Common Attack Pattern Enumeration and Classification

1. Survey: The attacker surveys the target application, possibly as a valid and authenticated user

   Techniques
   Spidering web sites for all available links
   Brute force guessing of resource names
   Brute force guessing of user names / credentials
   Brute force guessing of function names / actions

2. Identify Functionality: At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions

   Techniques
   Use the web inventory of all forms and inputs and apply attack data to those inputs.
   Use a packet sniffer to capture and record network traffic
   Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.

1. Iterate over access capabilities: Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.

   Techniques
   Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)

1. Obtain copy of cookie: The adversary first needs to obtain a copy of the cookie. The adversary may be a legitimate end user wanting to escalate privilege, or could be somebody sniffing on a network to get a copy of HTTP cookies.

   Techniques
   Sniff cookie using a network sniffer such as Wireshark
   Obtain cookie using a utility such as the Firefox Cookie Manager, Chrome DevTools or AnEC Cookie Editor.
   Steal cookie via a cross-site scripting attack.
   Guess cookie contents if it contains predictable information.

1. Obtain sensitive information from cookie: The adversary may be able to get sensitive information from the cookie. The web application developers may have assumed that cookies are not accessible by end users, and thus, may have put potentially sensitive information in them.

   Techniques
   If cookie shows any signs of being encoded using a standard scheme such as base64, decode it.
   Analyze the cookie's contents to determine whether it contains any sensitive information.

2. Modify cookie to subvert security controls.: The adversary may be able to modify or replace cookies to bypass security controls in the application.

   Techniques
   Modify logical parts of cookie and send it back to server to observe the effects.
   Modify numeric parts of cookie arithmetically and send it back to server to observe the effects.
   Modify cookie bitwise and send it back to server to observe the effects.
   Replace cookie with an older legitimate cookie and send it back to server to observe the effects. This technique would be helpful in cases where the cookie contains a "points balance" for a given user where the points have some value. The user may spend their points and then replace their cookie with an older one to restore their balance.

Term: Man in the Browser

Term: Boy in the Browser

Term: Man in the Mobile

1. The adversary tricks the victim into installing the Trojan Horse malware onto their system.

   Techniques
   Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.

2. The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

1. The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.

Term: Man-in-the-Middle / MITM

Term: Person-in-the-Middle / PiTM

Term: Monkey-in-the-Middle

Term: Monster-in-the-Middle

Term: On-path Attacker

1. Determine Communication Mechanism: The adversary determines the nature and mechanism of communication between two components, looking for opportunities to exploit.

   Techniques
   Perform a sniffing attack and observe communication to determine a communication protocol.
   Look for application documentation that might describe a communication mechanism used by a target.

1. Position In Between Targets: The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

   Techniques
   Install spyware on a client that will intercept outgoing packets and route them to their destination as well as route incoming packets back to the client.
   Exploit a weakness in an encrypted communication mechanism to gain access to traffic. Look for outdated mechanisms such as SSL.

1. Use Intercepted Data Maliciously: The adversary observes, filters, or alters passed data of its choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.

   Techniques
   Prevent some messages from reaching their destination, causing a denial of service.

1. Identify software with frequent updates: The adversary must first identify a target software that has updates at least with some frequency, enough that there is am update infrastructure.

1. Gain access to udpate infrastructure: The adversary must then gain access to the organization's software update infrastructure. This can either be done by gaining remote access from outside the organization, or by having a malicious actor inside the organization gain access. It is often easier if someone within the organization gains access.

1. Alter the software update: Through access to the software update infrastructure, an adversary will alter the software update by injecting malware into the content of an outgoing update.

1. Select Target: The adversary searches for a suitable target to attack, such as government and/or private industry organizations.

   Techniques
   Conduct reconnaissance to determine potential targets to exploit.

2. Identify Components: After selecting a target, the adversary determines whether a vulnerable component, such as a specific make and model of a HDD, is contained within the target system.

   Techniques
   [Remote Access Vector] The adversary gains remote access to the target, typically via additional malware, and explores the system to determine hardware components that are being leveraged.
   [Physical Access Vector] The adversary intercepts components in transit and determines if the component is vulnerable to attack.

1. Optional: Create Payload: If not using an already existing payload, the adversary creates their own to be executed at defined intervals and upon system boot processes. This payload may then be tested on the target system or a test system to confirm its functionality.

1. Insert Firmware Altering Malware: Once a vulnerable component has been identified, the adversary leverages known malware tools to infect the component's firmware and drop the payload within the component's MBR. This allows the adversary to maintain persistence on the target and execute the payload without being detected.

   Techniques
   The adversary inserts the firmware altering malware on the target component, via the use of known malware tools.
   [Physical Access Vector] The adversary then sends the component to its original intended destination, where it will be installed onto a victim system.