New to CAPEC? Start Here
Home > CAPEC List > VIEW SLICE: CAPEC-683: Supply Chain Risks(Version 3.9)  

CAPEC VIEW: Supply Chain Risks

View ID: 683
Structure: Graph
Downloads: Booklet | CSV | XML
+ Objective
This view covers patterns that fall within the CISA Supply Chain Lifecycle
+ Relationships
The following graph shows the tree-like relationships between attack patterns that exist at different levels of abstraction. At the highest level, categories exist to group patterns that share a common characteristic. Within categories, meta level attack patterns are used to present a decidedly abstract characterization of a methodology or technique. Below these are standard and detailed level patterns that are focused on a specific methodology or technique used.
Show Details:
683 - Supply Chain Risks
+CategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.Design - (684)
683 (Supply Chain Risks) > 684 (Design)
Attack patterns within this category focus on the exploitation of weaknesses within the Design phase of the CISA Supply Chain Lifecycle.
+Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Design Alteration - (447)
683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration)
An adversary modifies the design of a technology, product, or component to acheive a negative impact once the system is deployed. In this type of attack, the goal of the adversary is to modify the design of the system, prior to development starting, in such a way that the negative impact can be leveraged when the system is later deployed. Design alteration attacks differ from development alteration attacks in that design alteration attacks take place prior to development and which then may or may not be developed by the adverary. Design alteration attacks include modifying system designs to degrade system performance, cause unexpected states or errors, and general design changes that may lead to additional vulnerabilities. These attacks generally require insider access to modify design documents, but they may also be spoofed via web communications. The product is then developed and delivered to the user where the negative impact can be leveraged at a later time.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Documentation Alteration to Circumvent Dial-down - (517)
683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 517 (Documentation Alteration to Circumvent Dial-down)
An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Documentation Alteration to Produce Under-performing Systems - (518)
683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 518 (Documentation Alteration to Produce Under-performing Systems)
An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Documentation Alteration to Cause Errors in System Design - (519)
683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 519 (Documentation Alteration to Cause Errors in System Design)
An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Hardware Design Specifications Are Altered - (521)
683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 521 (Hardware Design Specifications Are Altered)
An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Requirements for ASIC Functionality Maliciously Altered - (671)
683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 671 (Requirements for ASIC Functionality Maliciously Altered)
An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user’s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Design for FPGA Maliciously Altered - (674)
683 (Supply Chain Risks) > 684 (Design) > 447 (Design Alteration) > 674 (Design for FPGA Maliciously Altered)
An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.
+CategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.Development and Production - (685)
683 (Supply Chain Risks) > 685 (Development and Production)
Attack patterns within this category focus on the exploitation of weaknesses within the Development and Production phase of the CISA Supply Chain Lifecycle.
+Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Development Alteration - (444)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration)
An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. The product is then delivered to the user where the negative impact can be leveraged at a later time.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Signing Malicious Code - (206)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 206 (Signing Malicious Code)
The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Inserted Into Product by Authorized Developer - (443)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 443 (Malicious Logic Inserted Into Product by Authorized Developer)
An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Insertion into Product Software via Configuration Management Manipulation - (445)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 445 (Malicious Logic Insertion into Product Software via Configuration Management Manipulation)
An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Insertion into Product via Inclusion of Third-Party Component - (446)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 446 (Malicious Logic Insertion into Product via Inclusion of Third-Party Component)
An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Infiltration of Software Development Environment - (511)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 511 (Infiltration of Software Development Environment)
An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Hardware Component Substitution During Baselining - (516)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 516 (Hardware Component Substitution During Baselining)
An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Counterfeit Hardware Component Inserted During Product Assembly - (520)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 520 (Counterfeit Hardware Component Inserted During Product Assembly)
An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Altered Installed BIOS - (532)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 532 (Altered Installed BIOS)
An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Infiltration of Hardware Development Environment - (537)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 537 (Infiltration of Hardware Development Environment)
An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Open-Source Library Manipulation - (538)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 538 (Open-Source Library Manipulation)
Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.ASIC With Malicious Functionality - (539)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 539 (ASIC With Malicious Functionality)
An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Software Development Tools Maliciously Altered - (670)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 670 (Software Development Tools Maliciously Altered)
An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Code Implanted During Chip Programming - (672)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 672 (Malicious Code Implanted During Chip Programming)
During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Developer Signing Maliciously Altered Software - (673)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 673 (Developer Signing Maliciously Altered Software)
Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems. This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.System Build Data Maliciously Altered - (678)
683 (Supply Chain Risks) > 685 (Development and Production) > 444 (Development Alteration) > 678 (System Build Data Maliciously Altered)
During the system build process, the system is deliberately misconfigured by the alteration of the build data. Access to system configuration data files and build processes is susceptible to deliberate misconfiguration of the system.
+Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.Metadata Spoofing - (690)
683 (Supply Chain Risks) > 685 (Development and Production) > 690 (Metadata Spoofing)
An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.
+Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Spoof Open-Source Software Metadata - (691)
683 (Supply Chain Risks) > 685 (Development and Production) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata)
An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Spoof Version Control System Commit Metadata - (692)
683 (Supply Chain Risks) > 685 (Development and Production) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 692 (Spoof Version Control System Commit Metadata)
An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.StarJacking - (693)
683 (Supply Chain Risks) > 685 (Development and Production) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 693 (StarJacking)
An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.
+CategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.Distribution - (686)
683 (Supply Chain Risks) > 686 (Distribution)
Attack patterns within this category focus on the exploitation of weaknesses within the Distribution phase of the CISA Supply Chain Lifecycle.
+Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.Manipulation During Distribution - (439)
683 (Supply Chain Risks) > 686 (Distribution) > 439 (Manipulation During Distribution)
An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging.
*Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Malicious Hardware Component Replacement - (522)
683 (Supply Chain Risks) > 686 (Distribution) > 439 (Manipulation During Distribution) > 522 (Malicious Hardware Component Replacement)
An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.
*Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Malicious Software Implanted - (523)
683 (Supply Chain Risks) > 686 (Distribution) > 439 (Manipulation During Distribution) > 523 (Malicious Software Implanted)
An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.
*Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Rogue Integration Procedures - (524)
683 (Supply Chain Risks) > 686 (Distribution) > 439 (Manipulation During Distribution) > 524 (Rogue Integration Procedures)
An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The attacker would then supply the malicious components. This would allow for malicious disruption or additional compromise when the system is deployed.
+CategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.Acquisition and Deployment - (687)
683 (Supply Chain Risks) > 687 (Acquisition and Deployment)
Attack patterns within this category focus on the exploitation of weaknesses within the Acquisition and Deployment phase of the CISA Supply Chain Lifecycle.
*Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Data Injected During Configuration - (536)
683 (Supply Chain Risks) > 687 (Acquisition and Deployment) > 536 (Data Injected During Configuration)
An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.
+CategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.Sustainment - (688)
683 (Supply Chain Risks) > 688 (Sustainment)
Attack patterns within this category focus on the exploitation of weaknesses within the Sustainment phase of the CISA Supply Chain Lifecycle.
+Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.Software Integrity Attack - (184)
683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack)
An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of software code, device data structures, or device firmware, achieving the modification of the target's integrity to achieve an insecure state.
*Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Malicious Software Download - (185)
683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 185 (Malicious Software Download)
An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.
+Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Malicious Software Update - (186)
683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 186 (Malicious Software Update)
An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Automated Software Update via Redirection - (187)
683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 187 (Malicious Automated Software Update via Redirection)
An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Manual Software Update - (533)
683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 533 (Malicious Manual Software Update)
An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Automated Software Update via Spoofing - (657)
683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 186 (Malicious Software Update) > 657 (Malicious Automated Software Update via Spoofing)
An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.
+Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Exploitation of Transient Instruction Execution - (663)
683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 663 (Exploitation of Transient Instruction Execution)
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Load Value Injection - (696)
683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 663 (Exploitation of Transient Instruction Execution) > 696 (Load Value Injection)
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.
*Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Alteration of a Software Update - (669)
683 (Supply Chain Risks) > 688 (Sustainment) > 184 (Software Integrity Attack) > 669 (Alteration of a Software Update)
An adversary with access to an organization’s software update infrastructure inserts malware into the content of an outgoing update to fielded systems where a wide range of malicious effects are possible. With the same level of access, the adversary can alter a software update to perform specific malicious acts including granting the adversary control over the software’s normal functionality.
+Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.Hardware Integrity Attack - (440)
683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack)
An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack.
+Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Physically Hacking Hardware - (401)
683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 401 (Physically Hacking Hardware)
An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Bypassing ATA Password Security - (402)
683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 401 (Physically Hacking Hardware) > 402 (Bypassing ATA Password Security)
An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.
+Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Malicious Hardware Update - (534)
683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update)
An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact.
+Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Hardware Component Substitution - (531)
683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution)
An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Provide Counterfeit Component - (530)
683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution) > 530 (Provide Counterfeit Component)
An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Gray Market Hardware - (535)
683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 531 (Hardware Component Substitution) > 535 (Malicious Gray Market Hardware)
An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Server Motherboard Compromise - (677)
683 (Supply Chain Risks) > 688 (Sustainment) > 440 (Hardware Integrity Attack) > 534 (Malicious Hardware Update) > 677 (Server Motherboard Compromise)
Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. The development environment or hardware/software support activity environment is susceptible to an adversary inserting malicious software into hardware components during development or update.
+Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Development Alteration - (444)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration)
An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. The product is then delivered to the user where the negative impact can be leveraged at a later time.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Signing Malicious Code - (206)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 206 (Signing Malicious Code)
The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content with the developer's key. Many developers use signing keys to sign code or hashes of code. When users or applications verify the signatures are accurate they are led to believe that the code came from the owner of the signing key and that the code has not been modified since the signature was applied. If the adversary has extracted the signing credentials then they can use those credentials to sign their own code bundles. Users or tools that verify the signatures attached to the code will likely assume the code came from the legitimate developer and install or run the code, effectively allowing the adversary to execute arbitrary code on the victim's computer. This differs from CAPEC-673, because the adversary is performing the code signing.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Inserted Into Product by Authorized Developer - (443)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 443 (Malicious Logic Inserted Into Product by Authorized Developer)
An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Insertion into Product Software via Configuration Management Manipulation - (445)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 445 (Malicious Logic Insertion into Product Software via Configuration Management Manipulation)
An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Malicious Logic Insertion into Product via Inclusion of Third-Party Component - (446)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 446 (Malicious Logic Insertion into Product via Inclusion of Third-Party Component)
An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Infiltration of Software Development Environment - (511)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 511 (Infiltration of Software Development Environment)
An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Altered Installed BIOS - (532)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 532 (Altered Installed BIOS)
An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Infiltration of Hardware Development Environment - (537)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 537 (Infiltration of Hardware Development Environment)
An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Open-Source Library Manipulation - (538)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 538 (Open-Source Library Manipulation)
Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.ASIC With Malicious Functionality - (539)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 539 (ASIC With Malicious Functionality)
An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Software Development Tools Maliciously Altered - (670)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 670 (Software Development Tools Maliciously Altered)
An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Such tools include requirements management and database tools, software design tools, configuration management tools, compilers, system build tools, and software performance testing and load testing tools. The adversary then carries out malicious acts once the software is deployed including malware infection of other systems to support further compromises.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Developer Signing Maliciously Altered Software - (673)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 673 (Developer Signing Maliciously Altered Software)
Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems. This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.System Build Data Maliciously Altered - (678)
683 (Supply Chain Risks) > 688 (Sustainment) > 444 (Development Alteration) > 678 (System Build Data Maliciously Altered)
During the system build process, the system is deliberately misconfigured by the alteration of the build data. Access to system configuration data files and build processes is susceptible to deliberate misconfiguration of the system.
*Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Data Injected During Configuration - (536)
683 (Supply Chain Risks) > 688 (Sustainment) > 536 (Data Injected During Configuration)
An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.
+Meta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.Metadata Spoofing - (690)
683 (Supply Chain Risks) > 688 (Sustainment) > 690 (Metadata Spoofing)
An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.
+Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Spoof Open-Source Software Metadata - (691)
683 (Supply Chain Risks) > 688 (Sustainment) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata)
An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.Spoof Version Control System Commit Metadata - (692)
683 (Supply Chain Risks) > 688 (Sustainment) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 692 (Spoof Version Control System Commit Metadata)
An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into believing that the maliciously provided software is frequently maintained and originates from a trusted source.
*Detailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.StarJacking - (693)
683 (Supply Chain Risks) > 688 (Sustainment) > 690 (Metadata Spoofing) > 691 (Spoof Open-Source Software Metadata) > 693 (StarJacking)
An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used and originates from a trusted source.
+CategoryCategory - A category in CAPEC is a collection of attack patterns based on some common characteristic. More specifically, it is an aggregation of attack patterns based on effect/intent (as opposed to actions or mechanisms, such an aggregation would be a meta attack pattern). An aggregation based on effect/intent is not an actionable attack and as such is not a pattern of attack behavior. Rather, it is a grouping of patterns based on some common criteria.Disposal - (689)
683 (Supply Chain Risks) > 689 (Disposal)
Attack patterns within this category focus on the exploitation of weaknesses within the Disposal phase of the CISA Supply Chain Lifecycle.
*Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.Retrieve Data from Decommissioned Devices - (675)
683 (Supply Chain Risks) > 689 (Disposal) > 675 (Retrieve Data from Decommissioned Devices)
An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.
+ References
[REF-718] "Supply Chain Risks for Information and Communication Technology". Cyber and Infrastructure Security Agency (CISA). 2018-12. <https://www.cisa.gov/sites/default/files/publications/19_0424_cisa_nrmc_supply-chain-risks-for-information-and-communication-technology.pdf>. URL validated: 2022-07-26.
+ View Metrics
CAPECs in this viewTotal CAPECs
Attack Patterns51out of 559
Categories6out of 21
Views0out of 13
Total57out of593
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
View Components
View Components
A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

