What is CAPEC?
The Common Attack Pattern Enumeration and Classification (CAPEC) provides a standardized taxonomy of known attack patterns. It is designed to help cybersecurity professionals understand and defend against various attack techniques. This directory serves as a gateway to explore individual CAPEC entries in detail.
CAPEC Directory
Browse the CAPEC entries below. Click on any CAPEC ID for more detailed analysis.
- CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
  In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Cont...
- CAPEC-2: Inducing Account Lockout
  An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a ...
- CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters
  Some APIs will strip certain leading characters from a string of parameters. An adversary can intentionally introduce leading "ghost" characters (e...
- CAPEC-4: Using Alternative IP Address Encodings
  This attack relies on the adversary using unexpected formats for representing IP addresses. Networked applications may expect network location info...
- CAPEC-5: Blue Boxing
  This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to imperso...
- CAPEC-6: Argument Injection
  An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the target's use of non-validat...
- CAPEC-7: Blind SQL Injection
  Blind SQL Injection results from an insufficient mitigation for SQL Injection. Although suppressing database error messages is considered best pra...
- CAPEC-8: Buffer Overflow in an API Call
  This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An adversary who has knowledge of known vulne...
- CAPEC-9: Buffer Overflow in Local Command-Line Utilities
  This attack targets command-line utilities available in a number of shells. An adversary can leverage a vulnerability found in a command-line utili...
- CAPEC-10: Buffer Overflow via Environment Variables
  This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the adversary finds that they can modify...
- CAPEC-11: Cause Web Server Misclassification
  An attack of this type exploits a Web server's decision to take action based on filename or file extension. Because different file types are handle...
- CAPEC-12: Choosing Message Identifier
  This pattern of attack is defined by the selection of messages distributed via multicast or public information channels that are intended for anoth...
- CAPEC-13: Subverting Environment Variable Values
  The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause th...
- CAPEC-14: Client-side Injection-induced Buffer Overflow
  This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built...
- CAPEC-15: Command Delimiters
  An attack of this type exploits a program's vulnerabilities that allow an attacker's commands to be concatenated onto a legitimate command with th...
- CAPEC-16: Dictionary-based Password Attack
  An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password...
- CAPEC-17: Using Malicious Files
  An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through...
- CAPEC-18: XSS Targeting Non-Script Elements
  This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as ...
- CAPEC-19: Embedding Scripts within Scripts
  An adversary leverages the capability to execute their own script by embedding it within other scripts that the target software is likely to execut...
- CAPEC-20: Encryption Brute Forcing
  An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determin...
- CAPEC-21: Exploitation of Trusted Identifiers
  An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized acti...
- CAPEC-22: Exploiting Trust in Client
  An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit...
- CAPEC-23: File Content Injection
  An adversary poisons files with a malicious payload (targeting the file systems accessible by the target software), which may be passed through by ...
- CAPEC-24: Filter Failure through Buffer Overflow
  In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input st...
- CAPEC-25: Forced Deadlock
  The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more...
- CAPEC-26: Leveraging Race Conditions
  The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of t...
- CAPEC-27: Leveraging Race Conditions via Symbolic Links
  This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a symlink to a target ...
- CAPEC-28: Fuzzing
  In this attack pattern, the adversary leverages fuzzing to try to identify weaknesses in the system. Fuzzing is a software security and functionali...
- CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
  This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical exampl...
- CAPEC-30: Hijacking a Privileged Thread of Execution
  An adversary hijacks a privileged thread of execution by injecting malicious code into a running process. By using a privileged thread to do their b...
- CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
  This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. There are several ...
- CAPEC-32: XSS Through HTTP Query Strings
  An adversary embeds malicious script code in the parameters of an HTTP query string and convinces a victim to submit the HTTP request that contains...
- CAPEC-33: HTTP Request Smuggling
  An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages using various HTTP he...
- CAPEC-34: HTTP Response Splitting
  An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response...
- CAPEC-35: Leverage Executable Code in Non-Executable Files
  An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file...
- CAPEC-36: Using Unpublished Interfaces or Functionality
  An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If inte...
- CAPEC-37: Retrieve Embedded Sensitive Data
  An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, su...
- CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
  This pattern of attack sees an adversary load a malicious resource into a program's standard path so that when a known command is executed then the...
- CAPEC-39: Manipulating Opaque Client-based Data Tokens
  In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipul...
- CAPEC-40: Manipulating Writeable Terminal Devices
  This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target termi...
- CAPEC-41: Using Meta-characters in E-mail Headers to Inject Malicious Payloads
  This type of attack involves an attacker leveraging meta-characters in email headers to inject improper behavior into email programs. Email softwar...
- CAPEC-42: MIME Conversion
  An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME s...
- CAPEC-43: Exploiting Multiple Input Interpretation Layers
  An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. T...
- CAPEC-44: Overflow Binary Resource File
  An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like ...
- CAPEC-45: Buffer Overflow via Symbolic Links
  This type of attack leverages the use of symbolic links to cause buffer overflows. An adversary can try to create or manipulate a symbolic link fil...
- CAPEC-46: Overflow Variables and Tags
  This type of attack leverages the use of tags or variables from formatted configuration data to cause buffer overflow. The adversary crafts a mal...
- CAPEC-47: Buffer Overflow via Parameter Expansion
  In this attack, the target software is given input that the adversary knows will be modified and expanded in size during processing. This attack re...
- CAPEC-48: Passing Local Filenames to Functions That Expect a URL
  This attack relies on client side code to access local files and resources instead of URLs. When the client browser is expecting a URL string, but ...
- CAPEC-49: Password Brute Forcing
  An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be succes...
- CAPEC-50: Password Recovery Exploitation
  An attacker may take advantage of the application feature to help users recover their forgotten passwords in order to gain access into the system w...
- CAPEC-51: Poison Web Service Registry
  SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect...
- CAPEC-52: Embedding NULL Bytes
  An adversary embeds one or more null bytes in input to the target software. This attack relies on the usage of a null-valued byte as a string termi...
- CAPEC-53: Postfix, Null Terminate, and Backslash
  If a string is passed through a filter of some kind, then a terminal NULL may not be valid. Using an alternate representation of NULL allows an advers...
- CAPEC-54: Query System for Information
  An adversary, aware of an application's location (and possibly authorized to use the application), probes an application's structure and evaluates ...
- CAPEC-55: Rainbow Table Password Cracking
  An attacker gets access to the database table where hashes of passwords are stored. They then use a rainbow table of pre-computed hash chains to at...
- CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
  This attack utilizes a REST (REpresentational State Transfer)-style application's trust in the system resources and environment to obtain sensitive ...
- CAPEC-58: Restful Privilege Elevation
  An adversary identifies a REST HTTP (GET, PUT, DELETE) style permission method allowing them to perform various malicious actions upon server data ...
- CAPEC-59: Session Credential Falsification through Prediction
  This attack targets predictable session IDs in order to gain privileges. The attacker can predict the session ID used during a transaction to perfor...
- CAPEC-60: Reusing Session IDs (aka Session Replay)
  This attack targets the reuse of a valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen sess...
- CAPEC-61: Session Fixation
  The attacker induces a client to establish a session with the target software using a session identifier provided by the attacker. Once the user su...
- CAPEC-62: Cross Site Request Forgery
  An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to...
- CAPEC-63: Cross-Site Scripting (XSS)
  An adversary embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client...
- CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
  This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways...
- CAPEC-65: Sniff Application Code
  An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it a...
- CAPEC-66: SQL Injection
  This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target s...
- CAPEC-67: String Format Overflow in syslog()
  This attack targets applications and software that use the syslog() function insecurely. If an application does not explicitly use a format strin...
- CAPEC-68: Subvert Code-signing Facilities
  Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subv...
- CAPEC-69: Target Programs with Elevated Privileges
  This attack targets programs running with elevated privileges. The adversary tries to leverage a vulnerability in the running program and get arbit...
- CAPEC-70: Try Common or Default Usernames and Passwords
  An adversary may try certain common or default usernames and passwords to gain access into the system and perform unauthorized actions. An adversar...
- CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
  An attacker may provide a Unicode string to a system component that is not Unicode aware and use that to circumvent the filter or cause the classif...
- CAPEC-72: URL Encoding
  This attack targets the encoding of the URL. An adversary can take advantage of the multiple ways of encoding a URL and abuse the interpretation of...
- CAPEC-73: User-Controlled Filename
  An attack of this type involves an adversary inserting malicious characters (such as an XSS redirection) into a filename, directly or indirectly tha...
- CAPEC-74: Manipulating State
  The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, th...
- CAPEC-75: Manipulating Writeable Configuration Files
  Generally these are manually edited files that are not in the purview of the system administrators; any ability on the attacker's behalf to modify ...
- CAPEC-76: Manipulating Web Input to File System Calls
  An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access t...
- CAPEC-77: Manipulating User-Controlled Variables
  This attack targets user controlled variables (DEBUG=1, PHP Globals, and so forth). An adversary can override variables leveraging user-supplied, u...
- CAPEC-78: Using Escaped Slashes in Alternate Encoding
  This attack targets the use of the backslash in alternate encoding. An adversary can provide a backslash as a leading character and cause a parser...
- CAPEC-79: Using Slashes in Alternate Encoding
  This attack targets the encoding of the Slash characters. An adversary would try to exploit common filtering problems related to the use of the sla...
- CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic
  This attack is a specific variation on leveraging alternate encodings to bypass validation logic. This attack leverages the possibility to encode p...
