The goal is to prevent access to the targeted service provided by that domain. It usually occurs as the result of civil or criminal legal interventions.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 601 (Jamming)

An adversary uses radio noise or signals in an attempt to disrupt communications. By intentionally overwhelming system resources with illegitimate traffic, service is denied to the legitimate traffic of authorized users.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 601 (Jamming) > 559 (Orbital Jamming)

In this attack pattern, the adversary sends disruptive signals at a target satellite using a rogue uplink station to disrupt the intended transmission. Those within the satellite's footprint are prevented from reaching the satellite's targeted or neighboring channels. The satellite's footprint size depends upon its position in the sky; higher orbital satellites cover multiple continents.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 601 (Jamming) > 604 (Wi-Fi Jamming)

In this attack scenario, the attacker actively transmits on the Wi-Fi channel to prevent users from transmitting or receiving data from the targeted Wi-Fi network. There are several known techniques to perform this attack – for example: the attacker may flood the Wi-Fi access point (e.g. the retransmission device) with deauthentication frames. Another method is to transmit high levels of noise on the RF band used by the Wi-Fi network.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 601 (Jamming) > 605 (Cellular Jamming)

In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a cell tower. Several existing techniques are known in the open literature for this attack for 2G, 3G, and 4G LTE cellular technology. For example, some attacks target cell towers by overwhelming them with false status messages, while others introduce high levels of noise on signaling channels.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 603 (Blockage)

An adversary blocks the delivery of an important system resource causing the system to fail or stop working.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 603 (Blockage) > 589 (DNS Blocking)

An adversary intercepts traffic and intentionally drops DNS requests based on content in the request. In this way, the adversary can deny the availability of specific services or content to the user even if the IP address is changed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 603 (Blockage) > 590 (IP Address Blocking)

An adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at the target IP address.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 607 (Obstruction) > 603 (Blockage) > 96 (Block Access to Libraries)

An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the operating system or they may be third party libraries. It is possible that the application does not handle situations properly where access to these libraries has been blocked. Depending on the error handling within the application, blocked access to libraries may leave the system in an insecure state that could be leveraged by an attacker.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture)

An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration)

An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. The product is then delivered to the user where the negative impact can be leveraged at a later time.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 206 (Signing Malicious Code)

The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 443 (Malicious Logic Inserted Into Product by Authorized Developer)

An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 445 (Malicious Logic Insertion into Product Software via Configuration Management Manipulation)

An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 446 (Malicious Logic Insertion into Product via Inclusion of Third-Party Component)

An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 511 (Infiltration of Software Development Environment)

An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 516 (Hardware Component Substitution During Baselining)

An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 520 (Counterfeit Hardware Component Inserted During Product Assembly)

An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 532 (Altered Installed BIOS)

An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 537 (Infiltration of Hardware Development Environment)

An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 538 (Open-Source Library Manipulation)

Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 539 (ASIC With Malicious Functionality)

An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 670 (Software Development Tools Maliciously Altered)

An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 672 (Malicious Code Implanted During Chip Programming)

During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 673 (Developer Signing Maliciously Altered Software)

Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems. This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 444 (Development Alteration) > 678 (System Build Data Maliciously Altered)

During the system build process, the system is deliberately misconfigured by the alteration of the build data. Access to system configuration data files and build processes is susceptible to deliberate misconfiguration of the system.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration)

An adversary modifies the design of a technology, product, or component to acheive a negative impact once the system is deployed. In this type of attack, the goal of the adversary is to modify the design of the system, prior to development starting, in such a way that the negative impact can be leveraged when the system is later deployed. Design alteration attacks differ from development alteration attacks in that design alteration attacks take place prior to development and which then may or may not be developed by the adverary. Design alteration attacks include modifying system designs to degrade system performance, cause unexpected states or errors, and general design changes that may lead to additional vulnerabilities. These attacks generally require insider access to modify design documents, but they may also be spoofed via web communications. The product is then developed and delivered to the user where the negative impact can be leveraged at a later time.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 517 (Documentation Alteration to Circumvent Dial-down)

An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 518 (Documentation Alteration to Produce Under-performing Systems)

An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 519 (Documentation Alteration to Cause Errors in System Design)

An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 521 (Hardware Design Specifications Are Altered)

An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 671 (Requirements for ASIC Functionality Maliciously Altered)

An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user’s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 438 (Modification During Manufacture) > 447 (Design Alteration) > 674 (Design for FPGA Maliciously Altered)

An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 439 (Manipulation During Distribution)

An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 439 (Manipulation During Distribution) > 522 (Malicious Hardware Component Replacement)

An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 439 (Manipulation During Distribution) > 523 (Malicious Software Implanted)

An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 439 (Manipulation During Distribution) > 524 (Rogue Integration Procedures)

An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion)

An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. With the proliferation of mass digital storage and inexpensive multimedia devices, Bluetooth and 802.11 support, new attack vectors for spreading malware are emerging for things we once thought of as innocuous greeting cards, picture frames, or digital projectors. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems and their components that are still under development and part of the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 442 (Infected Software)

An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of the software and works behind the scenes to achieve negative impacts. Many times, the malicious logic is inserted into empty space between legitimate code, and is then called when the software is executed. This pattern of attack focuses on software already fielded and used in operation as opposed to software that is still under development and part of the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 442 (Infected Software) > 448 (Embed Virus into DLL)

An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of compiler optimizations that pad memory blocks for performance gains. The embedded virus then attempts to infect any machine which interfaces with the product, and possibly steal private data or eavesdrop.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 452 (Infected Hardware)

An adversary inserts malicious logic into hardware, typically in the form of a computer virus or rootkit. This logic is often hidden from the user of the hardware and works behind the scenes to achieve negative impacts. This pattern of attack focuses on hardware already fielded and used in operation as opposed to hardware that is still under development and part of the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 452 (Infected Hardware) > 638 (Altered Component Firmware)

An adversary exploits systems features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal of executing malicious code from within the component's Master Boot Record (MBR). Conducting this type of attack entails the adversary infecting the target with firmware altering malware, using known tools, and a payload. Once this malware is executed, the MBR is modified to include instructions to execute the payload at desired intervals and when the system is booted up. A successful attack will obtain persistence within the victim system even if the operating system is reinstalled and/or if the component is formatted or has its data erased.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 456 (Infected Memory)

An adversary inserts malicious logic into memory enabling them to achieve a negative impact. This logic is often hidden from the user of the system and works behind the scenes to achieve negative impacts. This pattern of attack focuses on systems already fielded and used in operation as opposed to systems that are still under development and part of the supply chain.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 456 (Infected Memory) > 457 (USB Memory Attacks)

An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a significant security risk for business and government agencies. Given the ability to integrate wireless functionality into a USB stick, it is possible to design malware that not only steals confidential data, but sniffs the network, or monitor keystrokes, and then exfiltrates the stolen data off-site via a Wireless connection. Also, viruses can be transmitted via the USB interface without the specific use of a memory stick. The attacks from USB devices are often of such sophistication that experts conclude they are not the work of single individuals, but suggest state sponsorship. These attacks can be performed by an adversary with direct access to a target system or can be executed via means such as USB Drop Attacks.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 441 (Malicious Logic Insertion) > 456 (Infected Memory) > 458 (Flash Memory Attacks)

An adversary inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. Various attacks exist against the integrity of flash memory, the most direct being rootkits coded into the BIOS or chipset of a device.

1000 (Mechanisms of Attack) > 262 (Manipulate System Resources) > 548 (Contaminate Resource)

An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classification/sensitivity for which they have not been authorized. When this happens, the contaminated information system, device, or network must be brought offline to investigate and mitigate the data spill, which denies availability of the system until the investigation is complete.Data Spill

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items)

Attack patterns within this category focus on the ability to control or disrupt the behavior of a target either through crafted data submitted via an interface for data input, or the installation and execution of malicious code on the target system. The former happens when an adversary adds material to their input that is interpreted by the application causing the targeted application to perform steps unintended by the application manager or causing the application to enter an unstable state. Attacks of this type differ from Data Structure Attacks in that the latter attacks subvert the underlying structures that hold user-provided data, either pre-empting interpretation of the input (in the case of Buffer Overflows) or resulting in values that the targeted application is unable to handle correctly (in the case of Integer Overflows). In Injection attacks, the input is interpreted by the application, but the attacker has included instructions to the interpreting functions that the target application then follows.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection)

An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use text characters as separators. For example, parameters in a HTTP GET message are encoded as name-value pairs separated by an ampersand (&). If an attacker can supply text strings that are used to fill in these parameters, then they can inject special characters used in the encoding scheme to add or modify parameters. For example, if user input is fed directly into an HTTP GET request and the user provides the value "myInput&new_param=myValue", then the input parameter is set to myInput, but a new parameter (new_param) is also added with a value of myValue. This can significantly change the meaning of the query that is processed by the server. Any encoding scheme where parameters are identified and separated by text characters is potentially vulnerable to this attack - the HTTP GET encoding used above is just one example.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 134 (Email Injection)

