CAPEC - VIEW SLICE: CAPEC-683: Supply Chain Risks(Version 3.9)


Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks

Home > CAPEC List > VIEW SLICE: CAPEC-683: Supply Chain Risks(Version 3.9)

CAPEC VIEW: Supply Chain Risks

View ID: 683

Structure: Graph

Downloads: Booklet | CSV | XML

Objective

This view covers patterns that fall within the CISA Supply Chain Lifecycle

Relationships

The following graph shows the tree-like relationships between attack patterns that exist at different levels of abstraction. At the highest level, categories exist to group patterns that share a common characteristic. Within categories, meta level attack patterns are used to present a decidedly abstract characterization of a methodology or technique. Below these are standard and detailed level patterns that are focused on a specific methodology or technique used.

Show Details:

Expand All | Collapse All

683 - Supply Chain Risks

Category - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.Design - (684)

683 (Supply Chain Risks) > 684 (Design)

Attack patterns within this category focus on the exploitation of weaknesses within the Design phase of the CISA Supply Chain Lifecycle.

Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Design Alteration - (447)

683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration)

An adversary modifies the design of a technology, product, or component to acheive a negative impact once the system is deployed. In this type of attack, the goal of the adversary is to modify the design of the system, prior to development starting, in such a way that the negative impact can be leveraged when the system is later deployed. Design alteration attacks differ from development alteration attacks in that design alteration attacks take place prior to development and which then may or may not be developed by the adverary. Design alteration attacks include modifying system designs to degrade system performance, cause unexpected states or errors, and general design changes that may lead to additional vulnerabilities. These attacks generally require insider access to modify design documents, but they may also be spoofed via web communications. The product is then developed and delivered to the user where the negative impact can be leveraged at a later time.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Documentation Alteration to Circumvent Dial-down - (517)

683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 517 (Documentation Alteration to Circumvent Dial-down)

An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted.

683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 518 (Documentation Alteration to Produce Under-performing Systems)

An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.

683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 519 (Documentation Alteration to Cause Errors in System Design)

An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes.

683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 521 (Hardware Design Specifications Are Altered)

An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Requirements for ASIC Functionality Maliciously Altered - (671)

683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 671 (Requirements for ASIC Functionality Maliciously Altered)

An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user’s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC.

683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 674 (Design for FPGA Maliciously Altered)

An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.

683 (Supply Chain Risks) > 685 (Development and Production)

Attack patterns within this category focus on the exploitation of weaknesses within the Development and Production phase of the CISA Supply Chain Lifecycle.

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration)

An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. The product is then delivered to the user where the negative impact can be leveraged at a later time.

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 206 (Signing Malicious Code)

The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Inserted Into Product by Authorized Developer - (443)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 443 (Malicious Logic Inserted Into Product by Authorized Developer)

An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Insertion into Product Software via Configuration Management Manipulation - (445)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 445 (Malicious Logic Insertion into Product Software via Configuration Management Manipulation)

An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Insertion into Product via Inclusion of Third-Party Component - (446)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 446 (Malicious Logic Insertion into Product via Inclusion of Third-Party Component)

An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Infiltration of Software Development Environment - (511)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 511 (Infiltration of Software Development Environment)

An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Hardware Component Substitution During Baselining - (516)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 516 (Hardware Component Substitution During Baselining)

An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Counterfeit Hardware Component Inserted During Product Assembly - (520)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 520 (Counterfeit Hardware Component Inserted During Product Assembly)

An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 532 (Altered Installed BIOS)

An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Infiltration of Hardware Development Environment - (537)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 537 (Infiltration of Hardware Development Environment)

An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 538 (Open-Source Library Manipulation)

Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 539 (ASIC With Malicious Functionality)

An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Software Development Tools Maliciously Altered - (670)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 670 (Software Development Tools Maliciously Altered)

An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Code Implanted During Chip Programming - (672)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 672 (Malicious Code Implanted During Chip Programming)

During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Developer Signing Maliciously Altered Software - (673)

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 673 (Developer Signing Maliciously Altered Software)

Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems. This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.

683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 678 (System Build Data Maliciously Altered)

During the system build process, the system is deliberately misconfigured by the alteration of the build data. Access to system configuration data files and build processes is susceptible to deliberate misconfiguration of the system.

Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.Metadata Spoofing - (690)

683 (Supply Chain Risks) > 685 (Development and Production) > 690 (Metadata Spoofing)

An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.

683 (Supply Chain Risks) > 685 (Development and Production) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata)

An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Spoof Version Control System Commit Metadata - (692)

683 (Supply Chain Risks) > 685 (Development and Production) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 692 (Spoof Version Control System Commit Metadata)

An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.

683 (Supply Chain Risks) > 685 (Development and Production) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 693 (StarJacking)

An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.

683 (Supply Chain Risks) > 686 (Distribution)

Attack patterns within this category focus on the exploitation of weaknesses within the Distribution phase of the CISA Supply Chain Lifecycle.

683 (Supply Chain Risks) > 686 (Distribution) > 439 (Manipulation During Distribution)

An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging.

683 (Supply Chain Risks) > 686 (Distribution) > 439 (Manipulation During Distribution) > 522 (Malicious Hardware Component Replacement)

An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.

683 (Supply Chain Risks) > 686 (Distribution) > 439 (Manipulation During Distribution) > 523 (Malicious Software Implanted)

An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.

683 (Supply Chain Risks) > 686 (Distribution) > 439 (Manipulation During Distribution) > 524 (Rogue Integration Procedures)

An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed.

683 (Supply Chain Risks) > 687 (Acquisition and Deployment)

Attack patterns within this category focus on the exploitation of weaknesses within the Acquisition and Deployment phase of the CISA Supply Chain Lifecycle.

683 (Supply Chain Risks) > 687 (Acquisition and Deployment) > 536 (Data Injected During Configuration)

An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.

683 (Supply Chain Risks) > 688 (Sustainment)

Attack patterns within this category focus on the exploitation of weaknesses within the Sustainment phase of the CISA Supply Chain Lifecycle.

683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack)

An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state.

683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 185 (Malicious Software Download)

An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.

683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 186 (Malicious Software Update)

An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Automated Software Update via Redirection - (187)

683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 187 (Malicious Automated Software Update via Redirection)

An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update.

683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 533 (Malicious Manual Software Update)

An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Automated Software Update via Spoofing - (657)

683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 657 (Malicious Automated Software Update via Spoofing)

An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.

683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 663 (Exploitation of Transient Instruction Execution)

An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.

683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 663 (Exploitation of Transient Instruction Execution) > 696 (Load Value Injection)

An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.

683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 669 (Alteration of a Software Update)

An adversary with access to an organization’s software update infrastructure inserts malware into the content of an outgoing update to fielded systems where a wide range of malicious effects are possible. With the same level of access, the adversary can alter a software update to perform specific malicious acts including granting the adversary control over the software’s normal functionality.

683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack)

An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack.

683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 401 (Physically Hacking Hardware)

An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack.

683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 401 (Physically Hacking Hardware) > 402 (Bypassing ATA Password Security)

An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.

683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update)

An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact.

683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution)

An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.

683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution) > 530 (Provide Counterfeit Component)

An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.

683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution) > 535 (Malicious Gray Market Hardware)

An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective.

683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 677 (Server Motherboard Compromise)

Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update.

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 206 (Signing Malicious Code)

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Inserted Into Product by Authorized Developer - (443)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 443 (Malicious Logic Inserted Into Product by Authorized Developer)

An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Insertion into Product Software via Configuration Management Manipulation - (445)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 445 (Malicious Logic Insertion into Product Software via Configuration Management Manipulation)

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Insertion into Product via Inclusion of Third-Party Component - (446)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 446 (Malicious Logic Insertion into Product via Inclusion of Third-Party Component)

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Infiltration of Software Development Environment - (511)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 511 (Infiltration of Software Development Environment)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 532 (Altered Installed BIOS)

An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Infiltration of Hardware Development Environment - (537)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 537 (Infiltration of Hardware Development Environment)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 538 (Open-Source Library Manipulation)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 539 (ASIC With Malicious Functionality)

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Software Development Tools Maliciously Altered - (670)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 670 (Software Development Tools Maliciously Altered)

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Developer Signing Maliciously Altered Software - (673)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 673 (Developer Signing Maliciously Altered Software)

683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 678 (System Build Data Maliciously Altered)

683 (Supply Chain Risks) > 688 (Sustainment) > 536 (Data Injected During Configuration)

683 (Supply Chain Risks) > 688 (Sustainment) > 690 (Metadata Spoofing)

An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.

683 (Supply Chain Risks) > 688 (Sustainment) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata)

An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.

Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Spoof Version Control System Commit Metadata - (692)

683 (Supply Chain Risks) > 688 (Sustainment) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 692 (Spoof Version Control System Commit Metadata)

683 (Supply Chain Risks) > 688 (Sustainment) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 693 (StarJacking)

An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.

683 (Supply Chain Risks) > 689 (Disposal)

Attack patterns within this category focus on the exploitation of weaknesses within the Disposal phase of the CISA Supply Chain Lifecycle.

683 (Supply Chain Risks) > 689 (Disposal) > 675 (Retrieve Data from Decommissioned Devices)

An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.

References

[REF-718] "Supply Chain Risks for Information and Communication Technology". Cyber and Infrastructure Security Agency (CISA). 2018-12. <https://www.cisa.gov/sites/default/files/publications/19_0424_cisa_nrmc_supply-chain-risks-for-information-and-communication-technology.pdf>. URL validated: 2022-07-26.

View Metrics

	CAPECs in this view		Total CAPECs
Attack Patterns	51	out of	559
Categories	6	out of	21
Views	0	out of	13
Total	57	out of	593

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

View Components

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

CAPEC CATEGORY: Acquisition and Deployment

Category ID: 687

Summary

Attack patterns within this category focus on the exploitation of weaknesses within the Acquisition and Deployment phase of the CISA Supply Chain Lifecycle.

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	683	Supply Chain Risks
HasMember	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	536	Data Injected During Configuration

References

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-669: Alteration of a Software Update

Attack Pattern ID: 669

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

This table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	670	Software Development Tools Maliciously Altered
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	673	Developer Signing Maliciously Altered Software

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Execution Flow

Explore

Identify software with frequent updates: The adversary must first identify a target software that has updates at least with some frequency, enough that there is am update infrastructure.

Experiment

Gain access to udpate infrastructure: The adversary must then gain access to the organization's software update infrastructure. This can either be done by gaining remote access from outside the organization, or by having a malicious actor inside the organization gain access. It is often easier if someone within the organization gains access.

Exploit

Alter the software update: Through access to the software update infrastructure, an adversary will alter the software update by injecting malware into the content of an outgoing update.

Prerequisites

An adversary would need to have penetrated an organization’s software update infrastructure including gaining access to components supporting the configuration management of software versions and updates related to the software maintenance of customer systems.

Skills Required

[Level: High]

Skills required include the ability to infiltrate the organization’s software update infrastructure either from the Internet or from within the organization, including subcontractors, and be able to change software being delivered to customer/user systems in an undetected manner.

Consequences

This table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Access Control	Gain Privileges
Authorization	Execute Unauthorized Commands
Integrity	Modify Data
Confidentiality	Read Data

Mitigations

Have a Software Assurance Plan that includes maintaining strict configuration management control of source code, object code and software development, build and distribution tools; manual code reviews and static code analysis for developmental software; and tracking of all storage and movement of code.

Require elevated privileges for distribution of software and software updates.

Example Instances

A subcontractor to a software developer injects maliciously altered software updates into an automated update process that distributes to government and commercial customers software containing a hidden backdoor.

Related Weaknesses

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

CWE leads to CAPEC: This entry highlights the rare case where a CAPEC creates an instance of a CWE, as opposed to the usual other way around. At this time, this field only includes mappings to weaknesses that cause the CAPEC, instead of CWEs that could arise due to the CAPEC.

Taxonomy Mappings

CAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

[REF-658] "Defending Against Software Supply Chain Attacks". Cybersecurity and Infrastructure Security Agency (CISA). 2021-04. <https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf>. URL validated: 2021-06-22.