- CAPEC-81: Web Server Logs Tampering
  Web Logs Tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs typically for the purposes ...
- CAPEC-83: XPath Injection
  An attacker can craft special user-controllable input consisting of XPath expressions to inject the XML database and bypass authentication or glean...
- CAPEC-84: XQuery Injection
  This attack utilizes XQuery to probe and attack server systems; in a similar manner that SQL Injection allows an attacker to exploit SQL calls to R...
- CAPEC-85: AJAX Footprinting
  This attack utilizes the frequent client-server roundtrips in Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities p...
- CAPEC-86: XSS Through HTTP Headers
  An adversary exploits web applications that generate web content, such as links in an HTML page, based on unvalidated or improperly validated data s...
- CAPEC-87: Forceful Browsing
  An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controlle...
- CAPEC-88: OS Command Injection
  In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted i...
- CAPEC-89: Pharming
  A pharming attack occurs when the victim is fooled into entering sensitive data into supposedly trusted locations, such as an online bank site or a...
- CAPEC-90: Reflection Attack in Authentication Protocol
  An adversary can abuse an authentication protocol susceptible to reflection attack in order to defeat it. Doing so allows the adversary illegitimat...
- CAPEC-92: Forced Integer Overflow
  This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or sim...
- CAPEC-93: Log Injection-Tampering-Forging
  This attack targets the log files of the target host. The attacker injects, manipulates or forges malicious log entries in the log file, allowing t...
- CAPEC-94: Adversary in the Middle (AiTM)
  An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from tra...
- CAPEC-95: WSDL Scanning
  This attack targets the WSDL interface made available by a web service. The attacker may scan the WSDL interface to reveal sensitive information ab...
- CAPEC-96: Block Access to Libraries
  An application typically makes calls to functions that are a part of libraries external to the application. These libraries may be part of the oper...
- CAPEC-97: Cryptanalysis
  Cryptanalysis is a process of finding weaknesses in cryptographic algorithms and using these weaknesses to decipher the ciphertext without knowing ...
- CAPEC-98: Phishing
  Phishing is a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to...
- CAPEC-100: Overflow Buffers
  Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an adversary. As ...
- CAPEC-101: Server Side Include (SSI) Injection
  An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enabl...
- CAPEC-102: Session Sidejacking
  Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a ne...
- CAPEC-103: Clickjacking
  An adversary tricks a victim into unknowingly initiating some action in one system while interacting with the UI from a seemingly completely differ...
- CAPEC-104: Cross Zone Scripting
  An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased priv...
- CAPEC-105: HTTP Request Splitting
  An adversary abuses the flexibility and discrepancies in the parsing and interpretation of HTTP Request messages by different intermed...
- CAPEC-107: Cross Site Tracing
  Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the...
- CAPEC-108: Command Line Execution through SQL Injection
  An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of d...
- CAPEC-109: Object Relational Mapping Injection
  An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in ...
- CAPEC-110: SQL Injection through SOAP Parameter Tampering
  An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection ...
- CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
  An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web ...
- CAPEC-112: Brute Force
  In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access...
- CAPEC-113: Interface Manipulation
  An adversary manipulates the use or processing of an interface (e.g. Application Programming Interface (API) or System-on-Chip (SoC)) resulting in ...
- CAPEC-114: Authentication Abuse
  An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authenticati...
- CAPEC-115: Authentication Bypass
  An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an ...
- CAPEC-116: Excavation
  An adversary actively probes the target in a manner that is designed to solicit information that could be leveraged for malicious purposes.
- CAPEC-117: Interception
  An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensiti...
- CAPEC-120: Double Encoding
  The adversary utilizes a repeating of the encoding process for a set of characters (that is, character encoding a character encoding of a character...
- CAPEC-121: Exploit Non-Production Interfaces
  An adversary exploits a sample, demonstration, test, or debug interface that is unintentionally enabled on a production system, with t...
- CAPEC-122: Privilege Abuse
  An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by low...
- CAPEC-123: Buffer Manipulation
  An adversary manipulates an application's interaction with a buffer in an attempt to read or modify data they shouldn't have access to. Buffer atta...
- CAPEC-124: Shared Resource Manipulation
  An adversary exploits a resource shared between multiple applications, an application pool or hardware pin multiplexing to affect behavior. Resourc...
- CAPEC-125: Flooding
  An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generall...
- CAPEC-126: Path Traversal
  An adversary uses path manipulation methods to exploit insufficient input validation of a target to obtain access to data that should not be ret...
- CAPEC-127: Directory Indexing
  An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of tr...
- CAPEC-128: Integer Attacks
  An attacker takes advantage of the structure of integer variables to cause these variables to assume values that are not expected by an application...
- CAPEC-129: Pointer Manipulation
  This attack pattern involves an adversary manipulating a pointer within a target application resulting in the application accessing an unintended m...
- CAPEC-130: Excessive Allocation
  An adversary causes the target to allocate excessive resources to servicing the attacker's request, thereby reducing the resources available for le...
- CAPEC-131: Resource Leak Exposure
  An adversary utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests.
- CAPEC-132: Symlink Attack
  An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is acc...
- CAPEC-133: Try All Common Switches
  An attacker attempts to invoke all common switches and options in the target application for the purpose of discovering weaknesses in the target. F...
- CAPEC-134: Email Injection
  An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.
- CAPEC-135: Format String Injection
  An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide sta...
- CAPEC-136: LDAP Injection
  An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to crea...
- CAPEC-137: Parameter Injection
  An adversary manipulates the content of request parameters for the purpose of undermining the security of the target. Some parameter encodings use ...
- CAPEC-138: Reflection Injection
  An adversary supplies a value to the target application which is then used by reflection methods to identify a class, method, or field. For example...
- CAPEC-139: Relative Path Traversal
  An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for ...
- CAPEC-140: Bypassing of Intermediate Forms in Multiple-Form Sets
  Some web applications require users to submit information through an ordered sequence of web forms. This is often done if there is a very large amo...
- CAPEC-141: Cache Poisoning
  An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attacker's objectives. This describe...
- CAPEC-142: DNS Cache Poisoning
  A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. A...
- CAPEC-143: Detect Unpublicized Web Pages
  An adversary searches a targeted web site for web pages that have not been publicized. In doing this, the adversary may be able to gain access to i...
- CAPEC-144: Detect Unpublicized Web Services
  An adversary searches a targeted web site for web services that have not been publicized. This attack can be especially dangerous since unpublished...
- CAPEC-145: Checksum Spoofing
  An adversary spoofs a checksum message for the purpose of making a payload appear to have a valid corresponding checksum. Checksums are used to ver...
- CAPEC-146: XML Schema Poisoning
  An adversary corrupts or modifies the content of XML schema information passed between a client and server for the purpose of undermining the secur...
- CAPEC-147: XML Ping of the Death
  An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a ...
- CAPEC-148: Content Spoofing
  An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source...
- CAPEC-149: Explore for Predictable Temporary File Names
  An attacker explores a target to identify the names and locations of predictable temporary files for the purpose of launching further attacks again...
- CAPEC-150: Collect Data from Common Resource Locations
  An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, ...
- CAPEC-151: Identity Spoofing
  Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that ide...
- CAPEC-153: Input Data Manipulation
  An attacker exploits a weakness in input validation by controlling the format, structure, and composition of data to an input-processing interface....
- CAPEC-154: Resource Location Spoofing
  An adversary deceives an application or user and convinces them to request a resource from an unintended location. By spoofing the location, the ad...
- CAPEC-155: Screen Temporary Files for Sensitive Information
  An adversary exploits the temporary, insecure storage of information by monitoring the content of files used to store temp data during an applicati...
- CAPEC-157: Sniffing Attacks
  In this attack pattern, the adversary intercepts information transmitted between two third parties. The adversary must be able to observe, read, an...
- CAPEC-158: Sniffing Network Traffic
  In this attack pattern, the adversary monitors network traffic between nodes of a public or multicast network in an attempt to capture sensitive in...
- CAPEC-159: Redirect Access to Libraries
  An adversary exploits a weakness in the way an application searches for external libraries to manipulate the execution flow to point to an adversar...
- CAPEC-160: Exploit Script-Based APIs
  Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very...
- CAPEC-161: Infrastructure Manipulation
  An attacker exploits characteristics of the infrastructure of a network entity in order to perpetrate attacks or information gathering on network o...
- CAPEC-162: Manipulating Hidden Fields
  An adversary exploits a weakness in the server's trust of client-side processing by modifying data on the client-side, such as price information, a...
- CAPEC-163: Spear Phishing
  An adversary targets a specific user or group with a Phishing (CAPEC-98) attack tailored to a category of users in order to have maximum relevance ...
- CAPEC-164: Mobile Phishing
  An adversary targets mobile phone users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the us...
- CAPEC-165: File Manipulation
  An attacker modifies file contents or attributes (such as extensions or names) of files in a manner to cause incorrect processing by an application...
- CAPEC-166: Force the System to Reset Values
  An attacker forces the target into a previous state in order to leverage potential weaknesses in the target dependent upon a prior configuration or...
- CAPEC-167: White Box Reverse Engineering
  An attacker discovers the structure, function, and composition of a type of computer software through white box analysis techniques. White box tech...
- CAPEC-168: Windows ::DATA Alternate Data Stream
  An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to ...
- CAPEC-169: Footprinting
  An adversary engages in probing and exploration activities to identify constituents and properties of the target.
- CAPEC-170: Web Application Fingerprinting
  An attacker sends a series of probes to a web application in order to elicit version-dependent and type-dependent behavior that assists in identify...