An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 134 (Email Injection) > 41 (Using Meta-characters in E-mail Headers to Inject Malicious Payloads)

This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 135 (Format String Injection)

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 135 (Format String Injection) > 67 (String Format Overflow in syslog())

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 138 (Reflection Injection)

An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example, in the Java programming language the reflection libraries permit an application to inspect, load, and invoke classes and their components by name. If an adversary can control the input into these methods including the name of the class/method/field or the parameters passed to methods, they can cause the targeted application to invoke incorrect methods, read random fields, or even to load and utilize malicious classes that the adversary created. This can lead to the application revealing sensitive information, returning incorrect results, or even having the adversary take control of the targeted application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 15 (Command Delimiters)

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 15 (Command Delimiters) > 460 (HTTP Parameter Pollution (HPP))

An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcoded HTTP parameters, modify the application behaviors, access and, potentially exploit, uncontrollable variables, and bypass input validation checkpoints and WAF rules.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 182 (Flash Injection)

An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 182 (Flash Injection) > 174 (Flash Parameter Injection)

An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. Flash files can leverage user-submitted data to configure the Flash document and access the embedding HTML document.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 182 (Flash Injection) > 178 (Cross-Site Flashing)

An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 137 (Parameter Injection) > 6 (Argument Injection)

An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion)

An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 251 (Local Code Inclusion)

The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 251 (Local Code Inclusion) > 252 (PHP Local File Inclusion)

The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 251 (Local Code Inclusion) > 640 (Inclusion of Code in Existing Process)

The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 251 (Local Code Inclusion) > 660 (Root/Jailbreak Detection Evasion via Hooking)

An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to "hook" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 253 (Remote Code Inclusion)

The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 253 (Remote Code Inclusion) > 101 (Server Side Include (SSI) Injection)

An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 253 (Remote Code Inclusion) > 193 (PHP Remote File Inclusion)

In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished through an insecurely configured PHP runtime environment and an improperly sanitized "include" or "require" call, which the user can then control to point to any web-accessible file. This allows adversaries to hijack the targeted application and force it to execute their own instructions.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 175 (Code Inclusion) > 253 (Remote Code Inclusion) > 500 (WebView Injection)

An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 240 (Resource Injection)

An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 240 (Resource Injection) > 610 (Cellular Data Injection)

Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance operations.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection)

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 19 (Embedding Scripts within Scripts)

An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execute due to programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 23 (File Content Injection)

An adversary poisons files with a malicious payload (targeting the file systems accessible by the target software), which may be passed through by standard channels such as via email, and standard web content like PDF and multimedia files. The adversary exploits known vulnerabilities or handling routines in the target processes, in order to exploit the host's trust in executing remote content, including binary files.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 23 (File Content Injection) > 44 (Overflow Binary Resource File)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 41 (Using Meta-characters in E-mail Headers to Inject Malicious Payloads)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 468 (Generic Cross-Browser Cross-Domain Theft)

An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing the standards relating to loading of CSS: 1. Send cookies on any load of CSS (including cross-domain) 2. When parsing returned CSS ignore all data that does not make sense before a valid CSS descriptor is found by the CSS parser.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS))

An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the users' privilege level. An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them in to user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS)

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web browser. Content served by a vulnerable web application includes script code used to manipulate the Document Object Model (DOM). This script code either does not properly validate input, or does not perform proper output encoding, thus creating an opportunity for an adversary to inject a malicious script launch a XSS attack. A key distinction between other XSS attacks and DOM-based attacks is that in other XSS attacks, the malicious script runs when the vulnerable web page is initially loaded, while a DOM-based attack executes sometime after the page loads. Another distinction of DOM-based attacks is that in some cases, the malicious script is never sent to the vulnerable web server at all. An attack like this is guaranteed to bypass any server-side filtering attempts to protect users.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 18 (XSS Targeting Non-Script Elements)

This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an adversary to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote adversary to collect and interpret the output of said attack.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 198 (XSS Targeting Error Pages)

An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 199 (XSS Using Alternate Syntax)

An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 243 (XSS Targeting HTML Attributes)

An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes against the presence of potentially dangerous commands even if they adequately sanitize tags. For example, dangerous expressions could be inserted into a style attribute in an anchor tag, resulting in the execution of malicious code when the resulting page is rendered. If a victim is tricked into viewing the rendered page the attack proceeds like a normal XSS attack, possibly resulting in the loss of sensitive cookies or other malicious activities.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 244 (XSS Targeting URI Placeholders)

An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable content placeholders. This attack consists of passing a malicious URI in an anchor tag HREF attribute or any other similar attributes in other HTML tags. Such malicious URI contains, for example, a base64 encoded HTML content with an embedded cross-site scripting payload. The attack is executed when the browser interprets the malicious content i.e., for example, when the victim clicks on the malicious link.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 245 (XSS Using Doubled Characters)

The adversary bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recognize dangerous sequences if they are preceded by repeated characters. For example, by doubling the < before a script command, (<<script or %3C%3script using URI encoding) the filters of some web applications may fail to recognize the presence of a script tag. If the targeted server is vulnerable to this type of bypass, the adversary can create a crafted URL or other trap to cause a victim to view a page on the targeted server where the malicious content is executed, as per a normal XSS attack.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 247 (XSS Using Invalid Characters)

An adversary inserts invalid characters in identifiers to bypass application filtering of input. Filters may not scan beyond invalid characters but during later stages of processing content that follows these invalid characters may still be processed. This allows the adversary to sneak prohibited commands past filters and perform normally prohibited operations. Invalid characters may include null, carriage return, line feed or tab in an identifier. Successful bypassing of the filter can result in a XSS attack, resulting in the disclosure of web cookies or possibly other results.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 32 (XSS Through HTTP Query Strings)

An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 588 (DOM-Based XSS) > 86 (XSS Through HTTP Headers)

An adversary exploits web applications that generate web content, such as links in a HTML page, based on unvalidated or improperly validated data submitted by other actors. XSS in HTTP Headers attacks target the HTTP headers which are hidden from most users and may not be validated by web applications.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS)

This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then executed by a victim's browser. The process starts with an adversary delivering a malicious script to a victim and convincing the victim to send the script to the vulnerable web application.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 18 (XSS Targeting Non-Script Elements)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 198 (XSS Targeting Error Pages)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 199 (XSS Using Alternate Syntax)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 243 (XSS Targeting HTML Attributes)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 244 (XSS Targeting URI Placeholders)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 245 (XSS Using Doubled Characters)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 247 (XSS Using Invalid Characters)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 32 (XSS Through HTTP Query Strings)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 591 (Reflected XSS) > 86 (XSS Through HTTP Headers)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS)

An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerable web application as valid input.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 18 (XSS Targeting Non-Script Elements)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 198 (XSS Targeting Error Pages)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 199 (XSS Using Alternate Syntax)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 209 (XSS Using MIME Type Mismatch)

An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The adversary tricks the victim into accessing a URL that responds with the script file. Some browsers will detect that the specified MIME type of the file does not match the actual type of its content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the adversary's script may run on the target unsanitized, possibly revealing the victim's cookies or executing arbitrary script in their browser.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 243 (XSS Targeting HTML Attributes)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 244 (XSS Targeting URI Placeholders)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 245 (XSS Using Doubled Characters)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 247 (XSS Using Invalid Characters)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 32 (XSS Through HTTP Query Strings)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 242 (Code Injection) > 63 (Cross-Site Scripting (XSS)) > 592 (Stored XSS) > 86 (XSS Through HTTP Headers)

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection)

An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 136 (LDAP Injection)

An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 183 (IMAP/SMTP Command Injection)

An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 250 (XML Injection)

An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL injection. The user-controllable input can allow for unauthorized viewing of data, bypassing authentication or the front-end application for direct XML database access, and possibly altering database information.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 250 (XML Injection) > 228 (DTD Injection)

An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 250 (XML Injection) > 83 (XPath Injection)

An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean information that they normally would not be able to. XPath Injection enables an attacker to talk directly to the XML database, thus bypassing the application completely. XPath Injection results from the failure of an application to properly sanitize input used as part of dynamic XPath expressions used to query an XML database.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 250 (XML Injection) > 84 (XQuery Injection)

This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to RDBMS, XQuery Injection uses improperly validated data that is passed to XQuery commands to traverse and execute commands that the XQuery routines have access to. XQuery injection can be used to enumerate elements on the victim's environment, inject commands to the local host, or execute queries to remote files and data sources.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 40 (Manipulating Writeable Terminal Devices)

This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection)

This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL Injection results from failure of the application to appropriately validate input.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 108 (Command Line Execution through SQL Injection)

An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 109 (Object Relational Mapping Injection)

An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject their own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 110 (SQL Injection through SOAP Parameter Tampering)

An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 470 (Expanding Control over the Operating System from the Database)

An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 66 (SQL Injection) > 7 (Blind SQL Injection)

Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages are considered best practice, the suppression alone is not sufficient to prevent SQL Injection. Blind SQL Injection is a form of SQL Injection that overcomes the lack of error messages. Without the error messages that facilitate SQL Injection, the adversary constructs input strings that probe the target through simple Boolean SQL expressions. The adversary can determine if the syntax and structure of the injection was successful based on whether the query was executed or not. Applied iteratively, the adversary determines how and where the target is vulnerable to SQL Injection.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 676 (NoSQL Injection)