[REF-659] Dr. Charles Clancy, Joe Ferraro, Robert A. Martin, Adam G. Pennington, Christopher L. Sledjeski and Dr. Craig J. Wiener. "Deliver Uncompromised: Securing Critical Software Supply Chains". The MITRE Corporation. 2021-01. <https://www.mitre.org/publications/technical-papers/deliver-uncompromised-securing-critical-software-supply-chains>. URL validated: 2021-06-22.

[REF-660] Melinda Reed, John F. Miller and Paul Popick. "Supply Chain Attack Patterns: Framework and Catalog". Office of the Assistant Secretary of Defense for Research and Engineering. 2014-08. <https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html>. URL validated: 2021-06-22.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-532: Altered Installed BIOS

Attack Pattern ID: 532

Abstraction: Detailed

View customized information:

Description

An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Advanced knowledge about the installed target system design.

Advanced knowledge about the download and update installation processes.

Access to the download and update system(s) used to deliver BIOS images.

Skills Required

[Level: High]

Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption.

Mitigations

Deploy strong code integrity policies to allow only authorized apps to run.

Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.

Maintain a highly secure build and update infrastructure by immediately applying security patches for OS and software, implementing mandatory integrity controls to ensure only trusted tools run, and requiring multi-factor authentication for admins.

Require SSL for update channels and implement certificate transparency based verification.

Sign update packages and BIOS patches.

Use hardware security modules/trusted platform modules to verify authenticity using hardware-based cryptography.

Example Instances

An attacker compromises the download and update portion of a manufacturer's web presence, and develops a malicious BIOS that in addition to the normal functionality will also at a specific time of day disable the remote access subsystem's security checks. The malicious BIOS is put in place on the manufacturer's website, the victim location is sent an official-looking email informing the victim of the availability of a new BIOS with bug fixes and enhanced performance capabilities to entice the victim to install the new BIOS quickly. The malicious BIOS is downloaded and installed on the victim's system, which allows for additional compromise by the attacker.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1495	Firmware Corruption
1542.001	Pre-OS Boot:System Firmware

References

[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.

[REF-716] Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany and Beth Woodbury. "Supply chain attacks". Microsoft. 2021-10-28. <https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated References, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated References, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Altered BIOS Installed After Installation

CAPEC-539: ASIC With Malicious Functionality

Attack Pattern ID: 539

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

The attacker must have working knowledge of some if not all of the components involved in the target system as well as the infrastructure and development environment of the manufacturer.

Advanced knowledge about the ASIC installed within the target system.

Skills Required

[Level: High]

Able to develop and manufacture malicious subroutines for an ASIC environment without degradation of existing functions and processes.

Example Instances

A hardware manufacturer periodically updates its ASIC with new features. The attacker, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for ASIC design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent ASIC development system. The attacker is then able to exfiltrate and alter sensitive data on the ASIC system, allowing for future compromise once a new AISC is deployed at the victim location.

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-402: Bypassing ATA Password Security

Attack Pattern ID: 402

Abstraction: Detailed

View customized information:

Description

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	401	Physically Hacking Hardware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Access to the system containing the ATA Drive so that the drive can be physically removed from the system.

Mitigations

Avoid using ATA password security when possible.

Use full disk encryption to protect the entire contents of the drive or sensitive partitions on the drive.

Leverage third-party utilities that interface with self-encrypting drives (SEDs) to provide authentication, while relying on the SED itself for data encryption.

Example Instances

The A-FF Repair Station tool is a data recovery utility that can be used for ATA password removal (both High and Maximum level) and firmware area recovery. An adversary with access to this tool could reset the ATA password to bypass this security feature and unlock the hard drive. The adversary could then obtain any data contained within the drive. [REF-702]

An adversary gains physical access to the targeted hard drive and installs it into a system that does not support ATA security features. Once the drive is installed in the feature-lacking system, the adversary is able to reset the hard drive password via the BIOS. As a result, the adversary is able to bypass ATA password security and access content on the drive.

Related Weaknesses

CWE-ID	Weakness Name
285	Improper Authorization

References

[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.

[REF-701] Oliver Tennert. "Using the ATA security features of modern hard disks and SSDs". Admin Magazine. 2014. <https://www.admin-magazine.com/Archive/2014/19/Using-the-ATA-security-features-of-modern-hard-disks-and-SSDs>. URL validated: 2022-02-16.

[REF-702] "Breaking ATA Password Security". The University of Texas at Austin Information Security Office. <https://security.utexas.edu/education-outreach/BreakingATA>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Mitigations, References

CAPEC-520: Counterfeit Hardware Component Inserted During Product Assembly

Attack Pattern ID: 520

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production

Prerequisites

The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.

Skills Required

[Level: High]

Resources to maliciously construct components used by the manufacturer.

[Level: High]

Resources to physically infiltrate manufacturer or manufacturer's supplier.

Mitigations

Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.

Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.

Example Instances

A manufacturer of a firewall system requires a hardware card which functions as a multi-jack ethernet card with four ethernet ports. The adversary constructs a counterfeit card that functions normally except that packets from the adversary's network are allowed to bypass firewall processing completely. Once deployed at a victim location, this allows the adversary to bypass the firewall unrestricted.

In 2018 it was discovered that Chinese spies infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

[REF-712] Cristin Goodwin and Joram Borenstein. "Guarding against supply chain attacks—Part 2: Hardware risks". Microsoft. 2020-02-03. <https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/>. URL validated: 2022-02-17.

[REF-713] Jordan Robertson and Michael Riley. "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies". Bloomberg. 2018-10-04. <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>. URL validated: 2022-02-17.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Mitigations, Prerequisites, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-536: Data Injected During Configuration

Attack Pattern ID: 536

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	176	Configuration/Environment Manipulation

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Acquisition and Deployment, Sustainment

Execution Flow

Explore

Determine configuration process: The adversary, through a previously compromised system, either remotely or physically, determines what the configuration process is. They look at configuration files, data files, and running processes on the system to identify areas where they could inject malicious data.
Determine when configuration occurs: The adversary needs to then determine when configuration or recalibration of a system occurs so they know when to inject malicious data.
Techniques
Look for a weekly update cycle or repeated update schedule.
Insert a malicious process into the target system that notifies the adversary when configuration is occurring.

Experiment

Determine malicious data to inject: By looking at the configuration process, the adversary needs to determine what malicious data they want to insert and where to insert it.
Techniques
Add false log data
Change configuration files
Change data files

Exploit

Inject malicious data: Right before, or during system configuration, the adversary injects the malicious data. This leads to the system behaving in a way that is beneficial to the adversary and is often followed by other attacks.

Prerequisites

The attacker must have previously compromised the victim's systems or have physical access to the victim's systems.

Advanced knowledge of software and hardware capabilities of a manufacturer's product.

Skills Required

[Level: High]

Ability to generate and inject false data into operational data into a system with the intent of causing the victim to alter the configuration of the system.

Mitigations

Ensure that proper access control is implemented on all systems to prevent unauthorized access to system files and processes.

Example Instances

An adversary wishes to bypass a security system to access an additional network segment where critical data is kept. The adversary knows that some configurations of the security system will allow for remote bypass under certain conditions, such as switching a specific parameter to a different value. The adversary knows the bypass will work but also will be detected within the logging data of the security system. The adversary waits until an upgrade is performed to the security system by the victim's system administrators, and the adversary has access to an external logging system. The adversary injects false log entries that cause the administrators to think there are two different error states within the security system - one involving the specific parameter and the other involving the logging entries. The specific parameter is adjusted to a different value, and the logging level is reduced to a lower level that will not cause an adversary bypass to be detected. The adversary stops injecting false log data, and the administrators of the security system believe the issues were caused by the upgrade and are now resolved. The adversary is then able to bypass the security system.

Related Weaknesses

CWE-ID	Weakness Name
284	Improper Access Control

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2017-01-09 (Version 2.9)	CAPEC Content Team	The MITRE Corporation
2017-01-09 (Version 2.9)	Updated Examples-Instances, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Abstraction
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Execution_Flow

CAPEC CATEGORY: Design

Category ID: 684

Summary

Attack patterns within this category focus on the exploitation of weaknesses within the Design phase of the CISA Supply Chain Lifecycle.

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	683	Supply Chain Risks
HasMember	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

References

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-447: Design Alteration

Attack Pattern ID: 447

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	438	Modification During Manufacture
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	517	Documentation Alteration to Circumvent Dial-down
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	518	Documentation Alteration to Produce Under-performing Systems
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	519	Documentation Alteration to Cause Errors in System Design
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	521	Hardware Design Specifications Are Altered
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	671	Requirements for ASIC Functionality Maliciously Altered
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	674	Design for FPGA Maliciously Altered

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Access to system design documentation prior to the development phase. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.

Ability to forge web communications to deliver modified design documentation.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands
Availability	Unreliable Execution
Integrity	Alter Execution Logic

Mitigations

Assess design documentation prior to development to ensure that they function as intended and without any malicious functionality.

Ensure that design documentation is saved in a secure location and has proper access controls set in place to avoid unnecessary modification.

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, References, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Malicious Logic Insertion into Product Software during Update

CAPEC-674: Design for FPGA Maliciously Altered

Attack Pattern ID: 674

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

An adversary would need to have access to FPGA programming/configuration-related systems in a chip maker’s development environment where FPGAs can be initially configured prior to delivery to a customer or have access to such systems in a customer facility where end-user FPGA configuration/reconfiguration can be performed.

Skills Required

[Level: High]

An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced.

Consequences

Scope	Impact	Likelihood
Integrity	Alter Execution Logic

Mitigations

Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.

Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for FPGA programming and program uploads to FPGA chips.

Require that provenance of COTS microelectronic components be known whenever procured.

Conduct detailed vendor assessment before acquiring COTS hardware.

Example Instances

An adversary with access and the ability to alter the configuration/programming of FPGAs in organizational systems, introduces a trojan backdoor that can be used to alter the behavior of the original system resulting in, for example, compromise of confidentiality of data being processed.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

[REF-662] Jeremy Muldavin. "Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC)". Office of the Deputy Assistant Secretary of Defense for Systems Engineering. 2017-11.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-673: Developer Signing Maliciously Altered Software

Attack Pattern ID: 673

Abstraction: Detailed

View customized information:

Description

This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	669	Alteration of a Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

An adversary would need to have access to a targeted developer’s software development environment, including to their software build processes, where the adversary could ensure code maliciously tainted prior to a build process is included in software packages built.

Skills Required

[Level: High]

The adversary must have the skills to infiltrate a developer’s software development/build environment and to implant malicious code in developmental software code, a build server, or a software repository containing dependency code, which would be referenced to be included during the software build process.

Consequences

Scope	Impact	Likelihood
Integrity Confidentiality	Read Data Modify Data
Access Control Authorization	Gain Privileges Execute Unauthorized Commands

Mitigations

Have a security concept of operations (CONOPS) for the IDE that includes: Protecting the IDE via logical isolation using firewall and DMZ technologies/architectures; Maintaining strict security administration and configuration management of configuration management tools, developmental software and dependency code repositories, compilers, and system build tools.

Employ intrusion detection and malware detection capabilities on IDE systems where feasible.

Example Instances

An adversary who has infiltrated an organization’s build environment maliciously alters code intended to be included in a product’s software build via software dependency inclusion, part of the software build process. When the software product has been built, the developer electronically signs the finished product using their signing key. The recipient of the software product, an end user/customer, believes the software to reflect the developer’s intent with respect to functionality unaware of the adversary’s malicious intent harbored within.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-444: Development Alteration

Attack Pattern ID: 444

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	438	Modification During Manufacture
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	206	Signing Malicious Code
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	443	Malicious Logic Inserted Into Product by Authorized Developer
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	445	Malicious Logic Insertion into Product Software via Configuration Management Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	446	Malicious Logic Insertion into Product via Inclusion of Third-Party Component
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	511	Infiltration of Software Development Environment
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	516	Hardware Component Substitution During Baselining
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	520	Counterfeit Hardware Component Inserted During Product Assembly
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	532	Altered Installed BIOS
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	537	Infiltration of Hardware Development Environment
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	538	Open-Source Library Manipulation
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	539	ASIC With Malicious Functionality
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	670	Software Development Tools Maliciously Altered
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	672	Malicious Code Implanted During Chip Programming
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	673	Developer Signing Maliciously Altered Software
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	678	System Build Data Maliciously Altered
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Access to the system during the development phase to alter and/or modify software and hardware components. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands
Availability	Unreliable Execution
Integrity	Alter Execution Logic

Mitigations

Assess software and software components during development and prior to deployment to ensure that they function as intended and without any malicious functionality.