- CAPEC-173: Action Spoofing
  An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate ...
- CAPEC-174: Flash Parameter Injection
  An adversary takes advantage of improper data validation to inject malicious global parameters into a Flash file embedded within an HTML document. ...
- CAPEC-175: Code Inclusion
  An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs...
- CAPEC-176: Configuration/Environment Manipulation
  An attacker manipulates files or settings external to a target application which affect the behavior of that application. For example, many applica...
- CAPEC-177: Create files with the same name as files protected with a higher classification
  An attacker exploits file location algorithms in an operating system or application by creating a file with the same name as a protected or privile...
- CAPEC-178: Cross-Site Flashing
  An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing th...
- CAPEC-179: Calling Micro-Services Directly
  An attacker is able to discover and query Micro-services at a web location and thereby expose the Micro-services to further exploitation by gatheri...
- CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
  An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard aga...
- CAPEC-181: Flash File Overlay
  An attacker creates a transparent overlay using Flash in order to intercept user actions for the purpose of performing a clickjacking attack. In th...
- CAPEC-182: Flash Injection
  An attacker tricks a victim to execute malicious Flash content that executes commands or makes Flash calls specified by the attacker. One example o...
- CAPEC-183: IMAP/SMTP Command Injection
  An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit be...
- CAPEC-184: Software Integrity Attack
  An attacker initiates a series of events designed to cause a user, program, server, or device to perform actions which undermine the integrity of s...
- CAPEC-185: Malicious Software Download
  An attacker uses deceptive methods to cause a user or an automated process to download and install dangerous code that originates from an attacker ...
- CAPEC-186: Malicious Software Update
  An adversary uses deceptive methods to cause a user or an automated process to download and install dangerous code believed to be a valid update th...
- CAPEC-187: Malicious Automated Software Update via Redirection
An attacker exploits two layers of weaknesses in server or client software for automated update mechanisms to undermine the integrity of the target...
-
CAPEC-188: Reverse Engineering
An adversary discovers the structure, function, and composition of an object, resource, or system by using a variety of analysis techniques to effe...
-
CAPEC-189: Black Box Reverse Engineering
An adversary discovers the structure, function, and composition of a type of computer software through black box analysis techniques. 'Black Box' m...
-
CAPEC-190: Reverse Engineer an Executable to Expose Assumed Hidden Functionality
An attacker analyzes a binary file or executable for the purpose of discovering the structure, function, and possibly source-code of the file by us...
-
CAPEC-191: Read Sensitive Constants Within an Executable
An adversary engages in activities to discover any sensitive constants present within the compiled code of an executable. These consta...
-
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for tran...
-
CAPEC-193: PHP Remote File Inclusion
In this pattern the adversary is able to load and execute arbitrary code remotely available from the application. This is usually accomplished thro...
-
CAPEC-194: Fake the Source of Data
An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified ...
-
CAPEC-195: Principal Spoof
A Principal Spoof is a form of Identity Spoofing where an adversary pretends to be some other person in an interaction. This is often accomplished ...
-
CAPEC-196: Session Credential Falsification through Forging
An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to ide...
-
CAPEC-197: Exponential Data Expansion
An adversary submits data to a target application which contains nested exponential data expansion to produce excessively large output. Many data f...
-
CAPEC-198: XSS Targeting Error Pages
An adversary distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also cont...
-
CAPEC-199: XSS Using Alternate Syntax
An adversary uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters...
-
CAPEC-200: Removal of filters: Input filters, output filters, data masking
An attacker removes or disables filtering mechanisms on the target application. Input filters prevent invalid data from being sent to an applicatio...
-
CAPEC-201: Serialized Data External Linking
An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may ...
-
CAPEC-202: Create Malicious Client
An adversary creates a client application to interface with a target service where the client violates assumptions the service makes about clients....
-
CAPEC-203: Manipulate Registry Information
An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application regi...
-
CAPEC-204: Lifting Sensitive Data Embedded in Cache
An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote e...
-
CAPEC-206: Signing Malicious Code
The adversary extracts credentials used for code signing from a production environment and then uses these credentials to sign malicious content wi...
-
CAPEC-207: Removing Important Client Functionality
An adversary removes or disables functionality on the client that the server assumes to be present and trustworthy.
-
CAPEC-208: Removing/short-circuiting 'Purse' logic: removing/mutating 'cash' decrements
An attacker removes or modifies the logic on a client associated with monetary calculations resulting in incorrect information being sent to the se...
-
CAPEC-209: XSS Using MIME Type Mismatch
An adversary creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. The advers...
-
CAPEC-212: Functionality Misuse
An adversary leverages a legitimate capability of an application in such a way as to achieve a negative technical impact. The system functionality ...
-
CAPEC-215: Fuzzing for application mapping
An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages ...
-
CAPEC-216: Communication Channel Manipulation
An adversary manipulates a setting or parameter on a communications channel in order to compromise its security. This can result in information expos...
-
CAPEC-217: Exploiting Incorrectly Configured SSL/TLS
An adversary takes advantage of incorrectly configured SSL/TLS communications that enables access to data intended to be encrypted. The adversary m...
-
CAPEC-218: Spoofing of UDDI/ebXML Messages
An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and simi...
-
CAPEC-219: XML Routing Detour Attacks
An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the...
-
CAPEC-220: Client-Server Protocol Manipulation
An adversary takes advantage of weaknesses in the protocol by which a client and server are communicating to perform unexpected actions. Communicat...
-
CAPEC-221: Data Serialization External Entities Blowup
This attack takes advantage of the entity replacement property of certain data serialization languages (e.g., XML, YAML, etc.) where the value of t...
-
CAPEC-222: iFrame Overlay
In an iFrame overlay attack the victim is tricked into unknowingly initiating some action in one system while interacting with the UI from seemingl...
-
CAPEC-224: Fingerprinting
An adversary compares output from a target system to known indicators that uniquely identify specific details about the target. Most commonly, fing...
-
CAPEC-226: Session Credential Falsification through Manipulation
An attacker manipulates an existing credential in order to gain access to a target application. Session credentials allow users to identify themsel...
-
CAPEC-227: Sustained Client Engagement
An adversary attempts to deny legitimate users access to a resource by continually engaging a specific resource in an attempt to keep the resource ...
-
CAPEC-228: DTD Injection
An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how...
-
CAPEC-229: Serialized Data Parameter Blowup
This attack exploits certain serialized data parsers (e.g., XML, YAML, etc.) which manage data in an inefficient manner. The attacker crafts a ser...
-
CAPEC-230: Serialized Data with Nested Payloads
Applications often need to transform data in and out of a data format (e.g., XML and YAML) by using a parser. It may be possible for an adversary t...
-
CAPEC-231: Oversized Serialized Data Payloads
An adversary injects oversized serialized data payloads into a parser during data processing to produce adverse effects upon the parser such as exh...
-
CAPEC-233: Privilege Escalation
An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.
-
CAPEC-234: Hijacking a privileged process
An adversary gains control of a process that is assigned elevated privileges in order to execute arbitrary code with those privileges. Some process...
-
CAPEC-237: Escaping a Sandbox by Calling Code in Another Language
The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus ...
-
CAPEC-240: Resource Injection
An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of ...
-
CAPEC-242: Code Injection
An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from cod...
-
CAPEC-243: XSS Targeting HTML Attributes
An adversary inserts commands to perform cross-site scripting (XSS) actions in HTML attributes. Many filters do not adequately sanitize attributes ...
-
CAPEC-244: XSS Targeting URI Placeholders
An attack of this type exploits the ability of most browsers to interpret "data", "javascript" or other URI schemes as client-side executable conte...
-
CAPEC-245: XSS Using Doubled Characters
The adversary bypasses input validation by using doubled characters in order to perform a cross-site scripting attack. Some filters fail to recogni...
-
CAPEC-247: XSS Using Invalid Characters
An adversary inserts invalid characters in identifiers to bypass application filtering of input. Filters may not scan beyond invalid characters but...
-
CAPEC-248: Command Injection
An adversary looking to execute a command of their choosing injects new items into an existing command, thus modifying interpretation away from wha...
-
CAPEC-250: XML Injection
An attacker utilizes crafted XML user-controllable input to probe, attack, and inject data into the XML database, using techniques similar to SQL i...
-
CAPEC-251: Local Code Inclusion
The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of ...
-
CAPEC-252: PHP Local File Inclusion
The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP fil...
-
CAPEC-253: Remote Code Inclusion
The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of ...
-
CAPEC-256: SOAP Array Overflow
An attacker sends a SOAP request with an array whose actual length exceeds the length indicated in the request. If the server processing the transm...
-
CAPEC-261: Fuzzing for garnering other adjacent user/sensitive data
An adversary who is authorized to send queries to a target sends variants of expected queries in the hope that these modified queries might return ...
-
CAPEC-263: Force Use of Corrupted Files
This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service cause...
-
CAPEC-267: Leverage Alternate Encoding
An adversary leverages the possibility to encode potentially harmful input or content used by applications such that the applications are ineffecti...
-
CAPEC-268: Audit Log Manipulation
The attacker injects, manipulates, deletes, or forges malicious log entries into the log file, in an attempt to mislead an audit of the log file or...
-
CAPEC-270: Modification of Registry Run Keys
An adversary adds a new entry to the "run keys" in the Windows registry so that an application of their choosing is executed when a user logs in. I...
-
CAPEC-271: Schema Poisoning
An adversary corrupts or modifies the content of a schema for the purpose of undermining the security of the target. Schemas provide the structure ...