An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replacement in order to achieve a variety of technical impacts such as escalating privileges, bypassing authentication, and/or executing code.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 248 (Command Injection) > 88 (OS Command Injection)

In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code)

An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware)

An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 550 (Install New Service)

When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed at startup (on a Windows system, by modifying the registry). The service name may be disguised by using a name from a related operating system or benign software. Services are usually run with elevated privileges.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 551 (Modify Existing Service)

When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 552 (Install Rootkit )

An adversary exploits a weakness in authentication to install malware that alters the functionality and information provide by targeted operating system API calls. Often referred to as rootkits, it is often used to hide the presence of programs, files, network connections, services, drivers, and other system components.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 556 (Replace File Extension Handlers)

When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many operating systems. Applications can modify the file handler for a given file extension to call an arbitrary program when a file with the given extension is opened.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 558 (Replace Trusted Executable)

An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the execution of malware when that trusted executable is called.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 564 (Run Software at Logon)

Operating system allows logon scripts to be run whenever a specific user or users logon to a system. If adversaries can access these scripts, they may insert additional code into the logon script. This code can allow them to maintain persistence or move laterally within an enclave because it is executed every time the affected user or users logon to a computer. Modifying logon scripts can effectively bypass workstation and enclave firewalls. Depending on the access configuration of the logon scripts, either local credentials or a remote administrative account may be necessary.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 579 (Replace Winlogon Helper DLL)

Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 549 (Local Execution of Code) > 542 (Targeted Malware) > 698 (Install Malicious Extension)

An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of achieving a variety of negative technical impacts.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 624 (Hardware Fault Injection)

The adversary uses disruptive signals or events, or alters the physical environment a device operates in, to cause faulty behavior in electronic devices. This can include electromagnetic pulses, laser pulses, clock glitches, ambient temperature extremes, and more. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information.Side-Channel Attack

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 624 (Hardware Fault Injection) > 625 (Mobile Device Fault Injection)

Fault injection attacks against mobile devices use disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) to cause faulty behavior. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information. Although this attack usually requires physical control of the mobile device, it is non-destructive, and the device can be used after the attack without any indication that secret keys were compromised.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 594 (Traffic Injection)

An adversary injects traffic into the target's network connection. The adversary is therefore able to degrade or disrupt the connection, and potentially modify the content. This is not a flooding attack, as the adversary is not focusing on exhausting resources. Instead, the adversary is crafting a specific input to affect the system in a particular way.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 594 (Traffic Injection) > 595 (Connection Reset)

In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection. The attacker is therefore able to have the target and/or the destination server sever the connection without having to directly filter the traffic between them.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 594 (Traffic Injection) > 595 (Connection Reset) > 596 (TCP RST Injection)

An adversary injects one or more TCP RST packets to a target after the target has made a HTTP GET request. The goal of this attack is to have the target and/or destination web server terminate the TCP connection.

1000 (Mechanisms of Attack) > 152 (Inject Unexpected Items) > 586 (Object Injection)

An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers leverage serialization in order to convert data or state into a static, binary format for saving to disk or transferring over a network. These objects are then deserialized when needed to recover the data/state. By injecting a malformed object into a vulnerable application, an adversary can potentially compromise the application by manipulating the deserialization process. This can result in a number of unwanted outcomes, including remote code execution.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques)

An attacker utilizes probabilistic techniques to explore and overcome security properties of the target that are based on an assumption of strength due to the extremely low mathematical probability that an attacker would be able to identify and exploit the very rare specific conditions under which those security properties do not hold.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force)

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 20 (Encryption Brute Forcing)

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing)

An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing) > 16 (Dictionary-based Password Attack)

An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern. Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing) > 55 (Rainbow Table Password Cracking)

An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to attempt to look up the original password. Once the original password corresponding to the hash is obtained, the attacker uses the original password to gain access to the system.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing) > 565 (Password Spraying)

In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 112 (Brute Force) > 49 (Password Brute Forcing) > 70 (Try Common or Default Usernames and Passwords)

An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversary may try an intelligent brute force using empty passwords, known vendor default credentials, as well as a dictionary of common usernames and passwords. Many vendor products come preconfigured with default (and thus well-known) usernames and passwords that should be deleted prior to usage in a production environment. It is a common mistake to forget to remove these default login credentials. Another problem is that users would pick very simple (common) passwords (e.g. "secret" or "password") that make it easier for the attacker to gain access to the system compared to using a brute force attack or even a dictionary attack using a full dictionary.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 28 (Fuzzing)

In this attack pattern, the adversary leverages fuzzing to try to identify weaknesses in the system. Fuzzing is a software security and functionality testing method that feeds randomly constructed input to the system and looks for an indication that a failure in response to that input has occurred. Fuzzing treats the system as a black box and is totally free from any preconceptions or assumptions about the system. Fuzzing can help an attacker discover certain assumptions made about user input in the system. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions despite not necessarily knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve their goals.

1000 (Mechanisms of Attack) > 223 (Employ Probabilistic Techniques) > 28 (Fuzzing) > 215 (Fuzzing for application mapping)

An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State)

An attacker exploits weaknesses in timing or state maintaining functions to perform actions that would otherwise be prevented by the execution flow of the target code and processes. An example of a state attack might include manipulation of an application's information to change the apparent credentials or similar information, possibly allowing the application to access material it would not normally be allowed to access. A common example of a timing attack is a test-action race condition where some state information is tested and, if it passes, an action is performed. If the attacker can change the state between the time that the application performs the test and the time the action is performed, then they might be able to manipulate the outcome of the action to malicious ends.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 25 (Forced Deadlock)

The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 26 (Leveraging Race Conditions)

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 26 (Leveraging Race Conditions) > 29 (Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions)

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 26 (Leveraging Race Conditions) > 29 (Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions) > 27 (Leveraging Race Conditions via Symbolic Links)

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 74 (Manipulating State)

The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner. State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits. If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 74 (Manipulating State) > 140 (Bypassing of Intermediate Forms in Multiple-Form Sets)

Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amount of information being collected or if information on earlier forms is used to pre-populate fields or determine which additional information the application needs to collect. An attacker who knows the names of the various forms in the sequence may be able to explicitly type in the name of a later form and navigate to it without first going through the previous forms. This can result in incomplete collection of information, incorrect assumptions about the information submitted by the attacker, or other problems that can impair the functioning of the application.

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 74 (Manipulating State) > 663 (Exploitation of Transient Instruction Execution)

1000 (Mechanisms of Attack) > 172 (Manipulate Timing and State) > 74 (Manipulating State) > 663 (Exploitation of Transient Instruction Execution) > 696 (Load Value Injection)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information)

Attack patterns within this category focus on the gathering, collection, and theft of information by an adversary. The adversary may collect this information through a variety of methods including active querying as well as passive observation. By exploiting weaknesses in the design or configuration of the target and its communications, an adversary is able to get the target to reveal more information than intended. Information retrieved may aid the adversary in making inferences about potential weaknesses, vulnerabilities, or techniques that assist the adversary's objectives. This information may include details regarding the configuration or capabilities of the target, clues as to the timing or nature of activities, or otherwise sensitive information. Often this sort of attack is undertaken in preparation for some other type of attack, although the collection of information by itself may in some cases be the end goal of the adversary.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation)

An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations)

An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 143 (Detect Unpublicized Web Pages)

An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to information that the targeted site did not intend to make public.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 144 (Detect Unpublicized Web Services)

An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished but available services may not have adequate security controls placed upon them given that an administrator may believe they are unreachable.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 155 (Screen Temporary Files for Sensitive Information)

An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an application's routine execution flow. Many applications use temporary files to accelerate processing or to provide records of state across multiple executions of the application. Sometimes, however, these temporary files may end up storing sensitive information. By screening an application's temporary files, an adversary might be able to discover such sensitive information. For example, web browsers often cache content to accelerate subsequent lookups. If the content contains sensitive information then the adversary could recover this from the web cache.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 406 (Dumpster Diving)

An adversary cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally discarded for information items which may be useful to the dumpster diver. The devastating nature of the items and/or information found can be anything from medical records, resumes, personal photos and emails, bank statements, account details or information about software, tech support logs and so much more, including hardware devices. By collecting this information an adversary may be able to learn important facts about the person or organization that play a role in helping the adversary in their attack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 637 (Collect Data from Clipboard)

The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboard. Data copied to the clipboard can be accessed by other applications, such as malware built to exfiltrate or log clipboard contents on a periodic basis. In this way, the adversary aims to garner information to which they are unauthorized.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 647 (Collect Data from Registries)

An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 150 (Collect Data from Common Resource Locations) > 648 (Collect Data from Screen Capture)

An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information)

An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates its robustness by submitting requests and examining responses. Often, this is accomplished by sending variants of expected queries in the hope that these modified queries might return information beyond what the expected set of queries would provide.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 127 (Directory Indexing)