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, References, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Malicious Logic Insertion into Product Software via Externally Manipulated Component

CAPEC CATEGORY: Development and Production

Category ID: 685

Summary

Attack patterns within this category focus on the exploitation of weaknesses within the Development and Production phase of the CISA Supply Chain Lifecycle.

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	683	Supply Chain Risks
HasMember	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	690	Metadata Spoofing

References

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)
Modifications
Modification Date	Modifier	Organization
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Relationships

CAPEC CATEGORY: Disposal

Category ID: 689

Summary

Attack patterns within this category focus on the exploitation of weaknesses within the Disposal phase of the CISA Supply Chain Lifecycle.

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	683	Supply Chain Risks
HasMember	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	675	Retrieve Data from Decommissioned Devices

References

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC CATEGORY: Distribution

Category ID: 686

Summary

Attack patterns within this category focus on the exploitation of weaknesses within the Distribution phase of the CISA Supply Chain Lifecycle.

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	683	Supply Chain Risks
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	439	Manipulation During Distribution

References

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-519: Documentation Alteration to Cause Errors in System Design

Attack Pattern ID: 519

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Advanced knowledge of software capabilities of a manufacturer's product.

Access to the manufacturer's documentation.

Skills Required

[Level: High]

Ability to read, interpret, and subsequently alter manufacturer's documentation to cause errors in system design.

[Level: High]

Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.

Mitigations

Digitize documents and cryptographically sign them to verify authenticity.

Password protect documents and make them read-only for unauthorized users.

Avoid emailing important documents and configurations.

Ensure deleted files are actually deleted.

Maintain multiple instances of the document across different privileged users for recovery and verification.

Example Instances

During operation, a firewall will restart various subsystems to reload and implement new rules as added by the user. An attacker alters the software design dependencies in the manufacturer's documentation so that under certain predictable conditions the reload will fail to load in rules resulting in a "fail open" state. Once deployed at a victim site, this will allow the attacker to bypass the victim's firewall.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-517: Documentation Alteration to Circumvent Dial-down

Attack Pattern ID: 517

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Advanced knowledge of internal software and hardware components within manufacturer's development environment.

Access to the manufacturer's documentation.

Skills Required

[Level: High]

Ability to read, interpret, and subsequently alter manufacturer's documentation to prevent dial-down capabilities.

[Level: High]

Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.

Mitigations

Digitize documents and cryptographically sign them to verify authenticity.

Password protect documents and make them read-only for unauthorized users.

Avoid emailing important documents and configurations.

Ensure deleted files are actually deleted.

Maintain backups of the document for recovery and verification.

Example Instances

A product for manufacture exists that contains advanced cryptographic capabilities, including algorithms that are restricted from being shipped to some nations. An attacker from one of the restricted nations alters the documentation to ensure that when the product is manufactured for shipment to a restricted nation, the software compilation steps that normally would prevent the advanced cryptographic capabilities from being included are actually included. When the product is shipped to the attacker's home country, the attacker is able to retrieve and/or use the advanced cryptographic capabilities.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-518: Documentation Alteration to Produce Under-performing Systems

Attack Pattern ID: 518

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Advanced knowledge of software and hardware capabilities of a manufacturer's product.

Access to the manufacturer's documentation.

Skills Required

[Level: High]

Ability to read, interpret, and subsequently alter manufacturer's documentation to misrepresent system capabilities.

[Level: High]

Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.

Mitigations

Digitize documents and cryptographically sign them to verify authenticity.

Password protect documents and make them read-only for unauthorized users.

Avoid emailing important documents and configurations.

Ensure deleted files are actually deleted.

Maintain backups of the document for recovery and verification.

Separate need-to-know information from system configuration information depending on the user.

Example Instances

A security subsystem involving encryption is a part of a product, but due to the demands of this subsystem during operation, the subsystem only runs when a specific amount of memory and processing is available. An attacker alters the descriptions of the system capabilities so that when deployed with the minimal requirements at the victim location, the encryption subsystem is never operational, leaving the system in a weakened security state.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-663: Exploitation of Transient Instruction Execution

Attack Pattern ID: 663

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	74	Manipulating State
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	696	Load Value Injection
PeerOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	124	Shared Resource Manipulation
PeerOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	180	Exploiting Incorrectly Configured Access Control Security Levels
PeerOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	212	Functionality Misuse
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	141	Cache Poisoning

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources, Manipulate Timing and State
Supply Chain Risks	Sustainment

Execution Flow

Explore

Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack.
Techniques
Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
Explore cache and identify impacts: Utilize tools to understand the impact of transient instruction execution upon address spaces and CPU operations.
Techniques
Run OS or application specific tools that examine the contents of cache.

Experiment

Cause conditions for identified transient instruction set execution: Adversary ensures that specific code/instructions of the target process are executed by CPU, so desired transient instructions are executed.

Cause specific secret data to be cached from restricted address space: Executed instruction sets (gadgets) in target address space, initially executed via adversary-chosen transient instructions sets, establish covert channel and transfer secret data across this channel to cache.

Techniques

Prediction-based - adversary trains CPU to incorrectly predict/speculate conditions for instruction execution to be true, hence executing adversary-chosen transient instructions. These prediction-based methods include: Pattern History Table (PHT)/Input Validation Bypass, Branch Target Buffer (BTB)/Branch Target Injection, Return Stack Buffer (RSB)/Return Address Injection, and Store To Load (STL)/Speculative Store Bypass.

Exception/Fault-based - adversary has CPU execute transient instructions that raise an exception allowing inaccessible memory space to be accessed via out-of-order execution. These exception/fault-based methods include: Supervisor-only Bypass, Virtual Translation Bypass, System Register Bypass, FPU Register Bypass, Read-only Bypass, Protection Key Bypass, and Bounds Check Bypass.

Exploit

Perform covert channel attack to obtain/access secret data: Adversary process code removes instructions/data from shared cache set, waits for target process to reinsert them back into cache, to identify location of secret data via a timing method. Adversary continuously repeat this process to identify and access entirety of targeted secret data.

Techniques
Flush+Reload - adversary frequently flushes targeted memory cache line using a dedicated machine flush instruction, and uses another process to measure time taken for CPU to load victim secret data.
Evict+Time - adversary causes victim to load target set into cache and measures time for victim process to load this data, setting a baseline. Adversary evicts a specified cache line and causes victim process to execute again, and measures any change in execution time, to determine if cache line was accessed.
Prime+Probe - adversary primes cache by filling cache line(s) or set(s) with data, after some time victim process evicts this adversary data to replace it with secret data. The adversary then probes/accesses all the previously accessed cache lines detecting cache misses, which determine that their attacker data has been evicted and replaced with secret data from victim process.

Prerequisites

The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.

Skills Required

[Level: High]

Detailed knowledge on how various CPU architectures and microcode perform transient execution for various low-level assembly language code instructions/operations.

[Level: High]

Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage.

Resources Required

C2C mechanism or direct access to victim system, capable of dropping malicious program and collecting covert channel attack data.

Malicious program capable of triggering execution of transient instructions or vulnerable instruction sequences of victim program and performing a covert channel attack to gather data from victim process memory space. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources of the victim machine.

Indicators

File Signatures for Malicious Software capable of abusing Transient Instruction Set Execution

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Access Control	Bypass Protection Mechanism
Authorization	Execute Unauthorized Commands

Mitigations

Implementation: DAWG (Dynamically Allocated Way Guard) - processor cache properly divided between different programs/processes that don't share resources

Implementation: KPTI (Kernel Page-Table Isolation) to completely separate user-space and kernel space page tables

Configuration: Architectural Design of Microcode to limit abuse of speculative execution and out-of-order execution

Configuration: Disable SharedArrayBuffer for Web Browsers

Configuration: Disable Copy-on-Write between Cloud VMs

Configuration: Privilege Checks on Cache Flush Instructions

Implementation: Non-inclusive Cache Memories to prevent Flush+Reload Attacks

Example Instances

A web browser with user-privileges executes JavaScript code imbedded within a malicious website. The system does not disable shared buffers for the web browser and there is no restriction or check upon user-process execution of flush or evict instructions. The Javascript code executes vulnerable transient instructions upon system to cause microarchitectural changes that establish covert channel and transfer sensitive/secret data into shared cache from address space of either kernel, web browser or another executing process on the system.

Related Weaknesses

CWE-ID	Weakness Name
1037	Processor Optimization Removal or Modification of Security-critical Code
1303	Non-Transparent Sharing of Microarchitectural Resources
1264	Hardware Logic with Insecure De-Synchronization between Control and Data Channels

References

[REF-637] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz and Yuval Yarom. "Spectre Attacks: Exploiting Speculative Execution". Graz University of Technology. 2019. <https://spectreattack.com/spectre.pdf>. URL validated: 2021-03-05.

[REF-638] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom and Mike Hamburg. "Meltdown: Reading Kernel Memory from User Space". Graz University of Technology. 2018. <https://meltdownattack.com/meltdown.pdf>. URL validated: 2021-03-05.

[REF-639] Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin and Daniel Gruss. "A Systematic Evaluation of Transient Execution Attacks and Defenses". Graz University of Technology. 2019-05-15. <https://arxiv.org/abs/1811.05441>. URL validated: 2021-03-05.

[REF-640] Qian Ge, Yuval Yarom and Gernot Heiser. "A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware". Journal of Cryptographic Engineering. 2016-12-26. <https://eprint.iacr.org/2016/613.pdf>. URL validated: 2021-03-05.

[REF-641] Nael Abu-Ghazaleh, Dmitry Ponomarev and Dmitry Evtyushkin. "How the Spectre and Meltdown Hacks Really Worked". IEEE Spectrum. 2019-02-28. <https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked>. URL validated: 2021-03-05.

[REF-642] James Sanders. "Spectre and Meltdown explained: A comprehensive guide for professionals". TechRepublic. 2019-05-15. <https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked>. URL validated: 2021-03-05.

[REF-643] "Alert (TA18-004A) Meltdown and Spectre Side-Channel Vulnerability Guidance". CISA. 2018-01-04. <https://us-cert.cisa.gov/ncas/alerts/TA18-004A>. URL validated: 2021-03-05.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Related_Attack_Patterns

CAPEC-531: Hardware Component Substitution

Attack Pattern ID: 531

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	534	Malicious Hardware Update
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	530	Provide Counterfeit Component
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	535	Malicious Gray Market Hardware

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Physical access to the system or the integration facility where hardware components are kept.

Skills Required

[Level: High]

Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts.

Example Instances

An attacker has access to an organization's warehouse of card readers being included as a part of an overall security system. By replacing a critical hardware component in the card reader, the attacker is able to alter the function of the card reader to allow an attacker-supplied card to bypass a security checkpoint. The card reader is placed in the warehouse, and later used in the victim's security system. The attacker is then able to go to the victim and use their own card and bypass a physical security checkpoint and gain access to the victim's location for further malicious activity.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Prerequisites, Description Summary, Examples-Instances, References, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Hardware Component Substitution After Installation

CAPEC-516: Hardware Component Substitution During Baselining

Attack Pattern ID: 516

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production

Prerequisites

The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.

Skills Required

[Level: Medium]

Intelligence data on victim's purchasing habits.

[Level: High]

Resources to maliciously construct/alter hardware components used for testing by the supplier.

[Level: High]

Resources to physically infiltrate supplier.

Mitigations

Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.

Example Instances

An adversary supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. The device claims in logs, stats, and via the display panel to be pumping out very large quantities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the adversary an advantage when attacking the victim in that the adversary's presence may not be detected by the device.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Examples-Instances, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Mitigations, Prerequisites, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-521: Hardware Design Specifications Are Altered

Attack Pattern ID: 521

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

Advanced knowledge of hardware capabilities of a manufacturer's product.

Access to the manufacturer's documentation.

Skills Required

[Level: High]

Ability to read, interpret, and subsequently alter manufacturer's documentation to cause errors in design specifications.