-
CAPEC-272: Protocol Manipulation
An adversary subverts a communications protocol to perform an attack. This type of attack can allow an adversary to impersonate others, discover se...
-
CAPEC-273: HTTP Response Smuggling
An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response ...
-
CAPEC-274: HTTP Verb Tampering
An attacker modifies the HTTP Verb (e.g. GET, PUT, TRACE, etc.) in order to bypass access restrictions. Some web environments allow administrators ...
-
CAPEC-275: DNS Rebinding
An adversary serves content whose IP address is resolved by a DNS server that the adversary controls. After initial contact by a web browser (or si...
-
CAPEC-276: Inter-component Protocol Manipulation
Inter-component protocols are used to communicate between different software and hardware modules within a single computer. Common examples are: in...
-
CAPEC-277: Data Interchange Protocol Manipulation
Data Interchange Protocols are used to transmit structured data between entities. These protocols are often specific to a particular domain (B2B: p...
-
CAPEC-278: Web Services Protocol Manipulation
An adversary manipulates a web service related protocol to cause a web application or service to react differently than intended. This can either b...
-
CAPEC-279: SOAP Manipulation
Simple Object Access Protocol (SOAP) is used as a communication protocol between a client and server to invoke web services on the server. It is an...
-
CAPEC-285: ICMP Echo Request Ping
An adversary sends out an ICMP Type 8 Echo Request, commonly known as a 'Ping', in order to determine if a target system is responsive. If the requ...
-
CAPEC-287: TCP SYN Scan
An adversary uses a SYN scan to determine the status of ports on the remote target. SYN scanning is the most common type of port scanning that is u...
-
CAPEC-290: Enumerate Mail Exchange (MX) Records
An adversary enumerates the MX records for a given domain via a DNS query. This type of information gathering returns the names of mail servers on the net...
-
CAPEC-291: DNS Zone Transfers
An attacker exploits a DNS misconfiguration that permits a ZONE transfer. Some external DNS servers will return a list of IP addresses and valid host...
-
CAPEC-292: Host Discovery
An adversary sends a probe to an IP address to determine if the host is alive. Host discovery is one of the earliest phases of network reconnaissan...
-
CAPEC-293: Traceroute Route Enumeration
An adversary uses a traceroute utility to map out the route which data flows through the network en route to a target destination. Tracerouting can...
-
CAPEC-294: ICMP Address Mask Request
An adversary sends an ICMP Type 17 Address Mask Request to gather information about a target's networking configuration. ICMP Address Mask Requests...
-
CAPEC-295: Timestamp Request
This pattern of attack leverages standard requests to learn the exact time associated with a target system. An adversary may be able to use the tim...
-
CAPEC-296: ICMP Information Request
An adversary sends an ICMP Information Request to a host to determine if it will respond to this deprecated mechanism. ICMP Information Requests ar...
-
CAPEC-297: TCP ACK Ping
An adversary sends a TCP segment with the ACK flag set to a remote host for the purpose of determining if the host is alive. This is one of several...
-
CAPEC-298: UDP Ping
An adversary sends a UDP datagram to the remote host to determine if the host is alive. If a UDP datagram is sent to an open UDP port there is very...
-
CAPEC-299: TCP SYN Ping
An adversary uses TCP SYN packets as a means towards host discovery. Typical RFC 793 behavior specifies that when a TCP port is open, a host must r...
-
CAPEC-300: Port Scanning
An adversary uses a combination of techniques to determine the state of the ports on a remote target. Any service or application available for TCP ...
-
CAPEC-301: TCP Connect Scan
An adversary uses full TCP connection attempts to determine if a port is open on the target system. The scanning process involves completing a 'thr...
-
CAPEC-302: TCP FIN Scan
An adversary uses a TCP FIN scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments wit...
-
CAPEC-303: TCP Xmas Scan
An adversary uses a TCP XMAS scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments wi...
-
CAPEC-304: TCP Null Scan
An adversary uses a TCP NULL scan to determine if ports are closed on the target machine. This scan type is accomplished by sending TCP segments wi...
-
CAPEC-305: TCP ACK Scan
An adversary uses TCP ACK segments to gather information about firewall or ACL configuration. The purpose of this type of scan is to discover infor...
-
CAPEC-306: TCP Window Scan
An adversary engages in TCP Window scanning to analyze port status and operating system type. TCP Window scanning uses the ACK scanning method but ...
-
CAPEC-307: TCP RPC Scan
An adversary scans for RPC services listening on a Unix/Linux host.
-
CAPEC-308: UDP Scan
An adversary engages in UDP scanning to gather information about UDP port status on the target system. UDP scanning methods involve sending a UDP d...
-
CAPEC-309: Network Topology Mapping
An adversary engages in scanning activities to map network nodes, hosts, devices, and routes. Adversaries usually perform this type of network reco...
-
CAPEC-310: Scanning for Vulnerable Software
An attacker engages in scanning activity to find vulnerable software versions or types, such as operating system versions or network services. Vuln...
-
CAPEC-312: Active OS Fingerprinting
An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platfo...
-
CAPEC-313: Passive OS Fingerprinting
An adversary engages in activity to detect the version or type of OS software in an environment by passively monitoring communication between dev...
-
CAPEC-317: IP ID Sequencing Probe
This OS fingerprinting probe analyzes the IP 'ID' field sequence number generation algorithm of a remote host. Operating systems generate IP 'ID' n...
-
CAPEC-318: IP 'ID' Echoed Byte-Order Probe
This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'ID' value from the probe packet. An attacker sends a UDP dat...
-
CAPEC-319: IP (DF) 'Don't Fragment Bit' Echoing Probe
This OS fingerprinting probe tests to determine if the remote host echoes back the IP 'DF' (Don't Fragment) bit in a response packet. An attacker s...
-
CAPEC-320: TCP Timestamp Probe
This OS fingerprinting probe examines the remote server's implementation of TCP timestamps. Not all operating systems implement timestamps within t...
-
CAPEC-321: TCP Sequence Number Probe
This OS fingerprinting probe tests the target system's assignment of TCP sequence numbers. One common way to test TCP Sequence Number generation is...
-
CAPEC-322: TCP (ISN) Greatest Common Divisor Probe
This OS fingerprinting probe sends a number of TCP SYN packets to an open port of a remote machine. The Initial Sequence Number (ISN) in each of th...
-
CAPEC-323: TCP (ISN) Counter Rate Probe
This OS detection probe measures the average rate of initial sequence number increments during a period of time. Sequence numbers are incremented u...
-
CAPEC-324: TCP (ISN) Sequence Predictability Probe
This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote ...
-
CAPEC-325: TCP Congestion Control Flag (ECN) Probe
This OS fingerprinting probe checks to see if the remote host supports explicit congestion notification (ECN) messaging. ECN messaging was designed...
-
CAPEC-326: TCP Initial Window Size Probe
This OS fingerprinting probe checks the initial TCP Window size. TCP stacks limit the range of sequence numbers allowable within a session to maint...
-
CAPEC-327: TCP Options Probe
This OS fingerprinting probe analyzes the type and order of any TCP header options present within a response segment. Most operating systems use un...
-
CAPEC-328: TCP 'RST' Flag Checksum Probe
This OS fingerprinting probe performs a checksum on any ASCII data contained within the data portion of a RST packet. Some operating systems will r...
-
CAPEC-329: ICMP Error Message Quoting Probe
An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded,...
-
CAPEC-330: ICMP Error Message Echoing Integrity Probe
An adversary uses a technique to generate an ICMP Error message (Port Unreachable, Destination Unreachable, Redirect, Source Quench, Time Exceeded,...
-
CAPEC-331: ICMP IP Total Length Field Probe
An adversary sends a UDP packet to a closed port on the target machine to solicit an IP Header's total length field value within the echoed 'Port U...
-
CAPEC-332: ICMP IP 'ID' Field Error Message Probe
An adversary sends a UDP datagram having an assigned value to its internet identification field (ID) to a closed port on a target to observe the ma...
-
CAPEC-383: Harvesting Information via API Event Monitoring
An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of ...
-
CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Per...
-
CAPEC-385: Transaction or Event Tampering via Application API Manipulation
An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are bei...
-
CAPEC-386: Application API Navigation Remapping
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or conte...
-
CAPEC-387: Navigation Remapping To Propagate Malicious Content
An adversary manipulates either egress or ingress data from a client within an application framework in order to change the content of messages and...
-
CAPEC-388: Application API Button Hijacking
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the destination and/or conte...
-
CAPEC-389: Content Spoofing Via Application API Manipulation
An attacker manipulates either egress or ingress data from a client within an application framework in order to change the content of messages. Per...
-
CAPEC-390: Bypassing Physical Security
Facilities often use layered models for physical security such as traditional locks, electronic-based card entry systems, coupled with physical al...
-
CAPEC-391: Bypassing Physical Locks
An attacker uses techniques and methods to bypass physical security measures of a building or facility. Physical locks may range from traditional l...
-
CAPEC-392: Lock Bumping
An attacker uses a bump key to force a lock on a building or facility and gain entry. Lock Bumping is the use of a special type of key that can be ...
-
CAPEC-393: Lock Picking
An attacker uses lock picking tools and techniques to bypass the locks on a building or facility. Lock picking is the use of a special set of tools...
-
CAPEC-394: Using a Snap Gun Lock to Force a Lock
An attacker uses a Snap Gun, also known as a Pick Gun, to force the lock on a building or facility. A Pick Gun is a special type of lock picking in...
