Common Attack Pattern Enumeration and Classification

1. Survey: The attacker surveys the target application, possibly as a valid and authenticated user

   Techniques
   Spidering web sites for all available links
   Brute force guessing of resource names
   Brute force guessing of user names / credentials
   Brute force guessing of function names / actions

2. Identify Functionality: At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions

   Techniques
   Use the web inventory of all forms and inputs and apply attack data to those inputs.
   Use a packet sniffer to capture and record network traffic
   Execute the software in a debugger and record API calls into the operating system or important libraries. This might occur in an environment other than a production environment, in order to find weaknesses that can be exploited in a production environment.

1. Iterate over access capabilities: Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.

   Techniques
   Fuzzing of API parameters (URL parameters, OS API parameters, protocol parameters)

Term: Man in the Browser

Term: Boy in the Browser

Term: Man in the Mobile

1. The adversary tricks the victim into installing the Trojan Horse malware onto their system.

   Techniques
   Conduct phishing attacks, drive-by malware installations, or masquerade malicious browser extensions as being legitimate.

2. The adversary inserts themself into the communication channel initially acting as a routing proxy between the two targeted components.

1. The adversary observes, filters, or alters passed data of their choosing to gain access to sensitive information or to manipulate the actions of the two target components for their own purposes.

1. Identify software with frequent updates: The adversary must first identify a target software that has updates at least with some frequency, enough that there is am update infrastructure.

1. Gain access to udpate infrastructure: The adversary must then gain access to the organization's software update infrastructure. This can either be done by gaining remote access from outside the organization, or by having a malicious actor inside the organization gain access. It is often easier if someone within the organization gains access.

1. Alter the software update: Through access to the software update infrastructure, an adversary will alter the software update by injecting malware into the content of an outgoing update.

1. Find an android application that uses implicit intents: Since this attack only works on android applications that use implicit intents, rather than explicit intents, an adversary must first identify an app that uses implicit intents. They must also determine what the contents of the intents being sent are such that a malicious application can get sent these intents.

1. Create a malicious app: The adversary must create a malicious android app meant to intercept implicit intents from a target application

   Techniques
   Specify the type of intent wished to be intercepted in the malicious app's manifest file using an intent filter

2. Get user to download malicious app: The adversary must get a user using the targeted app to download the malicious app by any means necessary

1. Intercept Implicit Intents: Once the malicious app is downloaded, the android device will forward any implicit intents from the target application to the malicious application, allowing the adversary to gaina access to the contents of the intent. The adversary can proceed with any attack using the contents of the intent.

   Techniques
   Block the intent from reaching the desired location, causing a denial of service
   Gather sensitive information from the intercepted intent
   Modify the contents of the intent and forward along to another application

1. Discovery of potential injection vectors: Using an automated tool or manual discovery, the attacker identifies services or methods with arguments that could potentially be used as injection vectors (OS, API, SQL procedures, etc.).

   Techniques
   Manually cover the application and record the possible places where arguments could be passed into external systems.
   Use a spider, for web applications, to create a list of URLs and associated inputs.

1. 1. Attempt variations on argument content: Possibly using an automated tool, the attacker will perform injection variations of the arguments.

   Techniques
   Use a very large list of probe strings in order to detect if there is a positive result, and, what type of system has been targeted (if obscure).
   Use a proxy tool to record results, error messages and/or log if accessible.

1. Abuse of the application: The attacker injects specific syntax into a particular argument in order to generate a specific malicious effect in the targeted application.

   Techniques
   Manually inject specific payload into targeted argument.

1. Scan for Bluetooth Enabled Devices: Using BlueZ along with an antenna, an adversary searches for devices with Bluetooth on.

   Techniques
   Note the MAC address of the device you want to attack.

1. Change L2CAP Packet Length: The adversary must change the L2CAP packet length to create packets that will overwhelm a Bluetooth enabled device.

   Techniques
   An adversary downloads and installs BlueZ, the standard Bluetooth utility package for Linux.

1. Flood: An adversary sends the packets to the target device, and floods it until performance is degraded.

1. Identify potential targets: The adversary identifies an application or service that the target is likely to use.

   Techniques
   The adversary stands up a server to host the transparent browser and entices victims to use it by using a domain name similar to the legitimate application. In addition to the transparent browser, the adversary could also install a web proxy, sniffer, keylogger, and other tools to assist in their goals.

1. Lure victims: The adversary crafts a phishing campaign to lure unsuspecting victims into using the transparent browser.

   Techniques
   An adversary can create a convincing email with a link to download the web client and interact with the transparent browser.

1. Monitor and Manipulate Data: When the victim establishes the connection to the transparent browser, the adversary can view victim activity and make alterations to what the victim sees when browsing the web.

   Techniques
   Once a victim has established a connection to the transparent browser, the adversary can use installed tools such as a web proxy, keylogger, or additional malicious browser extensions to gather and manipulate data or impersonate the victim.