[Level: High]

Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.

Mitigations

Digitize documents and cryptographically sign them to verify authenticity.

Password protect documents and make them read-only for unauthorized users.

Avoid emailing important documents and configurations.

Ensure deleted files are actually deleted.

Maintain backups of the document for recovery and verification.

Separate need-to-know information from system configuration information depending on the user.

Example Instances

To operate at full capability, a manufacturer's network intrusion detection device needs to have either a Intel Xeon E7-2820 or AMD FX-8350 which have 8 "cores" available, allowing for advanced threading needed to handle large volumes of network traffic without resorting to dropping packets from the detection process. The attacker alters the documentation to state that the system design must use the Intel Core Duo or the AMD Phenom II X2, which only have 2 cores, causing the system to drop large amounts of packets during deployment at a victim site with large amounts of network traffic.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

References

[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-440: Hardware Integrity Attack

Attack Pattern ID: 440

Abstraction: Meta

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	401	Physically Hacking Hardware
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	534	Malicious Hardware Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Influence over the deployed system at a victim location.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain
1200	Hardware Additions

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Description Summary, Examples-Instances, References
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Description, Taxonomy_Mappings
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Integrity Modification During Deployed Use

CAPEC-537: Infiltration of Hardware Development Environment

Attack Pattern ID: 537

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).

The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.

The adversary must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.

Skills Required

[Level: Medium]

Intelligence about the manufacturer's operating environment and infrastructure.

[Level: High]

Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.

[Level: High]

Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)

Mitigations

Verify software downloads and updates to ensure they have not been modified be adversaries

Leverage antivirus tools to detect known malware

Do not download software from untrusted sources

Educate designers, developers, engineers, etc. on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks

Example Instances

The adversary, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for hardware and/or firmware design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the adversary to remotely compromise the adjacent hardware development system from the manufacturer's workstation. The adversary is then able to exfiltrate and alter sensitive data on the hardware system, allowing for future compromise once the developed system is deployed at the victim location.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Weaknesses
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Mitigations, Prerequisites, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-511: Infiltration of Software Development Environment

Attack Pattern ID: 511

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).

The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.

The attacker must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.

Skills Required

[Level: Medium]

Intelligence about the manufacturer's operating environment and infrastructure.

[Level: High]

Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.

[Level: High]

Mitigations

Avoid the common delivery mechanisms of adversaries, such as email attachments, which could introduce the malware.

Example Instances

The attacker, knowing the victim runs email on a system adjacent to the IDE system, sends a phishing email with a malicious attachment to the victim. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent IDE system from the victim's workstation. The attacker is then able to exfiltrate sensitive data about the software being developed on the IDE system.

Using rogue versions of Xcode (Apple's app development tool) downloaded from third-party websites, it was possible for the adversary to insert malicious code into legitimate apps during the development process.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Some type of access control weakness (CWE-284 or its descendants) is related to this CAPEC, probably as a prerequisite.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, Mitigations
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-696: Load Value Injection

Attack Pattern ID: 696

Abstraction: Detailed

View customized information:

Description

Extended Description

This attack is a mix of techniques used in traditional Meltdown and Spectre attacks. It uses microarchitectural data leakage combined with code gadget abuse. Intel has identified that this attack is not applicable in scenarios where the OS and the VMM (Virtual Memory Manager) are both trusted. Because of this, Intel SGX is a prime target for this attack because it assumes that the OS or VMM may be malicious.

Likelihood Of Attack

Low

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	663	Exploitation of Transient Instruction Execution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware
Mechanisms of Attack	Manipulate System Resources, Manipulate Timing and State
Supply Chain Risks	Sustainment

Execution Flow

Explore

Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value.
Techniques
Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.

Experiment

Fill microarchitectural buffer with controlled value: The adversary will utilize the found code gadget from the previous step to load a value into a microarchitectural buffer.

Techniques
The adversary may choose the controlled value to be memory address of sensitive information that they want the system to access
The adversary may choose the controlled value to be the memory address of other code gadgets that they wish to execute by hijacking the control flow of the system

Set up instruction to page fault or microcode assist: The adversary must manipulate the system such that a page fault or microcode assist occurs when a valid instruction is run. If the instruction that fails is near where the adversary-controlled value was loaded, the system may forward this value from the microarchitectural buffer incorrectly.

Techniques
When targeting Intel SGX enclaves, adversaries that have privileges can manipulate PTEs to provoke page-fault exceptions or microcode assists.
When targeting Intel SGX enclaves, adversaries can indirectly revoke permissions for enclave code through the “mprotect” system call
An adversary can evict selected virtual memory pages using legacy interfaces or by increasing physical memory utilization
When attacking a Windows machine, wait until the OS clears the PTE accessed bit. When the page is next accessed, the CPU will always issue a microcode assist for re-setting this bit

Exploit

Operate on adversary-controlled data: Once the attack has been set up and the page fault or microcode assist occurs, the system operates on the adversary-controlled data.

Techniques
Influence the system to load sensitive information into microarchitectural state which can be read by the adversary using a code gadget.
Hijack execution by jumping to second stage gadgets found in the address space. By utilizing return-oriented programming, this can chain gadgets together and allow the adversary to execute a sequence of gadgets.

Prerequisites

The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.

The CPU incorrectly transiently forwards values from microarchitectural buffers after faulting or assisted loads

The adversary needs the ability to induce page faults or microcode assists on the target system.

Code gadgets exist that allow the adversary to hijack transient execution and encode secrets into the microarchitectural state.

Skills Required

[Level: High]

Detailed knowledge on how various CPU architectures and microcode perform transient execution for various low-level assembly language code instructions/operations.

[Level: High]

Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage.

[Level: High]

The ability to provoke faulting or assisted loads in legitimate execution.

Indicators

File Signatures for Malicious Software capable of abusing Transient Instruction Set Execution

Consequences

Scope	Impact	Likelihood
Confidentiality	Read Data
Access Control	Bypass Protection Mechanism
Authorization	Execute Unauthorized Commands

Mitigations

Do not allow the forwarding of data resulting from a faulting or assisted instruction. Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.

Insert explicit “lfence” speculation barriers in software before potentially faulting or assisted loads. This halts transient execution until all previous instructions have been executed and ensures that the architecturally correct value is forwarded.

Related Weaknesses

CWE-ID	Weakness Name
1342	Information Exposure through Microarchitectural State after Transient Execution

References

[REF-735] Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss and Frank Piessens. "LVI - Hijacking Transient Execution with Load Value Injection". <https://lviattack.eu/>. URL validated: 2022-09-23.

[REF-736] "Load Value Injection". Intel. 2020-01-27. <https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/load-value-injection.html>. URL validated: 2022-09-23.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-187: Malicious Automated Software Update via Redirection

Attack Pattern ID: 187

Abstraction: Detailed

View customized information:

Description

Extended Description

One predominate type of redirection attack requires DNS spoofing or hijacking of a domain name corresponding to an update server. The target software initiates an update request and the DNS request resolves the domain name of the update server to the IP address of the attacker, at which point the software accepts updates either transmitted by or pulled from the attackers' server. Attacks against DNS mechanisms comprise an initial phase of a chain of attacks that facilitate automated update hijacking attack, and such attacks have a precedent in targeted activities that have been as complex as DNS/BIND attacks of corporate infrastructures, to untargeted attacks aimed at compromising home broadband routers, as well as attacks involving the compromise of wireless access points, as well as 'evil twin' attacks coupled with DNS redirection. Due to the plethora of options open to the attacker in forcing name resolution to arbitrary servers the Automated Update Hijacking attack strategies are the tip of the spear for many multi-stage attack chains.

The second weakness that is exploited by the attacker is the lack of integrity checking by the software in validating the update. Software which relies only upon domain name resolution to establish the identity of update code is particularly vulnerable, because this signals an absence of other security countermeasures that could be applied to invalidate the attackers' payload on basis of code identity, hashing, signing, encryption, and other integrity checking mechanisms. Redirection-based attack patterns work equally well against client-side software as well as local servers or daemons that provide software update functionality.

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Consequences

Scope	Impact	Likelihood
Access Control Availability Confidentiality	Execute Unauthorized Commands

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1072	Software Deployment Tools

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Architectural_Paradigms, Injection_Vector, Payload, Payload_Activation_Impact, References, Technical_Context
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated @Name, Consequences, Description, Likelihood_Of_Attack, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Extended_Description
Previous Entry Names
Change Date	Previous Entry Name
2020-12-17 (Version 3.4)	Malicious Automated Software Update

CAPEC-657: Malicious Automated Software Update via Spoofing

Attack Pattern ID: 657

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

High

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	194	Fake the Source of Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Consequences

Scope	Impact	Likelihood
Access Control Availability Confidentiality	Execute Unauthorized Commands

Example Instances

An example of the spoofing strategy would be the eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1072	Software Deployment Tools

Content History

Submissions
Submission Date	Submitter	Organization
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-672: Malicious Code Implanted During Chip Programming

Attack Pattern ID: 672

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production

Prerequisites

An adversary would need to have access to a foundry’s or chip maker’s development/production environment where programs for specific chips are developed, managed and uploaded into targeted chips prior to distribution or sale.

Skills Required

[Level: Medium]

An adversary needs to be skilled in microprogramming, manipulation of configuration management systems, and in the operation of tools used for the uploading of programs into chips during manufacture. Uploading can be for individual chips or performed on a large scale basis.

Consequences

Scope	Impact	Likelihood
Integrity	Alter Execution Logic

Mitigations

Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.

Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management of microcode and microcode generating tools and software.

Require that provenance of COTS microelectronic components be known whenever procured.

Conduct detailed vendor assessment before acquiring COTS hardware.

Example Instances

Following a chip’s production process steps of test and verification and validation of chip circuitry, an adversary involved in the generation of microcode defining the chip’s function(s) inserts a malicious instruction that will become part of the chip’s program. When integrated into a system, the chip will produce an effect intended by the adversary.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-535: Malicious Gray Market Hardware

Attack Pattern ID: 535

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	531	Hardware Component Substitution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Physical access to a gray market reseller's hardware components supply, or the ability to appear as a gray market reseller to the victim's buyer.

Skills Required

[Level: High]

Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts.

Mitigations

Purchase only from authorized resellers.

Validate serial numbers from multiple sources

Example Instances

An attacker develops co-processor boards with malicious capabilities that are technically the same as a manufacturer's expensive upgrade to their flagship system. The victim has installed the manufacturer's base system without the expensive upgrade. The attacker contacts the victim and states they have the co-processor boards at a drastically-reduced price, falsely stating they were acquired from a bankruptcy liquidation of a company that had purchased them from the manufacturer. The victim after hearing the drastically reduced price decides to take advantage of the situation and purchases the upgrades from the attacker, and installs them. This allows the attacker to further compromise the victim.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Examples-Instances, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations

CAPEC-522: Malicious Hardware Component Replacement

Attack Pattern ID: 522

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	439	Manipulation During Distribution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Distribution

Execution Flow

Explore

Determine Target Hardware: The adversary must first identify a system that they wish to target, and a specific hardware component that they can swap out with a malicious replacement.

Techniques
Look for datasheets containing the system schematics that can help identify possible target hardware.
Procure a system and inspect it manually, looking for possible hardware component targets. Search for manufacturer IDs on hardware chips or FCC IDs on wireless chips to determine their functionality.

Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.
Techniques
Procure a system and observe the steps it takes in the shipment process.
Identify possible warehouses that systems are stored after manufacturing.

Experiment

Test a Malicious Component Replacement: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

Techniques
Design a malicious hardware component that will perform the same functionality as the target component, but also contains additional functionality.
Obtain already designed malicious components that just need to be placed into the system.

Exploit

Substitute Components in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary substitutes the malicious component for the targeted component. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

Prerequisites

Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.

Skills Required

[Level: High]

Advanced knowledge of the design of the system.

[Level: High]

Hardware creation and manufacture of replacement components.

Mitigations

Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.

Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.

Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.