CAPEC CATEGORY: Acquisition and Deployment

Category ID: 687
 
+ Summary
Attack patterns within this category focus on the exploitation of weaknesses within the Acquisition and Deployment phase of the CISA Supply Chain Lifecycle.
+ Membership
NatureTypeIDName
MemberOfViewView - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.683Supply Chain Risks
HasMemberStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.536Data Injected During Configuration
+ References
[REF-718] "Supply Chain Risks for Information and Communication Technology". Cyber and Infrastructure Security Agency (CISA). 2018-12. <https://www.cisa.gov/sites/default/files/publications/19_0424_cisa_nrmc_supply-chain-risks-for-information-and-communication-technology.pdf>. URL validated: 2022-07-26.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation

CAPEC-669: Alteration of a Software Update

Attack Pattern ID: 669
Abstraction: Standard
View customized information:
+ Description

An adversary with access to an organization’s software update infrastructure inserts malware into the content of an outgoing update to fielded systems where a wide range of malicious effects are possible. With the same level of access, the adversary can alter a software update to perform specific malicious acts including granting the adversary control over the software’s normal functionality.

+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.184Software Integrity Attack
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.670Software Development Tools Maliciously Altered
CanPrecedeDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.673Developer Signing Maliciously Altered Software
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Identify software with frequent updates: The adversary must first identify a target software that has updates at least with some frequency, enough that there is am update infrastructure.

Experiment
  1. Gain access to udpate infrastructure: The adversary must then gain access to the organization's software update infrastructure. This can either be done by gaining remote access from outside the organization, or by having a malicious actor inside the organization gain access. It is often easier if someone within the organization gains access.

Exploit
  1. Alter the software update: Through access to the software update infrastructure, an adversary will alter the software update by injecting malware into the content of an outgoing update.

+ Prerequisites
An adversary would need to have penetrated an organization’s software update infrastructure including gaining access to components supporting the configuration management of software versions and updates related to the software maintenance of customer systems.
+ Skills Required
[Level: High]
Skills required include the ability to infiltrate the organization’s software update infrastructure either from the Internet or from within the organization, including subcontractors, and be able to change software being delivered to customer/user systems in an undetected manner.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Access Control
Gain Privileges
Authorization
Execute Unauthorized Commands
Integrity
Modify Data
Confidentiality
Read Data
+ Mitigations
Have a Software Assurance Plan that includes maintaining strict configuration management control of source code, object code and software development, build and distribution tools; manual code reviews and static code analysis for developmental software; and tracking of all storage and movement of code.
Require elevated privileges for distribution of software and software updates.
+ Example Instances

A subcontractor to a software developer injects maliciously altered software updates into an automated update process that distributes to government and commercial customers software containing a hidden backdoor.

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.002Supply Chain Compromise: Compromise Software Supply Chain
+ References
[REF-658] "Defending Against Software Supply Chain Attacks". Cybersecurity and Infrastructure Security Agency (CISA). 2021-04. <https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf>. URL validated: 2021-06-22.
[REF-659] Dr. Charles Clancy, Joe Ferraro, Robert A. Martin, Adam G. Pennington, Christopher L. Sledjeski and Dr. Craig J. Wiener. "Deliver Uncompromised: Securing Critical Software Supply Chains". The MITRE Corporation. 2021-01. <https://www.mitre.org/publications/technical-papers/deliver-uncompromised-securing-critical-software-supply-chains>. URL validated: 2021-06-22.
[REF-660] Melinda Reed, John F. Miller and Paul Popick. "Supply Chain Attack Patterns: Framework and Catalog". Office of the Assistant Secretary of Defense for Research and Engineering. 2014-08. <https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html>. URL validated: 2021-06-22.
+ Content History
Submissions
Submission DateSubmitterOrganization
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2021-10-21
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-532: Altered Installed BIOS

Attack Pattern ID: 532
Abstraction: Detailed
View customized information:
+ Description
An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which when installed allows for future exploitation.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Advanced knowledge about the installed target system design.
Advanced knowledge about the download and update installation processes.
Access to the download and update system(s) used to deliver BIOS images.
+ Skills Required
[Level: High]
Able to develop a malicious BIOS image with the original functionality as a normal BIOS image, but with added functionality that allows for later compromise and/or disruption.
+ Mitigations
Deploy strong code integrity policies to allow only authorized apps to run.
Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.
Maintain a highly secure build and update infrastructure by immediately applying security patches for OS and software, implementing mandatory integrity controls to ensure only trusted tools run, and requiring multi-factor authentication for admins.
Require SSL for update channels and implement certificate transparency based verification.
Sign update packages and BIOS patches.
Use hardware security modules/trusted platform modules to verify authenticity using hardware-based cryptography.
+ Example Instances
An attacker compromises the download and update portion of a manufacturer's web presence, and develops a malicious BIOS that in addition to the normal functionality will also at a specific time of day disable the remote access subsystem's security checks. The malicious BIOS is put in place on the manufacturer's website, the victim location is sent an official-looking email informing the victim of the availability of a new BIOS with bug fixes and enhanced performance capabilities to entice the victim to install the new BIOS quickly. The malicious BIOS is downloaded and installed on the victim's system, which allows for additional compromise by the attacker.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1495Firmware Corruption
1542.001Pre-OS Boot:System Firmware
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-716] Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany and Beth Woodbury. "Supply chain attacks". Microsoft. 2021-10-28. <https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware>. URL validated: 2022-02-21.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated References, Related_Attack_Patterns
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated References, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2020-07-30
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2015-11-09
(Version 2.7)
Altered BIOS Installed After Installation

CAPEC-539: ASIC With Malicious Functionality

Attack Pattern ID: 539
Abstraction: Detailed
View customized information:
+ Description
An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being developed or maintained after initial deployment can insert malicious functionality into the system for the purpose of disruption or further compromise.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
The attacker must have working knowledge of some if not all of the components involved in the target system as well as the infrastructure and development environment of the manufacturer.
Advanced knowledge about the ASIC installed within the target system.
+ Skills Required
[Level: High]
Able to develop and manufacture malicious subroutines for an ASIC environment without degradation of existing functions and processes.
+ Example Instances
A hardware manufacturer periodically updates its ASIC with new features. The attacker, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for ASIC design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent ASIC development system. The attacker is then able to exfiltrate and alter sensitive data on the ASIC system, allowing for future compromise once a new AISC is deployed at the victim location.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-402: Bypassing ATA Password Security

Attack Pattern ID: 402
Abstraction: Detailed
View customized information:
+ Description
An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper credentials. ATA Security is often employed to protect hard disk information from unauthorized access. The mechanism requires the user to type in a password before the BIOS is allowed access to drive contents. Some implementations of ATA security will accept the ATA command to update the password without the user having authenticated with the BIOS. This occurs because the security mechanism assumes the user has first authenticated via the BIOS prior to sending commands to the drive. Various methods exist for exploiting this flaw, the most common being installing the ATA protected drive into a system lacking ATA security features (a.k.a. hot swapping). Once the drive is installed into the new system the BIOS can be used to reset the drive password.
+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.401Physically Hacking Hardware
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Access to the system containing the ATA Drive so that the drive can be physically removed from the system.
+ Mitigations
Avoid using ATA password security when possible.
Use full disk encryption to protect the entire contents of the drive or sensitive partitions on the drive.
Leverage third-party utilities that interface with self-encrypting drives (SEDs) to provide authentication, while relying on the SED itself for data encryption.
+ Example Instances

The A-FF Repair Station tool is a data recovery utility that can be used for ATA password removal (both High and Maximum level) and firmware area recovery. An adversary with access to this tool could reset the ATA password to bypass this security feature and unlock the hard drive. The adversary could then obtain any data contained within the drive. [REF-702]

An adversary gains physical access to the targeted hard drive and installs it into a system that does not support ATA security features. Once the drive is installed in the feature-lacking system, the adversary is able to reset the hard drive password via the BIOS. As a result, the adversary is able to bypass ATA password security and access content on the drive.

+ References
[REF-33] Stuart McClure, Joel Scambray and George Kurtz. "Hacking Exposed: Network Security Secrets & Solutions". Chapter 9: Hacking Hardware. 6th Edition. McGraw Hill. 2009.
[REF-701] Oliver Tennert. "Using the ATA security features of modern hard disks and SSDs". Admin Magazine. 2014. <https://www.admin-magazine.com/Archive/2014/19/Using-the-ATA-security-features-of-modern-hard-disks-and-SSDs>. URL validated: 2022-02-16.
[REF-702] "Breaking ATA Password Security". The University of Texas at Austin Information Security Office. <https://security.utexas.edu/education-outreach/BreakingATA>. URL validated: 2022-02-16.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2019-04-04
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Mitigations, References

CAPEC-520: Counterfeit Hardware Component Inserted During Product Assembly

Attack Pattern ID: 520
Abstraction: Detailed
View customized information:
+ Description
An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process introduces counterfeit hardware components into product assembly. The assembly containing the counterfeit components results in a system specifically designed for malicious purposes.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.
+ Skills Required
[Level: High]
Resources to maliciously construct components used by the manufacturer.
[Level: High]
Resources to physically infiltrate manufacturer or manufacturer's supplier.
+ Mitigations
Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.
Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.
+ Example Instances

A manufacturer of a firewall system requires a hardware card which functions as a multi-jack ethernet card with four ethernet ports. The adversary constructs a counterfeit card that functions normally except that packets from the adversary's network are allowed to bypass firewall processing completely. Once deployed at a victim location, this allows the adversary to bypass the firewall unrestricted.

In 2018 it was discovered that Chinese spies infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-712] Cristin Goodwin and Joram Borenstein. "Guarding against supply chain attacks—Part 2: Hardware risks". Microsoft. 2020-02-03. <https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/>. URL validated: 2022-02-17.
[REF-713] Jordan Robertson and Michael Riley. "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies". Bloomberg. 2018-10-04. <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>. URL validated: 2022-02-17.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Mitigations, Prerequisites, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-536: Data Injected During Configuration

Attack Pattern ID: 536
Abstraction: Standard
View customized information:
+ Description
An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.176Configuration/Environment Manipulation
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Determine configuration process: The adversary, through a previously compromised system, either remotely or physically, determines what the configuration process is. They look at configuration files, data files, and running processes on the system to identify areas where they could inject malicious data.

  2. Determine when configuration occurs: The adversary needs to then determine when configuration or recalibration of a system occurs so they know when to inject malicious data.

    Techniques
    Look for a weekly update cycle or repeated update schedule.
    Insert a malicious process into the target system that notifies the adversary when configuration is occurring.
Experiment
  1. Determine malicious data to inject: By looking at the configuration process, the adversary needs to determine what malicious data they want to insert and where to insert it.

    Techniques
    Add false log data
    Change configuration files
    Change data files
Exploit
  1. Inject malicious data: Right before, or during system configuration, the adversary injects the malicious data. This leads to the system behaving in a way that is beneficial to the adversary and is often followed by other attacks.