An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 215 (Fuzzing for application mapping)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 261 (Fuzzing for garnering other adjacent user/sensitive data)

An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return information (directly or indirectly through error logs) beyond what the expected set of queries should provide.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 462 (Cross-Domain Search Timing)

An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 54 (Query System for Information) > 95 (WSDL Scanning)

This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. This type of probing is carried out to perform more serious attacks (e.g. parameter tampering, malicious content injection, command injection, etc.). WSDL files provide detailed information about the services ports and bindings available to consumers. For instance, the attacker can submit special characters or malicious content to the Web service and can cause a denial of service condition or illegal access to database records. In addition, the attacker may try to guess other private methods by using the information provided in the WSDL files.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources)

An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources) > 498 (Probe iOS Screenshots)

An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots created by the underlying OS while the application remains open in the background.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources) > 546 (Incomplete Data Deletion in a Multi-Tenant Environment)

An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails to completely delete storage and data from former cloud tenants' systems/resources, once these resources are allocated to new, potentially malicious tenants, the latter can probe the provided resources for sensitive information still there.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources) > 634 (Probe Audio and Video Peripherals)

The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive information about the target for financial, personal, political, or other gains which is accomplished by collecting communication data between two parties via the use of peripheral devices (e.g. microphones and webcams) or applications with audio and video capabilities (e.g. Skype) on a system.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 545 (Pull Data from System Resources) > 639 (Probe System Files)

An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is not protected by proper access control, then an adversary can access the file and search for sensitive information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 569 (Collect Data as Provided by Users)

An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is often needed by the attacker to launch a follow-on attack. This attack is different than Social Engineering as the adversary is not tricking or deceiving the user. Instead the adversary is putting a mechanism in place that captures the information that a user legitimately enters into a system. Deploying a keylogger, performing a UAC prompt, or wrapping the Windows default credential provider are all examples of such interactions.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 569 (Collect Data as Provided by Users) > 568 (Capture Credentials via Keylogger)

An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a user, the adversary can analyze the data and determine which string are likely to be passwords or other credential related information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 116 (Excavation) > 675 (Retrieve Data from Decommissioned Devices)

An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception)

An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks)

In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, and/or hear the communication traffic, but not necessarily block the communication or change its content. Any transmission medium can theoretically be sniffed if the adversary can examine the contents between the sender and recipient. Sniffing Attacks are similar to Adversary-In-The-Middle attacks (CAPEC-94), but are entirely passive. AiTM attacks are predominantly active and often alter the content of the communications themselves.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 158 (Sniffing Network Traffic)

In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive information at the protocol level. Network sniffing applications can reveal TCP/IP, DNS, Ethernet, and other low-level network communication information. The adversary takes a passive role in this attack pattern and simply observes and analyzes the traffic. The adversary may precipitate or indirectly influence the content of the observed transaction, but is never the intended recipient of the target information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 31 (Accessing/Intercepting/Modifying HTTP Cookies)

This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several different forms of this attack. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the adversary to impersonate the remote user/session. The third form is when the cookie's content is modified by the adversary before it is sent back to the server. Here the adversary seeks to convince the target server to operate on this falsified information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 57 (Utilizing REST's Trust in the System Resource to Obtain Sensitive Data)

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 609 (Cellular Traffic Intercept)

Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can deploy their own cellular tower equipment and intercept cellular traffic surreptitiously. Additionally, government agencies of adversaries and malicious actors can intercept cellular traffic via the telecommunications backbone over which mobile traffic is transmitted.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 157 (Sniffing Attacks) > 65 (Sniff Application Code)

An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 499 (Android Intent Intercept)

An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to achieve a variety of different objectives including denial of service, information disclosure, and data injection. An implicit intent sent from a trusted application can be received by any application that has declared an appropriate intent filter. If the intent is not protected by a permission that the malicious application lacks, then the attacker can gain access to the data contained within the intent. Further, the intent can be either blocked from reaching the intended destination, or modified and potentially forwarded along.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 499 (Android Intent Intercept) > 501 (Android Activity Hijack)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 651 (Eavesdropping)

An adversary intercepts a form of communication (e.g. text, audio, video) by way of software (e.g., microphone and audio recording application), hardware (e.g., recording equipment), or physical means (e.g., physical proximity). The goal of eavesdropping is typically to gain unauthorized access to sensitive information about the target for financial, personal, political, or other gains. Eavesdropping is different from a sniffing attack as it does not take place on a network-based communication channel (e.g., IP traffic). Instead, it entails listening in on the raw audio source of a conversation between two or more parties.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 651 (Eavesdropping) > 508 (Shoulder Surfing)

In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining sensitive information. One motive for this attack is to obtain sensitive information about the target for financial, personal, political, or other gains. From an insider threat perspective, an additional motive could be to obtain system/application credentials or cryptographic keys. Shoulder surfing attacks are accomplished by observing the content "over the victim's shoulder", as implied by the name of this attack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 651 (Eavesdropping) > 634 (Probe Audio and Video Peripherals)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 117 (Interception) > 651 (Eavesdropping) > 699 (Eavesdropping on a Monitor)

An Adversary can eavesdrop on the content of an external monitor through the air without modifying any cable or installing software, just capturing this signal emitted by the cable or video port, with this the attacker will be able to impact the confidentiality of the data without being detected by traditional security tools

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting)

An adversary engages in probing and exploration activities to identify constituents and properties of the target.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery)

An adversary sends a probe to an IP address to determine if the host is alive. Host discovery is one of the earliest phases of network reconnaissance. The adversary usually starts with a range of IP addresses belonging to a target network and uses various methods to determine if a host is present at that IP address. Host discovery is usually referred to as 'Ping' scanning using a sonar analogy. The goal is to send a packet through to the IP address and solicit a response from the host. As such, a 'ping' can be virtually any crafted packet whatsoever, provided the adversary can identify a functional host based on its response. An attack of this nature is usually carried out with a 'ping sweep,' where a particular kind of ping is sent to a range of IP addresses.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 285 (ICMP Echo Request Ping)

An adversary sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the request is not blocked by a firewall or ACL, the target host will respond with an ICMP Type 0 Echo Reply datagram. This type of exchange is usually referred to as a 'Ping' due to the Ping utility present in almost all operating systems. Ping, as commonly implemented, allows a user to test for alive hosts, measure round-trip time, and measure the percentage of packet loss.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 294 (ICMP Address Mask Request)

An adversary sends an ICMP Type 17 Address Mask Request to gather information about a target's networking configuration. ICMP Address Mask Requests are defined by RFC-950, "Internet Standard Subnetting Procedure." An Address Mask Request is an ICMP type 17 message that triggers a remote system to respond with a list of its related subnets, as well as its default gateway and broadcast address via an ICMP type 18 Address Mask Reply datagram. Gathering this type of information helps the adversary plan router-based attacks as well as denial-of-service attacks against the broadcast address.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 295 (Timestamp Request)

This pattern of attack leverages standard requests to learn the exact time associated with a target system. An adversary may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 296 (ICMP Information Request)

An adversary sends an ICMP Information Request to a host to determine if it will respond to this deprecated mechanism. ICMP Information Requests are a deprecated message type. Information Requests were originally used for diskless machines to automatically obtain their network configuration, but this message type has been superseded by more robust protocol implementations like DHCP.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 297 (TCP ACK Ping)

An adversary sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive. This is one of several TCP 'ping' types. The RFC 793 expected behavior for a service is to respond with a RST 'reset' packet to any unsolicited ACK segment that is not part of an existing connection. So by sending an ACK segment to a port, the adversary can identify that the host is alive by looking for a RST packet. Typically, a remote server will respond with a RST regardless of whether a port is open or closed. In this way, TCP ACK pings cannot discover the state of a remote port because the behavior is the same in either case. The firewall will look up the ACK packet in its state-table and discard the segment because it does not correspond to any active connection. A TCP ACK Ping can be used to discover if a host is alive via RST response packets sent from the host.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 298 (UDP Ping)

An adversary sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very often no response, so a typical strategy for using a UDP ping is to send the datagram to a random high port on the target. The goal is to solicit an 'ICMP port unreachable' message from the target, indicating that the host is alive. UDP pings are useful because some firewalls are not configured to block UDP datagrams sent to strange or typically unused ports, like ports in the 65K range. Additionally, while some firewalls may filter incoming ICMP, weaknesses in firewall rule-sets may allow certain types of ICMP (host unreachable, port unreachable) which are useful for UDP ping attempts.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 299 (TCP SYN Ping)

An adversary uses TCP SYN packets as a means towards host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must respond to an incoming SYN "synchronize" packet by completing stage two of the 'three-way handshake' - by sending an SYN/ACK in response. When a port is closed, RFC 793 behavior is to respond with a RST "reset" packet. This behavior can be used to 'ping' a target to see if it is alive by sending a TCP SYN packet to a port and then looking for a RST or an ACK packet in response.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 612 (WiFi MAC Address Tracking)