Example Instances

During shipment the adversary is able to intercept a system that has been purchased by the victim, and replaces a math processor card that functions just like the original, but contains advanced malicious capability. Once deployed, the system functions as normal, but allows for the adversary to remotely communicate with the system and use it as a conduit for additional compromise within the victim's environment.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Typical_Likelihood_of_Exploit
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Mitigations
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Execution_Flow, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-534: Malicious Hardware Update

Attack Pattern ID: 534

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	440	Hardware Integrity Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	531	Hardware Component Substitution
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	677	Server Motherboard Compromise

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Skills Required

[Level: High]

Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts.

Example Instances

An adversary develops a malicious networking card that allows for normal function plus the addition of malicious functionality that is of benefit to the adversary. The adversary sends the victim an email stating that the existing networking card is faulty, and that the victim can order a replacement card free of charge. The victim orders the card, and the adversary sends the malicious networking card. The malicious networking card replaces the perfectly-functioning original networking card, and the adversary is able to take advantage of the additional malicious functionality to further compromise the victim's network.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-711] Omer Shwartz, Amir Cohen, Asaf Shabtai and Yossi Oren. "Shattered Trust: When Replacement Smartphone Components Attack". 11th USENIX Workshop on Offensive Technologies. USENIX. 2017. <https://www.usenix.org/system/files/conference/woot17/woot17-paper-shwartz.pdf>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Prerequisites, Description Summary, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated References

CAPEC-443: Malicious Logic Inserted Into Product by Authorized Developer

Attack Pattern ID: 443

Abstraction: Detailed

View customized information:

Description

An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.

Extended Description

Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In further cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Access to the product during the initial or continuous development.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.

Example Instances

In January 2022 the author of popular JavaScript packages "Faker" and "colors", used for generating mock data and including colored text within NodeJS consoles respectively, introduced malicious code that resulted in a Denial of Service (DoS) via an infinite loop. When applications that leveraged these packages updated to the malicious version, their applications executed the infinite loop and output gibberish ASCI characters endlessly. This resulted in the application being unusable until a stable version of the package was obtained. [REF-705]

During initial development, an authorized hardware developer implants a malicious microcontroller within an Internet of Things (IOT) device and programs the microcontroller to communicate with the vulnerable device. Each time the device initializes, the malicious microcontroller's code is executed, which ultimately provides the adversary with backdoor access to the vulnerable device. This can further allow the adversary to sniff network traffic, exfiltrate date, execute unauthorized commands, and/or pivot to other vulnerable devices.

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

[REF-379] Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook and Matthew Fallon. "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)". National Institute of Standards and Technology (NIST). 2021-10-28. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf>. URL validated: 2022-02-16.

[REF-704] Ax Sharma. "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps". BleepingComputer. 2022-01-09. <https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/>. URL validated: 2022-02-16.

[REF-705] Alberto Pellitteri. "Malicious modifications to open source projects affecting thousands". SysDig. 2022-01-12. <https://sysdig.com/blog/malicious-modifications-detection-sysdig/>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, Mitigations, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated @Name, Description, Example_Instances, Extended_Description, Mitigations, Prerequisites, Related_Attack_Patterns, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2022-09-29 (Version 3.8)	Malicious Logic Inserted Into Product Software by Authorized Developer

CAPEC-445: Malicious Logic Insertion into Product Software via Configuration Management Manipulation

Attack Pattern ID: 445

Abstraction: Detailed

View customized information:

Description

Extended Description

Configuration management servers operate on the basis of a client pool, instructing each client on which software to install. In some cases the configuration management server will automate the software installation process. A malicious insider or an adversary who has compromised the server can alter the software baseline that clients must install, allowing the adversary to compromise a large number of satellite machines using the configuration management system. If an adversary can control elements of a product's configuration management for its deployed environment they can potentially alter fundamental security properties of the system based on assumptions that secure configurations are in place. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Access to the configuration management system during deployment or currently deployed at a victim location. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.

Leverage anti-virus products to detect and quarantine software with known virus.

Example Instances

In 2016, the policy-based configuration management system Chef was shown to be vulnerable to remote code execution attacks based on its Chef Manage add-on improperly deserializing user-driven cookie data. This allowed unauthenticated users the ability to craft cookie data that executed arbitrary code with the web server's privileges. [REF-706]

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools

References

[REF-706] "Chef Manage deserializes cookie data insecurely". Carnegie Mellon University. 2016-05-17. <https://www.kb.cert.org/vuls/id/586503>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Extended_Description, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Description, Extended_Description, Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component

Attack Pattern ID: 446

Abstraction: Detailed

View customized information:

Description

Extended Description

The result is a window of opportunity for exploiting the product until the insecure component is discovered. This supply chain threat can result in the installation of malicious software or hardware that introduces widespread security vulnerabilities within an organization. Additionally, because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing Commercial off the Shelf (COTS) or Open Source Software (OSS) software that comes pre-packaged with the components required for it to operate. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Access to the product during the initial or continuous development. This access is often obtained via insider access to include the third-party component after deployment.

Consequences

Scope	Impact	Likelihood
Authorization	Execute Unauthorized Commands

Mitigations

Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.

Example Instances

From mid-2014 to early 2015, Lenovo computers were shipped with the Superfish Visual Search software that ultimately functioned as adware on the system. The Visual Search installation included a self-signed root HTTPS certificate that was able to intercept encrypted traffic for any site visited by the user. Of more concern was the fact that the certificate's corresponding private key was the same for every Lenovo machine. Once the private key was discovered [REF-709], an adversary could then conduct an Adversary-in-the-Middle (AitM) attack that would go undetected by machines that had this certificate installed on it. Adversaries could then masquerade as legitimate entities such as financial institutions, popular corporations, or other secure destinations on the Internet. [REF-708]

Related Weaknesses

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195	Supply Chain Compromise

References

[REF-707] Thomas Brewster. "How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It". Forbes. 2015-02-19. <https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/?sh=991ab8c38776>. URL validated: 2022-02-16.

[REF-708] Dan Goodin. "Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections". Ars Technica. 2015-02-19. <https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/>. URL validated: 2022-02-16.

[REF-709] Rob Graham. "Extracting the SuperFish certificate". Errata Security. 2015-02-19. <https://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOX5Ky57RqE>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated @Name, Description, Example_Instances, Extended_Description, Mitigations, Prerequisites, References, Related_Attack_Patterns, Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2022-09-29 (Version 3.8)	Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency

CAPEC-533: Malicious Manual Software Update

Attack Pattern ID: 533

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Advanced knowledge about the download and update installation processes.

Advanced knowledge about the deployed system and its various software subcomponents and processes.

Skills Required

[Level: High]

Able to develop malicious code that can be used on the victim's system while maintaining normal functionality.

Mitigations

Only accept software updates from an official source.

Example Instances

An email campaign was initiated, targetting victims of a ransomware attack. The email claimed to be a patch to address the ransomware attack, but was instead an attachment that caused the Cobalt Strike tools to be installed, which enabled further attacks.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-710] Sean Endicott. "Fake Microsoft update used in malicious email attack campaign". Microsoft News. 2021-07. <https://www.msn.com/en-us/news/technology/fake-microsoft-update-used-in-malicious-email-attack-campaign/ar-AALTcVs>. URL validated: 2022-02-16.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, References, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Related_Weaknesses
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Description
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, Mitigations, References
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Malicious Software Update

CAPEC-185: Malicious Software Download

Attack Pattern ID: 185

Abstraction: Standard

View customized information:

Description

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	159	Redirect Access to Libraries
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	662	Adversary in the Browser (AiTB)

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-523: Malicious Software Implanted

Attack Pattern ID: 523

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	439	Manipulation During Distribution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Distribution

Execution Flow

Explore

Determine Entry Point: The adversary must first identify a system that they wish to target and search for an entry point they can use to install the malicious software. This could be a system which they have prior knowledge of, giving them insight into the software and environment.
Techniques
Use a JTAGulator to identify exposed JTAG and UART interfaces in smaller embedded systems.
Identify exposed USB connectors that could be used to load software.
Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.
Techniques
Procure a system and observe the steps it takes in the shipment process.
Identify possible warehouses that systems are stored after manufacturing.

Experiment

Test Malicious Software: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

Techniques
Design malicious software that will give an adversary a backdoor into the system once it is deployed to the victim.
Obtain already designed malicious software that just need to be placed into the system.

Exploit

Implant Software in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary implants the malicious software into the system. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

Prerequisites

Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.

Skills Required

[Level: High]

Advanced knowledge of the design of the system and it's operating system components and subcomponents.

[Level: High]

Malicious software creation.

Mitigations

Deploy strong code integrity policies to allow only authorized apps to run.

Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.

Require SSL for update channels and implement certificate transparency based verification.

Sign everything, including configuration files, XML files and packages.

Develop an incident response process, disclose supply chain incidents and notify customers with accurate and timely information.

Example Instances

An attacker has created a piece of malicious software designed to function as a backdoor in a system that is to be deployed at the victim location. During shipment of the system, the attacker has physical access to the system at a loading dock of an integrator for a short time. The attacker unpacks and powers up the system and installs the malicious piece of software, and configures it to run upon system boot. The system is repackaged and returned to its place on the loading dock, and is shipped and installed at the victim location with the malicious software in place, allowing the attacker to bypass firewalls and remotely gain access to the victim's network for further malicious activities.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (also see parent)

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Execution_Flow, Mitigations, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-186: Malicious Software Update

Attack Pattern ID: 186

Abstraction: Standard

View customized information:

Description

An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.

Extended Description

Although there are several variations to this strategy of attack, the attack methods are united in that all rely on the ability of an adversary to position and disguise malicious content such that it masquerades as a legitimate software update which is then processed by a program, undermining application integrity.

As such the attack employs 'spoofing' techniques augmented by psychological or technological mechanisms to disguise the update and/or its source. Virtually all software requires frequent updates or patches, giving the adversary immense latitude when structuring the attack, as well as many targets of opportunity. Automated attacks involving malicious software updates require little to no user-directed activity and are therefore advantageous because they avoid the complex preliminary setup stages of manual attacks, which must effectively 'hook' users while avoiding countermeasures such as spam filters or web security filters.

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	187	Malicious Automated Software Update via Redirection
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	533	Malicious Manual Software Update
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	614	Rooting SIM Cards
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	657	Malicious Automated Software Update via Spoofing
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	98	Phishing

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Execution Flow

Explore

Identify target: The adversary must first identify what they want their target to be. Because malicious software updates can be carried out in a variety of ways, the adversary will first not only identify a target program, but also what users they wish to target. This attack can be targeted (a particular user or group of users) or untargeted (many different users).

Experiment

Craft a deployment mechanism based on the target: The adversary must craft a deployment mechanism to deploy the malicious software update. This mechanism will differ based on if the attack is targeted or untargeted.

Techniques
Targeted attack: hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update.
Targeted attack: Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update
Untargeted attack: Spam the malicious update to as many users as possible through unsolicited email, instant messages, or social media messages.
Untargeted attack: Send phishing emails to as many users as possible and pretend to be a legitimate source suggesting to download an important software update.
Untargeted attack: Use trojans/botnets to aid in either of the two untargeted attacks.

Exploit

Deploy malicious software update: Using the deployment mechanism from the previous step, the adversary gets a user to install the malicious software update.

Skills Required

[Level: High]

This attack requires advanced cyber capabilities

Resources Required

Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the adversary to host a payload and then trigger the installation of the payload code.

Consequences

Scope	Impact	Likelihood
Access Control Availability Confidentiality	Execute Unauthorized Commands

Mitigations

Validate software updates before installing.

Example Instances

Using an automated process to download and install dangerous code was key part of the NotPeyta attack [REF-697]

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Notes

Other

Other class of attacks focus on firmware, where malicious updates are made to the core system firmware or BIOS. Since this occurs outside the controls of the operating system, the OS detection and prevention mechanisms do not aid, thus allowing an adversary to evade defenses as well as gain persistence on the target's system.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

[REF-697] Microsoft Defender Security Research Team. "New ransomware, old techniques: Petya adds worm capabilities". Microsoft. 2017. <https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>. URL validated: 2022-02-15.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Solutions_and_Mitigations, Typical_Severity
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences, Description Summary
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Description, Notes
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)	Updated Description, Execution_Flow, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Description, Example_Instances, Extended_Description, References, Resources_Required
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-439: Manipulation During Distribution

Attack Pattern ID: 439

Abstraction: Meta

View customized information:

Description

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	522	Malicious Hardware Component Replacement
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	523	Malicious Software Implanted
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	524	Rogue Integration Procedures

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Distribution

Example Instances

A malicious OEM provider, or OEM provider employee or contractor, may install software, or modify existing code, during distribution.