+ Prerequisites
The attacker must have previously compromised the victim's systems or have physical access to the victim's systems.
Advanced knowledge of software and hardware capabilities of a manufacturer's product.
+ Skills Required
[Level: High]
Ability to generate and inject false data into operational data into a system with the intent of causing the victim to alter the configuration of the system.
+ Mitigations
Ensure that proper access control is implemented on all systems to prevent unauthorized access to system files and processes.
+ Example Instances
An adversary wishes to bypass a security system to access an additional network segment where critical data is kept. The adversary knows that some configurations of the security system will allow for remote bypass under certain conditions, such as switching a specific parameter to a different value. The adversary knows the bypass will work but also will be detected within the logging data of the security system. The adversary waits until an upgrade is performed to the security system by the victim's system administrators, and the adversary has access to an external logging system. The adversary injects false log entries that cause the administrators to think there are two different error states within the security system - one involving the specific parameter and the other involving the logging entries. The specific parameter is adjusted to a different value, and the logging level is reduced to a lower level that will not cause an adversary bypass to be detected. The adversary stops injecting false log data, and the administrators of the security system believe the issues were caused by the upgrade and are now resolved. The adversary is then able to bypass the security system.
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2017-01-09
(Version 2.9)
CAPEC Content TeamThe MITRE Corporation
Updated Examples-Instances, Typical_Likelihood_of_Exploit
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Examples-Instances, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit
2020-07-30
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2020-12-17
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated @Abstraction
2021-10-21
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow

CAPEC CATEGORY: Design

Category ID: 684
 
+ Summary
Attack patterns within this category focus on the exploitation of weaknesses within the Design phase of the CISA Supply Chain Lifecycle.
+ Membership
NatureTypeIDName
MemberOfViewView - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.683Supply Chain Risks
HasMemberStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.447Design Alteration
+ References
[REF-718] "Supply Chain Risks for Information and Communication Technology". Cyber and Infrastructure Security Agency (CISA). 2018-12. <https://www.cisa.gov/sites/default/files/publications/19_0424_cisa_nrmc_supply-chain-risks-for-information-and-communication-technology.pdf>. URL validated: 2022-07-26.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation

CAPEC-447: Design Alteration

Attack Pattern ID: 447
Abstraction: Standard
View customized information:
+ Description
An adversary modifies the design of a technology, product, or component to acheive a negative impact once the system is deployed. In this type of attack, the goal of the adversary is to modify the design of the system, prior to development starting, in such a way that the negative impact can be leveraged when the system is later deployed. Design alteration attacks differ from development alteration attacks in that design alteration attacks take place prior to development and which then may or may not be developed by the adverary. Design alteration attacks include modifying system designs to degrade system performance, cause unexpected states or errors, and general design changes that may lead to additional vulnerabilities. These attacks generally require insider access to modify design documents, but they may also be spoofed via web communications. The product is then developed and delivered to the user where the negative impact can be leveraged at a later time.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.438Modification During Manufacture
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.517Documentation Alteration to Circumvent Dial-down
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.518Documentation Alteration to Produce Under-performing Systems
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.519Documentation Alteration to Cause Errors in System Design
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.521Hardware Design Specifications Are Altered
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.671Requirements for ASIC Functionality Maliciously Altered
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.674Design for FPGA Maliciously Altered
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Access to system design documentation prior to the development phase. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.
Ability to forge web communications to deliver modified design documentation.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Authorization
Execute Unauthorized Commands
Availability
Unreliable Execution
Integrity
Alter Execution Logic
+ Mitigations
Assess design documentation prior to development to ensure that they function as intended and without any malicious functionality.
Ensure that design documentation is saved in a secure location and has proper access controls set in place to avoid unnecessary modification.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, References, Related_Attack_Patterns
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
Previous Entry Names
Change DatePrevious Entry Name
2015-11-09
(Version 2.7)
Malicious Logic Insertion into Product Software during Update

CAPEC-674: Design for FPGA Maliciously Altered

Attack Pattern ID: 674
Abstraction: Detailed
View customized information:
+ Description

An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in order to introduce a malicious function that could result in the FPGA performing or enabling malicious functions on a host system. Prior to the memory chip reload, the adversary alters the program for the FPGA by adding a function to impact system operation.

+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.447Design Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
An adversary would need to have access to FPGA programming/configuration-related systems in a chip maker’s development environment where FPGAs can be initially configured prior to delivery to a customer or have access to such systems in a customer facility where end-user FPGA configuration/reconfiguration can be performed.
+ Skills Required
[Level: High]
An adversary would need to be skilled in FPGA programming in order to create/manipulate configurations in such a way that when loaded into an FPGA, the end user would be able to observe through testing all user-defined required functions but would be unaware of any additional functions the adversary may have introduced.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Integrity
Alter Execution Logic
+ Mitigations
Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.
Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for FPGA programming and program uploads to FPGA chips.
Require that provenance of COTS microelectronic components be known whenever procured.
Conduct detailed vendor assessment before acquiring COTS hardware.
+ Example Instances

An adversary with access and the ability to alter the configuration/programming of FPGAs in organizational systems, introduces a trojan backdoor that can be used to alter the behavior of the original system resulting in, for example, compromise of confidentiality of data being processed.

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ References
[REF-660] Melinda Reed, John F. Miller and Paul Popick. "Supply Chain Attack Patterns: Framework and Catalog". Office of the Assistant Secretary of Defense for Research and Engineering. 2014-08. <https://docplayer.net/13041016-Supply-chain-attack-patterns-framework-and-catalog.html>. URL validated: 2021-06-22.
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-662] Jeremy Muldavin. "Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC)". Office of the Deputy Assistant Secretary of Defense for Systems Engineering. 2017-11.
+ Content History
Submissions
Submission DateSubmitterOrganization
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-673: Developer Signing Maliciously Altered Software

Attack Pattern ID: 673
Abstraction: Detailed
View customized information:
+ Description

Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems.

This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications.

+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.669Alteration of a Software Update
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
An adversary would need to have access to a targeted developer’s software development environment, including to their software build processes, where the adversary could ensure code maliciously tainted prior to a build process is included in software packages built.
+ Skills Required
[Level: High]
The adversary must have the skills to infiltrate a developer’s software development/build environment and to implant malicious code in developmental software code, a build server, or a software repository containing dependency code, which would be referenced to be included during the software build process.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Integrity
Confidentiality
Read Data
Modify Data
Access Control
Authorization
Gain Privileges
Execute Unauthorized Commands
+ Mitigations
Have a security concept of operations (CONOPS) for the IDE that includes: Protecting the IDE via logical isolation using firewall and DMZ technologies/architectures; Maintaining strict security administration and configuration management of configuration management tools, developmental software and dependency code repositories, compilers, and system build tools.
Employ intrusion detection and malware detection capabilities on IDE systems where feasible.
+ Example Instances

An adversary who has infiltrated an organization’s build environment maliciously alters code intended to be included in a product’s software build via software dependency inclusion, part of the software build process. When the software product has been built, the developer electronically signs the finished product using their signing key. The recipient of the software product, an end user/customer, believes the software to reflect the developer’s intent with respect to functionality unaware of the adversary’s malicious intent harbored within.

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.002Supply Chain Compromise: Compromise Software Supply Chain
+ References
[REF-658] "Defending Against Software Supply Chain Attacks". Cybersecurity and Infrastructure Security Agency (CISA). 2021-04. <https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf>. URL validated: 2021-06-22.
[REF-659] Dr. Charles Clancy, Joe Ferraro, Robert A. Martin, Adam G. Pennington, Christopher L. Sledjeski and Dr. Craig J. Wiener. "Deliver Uncompromised: Securing Critical Software Supply Chains". The MITRE Corporation. 2021-01. <https://www.mitre.org/publications/technical-papers/deliver-uncompromised-securing-critical-software-supply-chains>. URL validated: 2021-06-22.
+ Content History
Submissions
Submission DateSubmitterOrganization
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-444: Development Alteration

Attack Pattern ID: 444
Abstraction: Standard
View customized information:
+ Description
An adversary modifies a technology, product, or component during its development to acheive a negative impact once the system is deployed. The goal of the adversary is to modify the system in such a way that the negative impact can be leveraged when the system is later deployed. Development alteration attacks may include attacks that insert malicious logic into the system's software, modify or replace hardware components, and other attacks which negatively impact the system during development. These attacks generally require insider access to modify source code or to tamper with hardware components. The product is then delivered to the user where the negative impact can be leveraged at a later time.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.438Modification During Manufacture
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.206Signing Malicious Code
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.443Malicious Logic Inserted Into Product by Authorized Developer
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.445Malicious Logic Insertion into Product Software via Configuration Management Manipulation
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.446Malicious Logic Insertion into Product via Inclusion of Third-Party Component
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.511Infiltration of Software Development Environment
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.516Hardware Component Substitution During Baselining
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.520Counterfeit Hardware Component Inserted During Product Assembly
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.532Altered Installed BIOS
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.537Infiltration of Hardware Development Environment
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.538Open-Source Library Manipulation
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.539ASIC With Malicious Functionality
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.670Software Development Tools Maliciously Altered
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.672Malicious Code Implanted During Chip Programming
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.673Developer Signing Maliciously Altered Software
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.678System Build Data Maliciously Altered
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.691Spoof Open-Source Software Metadata
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Access to the system during the development phase to alter and/or modify software and hardware components. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Authorization
Execute Unauthorized Commands
Availability
Unreliable Execution
Integrity
Alter Execution Logic
+ Mitigations
Assess software and software components during development and prior to deployment to ensure that they function as intended and without any malicious functionality.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, References, Related_Attack_Patterns
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
Previous Entry Names
Change DatePrevious Entry Name
2015-11-09
(Version 2.7)
Malicious Logic Insertion into Product Software via Externally Manipulated Component

CAPEC CATEGORY: Development and Production

Category ID: 685
 
+ Summary
Attack patterns within this category focus on the exploitation of weaknesses within the Development and Production phase of the CISA Supply Chain Lifecycle.
+ Membership
NatureTypeIDName
MemberOfViewView - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.683Supply Chain Risks
HasMemberStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
HasMemberMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.690Metadata Spoofing
+ References
[REF-718] "Supply Chain Risks for Information and Communication Technology". Cyber and Infrastructure Security Agency (CISA). 2018-12. <https://www.cisa.gov/sites/default/files/publications/19_0424_cisa_nrmc_supply-chain-risks-for-information-and-communication-technology.pdf>. URL validated: 2022-07-26.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2023-01-24
(Version 3.9)
CAPEC Content TeamThe MITRE Corporation
Updated Relationships

CAPEC CATEGORY: Disposal

Category ID: 689
 
+ Summary
Attack patterns within this category focus on the exploitation of weaknesses within the Disposal phase of the CISA Supply Chain Lifecycle.
+ Membership
NatureTypeIDName
MemberOfViewView - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.683Supply Chain Risks
HasMemberStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.675Retrieve Data from Decommissioned Devices
+ References
[REF-718] "Supply Chain Risks for Information and Communication Technology". Cyber and Infrastructure Security Agency (CISA). 2018-12. <https://www.cisa.gov/sites/default/files/publications/19_0424_cisa_nrmc_supply-chain-risks-for-information-and-communication-technology.pdf>. URL validated: 2022-07-26.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation

CAPEC CATEGORY: Distribution

Category ID: 686
 
+ Summary
Attack patterns within this category focus on the exploitation of weaknesses within the Distribution phase of the CISA Supply Chain Lifecycle.
+ Membership
NatureTypeIDName
MemberOfViewView - A view in CAPEC represents a perspective with which one might look at the collection of attack patterns defined within CAPEC. There are three different types of views: graphs, explicit slices, and implicit slices.683Supply Chain Risks
HasMemberMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.439Manipulation During Distribution
+ References
[REF-718] "Supply Chain Risks for Information and Communication Technology". Cyber and Infrastructure Security Agency (CISA). 2018-12. <https://www.cisa.gov/sites/default/files/publications/19_0424_cisa_nrmc_supply-chain-risks-for-information-and-communication-technology.pdf>. URL validated: 2022-07-26.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation

CAPEC-519: Documentation Alteration to Cause Errors in System Design

Attack Pattern ID: 519
Abstraction: Detailed
View customized information:
+ Description
An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the documentation in order to cause errors in system design. This allows the attacker to take advantage of a weakness in a deployed system of the manufacturer for malicious purposes.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.447Design Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Advanced knowledge of software capabilities of a manufacturer's product.
Access to the manufacturer's documentation.
+ Skills Required
[Level: High]
Ability to read, interpret, and subsequently alter manufacturer's documentation to cause errors in system design.
[Level: High]
Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.
+ Mitigations
Digitize documents and cryptographically sign them to verify authenticity.
Password protect documents and make them read-only for unauthorized users.
Avoid emailing important documents and configurations.
Ensure deleted files are actually deleted.
Maintain multiple instances of the document across different privileged users for recovery and verification.
+ Example Instances
During operation, a firewall will restart various subsystems to reload and implement new rules as added by the user. An attacker alters the software design dependencies in the manufacturer's documentation so that under certain predictable conditions the reload will fail to load in rules resulting in a "fail open" state. Once deployed at a victim site, this will allow the attacker to bypass the victim's firewall.
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations, References