In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addresses are intended to be unique to each wireless device (although they can be configured and changed by software). Once the attacker is able to associate a MAC address with a particular user or set of users (for example, when attending a public event), the attacker can then scan for that MAC address to track that user in the future.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 613 (WiFi SSID Tracking)

In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiFi network. These messages are frequently transmitted by WiFi access points (e.g., the retransmission device) as well as by clients that are accessing the network (e.g., the handset/mobile device). Once the attacker is able to associate an SSID with a particular user or set of users (for example, when attending a public event), the attacker can then scan for this SSID to track that user in the future.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 618 (Cellular Broadcast Message Request)

In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.e., the number associated with the SIM used in the retransmission device) to cause the cellular network to send broadcast messages to alert the mobile device. Since the network knows which cell tower the target’s mobile device is attached to, the broadcast messages are only sent in the Location Area Code (LAC) where the target is currently located. By triggering the cellular broadcast message and then listening for the presence or absence of that message, an attacker could verify that the target is in (or not in) a given location.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 292 (Host Discovery) > 619 (Signal Strength Tracking)

In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the strength of the signal (with directional antennas and/or from multiple listening points at once) to identify the source location of the signal. Obtaining the signal of the target can be accomplished through multiple techniques such as through Cellular Broadcast Message Request or through the use of IMSI Tracking or WiFi MAC Address Tracking.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning)

An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP or UDP networking will have a port open for communications over the network.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 287 (TCP SYN Scan)

An adversary uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is used because of its many advantages and few drawbacks. As a result, novice attackers tend to overly rely on the SYN scan while performing system reconnaissance. As a scanning method, the primary advantages of SYN scanning are its universality and speed.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 301 (TCP Connect Scan)

An adversary uses full TCP connection attempts to determine if a port is open on the target system. The scanning process involves completing a 'three-way handshake' with a remote port, and reports the port as closed if the full handshake cannot be established. An advantage of TCP connect scanning is that it works against any TCP/IP stack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 302 (TCP FIN Scan)

An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 303 (TCP Xmas Scan)

An adversary uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with all possible flags set in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 304 (TCP Null Scan)

An adversary uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with no flags in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 305 (TCP ACK Scan)

An adversary uses TCP ACK segments to gather information about firewall or ACL configuration. The purpose of this type of scan is to discover information about filter configurations rather than port state. This type of scanning is rarely useful alone, but when combined with SYN scanning, gives a more complete picture of the type of firewall rules that are present.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 306 (TCP Window Scan)

An adversary engages in TCP Window scanning to analyze port status and operating system type. TCP Window scanning uses the ACK scanning method but examine the TCP Window Size field of response RST packets to make certain inferences. While TCP Window Scans are fast and relatively stealthy, they work against fewer TCP stack implementations than any other type of scan. Some operating systems return a positive TCP window size when a RST packet is sent from an open port, and a negative value when the RST originates from a closed port. TCP Window scanning is one of the most complex scan types, and its results are difficult to interpret. Window scanning alone rarely yields useful information, but when combined with other types of scanning is more useful. It is a generally more reliable means of making inference about operating system versions than port status.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 307 (TCP RPC Scan)

An adversary scans for RPC services listing on a Unix/Linux host.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 300 (Port Scanning) > 308 (UDP Scan)

An adversary engages in UDP scanning to gather information about UDP port status on the target system. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed. Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port. UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping)

An adversary engages in scanning activities to map network nodes, hosts, devices, and routes. Adversaries usually perform this type of network reconnaissance during the early stages of attack against an external network. Many types of scanning utilities are typically employed, including ICMP tools, network mappers, port scanners, and route testing utilities such as traceroute.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping) > 290 (Enumerate Mail Exchange (MX) Records)

An adversary enumerates the MX records for a given via a DNS query. This type of information gathering returns the names of mail servers on the network. Mail servers are often not exposed to the Internet but are located within the DMZ of a network protected by a firewall. A side effect of this configuration is that enumerating the MX records for an organization my reveal the IP address of the firewall or possibly other internal systems. Attackers often resort to MX record enumeration when a DNS Zone Transfer is not possible.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping) > 291 (DNS Zone Transfers)

An attacker exploits a DNS misconfiguration that permits a ZONE transfer. Some external DNS servers will return a list of IP address and valid hostnames. Under certain conditions, it may even be possible to obtain Zone data about the organization's internal network. When successful the attacker learns valuable information about the topology of the target organization, including information about particular servers, their role within the IT structure, and possibly information about the operating systems running upon the network. This is configuration dependent behavior so it may also be required to search out multiple DNS servers while attempting to find one with ZONE transfers allowed.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping) > 293 (Traceroute Route Enumeration)

An adversary uses a traceroute utility to map out the route which data flows through the network in route to a target destination. Tracerouting can allow the adversary to construct a working topology of systems and routers by listing the systems through which data passes through on their way to the targeted machine. This attack can return varied results depending upon the type of traceroute that is performed. Traceroute works by sending packets to a target while incrementing the Time-to-Live field in the packet header. As the packet traverses each hop along its way to the destination, its TTL expires generating an ICMP diagnostic message that identifies where the packet expired. Traditional techniques for tracerouting involved the use of ICMP and UDP, but as more firewalls began to filter ingress ICMP, methods of traceroute using TCP were developed.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 309 (Network Topology Mapping) > 643 (Identify Shared Files/Directories on System)

An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common areas. Through the identification of shared folders/drives between systems, the adversary may further their goals of locating and collecting sensitive information/files, or map potential routes for lateral movement within the network.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 497 (File Discovery)

An adversary engages in probing and exploration activities to determine if common key files exists. Such files often contain configuration and security parameters of the targeted application, system or network. Using this knowledge may often pave the way for more damaging attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 497 (File Discovery) > 149 (Explore for Predictable Temporary File Names)

An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks against the target. This involves analyzing naming conventions and storage locations of the temporary files created by a target application. If an attacker can predict the names of temporary files they can use this information to mount other attacks, such as information gathering and symlink attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 529 (Malware-Directed Internal Reconnaissance)

Adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the composition, configuration, and security mechanisms of a targeted application, system or network.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 573 (Process Footprinting)

An adversary exploits functionality meant to identify information about the currently running processes on the target system to an authorized user. By knowing what processes are running on the target system, the adversary can learn about the target environment as a means towards further malicious behavior.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 574 (Services Footprinting)

An adversary exploits functionality meant to identify information about the services on the target system to an authorized user. By knowing what services are registered on the target system, the adversary can learn about the target environment as a means towards further malicious behavior. Depending on the operating system, commands that can obtain services information include "sc" and "tasklist/svc" using Tasklist, and "net start" using Net.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 575 (Account Footprinting)

An adversary exploits functionality meant to identify information about the domain accounts and their permissions on the target system to an authorized user. By knowing what accounts are registered on the target system, the adversary can inform further and more targeted malicious behavior. Example Windows commands which can acquire this information are: "net user" and "dsquery".

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 576 (Group Permission Footprinting)

An adversary exploits functionality meant to identify information about user groups and their permissions on the target system to an authorized user. By knowing what users/permissions are registered on the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command which can list local groups is "net localgroup".

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 577 (Owner Footprinting)

An adversary exploits functionality meant to identify information about the primary users on the target system to an authorized user. They may do this, for example, by reviewing logins or file modification times. By knowing what owners use the target system, the adversary can inform further and more targeted malicious behavior. An example Windows command that may accomplish this is "dir /A ntuser.dat". Which will display the last modified time of a user's ntuser.dat file when run within the root folder of a user. This time is synonymous with the last time that user was logged in.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 580 (System Footprinting)

An adversary engages in active probing and exploration activities to determine security information about a remote target system. Often times adversaries will rely on remote applications that can be probed for system configurations.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 580 (System Footprinting) > 581 (Security Software Footprinting)

Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations. This may include security related system features (such as a built-in firewall or anti-spyware) as well as third-party security software.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 580 (System Footprinting) > 85 (AJAX Footprinting)

This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker point of view. A common first step for an attacker is to footprint the target environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that are typical in Ajax applications enable an attacker to look for many vulnerabilities, well-known ports, network locations and so on. The knowledge gained through Ajax fingerprinting can be used to support other attacks, such as XSS.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 646 (Peripheral Footprinting)

Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 169 (Footprinting) > 694 (System Location Discovery)

An adversary collects information about the target system in an attempt to identify the system's geographical location. Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting)

An adversary compares output from a target system to known indicators that uniquely identify specific details about the target. Most commonly, fingerprinting is done to determine operating system and application versions. Fingerprinting can be done passively as well as actively. Fingerprinting by itself is not usually detrimental to the target. However, the information gathered through fingerprinting often enables an adversary to discover existing weaknesses in the target.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting)

An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 317 (IP ID Sequencing Probe)

This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis - IP 'ID' Sequencing: analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host and Shared IP 'ID' Sequencing: analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 318 (IP 'ID' Echoed Byte-Order Probe)