External contractors involved in the packaging or testing of products or components may install software, or modify existing code, during distribution.

Related Weaknesses

CWE-ID	Weakness Name
1269	Product Released in Non-Release Configuration

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195	Supply Chain Compromise

References

[REF-384] SAFECode. "The Software Supply Chain Integrity Framework Defining Risks and Responsibilities for Securing Software in the Global Supply Chain". Safecode.org. 2009.

[REF-382] Marianne Swanson, Nadya Bartol and Rama Moorthy. "Piloting Supply Chain Risk Management Practices for Federal Information Systems". Section 1. Introduction. Draft NISTIR 7622. National Institute of Standards and Technology. 2010.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Weaknesses, Taxonomy_Mappings
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Taxonomy_Mappings
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Integrity Modification During Distribution

CAPEC-690: Metadata Spoofing

Attack Pattern ID: 690

Abstraction: Meta

View customized information:

Description

An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.

Extended Description

One approach to this attack entails the adversary altering a maliciously modified resource's metadata in order to hide their malicious activity. Another approach involves altering the metadata of an adversary-created resource to make the source appear more credible. Adversaries may spoof a variety of metadata across a number of resources, such as the following:

Authors of Version Control System (VCS) repository commits
Open source package statistics
File attributes, such as when a file was last update

The ultimate goal of a Metadata Spoofing attack is to trick victims into believing the malicious resource being provided originates from a reputable source. However, the victim instead leverages the malicious resource, which could result in a number of negative technical impacts.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Identification of a resource whose metadata is to be spoofed

Skills Required

[Level: Medium]

Ability to spoof a variety of metadata to convince victims the source is trusted

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Accountability	Hide Activities
Access Control Authorization	Execute Unauthorized Commands

Mitigations

Validate metadata of resources such as authors, timestamps, and statistics.

Confirm the pedigree of open source packages and ensure the code being downloaded does not originate from another source.

Even if the metadata is properly checked and a user believes it to be legitimate, there may still be a chance that they've been duped. Therefore, leverage automated testing techniques to determine where malicious areas of the code may exist.

Related Weaknesses

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-538: Open-Source Library Manipulation

Attack Pattern ID: 538

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Execution Flow

Explore

Determine the relevant open-source code project to target: The adversary will make the selection based on various criteria:
- The open-source code currently in use on a selected target system.
- The depth in the dependency graph of the open source code in relationship to other code bases in use on the target system. Choosing an OSS lower in the graph decreases the probability of discovery, but also decreases the scope of its use within the target system.
- The programming language in which the open source code is implemented. Different languages present different opportunities for using known software weaknesses.
- The quality of processes in place to make a contribution. For instance, some contribution sites use static and dynamic analysis tools, which could increase the probability of discovery.
- The security requirements necessary to make a contribution. For instance, is the ownership lax allowing unsigned commits or anonymous users.

Experiment

Develop a plan for malicious contribution: The adversary develops a plan to contribute malicious code, taking the following into consideration:
- The adversary will probably avoid easy-to-find software weaknesses, especially ones that static and dynamic analysis tools are likely to discover.
- Common coding errors or missing edge cases of the algorithm, which can be explained away as being accidental, if discovered, will be preferred by the adversary.
- Sometimes no identity is required to make a contribution. Other options are to steal an existing identity or create one. When creating a new identity, strike a balance between too little or too much detail. Using an stolen identity could cause a notification to be sent to the actual user.

Exploit

Execute the plan for malicious contribution: Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.

Prerequisites

Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.

Skills Required

[Level: High]

Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration.

Example Instances

An adversary with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The adversary commits the change to the code which is picked up by a manufacturer who develops VPN software. It is eventually deployed at the victim's location where the very specific conditions are met giving the adversary the ability to sniff plaintext traffic thought to be encrypted. This can provide to the adversary access to sensitive data of the victim.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check
829	Inclusion of Functionality from Untrusted Control Sphere

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Software Dependencies and Development Tools

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Related_Attack_Patterns
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Description, Execution_Flow, Related_Attack_Patterns
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated @Name, Description, Example_Instances, Execution_Flow, Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Execution_Flow, Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2021-06-24 (Version 3.5)	Open Source Libraries Altered

CAPEC-401: Physically Hacking Hardware

Attack Pattern ID: 401

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	440	Hardware Integrity Attack
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	402	Bypassing ATA Password Security

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Example Instances

A malicious subcontractor or subcontractor's employee that is responsible for system maintenance secretly replaces a hard drive with one containing malicious code that will allow for backdoor access once deployed.

Related Weaknesses

CWE-ID	Weakness Name
1263	Improper Physical Access Control

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Attack_Prerequisites, Description Summary, Examples-Instances, References, Related_Attack_Patterns, Typical_Severity
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Examples-Instances, Typical_Likelihood_of_Exploit
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Example_Instances
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated @Name, Related_Weaknesses
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Hacking Hardware Devices or Components

2020-07-30 (Version 3.3)	Hacking Hardware

CAPEC-530: Provide Counterfeit Component

Attack Pattern ID: 530

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	531	Hardware Component Substitution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

Advanced knowledge about the target system and sub-components.

Skills Required

[Level: High]

Able to develop and manufacture malicious system components that resemble legitimate name-brand components.

Mitigations

There are various methods to detect if the component is a counterfeit. See section II of [REF-703] for many techniques.

Example Instances

The attacker, aware that the victim has contracted with an integrator for system maintenance and that the integrator uses commercial-off-the-shelf network hubs, develops their own network hubs with a built-in malicious capability for remote access, the malicious network hubs appear to be a well-known brand of network hub but are not. The attacker then advertises to the sub-system integrator that they are a legit supplier of network hubs, and offers them at a reduced price to entice the integrator to purchase these network hubs. The integrator then installs the attacker's hubs at the victim's location, allowing the attacker to remotely compromise the victim's network.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-698] Paul Wagner. "Combating Counterfeit Components in the DoD Supply Chain". Defence Systems Information Analysis Center. 2015. <https://dsiac.org/articles/combating-counterfeit-components-in-the-dod-supply-chain/>. URL validated: 2022-02-15.

[REF-703] Ujjwal Guin, Ke Huang, Daniel DiMase, John M. Carulli, Jr., Mohammad Tehranipoor and Yiorgos Makris. "Counterfeit Integrated Circuits: A Rising Threat in the Global Semiconductor Supply Chain". Proceedings of the IEEE. IEEE. 2014. <https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6856206>. URL validated: 2022-02-15.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Counterfeit Component Supplied

CAPEC-671: Requirements for ASIC Functionality Maliciously Altered

Attack Pattern ID: 671

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	447	Design Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Design

Prerequisites

An adversary would need to have access to a foundry’s or chip maker’s requirements management system that stores customer requirements for ASICs, requirements upon which the design of the ASIC is based.

Skills Required

[Level: High]

An adversary would need experience in designing chips based on functional requirements in order to manipulate requirements in such a way that deviations would not be detected in subsequent stages of ASIC manufacture and where intended malicious functionality would be available to the adversary once integrated into a system and fielded.

Consequences

Scope	Impact	Likelihood
Integrity	Alter Execution Logic

Mitigations

Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.

Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for hardware requirements and design.

Require that provenance of COTS microelectronic components be known whenever procured.

Conduct detailed vendor assessment before acquiring COTS hardware.

Example Instances

An adversary with access to ASIC functionality requirements for various customers, targets a particular customer’s ordered lot of ASICs by altering its functional requirements such that the ASIC design will result in a manufactured chip that does not meet the customer’s capability needs.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-675: Retrieve Data from Decommissioned Devices

Attack Pattern ID: 675

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Medium

Typical Severity

Medium

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	116	Excavation
CanFollow	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	406	Dumpster Diving
CanPrecede	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	37	Retrieve Embedded Sensitive Data

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Collect and Analyze Information
Supply Chain Risks	Disposal

Prerequisites

An adversary needs to have access to electronic data processing equipment being recycled or disposed of (e.g., laptops, servers) at a collection location and the ability to take control of it for the purpose of exploiting its content.

Skills Required

[Level: High]

An adversary may need the ability to mount printed circuit boards and target individual chips for exploitation.

[Level: Medium]

An adversary needs the technical skills required to extract solid state drives, hard disk drives, and other storage media to host on a compatible system or harness to gain access to digital content.

Consequences

Scope	Impact	Likelihood
Accountability	Bypass Protection Mechanism

Mitigations

Backup device data before erasure to retain intellectual property and inside knowledge.

Overwrite data on device rather than deleting. Deleted data can still be recovered, even if the device trash can is emptied. Rewriting data removes any trace of the old data. Performing multiple overwrites followed by a zeroing of the device (overwriting with all zeros) is good practice.

Use a secure erase software.

Physically destroy the device if it is not intended to be reused. Using a specialized service to disintegrate, burn, melt or pulverize the device can be effective, but if those services are inaccessible, drilling nails or holes, or smashing the device with a hammer can be effective. Do not burn, microwave, or pour acid on a hard drive.

Physically destroy memory and SIM cards for mobile devices not intended to be reused.

Ensure that the user account has been terminated or switched to a new device before destroying.

Example Instances

A company is contracted by an organization to provide data destruction services for solid state and hard disk drives being discarded. Prior to destruction, an adversary within the contracted company copies data from select devices, violating the data confidentiality requirements of the submitting organization.

Related Weaknesses

CWE-ID	Weakness Name
1266	Improper Scrubbing of Sensitive Data from Decommissioned Device

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1052	Exfiltration Over Physical Medium

References

[REF-663] Richard Kissel, Andrew Regenscheid, Matthew Scholl and Kevin Stine. "NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization". National Institute of Standards and Technology. 2014-12. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf>. URL validated: 2021-06-22.

[REF-717] Linda Pesante, Christopher King and George Silowash. "Disposing of Devices Safely". CISA United States Computer Emergency Readiness Team (US-CERT). 2012. <https://www.cisa.gov/uscert/sites/default/files/publications/DisposeDevicesSafely.pdf>. URL validated: 2022-02-21.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Related_Weaknesses

CAPEC-524: Rogue Integration Procedures

Attack Pattern ID: 524

Abstraction: Standard

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	439	Manipulation During Distribution

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Distribution

Prerequisites

Physical access to an integration facility that prepares the system before it is deployed at the victim location.

Skills Required

[Level: High]

Advanced knowledge of the design of the system.

[Level: High]

Hardware creation and manufacture of replacement components.

Mitigations

Deploy strong code integrity policies to allow only authorized apps to run.

Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.

Require SSL for update channels and implement certificate transparency based verification.

Sign everything, including configuration files, XML files and packages.

Develop an incident response process, disclose supply chain incidents and notify customers with accurate and timely information.

Maintain strong physical system access controls and monitor networks and physical facilities for insider threats.

Example Instances

An attacker gains access to a system integrator's documentation for the preparation of purchased systems designated for deployment at the victim's location. As a part of the preparation, the included 100 megabit network card is to be replaced with a 1 gigabit network card. The documentation is altered to reflect the type of 1 gigabit network card to use, and the attacker ensures that this type of network card is provided by the attacker's own supply. The card has additional malicious functionality which will allow for additional compromise by the attacker at the victim location once the system is deployed.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Typical_Likelihood_of_Exploit
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Mitigations, References

CAPEC-614: Rooting SIM Cards

Attack Pattern ID: 614

Abstraction: Detailed

View customized information:

Description

SIM cards are the de facto trust anchor of mobile devices worldwide. The cards protect the mobile identity of subscribers, associate devices with phone numbers, and increasingly store payment credentials, for example in NFC-enabled phones with mobile wallets. This attack leverages over-the-air (OTA) updates deployed via cryptographically-secured SMS messages to deliver executable code to the SIM. By cracking the DES key, an attacker can send properly signed binary SMS messages to a device, which are treated as Java applets and are executed on the SIM. These applets are allowed to send SMS, change voicemail numbers, and query the phone location, among many other predefined functions. These capabilities alone provide plenty of potential for abuse.

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Manipulate System Resources

Prerequisites

A SIM card that relies on the DES cipher.