CAPEC-517: Documentation Alteration to Circumvent Dial-down

Attack Pattern ID: 517
Abstraction: Detailed
View customized information:
+ Description
An attacker with access to a manufacturer's documentation, which include descriptions of advanced technology and/or specific components' criticality, alters the documents to circumvent dial-down functionality requirements. This alteration would change the interpretation of implementation and manufacturing techniques, allowing for advanced technologies to remain in place even though these technologies might be restricted to certain customers, such as nations on the terrorist watch list, giving the attacker on the receiving end of a shipped product access to an advanced technology that might otherwise be restricted.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.447Design Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Advanced knowledge of internal software and hardware components within manufacturer's development environment.
Access to the manufacturer's documentation.
+ Skills Required
[Level: High]
Ability to read, interpret, and subsequently alter manufacturer's documentation to prevent dial-down capabilities.
[Level: High]
Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.
+ Mitigations
Digitize documents and cryptographically sign them to verify authenticity.
Password protect documents and make them read-only for unauthorized users.
Avoid emailing important documents and configurations.
Ensure deleted files are actually deleted.
Maintain backups of the document for recovery and verification.
+ Example Instances
A product for manufacture exists that contains advanced cryptographic capabilities, including algorithms that are restricted from being shipped to some nations. An attacker from one of the restricted nations alters the documentation to ensure that when the product is manufactured for shipment to a restricted nation, the software compilation steps that normally would prevent the advanced cryptographic capabilities from being included are actually included. When the product is shipped to the attacker's home country, the attacker is able to retrieve and/or use the advanced cryptographic capabilities.
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations, References

CAPEC-518: Documentation Alteration to Produce Under-performing Systems

Attack Pattern ID: 518
Abstraction: Detailed
View customized information:
+ Description
An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in derived system requirements, impacting the overall effectiveness and capability of the system, allowing an attacker to take advantage of the introduced system capability flaw once the system is deployed.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.447Design Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Advanced knowledge of software and hardware capabilities of a manufacturer's product.
Access to the manufacturer's documentation.
+ Skills Required
[Level: High]
Ability to read, interpret, and subsequently alter manufacturer's documentation to misrepresent system capabilities.
[Level: High]
Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.
+ Mitigations
Digitize documents and cryptographically sign them to verify authenticity.
Password protect documents and make them read-only for unauthorized users.
Avoid emailing important documents and configurations.
Ensure deleted files are actually deleted.
Maintain backups of the document for recovery and verification.
Separate need-to-know information from system configuration information depending on the user.
+ Example Instances
A security subsystem involving encryption is a part of a product, but due to the demands of this subsystem during operation, the subsystem only runs when a specific amount of memory and processing is available. An attacker alters the descriptions of the system capabilities so that when deployed with the minimal requirements at the victim location, the encryption subsystem is never operational, leaving the system in a weakened security state.
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations, References

CAPEC-663: Exploitation of Transient Instruction Execution

Attack Pattern ID: 663
Abstraction: Standard
View customized information:
+ Description
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert access control over restricted resources. Typically, the adversary conducts a covert channel attack to target non-discarded microarchitectural changes caused by transient executions such as speculative execution, branch prediction, instruction pipelining, and/or out-of-order execution. The transient execution results in a series of instructions (gadgets) which construct covert channel and access/transfer the secret data.
+ Likelihood Of Attack

Low

+ Typical Severity

Very High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.74Manipulating State
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.184Software Integrity Attack
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.696Load Value Injection
PeerOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.124Shared Resource Manipulation
PeerOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.180Exploiting Incorrectly Configured Access Control Security Levels
PeerOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.212Functionality Misuse
CanPrecedeStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.141Cache Poisoning
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack.

    Techniques
    Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
  2. Explore cache and identify impacts: Utilize tools to understand the impact of transient instruction execution upon address spaces and CPU operations.

    Techniques
    Run OS or application specific tools that examine the contents of cache.
Experiment
  1. Cause conditions for identified transient instruction set execution: Adversary ensures that specific code/instructions of the target process are executed by CPU, so desired transient instructions are executed.

  2. Cause specific secret data to be cached from restricted address space: Executed instruction sets (gadgets) in target address space, initially executed via adversary-chosen transient instructions sets, establish covert channel and transfer secret data across this channel to cache.

    Techniques
    Prediction-based - adversary trains CPU to incorrectly predict/speculate conditions for instruction execution to be true, hence executing adversary-chosen transient instructions. These prediction-based methods include: Pattern History Table (PHT)/Input Validation Bypass, Branch Target Buffer (BTB)/Branch Target Injection, Return Stack Buffer (RSB)/Return Address Injection, and Store To Load (STL)/Speculative Store Bypass.
    Exception/Fault-based - adversary has CPU execute transient instructions that raise an exception allowing inaccessible memory space to be accessed via out-of-order execution. These exception/fault-based methods include: Supervisor-only Bypass, Virtual Translation Bypass, System Register Bypass, FPU Register Bypass, Read-only Bypass, Protection Key Bypass, and Bounds Check Bypass.
Exploit
  1. Perform covert channel attack to obtain/access secret data: Adversary process code removes instructions/data from shared cache set, waits for target process to reinsert them back into cache, to identify location of secret data via a timing method. Adversary continuously repeat this process to identify and access entirety of targeted secret data.

    Techniques
    Flush+Reload - adversary frequently flushes targeted memory cache line using a dedicated machine flush instruction, and uses another process to measure time taken for CPU to load victim secret data.
    Evict+Time - adversary causes victim to load target set into cache and measures time for victim process to load this data, setting a baseline. Adversary evicts a specified cache line and causes victim process to execute again, and measures any change in execution time, to determine if cache line was accessed.
    Prime+Probe - adversary primes cache by filling cache line(s) or set(s) with data, after some time victim process evicts this adversary data to replace it with secret data. The adversary then probes/accesses all the previously accessed cache lines detecting cache misses, which determine that their attacker data has been evicted and replaced with secret data from victim process.
+ Prerequisites
The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.
+ Skills Required
[Level: High]
Detailed knowledge on how various CPU architectures and microcode perform transient execution for various low-level assembly language code instructions/operations.
[Level: High]
Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage.
+ Resources Required
C2C mechanism or direct access to victim system, capable of dropping malicious program and collecting covert channel attack data.
Malicious program capable of triggering execution of transient instructions or vulnerable instruction sequences of victim program and performing a covert channel attack to gather data from victim process memory space. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources of the victim machine.
+ Indicators
File Signatures for Malicious Software capable of abusing Transient Instruction Set Execution
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Read Data
Access Control
Bypass Protection Mechanism
Authorization
Execute Unauthorized Commands
+ Mitigations
Implementation: DAWG (Dynamically Allocated Way Guard) - processor cache properly divided between different programs/processes that don't share resources
Implementation: KPTI (Kernel Page-Table Isolation) to completely separate user-space and kernel space page tables
Configuration: Architectural Design of Microcode to limit abuse of speculative execution and out-of-order execution
Configuration: Disable SharedArrayBuffer for Web Browsers
Configuration: Disable Copy-on-Write between Cloud VMs
Configuration: Privilege Checks on Cache Flush Instructions
Implementation: Non-inclusive Cache Memories to prevent Flush+Reload Attacks
+ Example Instances

A web browser with user-privileges executes JavaScript code imbedded within a malicious website. The system does not disable shared buffers for the web browser and there is no restriction or check upon user-process execution of flush or evict instructions. The Javascript code executes vulnerable transient instructions upon system to cause microarchitectural changes that establish covert channel and transfer sensitive/secret data into shared cache from address space of either kernel, web browser or another executing process on the system.

+ References
[REF-637] Paul Kocher, Jann Horn, Anders Fogh, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz and Yuval Yarom. "Spectre Attacks: Exploiting Speculative Execution". Graz University of Technology. 2019. <https://spectreattack.com/spectre.pdf>. URL validated: 2021-03-05.
[REF-638] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom and Mike Hamburg. "Meltdown: Reading Kernel Memory from User Space". Graz University of Technology. 2018. <https://meltdownattack.com/meltdown.pdf>. URL validated: 2021-03-05.
[REF-639] Claudio Canella, Jo Van Bulck, Michael Schwarz, Moritz Lipp, Benjamin von Berg, Philipp Ortner, Frank Piessens, Dmitry Evtyushkin and Daniel Gruss. "A Systematic Evaluation of Transient Execution Attacks and Defenses". Graz University of Technology. 2019-05-15. <https://arxiv.org/abs/1811.05441>. URL validated: 2021-03-05.
[REF-640] Qian Ge, Yuval Yarom and Gernot Heiser. "A Survey of Microarchitectural Timing Attacks and Countermeasures on Contemporary Hardware". Journal of Cryptographic Engineering. 2016-12-26. <https://eprint.iacr.org/2016/613.pdf>. URL validated: 2021-03-05.
[REF-641] Nael Abu-Ghazaleh, Dmitry Ponomarev and Dmitry Evtyushkin. "How the Spectre and Meltdown Hacks Really Worked". IEEE Spectrum. 2019-02-28. <https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked>. URL validated: 2021-03-05.
[REF-642] James Sanders. "Spectre and Meltdown explained: A comprehensive guide for professionals". TechRepublic. 2019-05-15. <https://spectrum.ieee.org/computing/hardware/how-the-spectre-and-meltdown-hacks-really-worked>. URL validated: 2021-03-05.
[REF-643] "Alert (TA18-004A) Meltdown and Spectre Side-Channel Vulnerability Guidance". CISA. 2018-01-04. <https://us-cert.cisa.gov/ncas/alerts/TA18-004A>. URL validated: 2021-03-05.
+ Content History
Submissions
Submission DateSubmitterOrganization
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns

CAPEC-531: Hardware Component Substitution

Attack Pattern ID: 531
Abstraction: Detailed
View customized information:
+ Description
An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried out directly on the system, enabling the attacker to then cause disruption or additional compromise.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.534Malicious Hardware Update
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.530Provide Counterfeit Component
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.535Malicious Gray Market Hardware
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Physical access to the system or the integration facility where hardware components are kept.
+ Skills Required
[Level: High]
Able to develop and manufacture malicious system components that perform the same functions and processes as their non-malicious counterparts.
+ Example Instances
An attacker has access to an organization's warehouse of card readers being included as a part of an overall security system. By replacing a critical hardware component in the card reader, the attacker is able to alter the function of the card reader to allow an attacker-supplied card to bypass a security checkpoint. The card reader is placed in the warehouse, and later used in the victim's security system. The attacker is then able to go to the victim and use their own card and bypass a physical security checkpoint and gain access to the victim's location for further malicious activity.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Prerequisites, Description Summary, Examples-Instances, References, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2015-11-09
(Version 2.7)
Hardware Component Substitution After Installation

CAPEC-516: Hardware Component Substitution During Baselining

Attack Pattern ID: 516
Abstraction: Detailed
View customized information:
+ Description
An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
The adversary will need either physical access or be able to supply malicious hardware components to the product development facility.
+ Skills Required
[Level: Medium]
Intelligence data on victim's purchasing habits.
[Level: High]
Resources to maliciously construct/alter hardware components used for testing by the supplier.
[Level: High]
Resources to physically infiltrate supplier.
+ Mitigations
Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.
Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist.
+ Example Instances

An adversary supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. The device claims in logs, stats, and via the display panel to be pumping out very large quantities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the adversary an advantage when attacking the victim in that the adversary's presence may not be detected by the device.