-
CAPEC-395: Bypassing Electronic Locks and Access Controls
An attacker exploits security assumptions to bypass electronic locks or other forms of access controls. Most attacks against electronic access cont...
-
CAPEC-397: Cloning Magnetic Strip Cards
An attacker duplicates the data on a Magnetic strip card (i.e. 'swipe card' or 'magstripe') to gain unauthorized access to a physical location or a...
-
CAPEC-398: Magnetic Strip Card Brute Force Attacks
An adversary analyzes the data on two or more magnetic strip cards and is able to generate new cards containing valid sequences that allow unauthor...
-
CAPEC-399: Cloning RFID Cards or Chips
An attacker analyzes data returned by an RFID chip and uses this information to duplicate an RFID signal that responds identically to the target chi...
-
CAPEC-400: RFID Chip Deactivation or Destruction
An attacker uses methods to deactivate a passive RFID tag for the purpose of rendering the tag, badge, card, or object containing the tag unrespons...
-
CAPEC-401: Physically Hacking Hardware
An adversary exploits a weakness in access control to gain access to currently installed hardware and proceeds to implement changes or secretly rep...
-
CAPEC-402: Bypassing ATA Password Security
An adversary exploits a weakness in ATA security on a drive to gain access to the information the drive contains without supplying the proper crede...
-
CAPEC-406: Dumpster Diving
An adversary cases an establishment and searches through trash bins, dumpsters, or areas where company information may have been accidentally disca...
-
CAPEC-407: Pretexting
An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that s...
-
CAPEC-410: Information Elicitation
An adversary engages an individual using any combination of social engineering methods for the purpose of extracting information. Accurate contextu...
-
CAPEC-412: Pretexting via Customer Service
An adversary engages in pretexting behavior, assuming the role of someone who works for Customer Service, to solicit information from target person...
-
CAPEC-413: Pretexting via Tech Support
An adversary engages in pretexting behavior, assuming the role of a tech support worker, to solicit information from target persons, or manipulate ...
-
CAPEC-414: Pretexting via Delivery Person
An adversary engages in pretexting behavior, assuming the role of a delivery person, to solicit information from target persons, or manipulate the ...
-
CAPEC-415: Pretexting via Phone
An adversary engages in pretexting behavior, assuming some sort of trusted role, and contacting the targeted individual or organization via phone t...
-
CAPEC-416: Manipulate Human Behavior
An adversary exploits inherent human psychological predisposition to influence a targeted individual or group to solicit information or manipulate ...
-
CAPEC-417: Influence Perception
The adversary uses social engineering to exploit the target's perception of the relationship between the adversary and themselves. The goal is to ...
-
CAPEC-418: Influence Perception of Reciprocation
An adversary uses social engineering techniques to produce a sense of obligation in the target to perform a certain action or concede some sensit...
-
CAPEC-420: Influence Perception of Scarcity
The adversary leverages a perception of scarcity to persuade the target to perform an action or divulge information that is advantageous to the adv...
-
CAPEC-421: Influence Perception of Authority
An adversary uses a social engineering technique to convey a sense of authority that motivates the target to reveal specific information or take sp...
-
CAPEC-422: Influence Perception of Commitment and Consistency
An adversary uses social engineering to convince the target to do minor tasks as opposed to larger actions. After complying with a request, individ...
-
CAPEC-423: Influence Perception of Liking
The adversary influences the target's actions by building a relationship where the target has a liking to the adversary. People are more likely to ...
-
CAPEC-424: Influence Perception of Consensus or Social Proof
The adversary influences the target's actions by leveraging the inherent human nature to assume behavior of others is appropriate. In situations of...
-
CAPEC-425: Target Influence via Framing
An adversary uses framing techniques to contextualize a conversation so that the target is more likely to be influenced by the adversary's point of...
-
CAPEC-426: Influence via Incentives
The adversary incites a behavior from the target by manipulating something of influence. This is commonly associated with financial, social, or ide...
-
CAPEC-427: Influence via Psychological Principles
The adversary shapes the target's actions or behavior by focusing on the ways humans interact and learn, leveraging such elements as cognitive and s...
-
CAPEC-428: Influence via Modes of Thinking
The adversary tailors their communication to the language and thought patterns of the target thereby weakening barriers or reluctance to communicat...
-
CAPEC-429: Target Influence via Eye Cues
The adversary gains information via non-verbal means from the target through eye movements.
-
CAPEC-433: Target Influence via The Human Buffer Overflow
An attacker utilizes a technique to insinuate commands to the subconscious mind of the target via communication patterns. The human buffer overflow...
-
CAPEC-434: Target Influence via Interview and Interrogation
-
CAPEC-435: Target Influence via Instant Rapport
-
CAPEC-438: Modification During Manufacture
An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some e...
-
CAPEC-439: Manipulation During Distribution
An attacker undermines the integrity of a product, software, or technology at some stage of the distribution channel. The core threat of modificati...
-
CAPEC-440: Hardware Integrity Attack
An adversary exploits a weakness in the system maintenance process and causes a change to be made to a technology, product, component, or sub-compo...
-
CAPEC-441: Malicious Logic Insertion
An adversary installs or adds malicious logic (also known as malware) into a seemingly benign component of a fielded system. This logic is often hi...
-
CAPEC-442: Infected Software
An adversary adds malicious logic, often in the form of a computer virus, to otherwise benign software. This logic is often hidden from the user of...
-
CAPEC-443: Malicious Logic Inserted Into Product by Authorized Developer
An adversary uses their privileged position within an authorized development organization to inject malicious logic into a codebase or product.
-
CAPEC-444: Development Alteration
An adversary modifies a technology, product, or component during its development to achieve a negative impact once the system is deployed. The goal...
-
CAPEC-445: Malicious Logic Insertion into Product Software via Configuration Management Manipulation
An adversary exploits a configuration management system so that malicious logic is inserted into a software product's build, update or ...
-
CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component
An adversary conducts supply chain attacks by the inclusion of insecure third-party components into a technology, product, or code-bas...
-
CAPEC-447: Design Alteration
An adversary modifies the design of a technology, product, or component to achieve a negative impact once the system is deployed. In this type of a...
-
CAPEC-448: Embed Virus into DLL
An adversary tampers with a DLL and embeds a computer virus into gaps between legitimate machine instructions. These gaps may be the result of comp...
-
CAPEC-452: Infected Hardware
An adversary inserts malicious logic into hardware, typically in the form of a computer virus or rootkit. This logic is often hidden from the user ...
-
CAPEC-456: Infected Memory
An adversary inserts malicious logic into memory enabling them to achieve a negative impact. This logic is often hidden from the user of the system...
-
CAPEC-457: USB Memory Attacks
An adversary loads malicious code onto a USB memory stick in order to infect any system which the device is plugged in to. USB drives present a sig...
-
CAPEC-458: Flash Memory Attacks
An adversary inserts malicious logic into a product or technology via flashing the on-board memory with a code-base that contains malicious logic. ...
-
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (...
-
CAPEC-460: HTTP Parameter Pollution (HPP)
An adversary adds duplicate HTTP GET/POST parameters by injecting query string delimiters. Via HPP it may be possible to override existing hardcode...
-
CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by g...
-
CAPEC-462: Cross-Domain Search Timing
An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information...
-
CAPEC-463: Padding Oracle Crypto Attack
An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error...
-
CAPEC-464: Evercookie
An attacker creates a very persistent cookie that stays present even after the user thinks it has been removed. The cookie is stored on the victim'...
-
CAPEC-465: Transparent Proxy Abuse
A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client ...
-
CAPEC-466: Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy
An attacker leverages an adversary in the middle attack (CAPEC-94) in order to bypass the same origin policy protection in the victim's browser. Th...
-
CAPEC-467: Cross Site Identification
An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A vi...
-
CAPEC-468: Generic Cross-Browser Cross-Domain Theft
An attacker makes use of Cascading Style Sheets (CSS) injection to steal data cross domain from the victim's browser. The attack works by abusing t...
-
CAPEC-469: HTTP DoS
An attacker performs flooding at the HTTP level to bring down only a particular web application rather than anything listening on a TCP/IP connecti...
-
CAPEC-470: Expanding Control over the Operating System from the Database
An attacker is able to leverage access gained to the database to read / write data to the file system, compromise the operating system, create a tu...
-
CAPEC-471: Search Order Hijacking
An adversary exploits a weakness in an application's specification of external libraries to exploit the functionality of the loader where the proce...
-
CAPEC-472: Browser Fingerprinting
An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based ...
-
CAPEC-473: Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically...
-
CAPEC-474: Signature Spoofing by Key Theft
An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the origi...
-
CAPEC-475: Signature Spoofing by Improper Validation
An adversary exploits a cryptographic weakness in the signature verification algorithm implementation to generate a valid signature without knowing...
-
CAPEC-476: Signature Spoofing by Misrepresentation
An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid sign...
-
CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content
An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be p...
-
CAPEC-478: Modification of Windows Service Configuration
An adversary exploits a weakness in access control to modify the execution parameters of a Windows service. The goal of this attack is to execute a...
-
CAPEC-479: Malicious Root Certificate
An adversary exploits a weakness in authorization and installs a new root certificate on a compromised system. Certificates are commonly used for e...
-
CAPEC-480: Escaping Virtualization
An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of...
-
CAPEC-481: Contradictory Destinations in Traffic Routing Schemes
Adversaries can provide contradictory destinations when sending messages. Traffic is routed in networks using the domain names in various headers a...