Skills Required

[Level: Medium]

This is a sophisticated attack, but detailed techniques are published in open literature.

Consequences

Scope	Impact	Likelihood
Confidentiality Integrity	Execute Unauthorized Commands

Mitigations

Upgrade the SIM card to use the state-of-the-art AES or the somewhat outdated 3DES algorithm for OTA.

Related Weaknesses

CWE-ID	Weakness Name
327	Use of a Broken or Risky Cryptographic Algorithm

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-486] Karsten Nohl. "Rooting SIM Cards". Security Research Labs. <https://srlabs.de/rooting-sim-cards/>.

Content History

Submissions
Submission Date	Submitter	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)
Modifications
Modification Date	Modifier	Organization
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attack_Motivation-Consequences
2019-09-30 (Version 3.2)	CAPEC Content Team	The MITRE Corporation
2019-09-30 (Version 3.2)	Updated Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Related_Attack_Patterns
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Related_Attack_Patterns
Previous Entry Names
Change Date	Previous Entry Name
2017-01-09 (Version 2.9)	Rooting SIM CardS

CAPEC-677: Server Motherboard Compromise

Attack Pattern ID: 677

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	534	Malicious Hardware Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Hardware, Supply Chain, Physical Security
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Prerequisites

An adversary with access to hardware/software processes and tools within the development or hardware/software support environment can insert malicious software into hardware components during development or update/maintenance.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands

Mitigations

Purchase IT systems, components and parts from government approved vendors whenever possible.

Establish diversity among suppliers.

Conduct rigorous threat assessments of suppliers.

Require that Bills of Material (BoM) for critical parts and components be certified.

Utilize contract language requiring contractors and subcontractors to flow down to subcontractors and suppliers SCRM and SCRA (Supply Chain Risk Assessment) requirements.

Establish trusted supplier networks.

Example Instances

Malware is inserted into the Unified Extensible Firmware Interface (UEFI) software that resides on a flash memory chip soldered to a computer’s motherboard. It is the first thing to turn on when a system is booted and is allowed access to almost every part of the operating system. Hence, the malware will have extensive control over operating system functions and persist after system reboots. [REF-685]

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.003	Supply Chain Compromise: Compromise Hardware Supply Chain

References

[REF-685] "Kaspersky Finds Sophisticated UEFI Malware in the Wild". ExtremeTech. 2020-10-05. <https://www.extremetech.com/computing/315860-kaspersky-finds-sophisticated-uefi-malware-in-the-wild>. URL validated: 2021-10-19.

Content History

Submissions
Submission Date	Submitter	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated @Name
Previous Entry Names
Change Date	Previous Entry Name
2023-01-24 (Version 3.9)	Server Functionality Compromise

CAPEC-206: Signing Malicious Code

Attack Pattern ID: 206

Abstraction: Detailed

View customized information:

Description

Typical Severity

Very High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Execution Flow

Explore

The adversary first attempts to obtain a digital certificate in order to sign their malware or tools. This certificate could be stolen, created by the adversary, or acquired normally through a certificate authority.
Based on the type of certificate obtained, the adversary will create a goal for their attack. This is either a broad or targeted attack. If an adversary was able to steal a certificate from a targeted organization, they could target this organization by pretending to have legitimate code signed by them. In other cases, the adversary would simply sign their malware and pose as legitimate software such that any user might trust it. This is the more broad approach

Experiment

The adversary creates their malware and signs it with the obtained digital certificate. The adversary then checks if the code that they signed is valid either through downloading from the targeted source or testing locally.

Exploit

Once the malware has been signed, it is then deployed to the desired location. They wait for a trusting user to run their malware, thinking that it is legitimate software. This malware could do a variety of things based on the motivation of the adversary.

Prerequisites

The targeted developer must use a signing key to sign code bundles. (Note that not doing this is not a defense - it only means that the adversary does not need to steal the signing key before forging code bundles in the developer's name.)

Resources Required

None: No specialized resources are required to execute this type of attack.

Mitigations

Ensure digital certificates are protected and inaccessible by unauthorized uses.

If a digital certificate has been compromised it should be revoked and regenerated.

Even if a piece of software has a valid and trusted digital signature, it should be assessed for any weaknesses and vulnerabilities.

Example Instances

In the famous Stuxnet malware incident, two digital certificates were compromised in order to sign malicious device drivers with legitimate credentials. The signing resulted in the malware appearing as trusted by the system it was running on, which facilitated the installation of the malware in kernel mode. This further resulted in Stuxnet remaining undetected for a significant amount of time. [REF-699]

The cyber espionage group CyberKittens leveraged a stolen certificate from AI Squared that allowed them to leverage a signed executable within Operation Wilted Tulip. This ultimately allowed the executable to run as trusted on the system, allowing a Crowd Strike stager to be loaded within the system's memory. [REF-714]

Related Weaknesses

CWE-ID	Weakness Name
732	Incorrect Permission Assignment for Critical Resource

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1553.002	Subvert Trust Controls:Code Signing

References

[REF-699] Nicolas Falliere, Liam O Murchu and Eric Chien. "W32.Stuxnet Dossier". Symantec. 2010-11. <https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf>. URL validated: 2022-02-17.

[REF-700] Cristin Goodwin and Joram Borenstein. "Guarding against supply chain attacks—Part 3: How software becomes compromised". Microsoft. 2020-03-11. <https://www.microsoft.com/security/blog/2020/03/11/guarding-against-supply-chain-attacks-part-3-how-software-becomes-compromised/>. URL validated: 2022-02-17.

[REF-714] "Operation Wilted Tulip: Exposing a cyber espionage apparatus". ClearSky cyber security and Trend Micro. 2017-07. <https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf>. URL validated: 2022-02-17.

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017-08-04 (Version 2.11)	CAPEC Content Team	The MITRE Corporation
2017-08-04 (Version 2.11)	Updated Resources_Required
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Description Summary, Related_Weaknesses
2019-04-04 (Version 3.1)	CAPEC Content Team	The MITRE Corporation
2019-04-04 (Version 3.1)	Updated Taxonomy_Mappings
2020-07-30 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020-07-30 (Version 3.3)	Updated Related_Attack_Patterns, Taxonomy_Mappings
2020-12-17 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020-12-17 (Version 3.4)	Updated Execution_Flow
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)	Updated Description, Prerequisites, Related_Attack_Patterns
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated Example_Instances, Execution_Flow, Mitigations, References
Previous Entry Names
Change Date	Previous Entry Name
2018-07-31 (Version 2.12)	Lifting signing key and signing malicious code from a production environment

CAPEC-670: Software Development Tools Maliciously Altered

Attack Pattern ID: 670

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	669	Alteration of a Software Update

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

An adversary would need to have access to a targeted developer’s development environment and in particular to tools used to design, create, test and manage software, where the adversary could ensure malicious code is included in software packages built through alteration or substitution of tools in the environment used in the development of software.

Skills Required

[Level: High]

Ability to leverage common delivery mechanisms (e.g., email attachments, removable media) to infiltrate a development environment to gain access to software development tools for the purpose of malware insertion into an existing tool or replacement of an existing tool with a maliciously altered copy.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands
Access Control	Gain Privileges
Confidentiality	Modify Data Read Data

Mitigations

Have a security concept of operations (CONOPS) for the development environment that includes: Maintaining strict security administration and configuration management of requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools.

Avoid giving elevated privileges to developers.

Example Instances

An adversary with access to software build tools inside an Integrated Development Environment IDE alters a script used for downloading dependencies from a dependent code repository where the script has been changed to include malicious code implanted in the repository by the adversary.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1127	Trusted Developer Utilities Proxy Execution
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools

References

[REF-667] "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor". Schneier on Security. 2020-12-13. <https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html>. URL validated: 2021-06-24.

Content History

Submissions
Submission Date	Submitter	Organization
2021-06-24 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021-06-24 (Version 3.5)
Modifications
Modification Date	Modifier	Organization
2022-02-22 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022-02-22 (Version 3.7)	Updated References
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings

CAPEC-184: Software Integrity Attack

Attack Pattern ID: 184

Abstraction: Meta

View customized information:

Description

Typical Severity

Low

Relationships

Nature	Type	ID	Name
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	185	Malicious Software Download
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	186	Malicious Software Update
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	663	Exploitation of Transient Instruction Execution
ParentOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	669	Alteration of a Software Update
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Sustainment

Skills Required

[Level: Medium]

Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the attacker to host a payload and then trigger the installation of the payload code.

Resources Required

Software Integrity Attacks are usually a late stage focus of attack activity which depends upon the success of a chain of prior events. The resources required to perform the attack vary with respect to the overall attack strategy, existing countermeasures which must be bypassed, and the success of early phase attack vectors.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Content History

Submissions
Submission Date	Submitter	Organization
2014-06-23 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014-06-23 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2015-11-09 (Version 2.7)	CAPEC Content Team	The MITRE Corporation
2015-11-09 (Version 2.7)	Updated Activation_Zone, Injection_Vector, Payload, Payload_Activation_Impact, Related_Attack_Patterns
2018-07-31 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018-07-31 (Version 2.12)	Updated Attacker_Skills_or_Knowledge_Required
Previous Entry Names
Change Date	Previous Entry Name
2015-11-09 (Version 2.7)	Software Integrity Attacks

CAPEC-691: Spoof Open-Source Software Metadata

Attack Pattern ID: 691

Abstraction: Standard

View customized information:

Description

An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.

Extended Description

Due to open-source software's popularity, it serves as a desirable attack-vector for adversaries since a single malicious component may result in the exploitation of numerous systems/applications. Adversaries may, therefore, spoof the metadata pertaining to the open-source software in order to trick victims into downloading and using their malicious software. Examples of metadata that may be spoofed include:

Owner of the software (e.g., repository or package owner)
Author(s) of repository commits
Frequency of repository commits
Date/Time of repository commits
Package or Repository "stars"

Once the malicious software component has been integrated into an underlying application or executed on a system, the adversary is ultimately able to achieve numerous negative technical impacts within the system/application. This often occurs without any indication of compromise.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	690	Metadata Spoofing
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	692	Spoof Version Control System Commit Metadata
ParentOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	693	StarJacking
PeerOf	Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.	630	TypoSquatting
CanFollow	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	616	Establish Rogue Location
CanPrecede	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
CanPrecede	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

Identification of a popular open-source component whose metadata is to be spoofed.

Skills Required

[Level: Medium]

Ability to spoof a variety of software metadata to convince victims the source is trusted.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Accountability	Hide Activities
Access Control Authorization	Execute Unauthorized Commands Alter Execution Logic Gain Privileges

Mitigations

Before downloading open-source software, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.

Within package managers, look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.

Reference vulnerability databases to determine if the software contains known vulnerabilities.

Only download open-source software from reputable hosting sites or package managers.

Only download open-source software that has been adequately signed by the developer(s). For repository commits/tags, look for the "Verified" status and for developers leveraging "Vigilant Mode" (GitHub) or similar modes.

After downloading open-source software, ensure integrity values have not changed.

Before executing or incorporating the software, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.

Example Instances

An adversary provides a malicious open-source library, claiming to provide extended logging features and functionality, and spoofs the metadata with that of a widely used legitimate library. The adversary then tricks victims into including this library in their underlying application. Once the malicious software is incorporated into the application, the adversary is able to manipulate and exfiltrate log data.

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-692: Spoof Version Control System Commit Metadata

Attack Pattern ID: 692

Abstraction: Detailed

View customized information:

Description

Extended Description

Version Control Systems are widely used by developers to host, track, and manage source code files in an easy and synchronous manner. These systems are often leveraged to host open-source software that other developers can incorporate into their own applications or use as standalone applications. To prevent downloading vulnerable and/or malicious code, developers will often check the metadata of VCS repository commits to determine the repository's overall pedigree. This may include a variety of information, such as the following:

Owner of the repository
Author(s) of commits
Frequency of commits
Date/Time of commits
Repository activity graphs

These precursory checks can assist developers in determining whether a trusted individual/organization is providing the source code, how often the code is updated, and the relative popularity of the software. However, an adversary can spoof this metadata to make a repository containing malicious code appear as originating from a trusted source, being frequently maintained, and being commonly used by other developers. Without performing additional security activities, unassuming developers may be duped by this spoofed metadata and include the malicious code within their systems/applications. The adversary is then ultimately able to achieve numerous negative technical impacts, while the victim remains unaware of any malicious activity.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions
Supply Chain Risks	Development and Production, Sustainment

Execution Flow

Explore

Identify target: The adversary must first identify a target repository for them to spoof. Typically, this will be a popular and widely used repository, as to increase the amount of victims a successful attack will exploit.