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-712] Cristin Goodwin and Joram Borenstein. "Guarding against supply chain attacks—Part 2: Hardware risks". Microsoft. 2020-02-03. <https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/>. URL validated: 2022-02-17.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Examples-Instances, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Mitigations, Prerequisites, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-521: Hardware Design Specifications Are Altered

Attack Pattern ID: 521
Abstraction: Detailed
View customized information:
+ Description
An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws advantageous to the attacker once the system is deployed.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.447Design Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Advanced knowledge of hardware capabilities of a manufacturer's product.
Access to the manufacturer's documentation.
+ Skills Required
[Level: High]
Ability to read, interpret, and subsequently alter manufacturer's documentation to cause errors in design specifications.
[Level: High]
Ability to stealthly gain access via remote compromise or physical access to the manufacturer's documentation.
+ Mitigations
Digitize documents and cryptographically sign them to verify authenticity.
Password protect documents and make them read-only for unauthorized users.
Avoid emailing important documents and configurations.
Ensure deleted files are actually deleted.
Maintain backups of the document for recovery and verification.
Separate need-to-know information from system configuration information depending on the user.
+ Example Instances
To operate at full capability, a manufacturer's network intrusion detection device needs to have either a Intel Xeon E7-2820 or AMD FX-8350 which have 8 "cores" available, allowing for advanced threading needed to handle large volumes of network traffic without resorting to dropping packets from the detection process. The attacker alters the documentation to state that the system design must use the Intel Core Duo or the AMD Phenom II X2, which only have 2 cores, causing the system to drop large amounts of packets during deployment at a victim site with large amounts of network traffic.
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-715] Marie Prokopets. "How To Secure Your Documents". Nira. <https://nira.com/how-to-secure-your-documents/>. URL validated: 2022-02-21.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations, References

CAPEC-440: Hardware Integrity Attack

Attack Pattern ID: 440
Abstraction: Meta
View customized information:
+ Description
An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-component or a new one installed during its deployed use at the victim location for the purpose of carrying out an attack.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.401Physically Hacking Hardware
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.534Malicious Hardware Update
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Influence over the deployed system at a victim location.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Integrity
Execute Unauthorized Commands
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
1200Hardware Additions
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Examples-Instances, References
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Typical_Likelihood_of_Exploit, Typical_Severity
2019-04-04
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Taxonomy_Mappings
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2015-11-09
(Version 2.7)
Integrity Modification During Deployed Use

CAPEC-537: Infiltration of Hardware Development Environment

Attack Pattern ID: 537
Abstraction: Detailed
View customized information:
+ Description
An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environments, inserts malicious software within the hardware and/or firmware development environment. The infiltration purpose is to alter developed hardware components in a system destined for deployment at the victim's organization, for the purpose of disruption or further compromise.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).
The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.
The adversary must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.
+ Skills Required
[Level: Medium]
Intelligence about the manufacturer's operating environment and infrastructure.
[Level: High]
Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.
[Level: High]
Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)
+ Mitigations
Verify software downloads and updates to ensure they have not been modified be adversaries
Leverage antivirus tools to detect known malware
Do not download software from untrusted sources
Educate designers, developers, engineers, etc. on social engineering attacks to avoid downloading malicious software via attacks such as phishing attacks
+ Example Instances

The adversary, knowing the manufacturer runs email on a system adjacent to the hardware development systems used for hardware and/or firmware design, sends a phishing email with a malicious attachment to the manufacturer. When viewed, the malicious attachment installs a backdoor that allows the adversary to remotely compromise the adjacent hardware development system from the manufacturer's workstation. The adversary is then able to exfiltrate and alter sensitive data on the hardware system, allowing for future compromise once the developed system is deployed at the victim location.

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-712] Cristin Goodwin and Joram Borenstein. "Guarding against supply chain attacks—Part 2: Hardware risks". Microsoft. 2020-02-03. <https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/>. URL validated: 2022-02-17.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-04-04
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2020-12-17
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Mitigations, Prerequisites, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-511: Infiltration of Software Development Environment

Attack Pattern ID: 511
Abstraction: Detailed
View customized information:
+ Description
An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment) of a victim manufacturer with the intent of implanting malware allowing for attack control of the victim IDE environment. The attack then uses this access to exfiltrate sensitive data or information, manipulate said data or information, and conceal these actions. This will allow and aid the attack to meet the goal of future compromise of a recipient of the victim's manufactured product further down in the supply chain.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
The victim must use email or removable media from systems running the IDE (or systems adjacent to the IDE systems).
The victim must have a system running exploitable applications and/or a vulnerable configuration to allow for initial infiltration.
The attacker must have working knowledge of some if not all of the components involved in the IDE system as well as the infrastructure.
+ Skills Required
[Level: Medium]
Intelligence about the manufacturer's operating environment and infrastructure.
[Level: High]
Ability to develop, deploy, and maintain a stealth malicious backdoor program remotely in what is essentially a hostile environment.
[Level: High]
Development skills to construct malicious attachments that can be used to exploit vulnerabilities in typical desktop applications or system configurations. The malicious attachments should be crafted well enough to bypass typical defensive systems (IDS, anti-virus, etc)
+ Mitigations
Avoid the common delivery mechanisms of adversaries, such as email attachments, which could introduce the malware.
+ Example Instances
The attacker, knowing the victim runs email on a system adjacent to the IDE system, sends a phishing email with a malicious attachment to the victim. When viewed, the malicious attachment installs a backdoor that allows the attacker to remotely compromise the adjacent IDE system from the victim's workstation. The attacker is then able to exfiltrate sensitive data about the software being developed on the IDE system.
Using rogue versions of Xcode (Apple's app development tool) downloaded from third-party websites, it was possible for the adversary to insert malicious code into legitimate apps during the development process.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.001Supply Chain Compromise: Compromise Software Dependencies and Development Tools
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances, Mitigations
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-696: Load Value Injection

Attack Pattern ID: 696
Abstraction: Detailed
View customized information:
+ Description
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instruction transiently forwards adversary-controlled data from microarchitectural buffers. By inducing a page fault or microcode assist during victim execution, an adversary can force legitimate victim execution to operate on the adversary-controlled data which is stored in the microarchitectural buffers. The adversary can then use existing code gadgets and side channel analysis to discover victim secrets that have not yet been flushed from microarchitectural state or hijack the system control flow.
+ Extended Description
This attack is a mix of techniques used in traditional Meltdown and Spectre attacks. It uses microarchitectural data leakage combined with code gadget abuse. Intel has identified that this attack is not applicable in scenarios where the OS and the VMM (Virtual Memory Manager) are both trusted. Because of this, Intel SGX is a prime target for this attack because it assumes that the OS or VMM may be malicious.
+ Likelihood Of Attack

Low

+ Typical Severity

Very High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.663Exploitation of Transient Instruction Execution
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Survey target application and relevant OS shared code libraries: Adversary identifies vulnerable transient instruction sets and the code/function calls to trigger them as well as instruction sets or code fragments (gadgets) to perform attack. The adversary looks for code gadgets which will allow them to load an adversary-controlled value into trusted memory. They also look for code gadgets which might operate on this controlled value.

    Techniques
    Utilize Disassembler and Debugger tools to examine and trace instruction set execution of source code and shared code libraries on a system.
Experiment
  1. Fill microarchitectural buffer with controlled value: The adversary will utilize the found code gadget from the previous step to load a value into a microarchitectural buffer.

    Techniques
    The adversary may choose the controlled value to be memory address of sensitive information that they want the system to access
    The adversary may choose the controlled value to be the memory address of other code gadgets that they wish to execute by hijacking the control flow of the system
  2. Set up instruction to page fault or microcode assist: The adversary must manipulate the system such that a page fault or microcode assist occurs when a valid instruction is run. If the instruction that fails is near where the adversary-controlled value was loaded, the system may forward this value from the microarchitectural buffer incorrectly.

    Techniques
    When targeting Intel SGX enclaves, adversaries that have privileges can manipulate PTEs to provoke page-fault exceptions or microcode assists.
    When targeting Intel SGX enclaves, adversaries can indirectly revoke permissions for enclave code through the “mprotect” system call
    An adversary can evict selected virtual memory pages using legacy interfaces or by increasing physical memory utilization
    When attacking a Windows machine, wait until the OS clears the PTE accessed bit. When the page is next accessed, the CPU will always issue a microcode assist for re-setting this bit
Exploit
  1. Operate on adversary-controlled data: Once the attack has been set up and the page fault or microcode assist occurs, the system operates on the adversary-controlled data.

    Techniques
    Influence the system to load sensitive information into microarchitectural state which can be read by the adversary using a code gadget.
    Hijack execution by jumping to second stage gadgets found in the address space. By utilizing return-oriented programming, this can chain gadgets together and allow the adversary to execute a sequence of gadgets.
+ Prerequisites
The adversary needs at least user execution access to a system and a maliciously crafted program/application/process with unprivileged code to misuse transient instruction set execution of the CPU.
The CPU incorrectly transiently forwards values from microarchitectural buffers after faulting or assisted loads
The adversary needs the ability to induce page faults or microcode assists on the target system.
Code gadgets exist that allow the adversary to hijack transient execution and encode secrets into the microarchitectural state.
+ Skills Required
[Level: High]
Detailed knowledge on how various CPU architectures and microcode perform transient execution for various low-level assembly language code instructions/operations.
[Level: High]
Detailed knowledge on compiled binaries and operating system shared libraries of instruction sequences, and layout of application and OS/Kernel address spaces for data leakage.
[Level: High]
The ability to provoke faulting or assisted loads in legitimate execution.
+ Indicators
File Signatures for Malicious Software capable of abusing Transient Instruction Set Execution
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Read Data
Access Control
Bypass Protection Mechanism
Authorization
Execute Unauthorized Commands
+ Mitigations
Do not allow the forwarding of data resulting from a faulting or assisted instruction. Some current mitigations claim to zero out the forwarded data, but this mitigation still does not suffice.
Insert explicit “lfence” speculation barriers in software before potentially faulting or assisted loads. This halts transient execution until all previous instructions have been executed and ensures that the architecturally correct value is forwarded.
+ References
[REF-735] Jo Van Bulck, Daniel Moghimi, Michael Schwarz, Moritz Lipp, Marina Minkin, Daniel Genkin, Yuval Yarom, Berk Sunar, Daniel Gruss and Frank Piessens. "LVI - Hijacking Transient Execution with Load Value Injection". <https://lviattack.eu/>. URL validated: 2022-09-23.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation

CAPEC-187: Malicious Automated Software Update via Redirection

Attack Pattern ID: 187
Abstraction: Detailed
View customized information:
+ Description
An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target code-base. The first weakness involves a failure to properly authenticate a server as a source of update or patch content. This type of weakness typically results from authentication mechanisms which can be defeated, allowing a hostile server to satisfy the criteria that establish a trust relationship. The second weakness is a systemic failure to validate the identity and integrity of code downloaded from a remote location, hence the inability to distinguish malicious code from a legitimate update.
+ Extended Description

One predominate type of redirection attack requires DNS spoofing or hijacking of a domain name corresponding to an update server. The target software initiates an update request and the DNS request resolves the domain name of the update server to the IP address of the attacker, at which point the software accepts updates either transmitted by or pulled from the attackers' server. Attacks against DNS mechanisms comprise an initial phase of a chain of attacks that facilitate automated update hijacking attack, and such attacks have a precedent in targeted activities that have been as complex as DNS/BIND attacks of corporate infrastructures, to untargeted attacks aimed at compromising home broadband routers, as well as attacks involving the compromise of wireless access points, as well as 'evil twin' attacks coupled with DNS redirection. Due to the plethora of options open to the attacker in forcing name resolution to arbitrary servers the Automated Update Hijacking attack strategies are the tip of the spear for many multi-stage attack chains.

The second weakness that is exploited by the attacker is the lack of integrity checking by the software in validating the update. Software which relies only upon domain name resolution to establish the identity of update code is particularly vulnerable, because this signals an absence of other security countermeasures that could be applied to invalidate the attackers' payload on basis of code identity, hashing, signing, encryption, and other integrity checking mechanisms. Redirection-based attack patterns work equally well against client-side software as well as local servers or daemons that provide software update functionality.

+ Likelihood Of Attack

High

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.186Malicious Software Update
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Access Control
Availability
Confidentiality
Execute Unauthorized Commands
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (also see parent)
Entry IDEntry Name
1072Software Deployment Tools
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Activation_Zone, Architectural_Paradigms, Injection_Vector, Payload, Payload_Activation_Impact, References, Technical_Context
2017-08-04
(Version 2.11)
CAPEC Content TeamThe MITRE Corporation
Updated Resources_Required
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2020-12-17
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated @Name, Consequences, Description, Likelihood_Of_Attack, Taxonomy_Mappings
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Extended_Description
Previous Entry Names
Change DatePrevious Entry Name
2020-12-17
(Version 3.4)
Malicious Automated Software Update

CAPEC-657: Malicious Automated Software Update via Spoofing

Attack Pattern ID: 657
Abstraction: Detailed
View customized information:
+ Description
An attackers uses identify or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious automated software update that leverages spoofing can include content or identity spoofing as well as protocol spoofing. Content or identity spoofing attacks can trigger updates in software by embedding scripted mechanisms within a malicious web page, which masquerades as a legitimate update source. Scripting mechanisms communicate with software components and trigger updates from locations specified by the attackers' server. The result is the client believing there is a legitimate software update available but instead downloading a malicious update from the attacker.
+ Likelihood Of Attack

High

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.186Malicious Software Update
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.194Fake the Source of Data
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Access Control
Availability
Confidentiality
Execute Unauthorized Commands
+ Example Instances
An example of the spoofing strategy would be the eTrust Antivirus Webscan Automated Update Remote Code Execution vulnerability (CVE-2006-3976) and (CVE-2006-3977) whereby an ActiveX control could be remotely manipulated by an attacker controlled web page to download and execute the attackers' code without integrity checking.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (also see parent)
Entry IDEntry Name
1072Software Deployment Tools
+ Content History
Submissions
Submission DateSubmitterOrganization
2020-12-17
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-672: Malicious Code Implanted During Chip Programming

Attack Pattern ID: 672
Abstraction: Detailed
View customized information:
+ Description

During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s intended program logic to produce an effect intended by the adversary when the fully manufactured chip is deployed and in operational use. Intended effects can include the ability of the adversary to remotely control a host system to carry out malicious acts.