This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'ID' value from the probe packet. An attacker sends a UDP datagram with an arbitrary IP 'ID' value to a closed port on the remote host to observe the manner in which this bit is echoed back in the ICMP error message. The identification field (ID) is typically utilized for reassembling a fragmented packet. Some operating systems or router firmware reverse the bit order of the ID field when echoing the IP Header portion of the original datagram within an ICMP error message.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 319 (IP (DF) 'Don't Fragment Bit' Echoing Probe)

This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'DF' (Don't Fragment) bit in a response packet. An attacker sends a UDP datagram with the DF bit set to a closed port on the remote host to observe whether the 'DF' bit is set in the response packet. Some operating systems will echo the bit in the ICMP error message while others will zero out the bit in the response packet.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 320 (TCP Timestamp Probe)

This OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within the TCP header, but when timestamps are used then this provides the attacker with a means to guess the operating system of the target. The attacker begins by probing any active TCP service in order to get response which contains a TCP timestamp. Different Operating systems update the timestamp value using different intervals. This type of analysis is most accurate when multiple timestamp responses are received and then analyzed. TCP timestamps can be found in the TCP Options field of the TCP header.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 321 (TCP Sequence Number Probe)

This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is to send a probe packet to an open port on the target and then compare the how the Sequence Number generated by the target relates to the Acknowledgement Number in the probe packet. Different operating systems assign Sequence Numbers differently, so a fingerprint of the operating system can be obtained by categorizing the relationship between the acknowledgement number and sequence number as follows: 1) the Sequence Number generated by the target is Zero, 2) the Sequence Number generated by the target is the same as the acknowledgement number in the probe, 3) the Sequence Number generated by the target is the acknowledgement number plus one, or 4) the Sequence Number is any other non-zero number.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 322 (TCP (ISN) Greatest Common Divisor Probe)

This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 323 (TCP (ISN) Counter Rate Probe)

This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented using a time-based algorithm and are susceptible to a timing analysis that can determine the number of increments per unit time. The result of this analysis is then compared against a database of operating systems and versions to determine likely operation system matches.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 324 (TCP (ISN) Sequence Predictability Probe)

This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 325 (TCP Congestion Control Flag (ECN) Probe)

This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed to allow routers to notify a remote host when signal congestion problems are occurring. Explicit Congestion Notification messaging is defined by RFC 3168. Different operating systems and versions may or may not implement ECN notifications, or may respond uniquely to particular ECN flag types.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 326 (TCP Initial Window Size Probe)

This OS fingerprinting probe checks the initial TCP Window size. TCP stacks limit the range of sequence numbers allowable within a session to maintain the "connected" state within TCP protocol logic. The initial window size specifies a range of acceptable sequence numbers that will qualify as a response to an ACK packet within a session. Various operating systems use different Initial window sizes. The initial window size can be sampled by establishing an ordinary TCP connection.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 327 (TCP Options Probe)

This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use unique ordering and different option sets when options are present. RFC 793 does not specify a required order when options are present, so different implementations use unique ways of ordering or structuring TCP options. TCP options can be generated by ordinary TCP traffic.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 328 (TCP 'RST' Flag Checksum Probe)

This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet. Some operating systems will report a human-readable text message in the payload of a 'RST' (reset) packet when specific types of connection errors occur. RFC 1122 allows text payloads within reset packets but not all operating systems or routers implement this functionality.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 329 (ICMP Error Message Quoting Probe)

An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the amount of data returned or "Quoted" from the originating request that generated the ICMP error message.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 330 (ICMP Error Message Echoing Integrity Probe)

An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded, Parameter Problem) from a target and then analyze the integrity of data returned or "Quoted" from the originating request that generated the error message.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 331 (ICMP IP Total Length Field Probe)

An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port Unreachable" error message. This type of behavior is useful for building a signature-base of operating system responses, particularly when error messages contain other types of information that is useful identifying specific operating system responses.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 312 (Active OS Fingerprinting) > 332 (ICMP IP 'ID' Field Error Message Probe)

An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the manner in which this bit is echoed back in the ICMP error message. This allows the attacker to construct a fingerprint of specific OS behaviors.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 313 (Passive OS Fingerprinting)

An adversary engages in activity to detect the version or type of OS software in a an environment by passively monitoring communication between devices, nodes, or applications. Passive techniques for operating system detection send no actual probes to a target, but monitor network or client-server communication between nodes in order to identify operating systems based on observed behavior as compared to a database of known signatures or values. While passive OS fingerprinting is not usually as reliable as active methods, it is generally better able to evade detection.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 541 (Application Fingerprinting)

An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 541 (Application Fingerprinting) > 170 (Web Application Fingerprinting)

An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 541 (Application Fingerprinting) > 310 (Scanning for Vulnerable Software)

An attacker engages in scanning activity to find vulnerable software versions or types, such as operating system versions or network services. Vulnerable or exploitable network configurations, such as improperly firewalled systems, or misconfigured systems in the DMZ or external network, provide windows of opportunity for an attacker. Common types of vulnerable software include unpatched operating systems or services (e.g FTP, Telnet, SMTP, SNMP) running on open ports that the attacker has identified. Attackers usually begin probing for vulnerable software once the external network has been port scanned and potential targets have been revealed.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 224 (Fingerprinting) > 541 (Application Fingerprinting) > 472 (Browser Fingerprinting)

An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering)

An adversary discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effectively determine how the analyzed entity was constructed or operates. The goal of reverse engineering is often to duplicate the function, or a part of the function, of an object in order to duplicate or "back engineer" some aspect of its functioning. Reverse engineering techniques can be applied to mechanical objects, electronic devices, or software, although the methodology and techniques involved in each type of analysis differ widely.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering)

An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering) > 190 (Reverse Engineer an Executable to Expose Assumed Hidden Functionality)

An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by using a variety of analysis techniques to effectively determine how the software functions and operates. This type of analysis is also referred to as Reverse Code Engineering, as techniques exist for extracting source code from an executable. Several techniques are often employed for this purpose, both black box and white box. The use of computer bus analyzers and packet sniffers allows the binary to be studied at a level of interactions with its computing environment, such as a host OS, inter-process communication, and/or network communication. This type of analysis falls into the 'black box' category because it involves behavioral analysis of the software without reference to source code, object code, or protocol specifications.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering) > 191 (Read Sensitive Constants Within an Executable)

An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering) > 204 (Lifting Sensitive Data Embedded in Cache)

An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 167 (White Box Reverse Engineering) > 37 (Retrieve Embedded Sensitive Data)

An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 189 (Black Box Reverse Engineering)

An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' methods involve interacting with the software indirectly, in the absence of direct access to the executable object. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs. Black Box Reverse Engineering also refers to gathering physical side effects of a hardware device, such as electromagnetic radiation or sounds.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 189 (Black Box Reverse Engineering) > 621 (Analysis of Packet Timing and Sizes)

An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actual data may be encrypted, this metadata may reveal valuable information to an attacker. Note that this attack is applicable to VOIP data as well as application data, especially for interactive apps that require precise timing and low-latency (e.g. thin-clients).

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 189 (Black Box Reverse Engineering) > 622 (Electromagnetic Side-Channel Attack)

In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unintentional side-effect of its processing. From these emanations, the attacker derives information about the data that is being processed (e.g. the attacker can recover cryptographic keys by monitoring emanations associated with cryptographic processing). This style of attack requires proximal access to the device, however attacks have been demonstrated at public conferences that work at distances of up to 10-15 feet. There have not been any significant studies to determine the maximum practical distance for such attacks. Since the attack is passive, it is nearly impossible to detect and the targeted device will continue to operate as normal after a successful attack.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 188 (Reverse Engineering) > 189 (Black Box Reverse Engineering) > 623 (Compromising Emanations Attack)

Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed by the targeted equipment. Commercial mobile devices and retransmission devices have displays, buttons, microchips, and radios that emit mechanical emissions in the form of sound or vibrations. Capturing these emissions can help an adversary understand what the device is doing.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 192 (Protocol Analysis)

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 192 (Protocol Analysis) > 97 (Cryptanalysis)

Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing the secret key (instance deduction). Sometimes the weakness is not in the cryptographic algorithm itself, but rather in how it is applied that makes cryptanalysis successful. An attacker may have other goals as well, such as: Total Break (finding the secret key), Global Deduction (finding a functionally equivalent algorithm for encryption and decryption that does not require knowledge of the secret key), Information Deduction (gaining some information about plaintexts or ciphertexts that was not previously known) and Distinguishing Algorithm (the attacker has the ability to distinguish the output of the encryption (ciphertext) from a random permutation of bits).

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 192 (Protocol Analysis) > 97 (Cryptanalysis) > 463 (Padding Oracle Crypto Attack)

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 192 (Protocol Analysis) > 97 (Cryptanalysis) > 608 (Cryptanalysis of Cellular Encryption)

The use of cryptanalytic techniques to derive cryptographic keys or otherwise effectively defeat cellular encryption to reveal traffic content. Some cellular encryption algorithms such as A5/1 and A5/2 (specified for GSM use) are known to be vulnerable to such attacks and commercial tools are available to execute these attacks and decrypt mobile phone conversations in real-time. Newer encryption algorithms in use by UMTS and LTE are stronger and currently believed to be less vulnerable to these types of attacks. Note, however, that an attacker with a Cellular Rogue Base Station can force the use of weak cellular encryption even by newer mobile devices.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation)

An adversary engages an individual using any combination of social engineering methods for the purpose of extracting information. Accurate contextual and environmental queues, such as knowing important information about the target company or individual can greatly increase the success of the attack and the quality of information gathered. Authentic mimicry combined with detailed knowledge increases the success of elicitation attacks.