Experiment

Create malicious repository: The adversary must create a malicious repository that imitates the legitimate repository being spoofed. This may include creating a username that closely matches the legitimate repository owner; creating a repository name that closely matches the legitimate repository name; uploading the legitimate source code; and more.

Spoof commit metadata: Once the malicious repository has been created, the adversary must then spoof the commit metadata to make the repository appear to be frequently maintained and originating from trusted sources.

Techniques
Git Commit Timestamps: The adversary generates numerous fake commits while setting the "GIT_AUTHOR_DATE" and "GIT_COMMITTER_DATE" environment variables to a date which is to be spoofed.
Git Commit Contributors: The adversary obtains a legitimate and trusted user's email address and then sets this information via the "git config" command. The adversary can then commit changes leveraging this username.

Exploit

Exploit victims: The adversary infiltrates software and/or system environments with the goal of conducting additional attacks.

Techniques
Active: The adversary attempts to trick victims into downloading the malicious software by means such as phishing and social engineering.
Passive: The adversary waits for victims to download and leverage malicious software.

Prerequisites

Identification of a popular open-source repository whose metadata is to be spoofed.

Skills Required

[Level: Medium]

Ability to spoof a variety of repository metadata to convince victims the source is trusted.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Accountability	Hide Activities
Access Control Authorization	Execute Unauthorized Commands Alter Execution Logic Gain Privileges

Mitigations

Reference vulnerability databases to determine if the software contains known vulnerabilities.

Only download open-source software from reputable hosting sites or package managers.

After downloading open-source software, ensure integrity values have not changed.

Before executing or incorporating the software, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.

Example Instances

In July 2022, Checkmarx reported that GitHub commit metadata could be spoofed if unsigned commits were leveraged by the repository. Adversaries were able to spoof commit contributors, as well as the date/time of the commit. This resulted in commits appearing to originate from trusted developers and a GitHub activity graph that duped users into believing that the repository had been maintained for a significant period of time. The lack of commit metadata validation ultimately allowed adversaries to propagate malware to unsuspecting victims [REF-719] [REF-720].

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-719] Aviad Gershon. "Unverified Commits: Are You Unknowingly Trusting Attackers’ Code?". Checkmarx. 2022-07-15. <https://checkmarx.com/blog/unverified-commits-are-you-unknowingly-trusting-attackers-code/>. URL validated: 2022-08-12.

[REF-720] Deeba Ahmed. "Hackers can spoof commit metadata to create false GitHub repositories". HackRead. 2022-07-17. <https://www.hackread.com/hackers-spoof-commit-metadata-false-github-repositories/>. URL validated: 2022-08-12.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC-693: StarJacking

Attack Pattern ID: 693

Abstraction: Detailed

View customized information:

Description

An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.

Extended Description

Many open-source software packages are hosted via third-party package managers (e.g., Node Package Manager, PyPi, Yarn, etc.) that allow for easy integration of software components into existing development environments. A package manager will typically include various metadata about the software and often include a link to the package's source code repository, to assist developers in determining the trustworthiness of the software. One common statistic used in this decision-making process is the popularity of the package. This entails checking the amount of "Stars" the package has received, which the package manager displays based on the provided source code repository URL. However, many package managers do not validate the connection between the package and source code repository being provided. Adversaries can thus spoof the popularity statistic of a malicious package by associating a popular source code repository URL with the package. This can ultimately trick developers into unintentionally incorporating the malicious package into their development environment.

Likelihood Of Attack

Medium

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	691	Spoof Open-Source Software Metadata

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Supply Chain, Social Engineering
Mechanisms of Attack	Engage in Deceptive Interactions
Supply Chain Risks	Development and Production, Sustainment

Execution Flow

Explore

Identify target: The adversary must first identify a target package whose popularity statistics will be leveraged. This will be a popular and widely used package, as to increase the perceived pedigree of the malicious package.

Experiment

Spoof package popularity: The adversary provides their malicious package to a package manager and uses the source code repository URL identified in Step 1 to spoof the popularity of the package. This malicious package may also closely resemble the legitimate package whose statistics are being utilized.

Exploit

Exploit victims: The adversary infiltrates development environments with the goal of conducting additional attacks.

Techniques
Active: The adversary attempts to trick victims into downloading the malicious package by means such as phishing and social engineering.
Passive: The adversary waits for victims to download and leverage the malicious package.

Prerequisites

Identification of a popular open-source package whose popularity metadata is to be used for the malicious package.

Skills Required

[Level: Low]

Ability to provide a package to a package manager and associate a popular package's source code repository URL.

Consequences

Scope	Impact	Likelihood
Integrity	Modify Data
Accountability	Hide Activities
Access Control Authorization	Execute Unauthorized Commands Alter Execution Logic Gain Privileges

Mitigations

Before downloading open-source packages, perform precursory metadata checks to determine the author(s), frequency of updates, when the software was last updated, and if the software is widely leveraged.

Look for conflicting or non-unique repository references to determine if multiple packages share the same repository reference.

Reference vulnerability databases to determine if the software contains known vulnerabilities.

Only download open-source packages from reputable package managers.

After downloading open-source packages, ensure integrity values have not changed.

Before executing or incorporating the package, leverage automated testing techniques (e.g., static and dynamic analysis) to determine if the software behaves maliciously.

Example Instances

In April 2022, Checkmarx reported that packages hosted on NPM, PyPi, and Yarn do not properly validate that the provided GitHub repository URL actually pertains to the package being provided. Combined with additional attacks such as TypoSquatting, this allows adversaries to spoof popularity metadata by associating popular GitHub repository URLs with the malicious package. This can further lead to developers unintentionally including the malicious package within their development environments [REF-721].

Related Weaknesses

CWE-ID	Weakness Name
494	Download of Code Without Integrity Check

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-721] Tzachi Zornstein. "StarJacking – Making Your New Open Source Package Popular in a Snap". Checkmarx. 2022-04-19. <https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/>. URL validated: 2022-08-12.

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)

CAPEC CATEGORY: Sustainment

Category ID: 688

Summary

Attack patterns within this category focus on the exploitation of weaknesses within the Sustainment phase of the CISA Supply Chain Lifecycle.

Membership

Nature	Type	ID	Name
MemberOf	View - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.	683	Supply Chain Risks
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	184	Software Integrity Attack
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	440	Hardware Integrity Attack
HasMember	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration
HasMember	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	536	Data Injected During Configuration
HasMember	Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.	690	Metadata Spoofing

References

Content History

Submissions
Submission Date	Submitter	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)
Modifications
Modification Date	Modifier	Organization
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Relationships

CAPEC-678: System Build Data Maliciously Altered

Attack Pattern ID: 678

Abstraction: Detailed

View customized information:

Description

Likelihood Of Attack

Low

Typical Severity

High

Relationships

Nature	Type	ID	Name
ChildOf	Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	444	Development Alteration

This table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software, Hardware, Supply Chain
Mechanisms of Attack	Manipulate System Resources
Supply Chain Risks	Development and Production, Sustainment

Prerequisites

An adversary has access to the data files and processes used for executing system configuration and performing the build.

Consequences

Scope	Impact	Likelihood
Integrity	Execute Unauthorized Commands
Access Control	Gain Privileges
Confidentiality	Modify Data Read Data

Mitigations

Implement configuration management security practices that protect the integrity of software and associated data.

Monitor and control access to the configuration management system.

Harden centralized repositories against attack.

Establish acceptance criteria for configuration management check-in to assure integrity.

Plan for and audit the security of configuration management administration processes.

Maintain configuration control over operational systems.

Example Instances

‘Make’ is a program used for building executable programs and libraries from source code by executing commands and following rules in a ‘makefile’. It can create a malicious executable if commands or dependency paths in the makefile are maliciously altered to execute an unwanted command or reference as a dependency maliciously altered code.

Related Weaknesses

Supply Chain: CWE does not currently cover Supply Chain in the way it is presented by CAPEC. Therefore, no mapping between the two corpuses can be made at this time.

Taxonomy Mappings

Relevant to the ATT&CK taxonomy mapping

Entry ID	Entry Name
1195.002	Supply Chain Compromise: Compromise Software Supply Chain

References

Content History

Submissions
Submission Date	Submitter	Organization
2021-10-21 (Version 3.6)	CAPEC Content Team	The MITRE Corporation
2021-10-21 (Version 3.6)
Modifications
Modification Date	Modifier	Organization
2022-09-29 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022-09-29 (Version 3.8)	Updated Taxonomy_Mappings
2023-01-24 (Version 3.9)	CAPEC Content Team	The MITRE Corporation
2023-01-24 (Version 3.9)	Updated Description

More information is available — Please select a different filter.

Page Last Updated or Reviewed: January 24, 2023


	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.

Common Attack Pattern Enumeration and Classification

CAPEC VIEW: Supply Chain Risks

CAPEC CATEGORY: Acquisition and Deployment

CAPEC-669: Alteration of a Software Update

CAPEC-532: Altered Installed BIOS

CAPEC-539: ASIC With Malicious Functionality

CAPEC-402: Bypassing ATA Password Security

CAPEC-520: Counterfeit Hardware Component Inserted During Product Assembly

CAPEC-536: Data Injected During Configuration

CAPEC CATEGORY: Design

CAPEC-447: Design Alteration

CAPEC-674: Design for FPGA Maliciously Altered

CAPEC-673: Developer Signing Maliciously Altered Software

CAPEC-444: Development Alteration

CAPEC CATEGORY: Development and Production

CAPEC CATEGORY: Disposal

CAPEC CATEGORY: Distribution

CAPEC-519: Documentation Alteration to Cause Errors in System Design

CAPEC-517: Documentation Alteration to Circumvent Dial-down

CAPEC-518: Documentation Alteration to Produce Under-performing Systems

CAPEC-663: Exploitation of Transient Instruction Execution

CAPEC-531: Hardware Component Substitution

CAPEC-516: Hardware Component Substitution During Baselining

CAPEC-521: Hardware Design Specifications Are Altered

CAPEC-440: Hardware Integrity Attack

CAPEC-537: Infiltration of Hardware Development Environment

CAPEC-511: Infiltration of Software Development Environment

CAPEC-696: Load Value Injection

CAPEC-187: Malicious Automated Software Update via Redirection

CAPEC-657: Malicious Automated Software Update via Spoofing

CAPEC-672: Malicious Code Implanted During Chip Programming

CAPEC-535: Malicious Gray Market Hardware

CAPEC-522: Malicious Hardware Component Replacement

CAPEC-534: Malicious Hardware Update

CAPEC-443: Malicious Logic Inserted Into Product by Authorized Developer

CAPEC-445: Malicious Logic Insertion into Product Software via Configuration Management Manipulation

CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component

CAPEC-533: Malicious Manual Software Update

CAPEC-185: Malicious Software Download

CAPEC-523: Malicious Software Implanted

CAPEC-186: Malicious Software Update

CAPEC-439: Manipulation During Distribution

CAPEC-690: Metadata Spoofing

CAPEC-538: Open-Source Library Manipulation

CAPEC-401: Physically Hacking Hardware

CAPEC-530: Provide Counterfeit Component

CAPEC-671: Requirements for ASIC Functionality Maliciously Altered

CAPEC-675: Retrieve Data from Decommissioned Devices

CAPEC-524: Rogue Integration Procedures

CAPEC-614: Rooting SIM Cards

CAPEC-677: Server Motherboard Compromise

CAPEC-206: Signing Malicious Code

CAPEC-670: Software Development Tools Maliciously Altered

CAPEC-184: Software Integrity Attack

CAPEC-691: Spoof Open-Source Software Metadata

CAPEC-692: Spoof Version Control System Commit Metadata

CAPEC-693: StarJacking

CAPEC CATEGORY: Sustainment

CAPEC-678: System Build Data Maliciously Altered