+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
An adversary would need to have access to a foundry’s or chip maker’s development/production environment where programs for specific chips are developed, managed and uploaded into targeted chips prior to distribution or sale.
+ Skills Required
[Level: Medium]
An adversary needs to be skilled in microprogramming, manipulation of configuration management systems, and in the operation of tools used for the uploading of programs into chips during manufacture. Uploading can be for individual chips or performed on a large scale basis.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Integrity
Alter Execution Logic
+ Mitigations
Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.
Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management of microcode and microcode generating tools and software.
Require that provenance of COTS microelectronic components be known whenever procured.
Conduct detailed vendor assessment before acquiring COTS hardware.
+ Example Instances

Following a chip’s production process steps of test and verification and validation of chip circuitry, an adversary involved in the generation of microcode defining the chip’s function(s) inserts a malicious instruction that will become part of the chip’s program. When integrated into a system, the chip will produce an effect intended by the adversary.

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ References
[REF-662] Jeremy Muldavin. "Assuring Microelectronics Innovation for National Security & Economic Competitiveness (MINSEC)". Office of the Deputy Assistant Secretary of Defense for Systems Engineering. 2017-11.
+ Content History
Submissions
Submission DateSubmitterOrganization
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-535: Malicious Gray Market Hardware

Attack Pattern ID: 535
Abstraction: Detailed
View customized information:
+ Description
An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the victim needs replacement hardware components for systems where the parts are no longer in regular supply from original suppliers, or where the hardware components from the attacker seems to be a great benefit from a cost perspective.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.531Hardware Component Substitution
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Physical access to a gray market reseller's hardware components supply, or the ability to appear as a gray market reseller to the victim's buyer.
+ Skills Required
[Level: High]
Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts.
+ Mitigations
Purchase only from authorized resellers.
Validate serial numbers from multiple sources
+ Example Instances
An attacker develops co-processor boards with malicious capabilities that are technically the same as a manufacturer's expensive upgrade to their flagship system. The victim has installed the manufacturer's base system without the expensive upgrade. The attacker contacts the victim and states they have the co-processor boards at a drastically-reduced price, falsely stating they were acquired from a bankruptcy liquidation of a company that had purchased them from the manufacturer. The victim after hearing the drastically reduced price decides to take advantage of the situation and purchases the upgrades from the attacker, and installs them. This allows the attacker to further compromise the victim.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Examples-Instances, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations

CAPEC-522: Malicious Hardware Component Replacement

Attack Pattern ID: 522
Abstraction: Standard
View customized information:
+ Description
An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.439Manipulation During Distribution
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Determine Target Hardware: The adversary must first identify a system that they wish to target, and a specific hardware component that they can swap out with a malicious replacement.

    Techniques
    Look for datasheets containing the system schematics that can help identify possible target hardware.
    Procure a system and inspect it manually, looking for possible hardware component targets. Search for manufacturer IDs on hardware chips or FCC IDs on wireless chips to determine their functionality.
  2. Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.

    Techniques
    Procure a system and observe the steps it takes in the shipment process.
    Identify possible warehouses that systems are stored after manufacturing.
Experiment
  1. Test a Malicious Component Replacement: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

    Techniques
    Design a malicious hardware component that will perform the same functionality as the target component, but also contains additional functionality.
    Obtain already designed malicious components that just need to be placed into the system.
Exploit
  1. Substitute Components in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary substitutes the malicious component for the targeted component. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

+ Prerequisites
Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.
+ Skills Required
[Level: High]
Advanced knowledge of the design of the system.
[Level: High]
Hardware creation and manufacture of replacement components.
+ Mitigations
Ensure that all contractors and sub-suppliers use trusted means of shipping (e.g., bonded/cleared/vetted and insured couriers) to ensure that components, once purchased, are not subject to compromise during their delivery.
Prevent or detect tampering with critical hardware or firmware components while in transit through use of state-of-the-art anti-tamper devices.
Use tamper-resistant and tamper-evident packaging when shipping critical components (e.g., plastic coating for circuit boards, tamper tape, paint, sensors, and/or seals for cases and containers) and inspect received system components for evidence of tampering.
+ Example Instances
During shipment the adversary is able to intercept a system that has been purchased by the victim, and replaces a math processor card that functions just like the original, but contains advanced malicious capability. Once deployed, the system functions as normal, but allows for the adversary to remotely communicate with the system and use it as a conduit for additional compromise within the victim's environment.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (also see parent)
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-712] Cristin Goodwin and Joram Borenstein. "Guarding against supply chain attacks—Part 2: Hardware risks". Microsoft. 2020-02-03. <https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/>. URL validated: 2022-02-17.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Typical_Likelihood_of_Exploit
2021-10-21
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Execution_Flow, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-534: Malicious Hardware Update

Attack Pattern ID: 534
Abstraction: Standard
View customized information:
+ Description
An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the victim location. After deployment, it is not uncommon for upgrades and replacements to occur involving hardware and various replaceable parts. These upgrades and replacements are intended to correct defects, provide additional features, and to replace broken or worn-out parts. However, by forcing or tricking the replacement of a good component with a defective or corrupted component, an adversary can leverage known defects to obtain a desired malicious impact.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.440Hardware Integrity Attack
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.531Hardware Component Substitution
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.677Server Motherboard Compromise
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Skills Required
[Level: High]
Able to develop and manufacture malicious hardware components that perform the same functions and processes as their non-malicious counterparts.
+ Example Instances
An adversary develops a malicious networking card that allows for normal function plus the addition of malicious functionality that is of benefit to the adversary. The adversary sends the victim an email stating that the existing networking card is faulty, and that the victim can order a replacement card free of charge. The victim orders the card, and the adversary sends the malicious networking card. The malicious networking card replaces the perfectly-functioning original networking card, and the adversary is able to take advantage of the additional malicious functionality to further compromise the victim's network.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-711] Omer Shwartz, Amir Cohen, Asaf Shabtai and Yossi Oren. "Shattered Trust: When Replacement Smartphone Components Attack". 11th USENIX Workshop on Offensive Technologies. USENIX. 2017. <https://www.usenix.org/system/files/conference/woot17/woot17-paper-shwartz.pdf>. URL validated: 2022-02-16.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Prerequisites, Description Summary, Typical_Likelihood_of_Exploit
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Examples-Instances
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated References

CAPEC-443: Malicious Logic Inserted Into Product by Authorized Developer

Attack Pattern ID: 443
Abstraction: Detailed
View customized information:
+ Description
An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.
+ Extended Description

Supply chain attacks from approved or trusted developers are extremely difficult to detect as it is generally assumed the quality control and internal security measures of these organizations conform to best practices. In some cases the malicious logic is intentional, embedded by a disgruntled employee, programmer, or individual with an otherwise hidden agenda. In other cases, the integrity of the product is compromised by accident (e.g. by lapse in the internal security of the organization that results in a product becoming contaminated). In further cases, the developer embeds a backdoor into a product to serve some purpose, such as product support, but discovery of the backdoor results in its malicious use by adversaries. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Access to the product during the initial or continuous development.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Authorization
Execute Unauthorized Commands
+ Mitigations
Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.
+ Example Instances

In January 2022 the author of popular JavaScript packages "Faker" and "colors", used for generating mock data and including colored text within NodeJS consoles respectively, introduced malicious code that resulted in a Denial of Service (DoS) via an infinite loop. When applications that leveraged these packages updated to the malicious version, their applications executed the infinite loop and output gibberish ASCI characters endlessly. This resulted in the application being unusable until a stable version of the package was obtained. [REF-705]

During initial development, an authorized hardware developer implants a malicious microcontroller within an Internet of Things (IOT) device and programs the microcontroller to communicate with the vulnerable device. Each time the device initializes, the malicious microcontroller's code is executed, which ultimately provides the adversary with backdoor access to the vulnerable device. This can further allow the adversary to sniff network traffic, exfiltrate date, execute unauthorized commands, and/or pivot to other vulnerable devices.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.002Supply Chain Compromise: Compromise Software Supply Chain
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ References
[REF-379] Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook and Matthew Fallon. "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)". National Institute of Standards and Technology (NIST). 2021-10-28. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf>. URL validated: 2022-02-16.
[REF-704] Ax Sharma. "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps". BleepingComputer. 2022-01-09. <https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/>. URL validated: 2022-02-16.
[REF-705] Alberto Pellitteri. "Malicious modifications to open source projects affecting thousands". SysDig. 2022-01-12. <https://sysdig.com/blog/malicious-modifications-detection-sysdig/>. URL validated: 2022-02-16.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances, Mitigations, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated @Name, Description, Example_Instances, Extended_Description, Mitigations, Prerequisites, Related_Attack_Patterns, Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2022-09-29
(Version 3.8)
Malicious Logic Inserted Into Product Software by Authorized Developer

CAPEC-445: Malicious Logic Insertion into Product Software via Configuration Management Manipulation

Attack Pattern ID: 445
Abstraction: Detailed
View customized information:
+ Description

An adversary exploits a configuration management system so that malicious logic is inserted into a software products build, update or deployed environment. If an adversary can control the elements included in a product's configuration management for build they can potentially replace, modify or insert code files containing malicious logic. If an adversary can control elements of a product's ongoing operational configuration management baseline they can potentially force clients receiving updates from the system to install insecure software when receiving updates from the server.

+ Extended Description

Configuration management servers operate on the basis of a client pool, instructing each client on which software to install. In some cases the configuration management server will automate the software installation process. A malicious insider or an adversary who has compromised the server can alter the software baseline that clients must install, allowing the adversary to compromise a large number of satellite machines using the configuration management system. If an adversary can control elements of a product's configuration management for its deployed environment they can potentially alter fundamental security properties of the system based on assumptions that secure configurations are in place. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Access to the configuration management system during deployment or currently deployed at a victim location. This access is often obtained via insider access or by leveraging another attack pattern to gain permissions that the adversary wouldn't normally have.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Authorization
Execute Unauthorized Commands
+ Mitigations
Assess software during development and prior to deployment to ensure that it functions as intended and without any malicious functionality.
Leverage anti-virus products to detect and quarantine software with known virus.
+ Example Instances

In 2016, the policy-based configuration management system Chef was shown to be vulnerable to remote code execution attacks based on its Chef Manage add-on improperly deserializing user-driven cookie data. This allowed unauthenticated users the ability to craft cookie data that executed arbitrary code with the web server's privileges. [REF-706]

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.001Supply Chain Compromise: Compromise Software Dependencies and Development Tools
+ References
[REF-379] Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook and Matthew Fallon. "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)". National Institute of Standards and Technology (NIST). 2021-10-28. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf>. URL validated: 2022-02-16.
[REF-706] "Chef Manage deserializes cookie data insecurely". Carnegie Mellon University. 2016-05-17. <https://www.kb.cert.org/vuls/id/586503>. URL validated: 2022-02-16.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Extended_Description, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Extended_Description, Related_Attack_Patterns, Taxonomy_Mappings

CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component

Attack Pattern ID: 446
Abstraction: Detailed
View customized information:
+ Description

An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-base, possibly packaging a malicious driver or component along with the product before shipping it to the consumer or acquirer.

+ Extended Description

The result is a window of opportunity for exploiting the product until the insecure component is discovered. This supply chain threat can result in the installation of malicious software or hardware that introduces widespread security vulnerabilities within an organization. Additionally, because software often depends upon a large number of interdependent libraries and components to be present, security holes can be introduced merely by installing Commercial off the Shelf (COTS) or Open Source Software (OSS) software that comes pre-packaged with the components required for it to operate. It is also worth noting that this attack can occur during initial product development or throughout a product's sustainment.

