CAPEC-536: Data Injected During Configuration
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.
执行流程
步骤 1 Explore
[Determine configuration process] The adversary, through a previously compromised system, either remotely or physically, determines what the configuration process is. They look at configuration files, data files, and running processes on the system to identify areas where they could inject malicious data.
步骤 2 Explore
[Determine when configuration occurs] The adversary needs to then determine when configuration or recalibration of a system occurs so they know when to inject malicious data.
- Look for a weekly update cycle or repeated update schedule.
- Insert a malicious process into the target system that notifies the adversary when configuration is occurring.
步骤 3 Experiment
[Determine malicious data to inject] By looking at the configuration process, the adversary needs to determine what malicious data they want to insert and where to insert it.
- Add false log data
- Change configuration files
- Change data files
步骤 4 Exploit
[Inject malicious data] Right before, or during system configuration, the adversary injects the malicious data. This leads to the system behaving in a way that is beneficial to the adversary and is often followed by other attacks.
前提条件
- The attacker must have previously compromised the victim's systems or have physical access to the victim's systems.
- Advanced knowledge of software and hardware capabilities of a manufacturer's product.
所需技能
缓解措施
Ensure that proper access control is implemented on all systems to prevent unauthorized access to system files and processes.
示例实例
An adversary wishes to bypass a security system to access an additional network segment where critical data is kept. The adversary knows that some configurations of the security system will allow for remote bypass under certain conditions, such as switching a specific parameter to a different value. The adversary knows the bypass will work but also will be detected within the logging data of the security system. The adversary waits until an upgrade is performed to the security system by the victim's system administrators, and the adversary has access to an external logging system. The adversary injects false log entries that cause the administrators to think there are two different error states within the security system - one involving the specific parameter and the other involving the logging entries. The specific parameter is adjusted to a different value, and the logging level is reduced to a lower level that will not cause an adversary bypass to be detected. The adversary stops injecting false log data, and the administrators of the security system believe the issues were caused by the upgrade and are now resolved. The adversary is then able to bypass the security system.