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 383 (Harvesting Information via API Event Monitoring)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 412 (Pretexting via Customer Service)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 413 (Pretexting via Tech Support)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 414 (Pretexting via Delivery Person)

1000 (Mechanisms of Attack) > 118 (Collect and Analyze Information) > 410 (Information Elicitation) > 407 (Pretexting) > 415 (Pretexting via Phone)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control)

An attacker actively targets exploitation of weaknesses, limitations and assumptions in the mechanisms a target utilizes to manage identity and authentication as well as manage access to its resources or authorize functionality. Such exploitation can lead to the complete subversion of any trust the target system may have in the identity of any entity with which it interacts, or the complete subversion of any control the target has over its data or functionality. Weaknesses targeted by subversion of authorization controls are often due to three primary factors: 1) a fundamental dependence on authentication mechanisms being effective; 2) a lack of effective control over the separation of privilege between various entities; and 3) assumptions and over confidence in the strength or rigor of the implemented authorization mechanisms.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers)

An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 196 (Session Credential Falsification through Forging)

An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 196 (Session Credential Falsification through Forging) > 226 (Session Credential Falsification through Manipulation)

An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. An attacker may be able to manipulate a credential sniffed from an existing connection in order to gain access to a target server.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 196 (Session Credential Falsification through Forging) > 59 (Session Credential Falsification through Prediction)

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 510 (SaaS User Request Forgery)

An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) application (also known as a cloud based application) by leveraging the persistent and implicit trust placed on a trusted user's session. This attack is executed after a trusted user is authenticated into a cloud service, "piggy-backing" on the authenticated session, and exploiting the fact that the cloud service believes it is only interacting with the trusted user. If successful, the actions embedded in the malicious application will be processed and accepted by the targeted SaaS application and executed at the trusted user's privilege level.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking)

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking) > 102 (Session Sidejacking)

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking) > 107 (Cross Site Tracing)

Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking) > 60 (Reusing Session IDs (aka Session Replay))

This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 593 (Session Hijacking) > 61 (Session Fixation)

The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user successfully authenticates to the target software, the attacker uses the (now privileged) session identifier in their own transactions. This attack leverages the fact that the target software either relies on client-generated session identifiers or maintains the same session identifiers after privilege elevation.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 62 (Cross Site Request Forgery)

An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.Session Riding

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 21 (Exploitation of Trusted Identifiers) > 62 (Cross Site Request Forgery) > 467 (Cross Site Identification)

An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep their session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing).

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 114 (Authentication Abuse)

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 114 (Authentication Abuse) > 90 (Reflection Attack in Authentication Protocol)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass)

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 461 (Web Services API Signature Forgery Leveraging Hash Function Extension Weakness)

An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 480 (Escaping Virtualization)

An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 480 (Escaping Virtualization) > 237 (Escaping a Sandbox by Calling Code in Another Language)

The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 664 (Server Side Request Forgery)

An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, with the goal of forcing the server to make a request either to itself, to web services running in the server’s internal network, or to external third parties. If successful, the adversary’s request will be made with the server’s privilege level, bypassing its authentication controls. This ultimately allows the adversary to access sensitive data, execute commands on the server’s network, and make external requests with the stolen identity of the server. Server Side Request Forgery attacks differ from Cross Site Request Forgery attacks in that they target the server itself, whereas CSRF attacks exploit an insecure user authentication mechanism to perform unauthorized actions on the user's behalf.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 668 (Key Negotiation of Bluetooth Attack (KNOB))

An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 115 (Authentication Bypass) > 87 (Forceful Browsing)

An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client)

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 202 (Create Malicious Client)

An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients. Services that have designated client applications (as opposed to services that use general client applications, such as IMAP or POP mail servers which can interact with any IMAP or POP client) may assume that the client will follow specific procedures.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 207 (Removing Important Client Functionality)

An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 207 (Removing Important Client Functionality) > 200 (Removal of filters: Input filters, output filters, data masking)

An attacker removes or disables filtering mechanisms on the target application. Input filters prevent invalid data from being sent to an application (for example, overly large inputs that might cause a buffer overflow or other malformed inputs that may not be correctly handled by an application). Input filters might also be designed to constrained executable content.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 207 (Removing Important Client Functionality) > 208 (Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements)

An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the server. A server may rely on a client to correctly compute monetary information. For example, a server might supply a price for an item and then rely on the client to correctly compute the total cost of a purchase given the number of items the user is buying. If the attacker can remove or modify the logic that controls these calculations, they can return incorrect values to the server. The attacker can use this to make purchases for a fraction of the legitimate cost or otherwise avoid correct billing for activities.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 39 (Manipulating Opaque Client-based Data Tokens)

In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 39 (Manipulating Opaque Client-based Data Tokens) > 31 (Accessing/Intercepting/Modifying HTTP Cookies)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 77 (Manipulating User-Controlled Variables)

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 77 (Manipulating User-Controlled Variables) > 13 (Subverting Environment Variable Values)

The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 22 (Exploiting Trust in Client) > 77 (Manipulating User-Controlled Variables) > 162 (Manipulating Hidden Fields)

An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, and then submitting this data to the server, which processes the modified data. For example, eShoplifting is a data manipulation attack against an on-line merchant during a purchasing transaction. The manipulation of price, discount or quantity fields in the transaction message allows the adversary to acquire items at a lower cost than the merchant intended. The adversary performs a normal purchasing transaction but edits hidden fields within the HTML form response that store price or other information to give themselves a better deal. The merchant then uses the modified pricing information in calculating the cost of the selected items.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM))

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components. Man-in-the-Middle / MITMPerson-in-the-Middle / PiTMMonkey-in-the-MiddleMonster-in-the-MiddleOn-path Attacker

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 219 (XML Routing Detour Attacks)

An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 384 (Application API Message Manipulation via Man-in-the-Middle)

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack can allow the attacker to gain unauthorized privileges within the application, or conduct attacks such as phishing, deceptive strategies to spread malware, or traditional web-application attacks. The techniques require use of specialized software that allow the attacker to perform adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system. Despite the use of AiTH software, the attack is actually directed at the server, as the client is one node in a series of content brokers that pass information along to the application framework. Additionally, it is not true "Adversary-in-the-Middle" attack at the network layer, but an application-layer attack the root cause of which is the master applications trust in the integrity of code supplied by the client.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 384 (Application API Message Manipulation via Man-in-the-Middle) > 385 (Transaction or Event Tampering via Application API Manipulation)

An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item or another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allow the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attack to scam the victim by trapping the data packets involved the exchange and altering the integrity of the transfer process.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 384 (Application API Message Manipulation via Man-in-the-Middle) > 389 (Content Spoofing Via Application API Manipulation)

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 386 (Application API Navigation Remapping)

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of links/buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains links/buttons that point to an attacker controlled destination. Some applications make navigation remapping more difficult to detect because the actual HREF values of images, profile elements, and links/buttons are masked. One example would be to place an image in a user's photo gallery that when clicked upon redirected the user to an off-site location. Also, traditional web vulnerabilities (such as CSRF) can be constructed with remapped buttons or links. In some cases navigation remapping can be used for Phishing attacks or even means to artificially boost the page view, user site reputation, or click-fraud.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 386 (Application API Navigation Remapping) > 387 (Navigation Remapping To Propagate Malicious Content)

An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and thereby circumvent the expected application logic.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 386 (Application API Navigation Remapping) > 388 (Application API Button Hijacking)

An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or content of buttons displayed to a user within API messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that looks authentic but contains buttons that point to an attacker controlled destination.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 466 (Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy)

An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. This active adversary in the middle attack could be launched, for instance, when the victim is connected to a public WIFI hot spot. An attacker is able to intercept requests and responses between the victim's browser and some non-sensitive website that does not use TLS.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 662 (Adversary in the Browser (AiTB))

An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between two endpoints. Man in the BrowserBoy in the BrowserMan in the Mobile

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 94 (Adversary in the Middle (AiTM)) > 701 (Browser in the Middle (BiTM))

An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's browser to the adversary's system. The adversary must deploy a web client with a remote desktop session that the victim can access.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse)

An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs)

In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs) > 58 (Restful Privilege Elevation)

An adversary identifies a Rest HTTP (Get, Put, Delete) style permission method allowing them to perform various malicious actions upon server data due to lack of access control mechanisms implemented within the application service accepting HTTP messages.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs) > 679 (Exploitation of Improperly Configured or Implemented Memory Protections)

An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs) > 680 (Exploitation of Improperly Controlled Registers)

An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 1 (Accessing Functionality Not Properly Constrained by ACLs) > 681 (Exploitation of Improperly Controlled Hardware Security Identifiers)