+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Access to the product during the initial or continuous development. This access is often obtained via insider access to include the third-party component after deployment.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Authorization
Execute Unauthorized Commands
+ Mitigations
Assess software and hardware during development and prior to deployment to ensure that it functions as intended and without any malicious functionality. This includes both initial development, as well as updates propagated to the product after deployment.
Don't assume popular third-party components are free from malware or vulnerabilities. For software, assess for malicious functionality via update/commit reviews or automated static/dynamic analysis prior to including the component within the application and deploying in a production environment.
+ Example Instances

From mid-2014 to early 2015, Lenovo computers were shipped with the Superfish Visual Search software that ultimately functioned as adware on the system. The Visual Search installation included a self-signed root HTTPS certificate that was able to intercept encrypted traffic for any site visited by the user. Of more concern was the fact that the certificate's corresponding private key was the same for every Lenovo machine. Once the private key was discovered [REF-709], an adversary could then conduct an Adversary-in-the-Middle (AitM) attack that would go undetected by machines that had this certificate installed on it. Adversaries could then masquerade as legitimate entities such as financial institutions, popular corporations, or other secure destinations on the Internet. [REF-708]

In 2018 it was discovered that Chinese spies infiltrated several U.S. government agencies and corporations as far back as 2015 by including a malicious microchip within the motherboard of servers sold by Elemental Technologies to the victims. Although these servers were assembled via a U.S. based company, the motherboards used within the servers were manufactured and maliciously altered via a Chinese subcontractor. Elemental Technologies then sold these malicious servers to various U.S. government agencies, such as the DoD and CIA, and corporations like Amazon and Apple. The malicious microchip provided adversaries with a backdoor into the system, which further allowed them to access any network that contained the exploited systems, to exfiltrate data to be sent to the Chinese government.[REF-713]

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195Supply Chain Compromise
+ References
[REF-379] Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook and Matthew Fallon. "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)". National Institute of Standards and Technology (NIST). 2021-10-28. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf>. URL validated: 2022-02-16.
[REF-707] Thomas Brewster. "How Lenovo's Superfish 'Malware' Works And What You Can Do To Kill It". Forbes. 2015-02-19. <https://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/?sh=991ab8c38776>. URL validated: 2022-02-16.
[REF-708] Dan Goodin. "Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections". Ars Technica. 2015-02-19. <https://arstechnica.com/information-technology/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/>. URL validated: 2022-02-16.
[REF-709] Rob Graham. "Extracting the SuperFish certificate". Errata Security. 2015-02-19. <https://blog.erratasec.com/2015/02/extracting-superfish-certificate.html#.VOX5Ky57RqE>. URL validated: 2022-02-16.
[REF-713] Jordan Robertson and Michael Riley. "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies". Bloomberg. 2018-10-04. <https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies>. URL validated: 2022-02-17.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated @Name, Description, Example_Instances, Extended_Description, Mitigations, Prerequisites, References, Related_Attack_Patterns, Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2022-09-29
(Version 3.8)
Malicious Logic Insertion into Product Software via Inclusion of 3rd Party Component Dependency

CAPEC-533: Malicious Manual Software Update

Attack Pattern ID: 533
Abstraction: Detailed
View customized information:
+ Description
An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or site disruption at the victim location. These manual, or user-assisted attacks, vary from requiring the user to download and run an executable, to as streamlined as tricking the user to click a URL. Attacks which aim at penetrating a specific network infrastructure often rely upon secondary attack methods to achieve the desired impact. Spamming, for example, is a common method employed as an secondary attack vector. Thus the attacker has in their arsenal a choice of initial attack vectors ranging from traditional SMTP/POP/IMAP spamming and its varieties, to web-application mechanisms which commonly implement both chat and rich HTML messaging within the user interface.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.186Malicious Software Update
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Advanced knowledge about the download and update installation processes.
Advanced knowledge about the deployed system and its various software subcomponents and processes.
+ Skills Required
[Level: High]
Able to develop malicious code that can be used on the victim's system while maintaining normal functionality.
+ Mitigations
Only accept software updates from an official source.
+ Example Instances
An email campaign was initiated, targetting victims of a ransomware attack. The email claimed to be a patch to address the ransomware attack, but was instead an attachment that caused the Cobalt Strike tools to be installed, which enabled further attacks.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ References
[REF-710] Sean Endicott. "Fake Microsoft update used in malicious email attack campaign". Microsoft News. 2021-07. <https://www.msn.com/en-us/news/technology/fake-microsoft-update-used-in-malicious-email-attack-campaign/ar-AALTcVs>. URL validated: 2022-02-16.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, References, Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2019-04-04
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
2020-07-30
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Description
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances, Mitigations, References
Previous Entry Names
Change DatePrevious Entry Name
2015-11-09
(Version 2.7)
Malicious Software Update

CAPEC-185: Malicious Software Download

Attack Pattern ID: 185
Abstraction: Standard
View customized information:
+ Description
An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.
+ Typical Severity

Very High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.184Software Integrity Attack
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.159Redirect Access to Libraries
CanPrecedeStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.662Adversary in the Browser (AiTB)
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2019-04-04
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2020-07-30
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
2020-12-17
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Taxonomy_Mappings
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-523: Malicious Software Implanted

Attack Pattern ID: 523
Abstraction: Standard
View customized information:
+ Description
An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.439Manipulation During Distribution
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Determine Entry Point: The adversary must first identify a system that they wish to target and search for an entry point they can use to install the malicious software. This could be a system which they have prior knowledge of, giving them insight into the software and environment.

    Techniques
    Use a JTAGulator to identify exposed JTAG and UART interfaces in smaller embedded systems.
    Identify exposed USB connectors that could be used to load software.
  2. Discover Vulnerability in Supply Chain: The adversary maps out the supply chain for the targeted system. They look for ooportunities to gain physical access to the system after it has left the manufacturer, but before it is deployed to the victim.

    Techniques
    Procure a system and observe the steps it takes in the shipment process.
    Identify possible warehouses that systems are stored after manufacturing.
Experiment
  1. Test Malicious Software: Before performing the attack in the wild, an adversary will test the attack on a system they have procured to ensure that the desired outcome will be achieved.

    Techniques
    Design malicious software that will give an adversary a backdoor into the system once it is deployed to the victim.
    Obtain already designed malicious software that just need to be placed into the system.
Exploit
  1. Implant Software in the Supply Chain: Using the vulnerability in the supply chain of the system discovered in the explore phase, the adversary implants the malicious software into the system. This results in the adversary gaining unintended access to systems once they reach the victim and can lead to a variety of follow up attacks.

+ Prerequisites
Physical access to the system after it has left the manufacturer but before it is deployed at the victim location.
+ Skills Required
[Level: High]
Advanced knowledge of the design of the system and it's operating system components and subcomponents.
[Level: High]
Malicious software creation.
+ Mitigations
Deploy strong code integrity policies to allow only authorized apps to run.
Use endpoint detection and response solutions that can automaticalkly detect and remediate suspicious activities.
Maintain a highly secure build and update infrastructure by immediately applying security patches for OS and software, implementing mandatory integrity controls to ensure only trusted tools run, and requiring multi-factor authentication for admins.
Require SSL for update channels and implement certificate transparency based verification.
Sign everything, including configuration files, XML files and packages.
Develop an incident response process, disclose supply chain incidents and notify customers with accurate and timely information.
+ Example Instances
An attacker has created a piece of malicious software designed to function as a backdoor in a system that is to be deployed at the victim location. During shipment of the system, the attacker has physical access to the system at a loading dock of an integrator for a short time. The attacker unpacks and powers up the system and installs the malicious piece of software, and configures it to run upon system boot. The system is repackaged and returned to its place on the loading dock, and is shipped and installed at the victim location with the malicious software in place, allowing the attacker to bypass firewalls and remotely gain access to the victim's network for further malicious activities.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (also see parent)
Entry IDEntry Name
1195.002Supply Chain Compromise: Compromise Software Supply Chain
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-716] Daniel Simpson, Dani Halfin, Andrews Mariano Gorzelany and Beth Woodbury. "Supply chain attacks". Microsoft. 2021-10-28. <https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/supply-chain-malware>. URL validated: 2022-02-21.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Typical_Likelihood_of_Exploit
2020-07-30
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow, Mitigations, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-186: Malicious Software Update

Attack Pattern ID: 186
Abstraction: Standard
View customized information:
+ Description
An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update that originates from an adversary controlled source.
+ Extended Description

Although there are several variations to this strategy of attack, the attack methods are united in that all rely on the ability of an adversary to position and disguise malicious content such that it masquerades as a legitimate software update which is then processed by a program, undermining application integrity.

As such the attack employs 'spoofing' techniques augmented by psychological or technological mechanisms to disguise the update and/or its source. Virtually all software requires frequent updates or patches, giving the adversary immense latitude when structuring the attack, as well as many targets of opportunity. Automated attacks involving malicious software updates require little to no user-directed activity and are therefore advantageous because they avoid the complex preliminary setup stages of manual attacks, which must effectively 'hook' users while avoiding countermeasures such as spam filters or web security filters.

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.184Software Integrity Attack
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.187Malicious Automated Software Update via Redirection
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.533Malicious Manual Software Update
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.614Rooting SIM Cards
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.657Malicious Automated Software Update via Spoofing
CanFollowStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.98Phishing
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Identify target: The adversary must first identify what they want their target to be. Because malicious software updates can be carried out in a variety of ways, the adversary will first not only identify a target program, but also what users they wish to target. This attack can be targeted (a particular user or group of users) or untargeted (many different users).

Experiment
  1. Craft a deployment mechanism based on the target: The adversary must craft a deployment mechanism to deploy the malicious software update. This mechanism will differ based on if the attack is targeted or untargeted.

    Techniques
    Targeted attack: hosting what appears to be a software update, then harvesting actual email addresses for an organization, or generating commonly used email addresses, and then sending spam, phishing, or spear-phishing emails to the organization's users requesting that they manually download and install the malicious software update.
    Targeted attack: Instant Messaging virus payload, which harvests the names from a user's contact list and sends instant messages to those users to download and apply the update
    Untargeted attack: Spam the malicious update to as many users as possible through unsolicited email, instant messages, or social media messages.
    Untargeted attack: Send phishing emails to as many users as possible and pretend to be a legitimate source suggesting to download an important software update.
    Untargeted attack: Use trojans/botnets to aid in either of the two untargeted attacks.
Exploit
  1. Deploy malicious software update: Using the deployment mechanism from the previous step, the adversary gets a user to install the malicious software update.

+ Skills Required
[Level: High]
This attack requires advanced cyber capabilities
+ Resources Required
Manual or user-assisted attacks require deceptive mechanisms to trick the user into clicking a link or downloading and installing software. Automated update attacks require the adversary to host a payload and then trigger the installation of the payload code.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Access Control
Availability
Confidentiality
Execute Unauthorized Commands
+ Mitigations
Validate software updates before installing.
+ Example Instances
Using an automated process to download and install dangerous code was key part of the NotPeyta attack [REF-697]
+ Notes

Other

Other class of attacks focus on firmware, where malicious updates are made to the core system firmware or BIOS. Since this occurs outside the controls of the operating system, the OS detection and prevention mechanisms do not aid, thus allowing an adversary to evade defenses as well as gain persistence on the target's system.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.002Supply Chain Compromise: Compromise Software Supply Chain
+ References
[REF-697] Microsoft Defender Security Research Team. "New ransomware, old techniques: Petya adds worm capabilities". Microsoft. 2017. <https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/>. URL validated: 2022-02-15.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Activation_Zone, Attack_Motivation-Consequences, Attacker_Skills_or_Knowledge_Required, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Solutions_and_Mitigations, Typical_Severity
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Motivation-Consequences, Description Summary
2020-12-17
(Version 3.4)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Notes
2021-10-21
(Version 3.6)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Execution_Flow, Related_Attack_Patterns
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Example_Instances, Extended_Description, References, Resources_Required
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-439: Manipulation During Distribution

Attack Pattern ID: 439
Abstraction: Meta
View customized information:
+ Description
An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modification or manipulation during distribution arise from the many stages of distribution, as a product may traverse multiple suppliers and integrators as the final asset is delivered. Components and services provided from a manufacturer to a supplier may be tampered with during integration or packaging.
+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.522Malicious Hardware Component Replacement
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.523Malicious Software Implanted
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.524Rogue Integration Procedures
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Example Instances
A malicious OEM provider, or OEM provider employee or contractor, may install software, or modify existing code, during distribution.
External contractors involved in the packaging or testing of products or components may install software, or modify existing code, during distribution.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195Supply Chain Compromise
+ References
[REF-379] Jon Boyens, Angela Smith, Nadya Bartol, Kris Winkler, Alex Holbrook and Matthew Fallon. "Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (2nd Draft)". National Institute of Standards and Technology (NIST). 2021-10-28. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1-draft2.pdf>. URL validated: 2022-02-16.
[REF-384] SAFECode. "The Software Supply Chain Integrity Framework Defining Risks and Responsibilities for Securing Software in the Global Supply Chain". Safecode.org. 2009.
[REF-382] Marianne Swanson, Nadya Bartol and Rama Moorthy. "Piloting Supply Chain Risk Management Practices for Federal Information Systems". Section 1. Introduction. Draft NISTIR 7622. National Institute of Standards and Technology. 2010.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2019-04-04
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
2020-07-30
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses, Taxonomy_Mappings
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2015-11-09
(Version 2.7)
Integrity Modification During Distribution

CAPEC-690: Metadata Spoofing

Attack Pattern ID: 690
Abstraction: Meta
View customized information:
+ Description

An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate/credible.