-
CAPEC-482: TCP Flood
An adversary may execute a flooding attack using the TCP protocol with the intent to deny legitimate users access to a service. These attacks explo...
-
CAPEC-485: Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm ...
-
CAPEC-486: UDP Flood
An adversary may execute a flooding attack using the UDP protocol with the intent to deny legitimate users access to a service by consuming the ava...
-
CAPEC-487: ICMP Flood
An adversary may execute a flooding attack using the ICMP protocol with the intent to deny legitimate users access to a service by consuming the av...
-
CAPEC-488: HTTP Flood
An adversary may execute a flooding attack using the HTTP protocol with the intent to deny legitimate users access to a service by consuming resour...
-
CAPEC-489: SSL Flood
An adversary may execute a flooding attack using the SSL protocol with the intent to deny legitimate users access to a service by consuming all the...
-
CAPEC-490: Amplification
An adversary may execute an amplification where the size of a response is far greater than that of the request that generates it. The goal of this ...
-
CAPEC-491: Quadratic Data Expansion
An adversary exploits macro-like substitution to cause a denial of service situation due to excessive memory being allocated to fully expand the da...
-
CAPEC-492: Regular Expression Exponential Blowup
An adversary may execute an attack on a program that uses a poor Regular Expression(Regex) implementation by choosing input that results in an extr...
-
CAPEC-493: SOAP Array Blowup
An adversary may execute an attack on a web service that uses SOAP messages in communication. By sending a very large SOAP array declaration to the...
-
CAPEC-494: TCP Fragmentation
An adversary may execute a TCP Fragmentation attack against a target with the intention of avoiding filtering rules of network controls, by attempt...
-
CAPEC-495: UDP Fragmentation
An attacker may execute a UDP Fragmentation attack against a target server in an attempt to consume resources such as bandwidth and CPU. IP fragmen...
-
CAPEC-496: ICMP Fragmentation
An attacker may execute an ICMP Fragmentation attack against a target with the intention of consuming resources or causing a crash. The attacker cra...
-
CAPEC-497: File Discovery
An adversary engages in probing and exploration activities to determine if common key files exist. Such files often contain configuration and secu...
-
CAPEC-498: Probe iOS Screenshots
An adversary examines screenshot images created by iOS in an attempt to obtain sensitive information. This attack targets temporary screenshots cre...
-
CAPEC-499: Android Intent Intercept
An adversary, through a previously installed malicious application, intercepts messages from a trusted Android-based application in an attempt to a...
-
CAPEC-500: WebView Injection
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. T...
-
CAPEC-501: Android Activity Hijack
An adversary intercepts an implicit intent sent to launch an Android-based trusted activity and instead launches a counterfeit activity in its place...
-
CAPEC-502: Intent Spoof
An adversary, through a previously installed malicious application, issues an intent directed toward a specific trusted application's component in ...
-
CAPEC-503: WebView Exposure
An adversary, through a malicious web page, accesses application specific functionality by leveraging interfaces registered through WebView's addJa...
-
CAPEC-504: Task Impersonation
An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive infor...
-
CAPEC-505: Scheme Squatting
An adversary, through a previously installed malicious application, registers for a URL scheme intended for a target application that has not been ...
-
CAPEC-506: Tapjacking
An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an at...
-
CAPEC-507: Physical Theft
An adversary gains physical access to a system or device through theft of the item. Possession of a system or device enables a number of unique att...
-
CAPEC-508: Shoulder Surfing
In a shoulder surfing attack, an adversary observes an unaware individual's keystrokes, screen content, or conversations with the goal of obtaining...
-
CAPEC-509: Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and su...
-
CAPEC-510: SaaS User Request Forgery
An adversary, through a previously installed malicious application, performs malicious actions against a third-party Software as a Service (SaaS) a...
-
CAPEC-511: Infiltration of Software Development Environment
An attacker uses common delivery mechanisms such as email attachments or removable media to infiltrate the IDE (Integrated Development Environment)...
-
CAPEC-516: Hardware Component Substitution During Baselining
An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a b...
-
CAPEC-517: Documentation Alteration to Circumvent Dial-down
An attacker with access to a manufacturer's documentation, which includes descriptions of advanced technology and/or specific components' criticalit...
-
CAPEC-518: Documentation Alteration to Produce Under-performing Systems
An attacker with access to a manufacturer's documentation alters the descriptions of system capabilities with the intent of causing errors in deriv...
-
CAPEC-519: Documentation Alteration to Cause Errors in System Design
An attacker with access to a manufacturer's documentation containing requirements allocation and software design processes maliciously alters the d...
-
CAPEC-520: Counterfeit Hardware Component Inserted During Product Assembly
An adversary with either direct access to the product assembly process or to the supply of subcomponents used in the product assembly process intro...
-
CAPEC-521: Hardware Design Specifications Are Altered
An attacker with access to a manufacturer's hardware manufacturing process documentation alters the design specifications, which introduces flaws a...
-
CAPEC-522: Malicious Hardware Component Replacement
An adversary replaces legitimate hardware in the system with faulty counterfeit or tampered hardware in the supply chain distribution channel, with...
-
CAPEC-523: Malicious Software Implanted
An attacker implants malicious software into the system in the supply chain distribution channel, with purpose of causing malicious disruption or a...
-
CAPEC-524: Rogue Integration Procedures
An attacker alters or establishes rogue processes in an integration facility in order to insert maliciously altered components into the system. The...
-
CAPEC-528: XML Flood
An adversary may execute a flooding attack using XML messages with the intent to deny legitimate users access to a web service. These attacks are a...
-
CAPEC-529: Malware-Directed Internal Reconnaissance
An adversary uses malware or a similarly controlled application installed inside an organizational perimeter to gather information about the compositi...
-
CAPEC-530: Provide Counterfeit Component
An attacker provides a counterfeit component during the procurement process of a lower-tier component supplier to a sub-system developer or integra...
-
CAPEC-531: Hardware Component Substitution
An attacker substitutes out a tested and approved hardware component for a maliciously-altered hardware component. This type of attack is carried o...
-
CAPEC-532: Altered Installed BIOS
An attacker with access to download and update system software sends a maliciously altered BIOS to the victim or victim supplier/integrator, which ...
-
CAPEC-533: Malicious Manual Software Update
An attacker introduces malicious code to the victim's system by altering the payload of a software update, allowing for additional compromise or si...
-
CAPEC-534: Malicious Hardware Update
An adversary introduces malicious hardware during an update or replacement procedure, allowing for additional compromise or site disruption at the ...
-
CAPEC-535: Malicious Gray Market Hardware
An attacker maliciously alters hardware components that will be sold on the gray market, allowing for victim disruption and compromise when the vic...
-
CAPEC-536: Data Injected During Configuration
An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration...
-
CAPEC-537: Infiltration of Hardware Development Environment
An adversary, leveraging the ability to manipulate components of primary support systems and tools within the development and production environmen...
-
CAPEC-538: Open-Source Library Manipulation
Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by develope...
-
CAPEC-539: ASIC With Malicious Functionality
An attacker with access to the development environment process of an application-specific integrated circuit (ASIC) for a victim system being devel...
-
CAPEC-540: Overread Buffers
An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs ...
-
CAPEC-541: Application Fingerprinting
An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.
-
CAPEC-542: Targeted Malware
An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The m...
-
CAPEC-543: Counterfeit Websites
Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.
-
CAPEC-544: Counterfeit Organizations
An adversary creates a false front organization with the appearance of a legitimate supplier in the critical life cycle path that then injects cor...
-
CAPEC-545: Pull Data from System Resources
An adversary who is authorized or has the ability to search known system resources, does so with the intention of gathering useful information. Sys...
-
CAPEC-546: Incomplete Data Deletion in a Multi-Tenant Environment
An adversary obtains unauthorized information due to insecure or incomplete data deletion in a multi-tenant environment. If a cloud provider fails ...
-
CAPEC-547: Physical Destruction of Device or Component
An adversary conducts a physical attack on a device or component, destroying it such that it no longer functions as intended.
-
CAPEC-548: Contaminate Resource
An adversary contaminates organizational information systems (including devices and networks) by causing them to handle information of a classifica...
-
CAPEC-549: Local Execution of Code
An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootki...
-
CAPEC-550: Install New Service
When an operating system starts, it also starts programs called services or daemons. Adversaries may install a new service which will be executed a...
-
CAPEC-551: Modify Existing Service
When an operating system starts, it also starts programs called services or daemons. Modifying existing services may break existing services or may...
-
CAPEC-552: Install Rootkit
An adversary exploits a weakness in authentication to install malware that alters the functionality and information provided by targeted operating s...
-
CAPEC-554: Functionality Bypass
An adversary attacks a system by bypassing some or all functionality intended to protect it. Often, a system user will think that protection is in ...
-
CAPEC-555: Remote Services with Stolen Credentials
This pattern of attack involves an adversary that uses stolen credentials to leverage remote services such as RDP, telnet, SSH, and VNC to log into...
-
CAPEC-556: Replace File Extension Handlers
When a file is opened, its file handler is checked to determine which program opens the file. File handlers are configuration properties of many op...
-
CAPEC-558: Replace Trusted Executable
An adversary exploits weaknesses in privilege management or access control to replace a trusted executable with a malicious version and enable the ...
-
CAPEC-559: Orbital Jamming
In this attack pattern, the adversary sends disruptive signals at a target satellite using a rogue uplink station to disrupt the intended transmiss...
-
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and...
-
CAPEC-561: Windows Admin Shares with Stolen Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Ad...