An adversary takes advantage of missing or incorrectly configured security identifiers (e.g., tokens), which are used for access control within a System-on-Chip (SoC), to read/write data or execute a given action.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files)

An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 177 (Create files with the same name as files protected with a higher classification)

An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privileged file. The attacker could manipulate the system if the attacker-created file is trusted by the operating system or an application component that attempts to load the original file. Applications often load or include external files, such as libraries or configuration files. These files should be protected against malicious manipulation. However, if the application only uses the name of the file when locating it, an attacker may be able to create a file with the same name and place it in a directory that the application will search before the directory with the legitimate file is searched. Because the attackers' file is discovered first, it would be used by the target application. This attack can be extremely destructive if the referenced file is executable and/or is granted special privileges based solely on having a particular name.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 263 (Force Use of Corrupted Files)

This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 562 (Modify Shared File)

An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens the shared content, the tainted content is executed.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 563 (Add Malicious File to Shared Webroot)

An adversaries may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the server to execute the content. The malicious content will typically run under the context and permissions of the web server process, often resulting in local system or administrative privileges depending on how the web server is configured.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 642 (Replace Binaries)

Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. These binaries can be replaced by malware, which can then be executed.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 17 (Using Malicious Files) > 650 (Upload a Web Shell to a Web Server)

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels)

An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 58 (Restful Privilege Elevation)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 679 (Exploitation of Improperly Configured or Implemented Memory Protections)

An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious code into said memory.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 680 (Exploitation of Improperly Controlled Registers)

An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obtained or modified by a user.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 681 (Exploitation of Improperly Controlled Hardware Security Identifiers)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 180 (Exploiting Incorrectly Configured Access Control Security Levels) > 702 (Exploiting Incorrect Chaining or Granularity of Hardware Debug Components)

An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug functionality on a chip. This happens when authorization is not checked on a per function basis and is assumed for a chain or group of debug functionality.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 201 (Serialized Data External Linking)

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 122 (Privilege Abuse) > 503 (WebView Exposure)

An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJavascriptInterface API. Once an interface is registered to WebView through addJavascriptInterface, it becomes global and all pages loaded in the WebView can call this interface.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation)

An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 104 (Cross Zone Scripting)

An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 234 (Hijacking a privileged process)

An adversary gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some processes are assigned elevated privileges on an operating system, usually through association with a particular user, group, or role. If an attacker can hijack this process, they will be able to assume its level of privilege in order to execute their own code.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 30 (Hijacking a Privileged Thread of Execution)

An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privleged thread to do their bidding, adversaries can evade process-based detection that would stop an attack that creates a new process. This can lead to an adversary gaining access to the process's memory and can also enable elevated privileges. The most common way to perform this attack is by suspending an existing thread and manipulating its memory.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 68 (Subvert Code-signing Facilities)

Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 233 (Privilege Escalation) > 69 (Target Programs with Elevated Privileges)

This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbitrary code to execute with elevated privileges.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security)

Facilities often used layered models for physical security such as traditional locks, Electronic-based card entry systems, coupled with physical alarms. Hardware security mechanisms range from the use of computer case and cable locks as well as RFID tags for tracking computer assets. This layered approach makes it difficult for random physical security breaches to go unnoticed, but is less effective at stopping deliberate and carefully planned break-ins. Avoiding detection begins with evading building security and surveillance and methods for bypassing the electronic or physical locks which secure entry points.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 391 (Bypassing Physical Locks)

An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional lock and key mechanisms, cable locks used to secure laptops or servers, locks on server cases, or other such devices. Techniques such as lock bumping, lock forcing via snap guns, or lock picking can be employed to bypass those locks and gain access to the facilities or devices they protect, although stealth, evidence of tampering, and the integrity of the lock following an attack, are considerations that may determine the method employed. Physical locks are limited by the complexity of the locking mechanism. While some locks may offer protections such as shock resistant foam to prevent bumping or lock forcing methods, many commonly employed locks offer no such countermeasures.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 391 (Bypassing Physical Locks) > 392 (Lock Bumping)

An attacker uses a bump key to force a lock on a building or facility and gain entry. Lock Bumping is the use of a special type of key that can be tapped or bumped to cause the pins within the lock to fall into temporary alignment, allowing the lock to be opened. Lock bumping allows an attacker to open a lock without having the correct key. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A bump key is a specially constructed key that exploits this design. When the bump key is struck or firmly tapped, its teeth transfer the force of the tap into the key pins, causing the lock to momentarily shift into proper alignment for the mechanism to be opened.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 391 (Bypassing Physical Locks) > 393 (Lock Picking)

An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools to manipulate the pins within a lock. Different sets of tools are required for each type of lock. Lock picking attacks have the advantage of being non-invasive in that if performed correctly the lock will not be damaged. A standard lock pin-and-tumbler lock is secured by a set of internal pins that prevent the tumbler device from turning. Spring loaded driver pins push down on the key pins preventing rotation so that the bolt remains in a locked position.. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. Most common locks, such as domestic locks in the US, can be picked using a standard 2 tools (i.e. a torsion wrench and a hook pick).

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 391 (Bypassing Physical Locks) > 394 (Using a Snap Gun Lock to Force a Lock)

An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking instrument that works on similar principles as lock bumping. A snap gun is a hand-held device with an attached metal pick. The metal pick strikes the pins within the lock, transferring motion from the key pins to the driver pins and forcing the lock into momentary alignment. A standard lock is secured by a set of internal pins that prevent the device from turning. Spring loaded driver pins push down on the key pins. When the correct key is inserted, the ridges on the key push the key pins up and against the driver pins, causing correct alignment which allows the lock cylinder to rotate. A Snap Gun exploits this design by using a metal pin to strike all of the key pins at once, forcing the driver pins to shift into an unlocked position. Unlike bump keys or lock picks, a Snap Gun may damage the lock more easily, leaving evidence that the lock has been tampered with.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls)

An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access controls follow similar methods but utilize different tools. Some electronic locks utilize magnetic strip cards, others employ RFID tags embedded within a card or badge, or may involve more sophisticated protections such as voice-print, thumb-print, or retinal biometrics. Magnetic Strip and RFID technologies are the most widespread because they are cost effective to deploy and more easily integrated with other electronic security measures. These technologies share common weaknesses that an attacker can exploit to gain access to a facility protected by the mechanisms via copying legitimate cards or badges, or generating new cards using reverse-engineered algorithms.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 397 (Cloning Magnetic Strip Cards)

An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a person's private information. Magstripe cards encode data on a band of iron-based magnetic particles arrayed in a stripe along a rectangular card. Most magstripe card data formats conform to ISO standards 7810, 7811, 7813, 8583, and 4909. The primary advantage of magstripe technology is ease of encoding and portability, but this also renders magnetic strip cards susceptible to unauthorized duplication. If magstripe cards are used for access control, all an attacker need do is obtain a valid card long enough to make a copy of the card and then return the card to its location (i.e. a co-worker's desk). Magstripe reader/writers are widely available as well as software for analyzing data encoded on the cards. By swiping a valid card, it becomes trivial to make any number of duplicates that function as the original.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 398 (Magnetic Strip Card Brute Force Attacks)

An adversary analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthorized access and/or impersonation of individuals.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 399 (Cloning RFID Cards or Chips)

An attacker analyzes data returned by an RFID chip and uses this information to duplicate a RFID signal that responds identically to the target chip. In some cases RFID chips are used for building access control, employee identification, or as markers on products being delivered along a supply chain. Some organizations also embed RFID tags inside computer assets to trigger alarms if they are removed from particular rooms, zones, or buildings. Similar to Magnetic strip cards, RFID cards are susceptible to duplication (cloning) and reuse.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 400 (RFID Chip Deactivation or Destruction)

An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive. RFID tags are used primarily for access control, inventory, or anti-theft devices. The purpose of attacking the RFID chip is to disable or damage the chip without causing damage to the object housing it.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 390 (Bypassing Physical Security) > 395 (Bypassing Electronic Locks and Access Controls) > 626 (Smudge Attack)

Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 507 (Physical Theft)

An adversary gains physical access to a system or device through theft of the item. Possession of a system or device enables a number of unique attacks to be executed and often provides the adversary with an extended timeframe for which to perform an attack. Most protections put in place to secure sensitive information can be defeated when an adversary has physical access and enough time.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials)

An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 555 (Remote Services with Stolen Credentials)

This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 600 (Credential Stuffing)

An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 652 (Use of Known Kerberos Credentials)

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 652 (Use of Known Kerberos Credentials) > 509 (Kerberoasting)

Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 652 (Use of Known Kerberos Credentials) > 645 (Use of Captured Tickets (Pass The Ticket))

An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 653 (Use of Known Operating System Credentials)

An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 653 (Use of Known Operating System Credentials) > 561 (Windows Admin Shares with Stolen Credentials)

An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.

1000 (Mechanisms of Attack) > 225 (Subvert Access Control) > 560 (Use of Known Domain Credentials) > 653 (Use of Known Operating System Credentials) > 644 (Use of Captured Hashes (Pass The Hash))

An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.