+ Extended Description

One approach to this attack entails the adversary altering a maliciously modified resource's metadata in order to hide their malicious activity. Another approach involves altering the metadata of an adversary-created resource to make the source appear more credible. Adversaries may spoof a variety of metadata across a number of resources, such as the following:

  • Authors of Version Control System (VCS) repository commits
  • Open source package statistics
  • File attributes, such as when a file was last update

The ultimate goal of a Metadata Spoofing attack is to trick victims into believing the malicious resource being provided originates from a reputable source. However, the victim instead leverages the malicious resource, which could result in a number of negative technical impacts.

+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ParentOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.691Spoof Open-Source Software Metadata
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Identification of a resource whose metadata is to be spoofed
+ Skills Required
[Level: Medium]
Ability to spoof a variety of metadata to convince victims the source is trusted
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Integrity
Modify Data
Accountability
Hide Activities
Access Control
Authorization
Execute Unauthorized Commands
+ Mitigations
Validate metadata of resources such as authors, timestamps, and statistics.
Confirm the pedigree of open source packages and ensure the code being downloaded does not originate from another source.
Even if the metadata is properly checked and a user believes it to be legitimate, there may still be a chance that they've been duped. Therefore, leverage automated testing techniques to determine where malicious areas of the code may exist.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation

CAPEC-538: Open-Source Library Manipulation

Attack Pattern ID: 538
Abstraction: Detailed
View customized information:
+ Description
Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.444Development Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. Determine the relevant open-source code project to target: The adversary will make the selection based on various criteria:

    • The open-source code currently in use on a selected target system.
    • The depth in the dependency graph of the open source code in relationship to other code bases in use on the target system. Choosing an OSS lower in the graph decreases the probability of discovery, but also decreases the scope of its use within the target system.
    • The programming language in which the open source code is implemented. Different languages present different opportunities for using known software weaknesses.
    • The quality of processes in place to make a contribution. For instance, some contribution sites use static and dynamic analysis tools, which could increase the probability of discovery.
    • The security requirements necessary to make a contribution. For instance, is the ownership lax allowing unsigned commits or anonymous users.
Experiment
  1. Develop a plan for malicious contribution: The adversary develops a plan to contribute malicious code, taking the following into consideration:

    • The adversary will probably avoid easy-to-find software weaknesses, especially ones that static and dynamic analysis tools are likely to discover.
    • Common coding errors or missing edge cases of the algorithm, which can be explained away as being accidental, if discovered, will be preferred by the adversary.
    • Sometimes no identity is required to make a contribution. Other options are to steal an existing identity or create one. When creating a new identity, strike a balance between too little or too much detail. Using an stolen identity could cause a notification to be sent to the actual user.
Exploit
  1. Execute the plan for malicious contribution: Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.

+ Prerequisites
Access to the open source code base being used by the manufacturer in a system being developed or currently deployed at a victim location.
+ Skills Required
[Level: High]
Advanced knowledge about the inclusion and specific usage of an open source code project within system being targeted for infiltration.
+ Example Instances
An adversary with access to an open source code project introduces a hard-to-find bug in the software that allows under very specific conditions for encryption to be disabled on data streams. The adversary commits the change to the code which is picked up by a manufacturer who develops VPN software. It is eventually deployed at the victim's location where the very specific conditions are met giving the adversary the ability to sniff plaintext traffic thought to be encrypted. This can provide to the adversary access to sensitive data of the victim.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.001Supply Chain Compromise: Software Dependencies and Development Tools
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns
2019-09-30
(Version 3.2)
CAPEC Content TeamThe MITRE Corporation
Updated Description, Execution_Flow, Related_Attack_Patterns
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Updated @Name, Description, Example_Instances, Execution_Flow, Related_Attack_Patterns
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Execution_Flow, Taxonomy_Mappings
2023-01-24
(Version 3.9)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses
Previous Entry Names
Change DatePrevious Entry Name
2021-06-24
(Version 3.5)
Open Source Libraries Altered

CAPEC-401: Physically Hacking Hardware

Attack Pattern ID: 401
Abstraction: Standard
View customized information:
+ Description
An adversary exploits a weakness in access control to gain access to currently installed hardware and precedes to implement changes or secretly replace a hardware component which undermines the system's integrity for the purpose of carrying out an attack.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.440Hardware Integrity Attack
ParentOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.402Bypassing ATA Password Security
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Example Instances
A malicious subcontractor or subcontractor's employee that is responsible for system maintenance secretly replaces a hard drive with one containing malicious code that will allow for backdoor access once deployed.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Attack_Prerequisites, Description Summary, Examples-Instances, References, Related_Attack_Patterns, Typical_Severity
2018-07-31
(Version 2.12)
CAPEC Content TeamThe MITRE Corporation
Updated Description Summary, Examples-Instances, Typical_Likelihood_of_Exploit
2019-04-04
(Version 3.1)
CAPEC Content TeamThe MITRE Corporation
Updated Example_Instances
2020-07-30
(Version 3.3)
CAPEC Content TeamThe MITRE Corporation
Updated @Name, Related_Weaknesses
Previous Entry Names
Change DatePrevious Entry Name
2015-11-09
(Version 2.7)
Hacking Hardware Devices or Components
2020-07-30
(Version 3.3)
Hacking Hardware

CAPEC-530: Provide Counterfeit Component

Attack Pattern ID: 530
Abstraction: Detailed
View customized information:
+ Description
An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integrator, which is then built into the system being upgraded or repaired by the victim, allowing the attacker to cause disruption or additional compromise.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.531Hardware Component Substitution
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
Advanced knowledge about the target system and sub-components.
+ Skills Required
[Level: High]
Able to develop and manufacture malicious system components that resemble legitimate name-brand components.
+ Mitigations
There are various methods to detect if the component is a counterfeit. See section II of [REF-703] for many techniques.
+ Example Instances
The attacker, aware that the victim has contracted with an integrator for system maintenance and that the integrator uses commercial-off-the-shelf network hubs, develops their own network hubs with a built-in malicious capability for remote access, the malicious network hubs appear to be a well-known brand of network hub but are not. The attacker then advertises to the sub-system integrator that they are a legit supplier of network hubs, and offers them at a reduced price to entice the integrator to purchase these network hubs. The integrator then installs the attacker's hubs at the victim's location, allowing the attacker to remotely compromise the victim's network.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping (see parent )
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
[REF-698] Paul Wagner. "Combating Counterfeit Components in the DoD Supply Chain". Defence Systems Information Analysis Center. 2015. <https://dsiac.org/articles/combating-counterfeit-components-in-the-dod-supply-chain/>. URL validated: 2022-02-15.
[REF-703] Ujjwal Guin, Ke Huang, Daniel DiMase, John M. Carulli, Jr., Mohammad Tehranipoor and Yiorgos Makris. "Counterfeit Integrated Circuits: A Rising Threat in the Global Semiconductor Supply Chain". Proceedings of the IEEE. IEEE. 2014. <https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6856206>. URL validated: 2022-02-15.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23
(Version 2.6)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2015-11-09
(Version 2.7)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Attack_Patterns, Typical_Likelihood_of_Exploit
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations, References
Previous Entry Names
Change DatePrevious Entry Name
2015-11-09
(Version 2.7)
Counterfeit Component Supplied

CAPEC-671: Requirements for ASIC Functionality Maliciously Altered

Attack Pattern ID: 671
Abstraction: Detailed
View customized information:
+ Description
An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singular particular use, maliciously alters requirements derived from originating capability needs. In the chip manufacturing process, requirements drive the chip design which, when the chip is fully manufactured, could result in an ASIC which may not meet the user’s needs, contain malicious functionality, or exhibit other anomalous behaviors thereby affecting the intended use of the ASIC.
+ Likelihood Of Attack

Low

+ Typical Severity

High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.447Design Alteration
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
An adversary would need to have access to a foundry’s or chip maker’s requirements management system that stores customer requirements for ASICs, requirements upon which the design of the ASIC is based.
+ Skills Required
[Level: High]
An adversary would need experience in designing chips based on functional requirements in order to manipulate requirements in such a way that deviations would not be detected in subsequent stages of ASIC manufacture and where intended malicious functionality would be available to the adversary once integrated into a system and fielded.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Integrity
Alter Execution Logic
+ Mitigations
Utilize DMEA’s (Defense Microelectronics Activity) Trusted Foundry Program members for acquisition of microelectronic components.
Ensure that each supplier performing hardware development implements comprehensive, security-focused configuration management including for hardware requirements and design.
Require that provenance of COTS microelectronic components be known whenever procured.
Conduct detailed vendor assessment before acquiring COTS hardware.
+ Example Instances
An adversary with access to ASIC functionality requirements for various customers, targets a particular customer’s ordered lot of ASICs by altering its functional requirements such that the ASIC design will result in a manufactured chip that does not meet the customer’s capability needs.
+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1195.003Supply Chain Compromise: Compromise Hardware Supply Chain
+ References
[REF-439] John F. Miller. "Supply Chain Attack Framework and Attack Patterns". The MITRE Corporation. 2013. <http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf>.
+ Content History
Submissions
Submission DateSubmitterOrganization
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings

CAPEC-675: Retrieve Data from Decommissioned Devices

Attack Pattern ID: 675
Abstraction: Standard
View customized information:
+ Description

An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual property, employee data, and other types of controlled information. Systems and devices that have reached the end of their lifecycles may be subject to recycle or disposal where they can be exposed to adversarial attempts to retrieve information from internal memory chips and storage devices that are part of the system.

+ Likelihood Of Attack

Medium

+ Typical Severity

Medium

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.116Excavation
CanFollowDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.406Dumpster Diving
CanPrecedeDetailed Attack PatternDetailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific technique and targeting a specific technology, and expresses a complete execution flow. Detailed attack patterns are more specific than meta attack patterns and standard attack patterns and often require a specific protection mechanism to mitigate actual attacks. A detailed level attack pattern often will leverage a number of different standard level attack patterns chained together to accomplish a goal.37Retrieve Embedded Sensitive Data
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Prerequisites
An adversary needs to have access to electronic data processing equipment being recycled or disposed of (e.g., laptops, servers) at a collection location and the ability to take control of it for the purpose of exploiting its content.
+ Skills Required
[Level: High]
An adversary may need the ability to mount printed circuit boards and target individual chips for exploitation.
[Level: Medium]
An adversary needs the technical skills required to extract solid state drives, hard disk drives, and other storage media to host on a compatible system or harness to gain access to digital content.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Accountability
Bypass Protection Mechanism
+ Mitigations
Backup device data before erasure to retain intellectual property and inside knowledge.
Overwrite data on device rather than deleting. Deleted data can still be recovered, even if the device trash can is emptied. Rewriting data removes any trace of the old data. Performing multiple overwrites followed by a zeroing of the device (overwriting with all zeros) is good practice.
Use a secure erase software.
Physically destroy the device if it is not intended to be reused. Using a specialized service to disintegrate, burn, melt or pulverize the device can be effective, but if those services are inaccessible, drilling nails or holes, or smashing the device with a hammer can be effective. Do not burn, microwave, or pour acid on a hard drive.
Physically destroy memory and SIM cards for mobile devices not intended to be reused.
Ensure that the user account has been terminated or switched to a new device before destroying.
+ Example Instances

A company is contracted by an organization to provide data destruction services for solid state and hard disk drives being discarded. Prior to destruction, an adversary within the contracted company copies data from select devices, violating the data confidentiality requirements of the submitting organization.

+ Taxonomy Mappings
Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.
Relevant to the ATT&CK taxonomy mapping
Entry IDEntry Name
1052Exfiltration Over Physical Medium
+ References
[REF-663] Richard Kissel, Andrew Regenscheid, Matthew Scholl and Kevin Stine. "NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization". National Institute of Standards and Technology. 2014-12. <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf>. URL validated: 2021-06-22.
[REF-717] Linda Pesante, Christopher King and George Silowash. "Disposing of Devices Safely". CISA United States Computer Emergency Readiness Team (US-CERT). 2012. <https://www.cisa.gov/uscert/sites/default/files/publications/DisposeDevicesSafely.pdf>. URL validated: 2022-02-21.
+ Content History
Submissions
Submission DateSubmitterOrganization
2021-06-24
(Version 3.5)
CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2022-02-22
(Version 3.7)
CAPEC Content TeamThe MITRE Corporation
Updated Mitigations, References
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
2023-01-24
(Version 3.9)
CAPEC Content TeamThe MITRE Corporation
Updated Related_Weaknesses

CAPEC-524: Rogue Integration Procedures