-
CAPEC-562: Modify Shared File
An adversary manipulates the files in a shared location by adding malicious programs, scripts, or exploit code to valid content. Once a user opens ...
-
CAPEC-563: Add Malicious File to Shared Webroot
An adversary may add malicious content to a website through the open file share and then browse to that content with a web browser to cause the s...
-
CAPEC-564: Run Software at Logon
Operating systems allow logon scripts to be run whenever a specific user or users log on to a system. If adversaries can access these scripts, they ...
-
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's...
-
CAPEC-568: Capture Credentials via Keylogger
An adversary deploys a keylogger in an effort to obtain credentials directly from a system's user. After capturing all the keystrokes made by a use...
-
CAPEC-569: Collect Data as Provided by Users
An attacker leverages a tool, device, or program to obtain specific information as provided by a user of the target system. This information is oft...
-
CAPEC-571: Block Logging to Central Repository
An adversary prevents host-generated logs being delivered to a central location in an attempt to hide indicators of compromise.
-
CAPEC-572: Artificially Inflate File Sizes
An adversary modifies file contents by adding data to files for several reasons. Many different attacks could “follow” this pattern re...
-
CAPEC-573: Process Footprinting
An adversary exploits functionality meant to identify information about the currently running processes on the target system to an authorized user....
-
CAPEC-574: Services Footprinting
An adversary exploits functionality meant to identify information about the services on the target system to an authorized user. By knowing what se...
-
CAPEC-575: Account Footprinting
An adversary exploits functionality meant to identify information about the domain accounts and their permissions on the target system to an author...
-
CAPEC-576: Group Permission Footprinting
An adversary exploits functionality meant to identify information about user groups and their permissions on the target system to an authorized use...
-
CAPEC-577: Owner Footprinting
An adversary exploits functionality meant to identify information about the primary users on the target system to an authorized user. They may do t...
-
CAPEC-578: Disable Security Software
An adversary exploits a weakness in access control to disable security tools so that detection does not occur. This can take the form of killing pr...
-
CAPEC-579: Replace Winlogon Helper DLL
Winlogon is a part of Windows that performs logon actions. In Windows systems prior to Windows Vista, a registry key can be modified that causes Wi...
-
CAPEC-580: System Footprinting
An adversary engages in active probing and exploration activities to determine security information about a remote target system. Oftentimes adver...
-
CAPEC-581: Security Software Footprinting
Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations. This may include security rel...
-
CAPEC-582: Route Disabling
An adversary disables the network route between two targets. The goal is to completely sever the communications channel between two entities. This ...
-
CAPEC-583: Disabling Network Hardware
In this attack pattern, an adversary physically disables networking hardware by powering it down or disconnecting critical equipment. Disabling or ...
-
CAPEC-584: BGP Route Disabling
An adversary suppresses the Border Gateway Protocol (BGP) advertisement for a route so as to render the underlying network inaccessible. The BGP pr...
-
CAPEC-585: DNS Domain Seizure
In this attack pattern, an adversary influences a target's web-hosting company to disable a target domain. The goal is to prevent access to the tar...
-
CAPEC-586: Object Injection
An adversary attempts to exploit an application by injecting additional, malicious content during its processing of serialized objects. Developers ...
-
CAPEC-587: Cross Frame Scripting (XFS)
This attack pattern combines malicious JavaScript and a legitimate webpage loaded into a concealed iframe. The malicious JavaScript is then able to...
-
CAPEC-588: DOM-Based XSS
This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is inserted into the client-side HTML being parsed by a web br...
-
CAPEC-589: DNS Blocking
An adversary intercepts traffic and intentionally drops DNS requests based on content in the request. In this way, the adversary can deny the avail...
-
CAPEC-590: IP Address Blocking
An adversary performing this type of attack drops packets destined for a target IP address. The aim is to prevent access to the service hosted at t...
-
CAPEC-591: Reflected XSS
This type of attack is a form of Cross-Site Scripting (XSS) where a malicious script is "reflected" off a vulnerable web application and then execu...
-
CAPEC-592: Stored XSS
An adversary utilizes a form of Cross-site Scripting (XSS) where a malicious script is persistently "stored" within the data storage of a vulnerabl...
-
CAPEC-593: Session Hijacking
This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary ...
-
CAPEC-594: Traffic Injection
An adversary injects traffic into the target's network connection. The adversary is therefore able to degrade or disrupt the connection, and potent...
-
CAPEC-595: Connection Reset
In this attack pattern, an adversary injects a connection reset packet to one or both ends of a target's connection. The attacker is therefore able...
-
CAPEC-596: TCP RST Injection
An adversary injects one or more TCP RST packets to a target after the target has made an HTTP GET request. The goal of this attack is to have the t...
-
CAPEC-597: Absolute Path Traversal
An adversary with access to file system resources, either directly or via application logic, will use various file absolute paths and navigation me...
-
CAPEC-598: DNS Spoofing
An adversary sends a malicious response (an "NXDOMAIN" ("No such domain") code, or a DNS A record) to a target's route request before a legitimate resol...
-
CAPEC-599: Terrestrial Jamming
In this attack pattern, the adversary transmits disruptive signals in the direction of the target's consumer-level satellite dish (as opposed to th...
-
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authen...
-
CAPEC-601: Jamming
An adversary uses radio noise or signals in an attempt to disrupt communications. By intentionally overwhelming system resources with illegitimate ...
-
CAPEC-603: Blockage
An adversary blocks the delivery of an important system resource causing the system to fail or stop working.
-
CAPEC-604: Wi-Fi Jamming
In this attack scenario, the attacker actively transmits on the Wi-Fi channel to prevent users from transmitting or receiving data from the targete...
-
CAPEC-605: Cellular Jamming
In this attack scenario, the attacker actively transmits signals to overpower and disrupt the communication between a cellular user device and a ce...
-
CAPEC-606: Weakening of Cellular Encryption
An attacker, with control of a Cellular Rogue Base Station or through cooperation with a Malicious Mobile Network Operator, can force the mobile dev...
-
CAPEC-607: Obstruction
An attacker obstructs the interactions between system components. By interrupting or disabling these interactions, an adversary can often force the...
-
CAPEC-608: Cryptanalysis of Cellular Encryption
The use of cryptanalytic techniques to derive cryptographic keys or otherwise effectively defeat cellular encryption to reveal traffic content. Som...
-
CAPEC-609: Cellular Traffic Intercept
Cellular traffic for voice and data from mobile devices and retransmission devices can be intercepted via numerous methods. Malicious actors can de...
-
CAPEC-610: Cellular Data Injection
Adversaries inject data into mobile technology traffic (data flows or signaling data) to disrupt communications or conduct additional surveillance ...
-
CAPEC-611: BitSquatting
An adversary registers a domain name one bit different than a trusted domain. A BitSquatting attack leverages random errors in memory to direct Int...
-
CAPEC-612: WiFi MAC Address Tracking
In this attack scenario, the attacker passively listens for WiFi messages and logs the associated Media Access Control (MAC) addresses. These addre...
-
CAPEC-613: WiFi SSID Tracking
In this attack scenario, the attacker passively listens for WiFi management frame messages containing the Service Set Identifier (SSID) for the WiF...
-
CAPEC-614: Rooting SIM Cards
SIM cards are the de facto trust anchor of mobile devices worldwide. The cards protect the mobile identity of subscribers, associate devices with p...
-
CAPEC-615: Evil Twin Wi-Fi Attack
Adversaries install Wi-Fi equipment that acts as a legitimate Wi-Fi network access point. When a device connects to this access point, Wi-Fi data t...
-
CAPEC-616: Establish Rogue Location
An adversary provides a malicious version of a resource at a location that is similar to the expected location of a legitimate resource. After esta...
-
CAPEC-617: Cellular Rogue Base Station
In this attack scenario, the attacker imitates a cellular base station with their own "rogue" base station equipment. Since cellular devices connec...
-
CAPEC-618: Cellular Broadcast Message Request
In this attack scenario, the attacker uses knowledge of the target’s mobile phone number (i.e., the number associated with the SIM used in the retr...
-
CAPEC-619: Signal Strength Tracking
In this attack scenario, the attacker passively monitors the signal strength of the target’s cellular RF signal or WiFi RF signal and uses the stre...
-
CAPEC-620: Drop Encryption Level
An attacker forces the encryption level to be lowered, thus enabling a successful attack against the encrypted data.
-
CAPEC-621: Analysis of Packet Timing and Sizes
An attacker may intercept and log encrypted transmissions for the purpose of analyzing metadata such as packet timing and sizes. Although the actua...
-
CAPEC-622: Electromagnetic Side-Channel Attack
In this attack scenario, the attacker passively monitors electromagnetic emanations that are produced by the targeted electronic device as an unint...
-
CAPEC-623: Compromising Emanations Attack
Compromising Emanations (CE) are defined as unintentional signals which an attacker may intercept and analyze to disclose the information processed...
-
CAPEC-624: Hardware Fault Injection
The adversary uses disruptive signals or events, or alters the physical environment a device operates in, to cause faulty behavior in electronic de...
-
CAPEC-625: Mobile Device Fault Injection
Fault injection attacks against mobile devices use disruptive signals or events (e.g. electromagnetic pulses, laser pulses, clock glitches, etc.) t...
-
CAPEC-626: Smudge Attack
Attacks that reveal the password/passcode pattern on a touchscreen device by detecting oil smudges left behind by the user’s fingers.
-
CAPEC-627: Counterfeit GPS Signals
An adversary attempts to deceive a GPS receiver by broadcasting counterfeit GPS signals, structured to resemble a set of normal GPS signals. These ...
