CAPEC-647: Collect Data from Registries

Detailed Draft 严重程度: Medium 攻击可能性: Medium

CAPEC版本: 3.9

更新日期: 2023-01-24

攻击模式描述

An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks.

执行流程

步骤 1 Explore

[Gain logical access to system] An adversary must first gain logical access to the system it wants to gather registry information from,

技术:
  • Obtain user account credentials and access the system
  • Plant malware on the system that will give remote logical access to the adversary
步骤 2 Experiment

[Determine if the permissions are correct] Once logical access is gained, an adversary will determine if they have the proper permissions, or are authorized, to view registry information. If they do not, they will need to escalate privileges on the system through other means

步骤 3 Experiment

[Peruse registry for information] Once an adversary has access to a registry, they will gather all system-specific data and sensitive information that they deem useful.

步骤 4 Exploit

[Follow-up attack] Use any information or weaknesses found to carry out a follow-up attack

前提条件

  • The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).
  • The adversary must have capability to navigate the operating system to peruse the registry.

所需技能

Low Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line.

所需资源

  • None: No specialized resources are required to execute this type of attack.

后果影响

影响范围: Confidentiality

技术影响: Read Data

说明: The adversary is able to read sensitive information about the system in the registry.

缓解措施

Employ a robust and layered defensive posture in order to prevent unauthorized users on your system.

Employ robust identification and audit/blocking via using an allowlist of applications on your system. Unnecessary applications, utilities, and configurations will have a presence in the system registry that can be leveraged by an adversary through this attack pattern.

分类映射

分类名称 条目ID 条目名称
ATTACK 1005 Data from Local System
ATTACK 1012 Query Registry
ATTACK 1552.002 Unsecured Credentials: Credentials in Registry
关键信息

CAPEC ID: CAPEC-647

抽象级别: Detailed

状态: Draft

典型严重程度: Medium

攻击可能性: Medium

相关攻击模式
ChildOf CAPEC-150

Collect Data from Common Resource Locations

Standard
相关CWE弱点
CWE-285
返回列表