New to CAPEC? Start Here
Home > CAPEC List > CAPEC-536: Data Injected During Configuration (Version 3.9)  

CAPEC-536: Data Injected During Configuration

Attack Pattern ID: 536
Abstraction: Standard
View customized information:
+ Description
An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.
+ Likelihood Of Attack


+ Typical Severity


+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.176Configuration/Environment Manipulation
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
  1. Determine configuration process: The adversary, through a previously compromised system, either remotely or physically, determines what the configuration process is. They look at configuration files, data files, and running processes on the system to identify areas where they could inject malicious data.

  2. Determine when configuration occurs: The adversary needs to then determine when configuration or recalibration of a system occurs so they know when to inject malicious data.

    Look for a weekly update cycle or repeated update schedule.
    Insert a malicious process into the target system that notifies the adversary when configuration is occurring.
  1. Determine malicious data to inject: By looking at the configuration process, the adversary needs to determine what malicious data they want to insert and where to insert it.

    Add false log data
    Change configuration files
    Change data files
  1. Inject malicious data: Right before, or during system configuration, the adversary injects the malicious data. This leads to the system behaving in a way that is beneficial to the adversary and is often followed by other attacks.

+ Prerequisites
The attacker must have previously compromised the victim's systems or have physical access to the victim's systems.
Advanced knowledge of software and hardware capabilities of a manufacturer's product.
+ Skills Required
[Level: High]
Ability to generate and inject false data into operational data into a system with the intent of causing the victim to alter the configuration of the system.
+ Mitigations
Ensure that proper access control is implemented on all systems to prevent unauthorized access to system files and processes.
+ Example Instances
An adversary wishes to bypass a security system to access an additional network segment where critical data is kept. The adversary knows that some configurations of the security system will allow for remote bypass under certain conditions, such as switching a specific parameter to a different value. The adversary knows the bypass will work but also will be detected within the logging data of the security system. The adversary waits until an upgrade is performed to the security system by the victim's system administrators, and the adversary has access to an external logging system. The adversary injects false log entries that cause the administrators to think there are two different error states within the security system - one involving the specific parameter and the other involving the logging entries. The specific parameter is adjusted to a different value, and the logging level is reduced to a lower level that will not cause an adversary bypass to be detected. The adversary stops injecting false log data, and the administrators of the security system believe the issues were caused by the upgrade and are now resolved. The adversary is then able to bypass the security system.
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <>.
+ Content History
Submission DateSubmitterOrganization
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modification DateModifierOrganization
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 2.9)
CAPEC Content TeamThe MITRE Corporation
Updated Examples-Instances, Typical_Likelihood_of_Exploit
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Examples-Instances, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated @Abstraction
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 31, 2018