-
CAPEC-628: Carry-Off GPS Attack
A common form of GPS spoofing attack, commonly termed a carry-off attack, begins with an adversary broadcasting signals synchronized with the genu...
-
CAPEC-630: TypoSquatting
An adversary registers a domain name with at least one character different than a trusted domain. A TypoSquatting attack takes advantage of instanc...
-
CAPEC-631: SoundSquatting
An adversary registers a domain name that sounds the same as a trusted domain, but has a different spelling. A SoundSquatting attack takes advantag...
-
CAPEC-632: Homograph Attack via Homoglyphs
An adversary registers a domain name containing a homoglyph, leading the registered domain to appear the same as a trusted domain. A homograph atta...
-
CAPEC-633: Token Impersonation
An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associa...
-
CAPEC-634: Probe Audio and Video Peripherals
The adversary exploits the target system's audio and video functionalities through malware or scheduled tasks. The goal is to capture sensitive inf...
-
CAPEC-635: Alternative Execution Due to Deceptive Filenames
The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cau...
-
CAPEC-636: Hiding Malicious Data or Code within Files
Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is...
-
CAPEC-637: Collect Data from Clipboard
The adversary exploits an application that allows for the copying of sensitive data or information by collecting information copied to the clipboar...
-
CAPEC-638: Altered Component Firmware
An adversary exploits system features and/or improperly protected firmware of hardware components, such as Hard Disk Drives (HDD), with the goal o...
-
CAPEC-639: Probe System Files
An adversary obtains unauthorized information due to improperly protected files. If an application stores sensitive information in a file that is n...
-
CAPEC-640: Inclusion of Code in Existing Process
The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the ad...
-
CAPEC-641: DLL Side-Loading
An adversary places a malicious version of a Dynamic-Link Library (DLL) in the Windows Side-by-Side (WinSxS) directory to trick the operating syste...
-
CAPEC-642: Replace Binaries
Adversaries know that certain binaries will be regularly executed as part of normal processing. If these binaries are not protected with the approp...
-
CAPEC-643: Identify Shared Files/Directories on System
An adversary discovers connections between systems by exploiting the target system's standard practice of revealing them in searchable, common area...
-
CAPEC-644: Use of Captured Hashes (Pass The Hash)
An adversary obtains (i.e. steals or purchases) legitimate Windows domain credential hash values to access systems within the domain that leverage ...
-
CAPEC-645: Use of Captured Tickets (Pass The Ticket)
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authenticati...
-
CAPEC-646: Peripheral Footprinting
Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include...
-
CAPEC-647: Collect Data from Registries
An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registr...
-
CAPEC-648: Collect Data from Screen Capture
An adversary gathers sensitive information by exploiting the system's screen capture functionality. Through screenshots, the adversary aims to see ...
-
CAPEC-649: Adding a Space to a File Extension
An adversary adds a space character to the end of a file extension and takes advantage of an application that does not properly neutralize trailing...
-
CAPEC-650: Upload a Web Shell to a Web Server
By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This s...
-
CAPEC-651: Eavesdropping
An adversary intercepts a form of communication (e.g. text, audio, video) by way of software (e.g., microphone and audio recording application), ha...
-
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets)...
-
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication...
-
CAPEC-654: Credential Prompt Impersonation
An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.
-
CAPEC-655: Avoid Security Tool Identification by Adding Data
An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask th...
-
CAPEC-656: Voice Phishing
An adversary targets users with a phishing attack for the purpose of soliciting account passwords or sensitive information from the user. Voice Phi...
-
CAPEC-657: Malicious Automated Software Update via Spoofing
An attacker uses identity or content spoofing to trick a client into performing an automated software update from a malicious source. A malicious ...
-
CAPEC-660: Root/Jailbreak Detection Evasion via Hooking
An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak ...
-
CAPEC-661: Root/Jailbreak Detection Evasion via Debugging
An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Roo...
-
CAPEC-662: Adversary in the Browser (AiTB)
An adversary exploits security vulnerabilities or inherent functionalities of a web browser, in order to manipulate traffic between tw...
-
CAPEC-663: Exploitation of Transient Instruction Execution
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution to expose sensitive data and bypass/subvert...
-
CAPEC-664: Server Side Request Forgery
An adversary exploits improper input validation by submitting maliciously crafted input to a target application running on a server, w...
-
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller...
-
CAPEC-666: BlueSmacking
An adversary uses Bluetooth flooding to transfer large packets to Bluetooth enabled devices over the L2CAP protocol with the goal of creating a DoS...
-
CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authent...
-
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Blueto...
-
CAPEC-669: Alteration of a Software Update
An adversary with access to an organization’s software update infrastructure inserts malware into the content of an outgoing update to...
-
CAPEC-670: Software Development Tools Maliciously Altered
An adversary with the ability to alter tools used in a development environment causes software to be developed with maliciously modified tools. Suc...
-
CAPEC-671: Requirements for ASIC Functionality Maliciously Altered
An adversary with access to functional requirements for an application specific integrated circuit (ASIC), a chip designed/customized for a singula...
-
CAPEC-672: Malicious Code Implanted During Chip Programming
During the programming step of chip manufacture, an adversary with access and necessary technical skills maliciously alters a chip’s i...
-
CAPEC-673: Developer Signing Maliciously Altered Software
Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting...
-
CAPEC-674: Design for FPGA Maliciously Altered
An adversary alters the functionality of a field-programmable gate array (FPGA) by causing an FPGA configuration memory chip reload in...
-
CAPEC-675: Retrieve Data from Decommissioned Devices
An adversary obtains decommissioned, recycled, or discarded systems and devices that can include an organization’s intellectual proper...
-
CAPEC-676: NoSQL Injection
An adversary targets software that constructs NoSQL statements based on user input or with parameters vulnerable to operator replaceme...
-
CAPEC-677: Server Motherboard Compromise
Malware is inserted in a server motherboard (e.g., in the flash memory) in order to alter server functionality from that intended. The...
-
CAPEC-678: System Build Data Maliciously Altered
During the system build process, the system is deliberately misconfigured by the alteration of the build data. Access to system config...
-
CAPEC-679: Exploitation of Improperly Configured or Implemented Memory Protections
An adversary takes advantage of missing or incorrectly configured access control within memory to read/write data or inject malicious ...
-
CAPEC-680: Exploitation of Improperly Controlled Registers
An adversary exploits missing or incorrectly configured access control within registers to read/write data that is not meant to be obt...
-
CAPEC-681: Exploitation of Improperly Controlled Hardware Security Identifiers
An adversary takes advantage of missing or incorrectly configured security identifiers (e.g., tokens), which are used for access contr...
-
CAPEC-682: Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities
An adversary may exploit vulnerable code (i.e., firmware or ROM) that is unpatchable. Unpatchable devices exist due to manufacturers intentionally ...
-
CAPEC-690: Metadata Spoofing
An adversary alters the metadata of a resource (e.g., file, directory, repository, etc.) to present a malicious resource as legitimate...
-
CAPEC-691: Spoof Open-Source Software Metadata
An adversary spoofs open-source software metadata in an attempt to masquerade malicious software as popular, maintained, and trusted.
-
CAPEC-692: Spoof Version Control System Commit Metadata
An adversary spoofs metadata pertaining to a Version Control System (VCS) (e.g., Git) repository's commits to deceive users into belie...
-
CAPEC-693: StarJacking
An adversary spoofs software popularity metadata to deceive users into believing that a maliciously provided package is widely used an...
-
CAPEC-694: System Location Discovery
An adversary collects information about the target system in an attempt to identify the system's geographical location. In...
-
CAPEC-695: Repo Jacking
An adversary takes advantage of the redirect property of directly linked Version Control System (VCS) repositories to trick users into...
-
CAPEC-696: Load Value Injection
An adversary exploits a hardware design flaw in a CPU implementation of transient instruction execution in which a faulting or assisted load instru...
-
CAPEC-697: DHCP Spoofing
An adversary masquerades as a legitimate Dynamic Host Configuration Protocol (DHCP) server by spoofing DHCP traffic, with the goal of ...
-
CAPEC-698: Install Malicious Extension
An adversary directly installs or tricks a user into installing a malicious extension into existing trusted software, with the goal of...
-
CAPEC-699: Eavesdropping on a Monitor
An adversary can eavesdrop on the content of an external monitor through the air without modifying any cable or installing software, just capturing...
-
CAPEC-700: Network Boundary Bridging
An adversary which has gained elevated access to network boundary devices may use these devices to create a channel to bridge trusted and untrusted...
-
CAPEC-701: Browser in the Middle (BiTM)
An adversary exploits the inherent functionalities of a web browser, in order to establish an unnoticed remote desktop connection in the victim's b...
-
CAPEC-702: Exploiting Incorrect Chaining or Granularity of Hardware Debug Components
An adversary exploits incorrect chaining or granularity of hardware debug components in order to gain unauthorized access to debug fun...
Additional Resources
For further reading on CAPEC and cybersecurity best practices, explore these resources:
CAPEC Attack Patterns Directory: Comprehensive Overview
The CAPEC Attack Patterns Directory is a curated resource of known attack techniques that pose significant threats to information security. By exploring CAPEC entries, security professionals gain valuable insights into attack methodologies and can implement effective countermeasures.
Our directory covers a wide range of attack patterns—from injection flaws to buffer overflows—providing detailed descriptions, recommended mitigation strategies, and additional references. Stay informed about the latest security trends and improve your defensive measures by understanding these critical attack patterns.