Dark Mode

Settings

Capec-536 Detail

Data Injected During Configuration

Standard Supply Chain Software Likelihood: Low Typical Severity: High

Parents: 176

Threats: T62 T68 T269 T270 T271 T272 T273 T274 T297 T393

Description

An attacker with access to data files and processes on a victim's system injects malicious data into critical operational data during configuration or recalibration, causing the victim's system to perform in a suboptimal manner that benefits the adversary.

Not present

External ID Source Link Description
CAPEC-536 capec https://capec.mitre.org/data/definitions/536.html
CWE-284 cwe http://cwe.mitre.org/data/definitions/284.html
REF-439 reference_from_CAPEC http://www.mitre.org/sites/default/files/publications/supply-chain-attack-framework-14-0228.pdf John F. Miller, Supply Chain Attack Framework and Attack Patterns, 2013, The MITRE Corporation
Explore

  1. Determine configuration process: The adversary, through a previously compromised system, either remotely or physically, determines what the configuration process is. They look at configuration files, data files, and running processes on the system to identify areas where they could inject malicious data.

  2. Determine when configuration occurs: The adversary needs to then determine when configuration or recalibration of a system occurs so they know when to inject malicious data.

    3. Techniques
    Look for a weekly update cycle or repeated update schedule.
    Insert a malicious process into the target system that notifies the adversary when configuration is occurring.
Experiment

  1. Determine malicious data to inject: By looking at the configuration process, the adversary needs to determine what malicious data they want to insert and where to insert it.

    2. Techniques
    Add false log data
    Change configuration files
    Change data files
Exploit

  1. Inject malicious data: Right before, or during system configuration, the adversary injects the malicious data. This leads to the system behaving in a way that is beneficial to the adversary and is often followed by other attacks.

  1. The attacker must have previously compromised the victim's systems or have physical access to the victim's systems.
  2. Advanced knowledge of software and hardware capabilities of a manufacturer's product.

Not present

High
Ability to generate and inject false data into operational data into a system with the intent of causing the victim to alter the configuration of the system.

Not present

  1. An adversary wishes to bypass a security system to access an additional network segment where critical data is kept. The adversary knows that some configurations of the security system will allow for remote bypass under certain conditions, such as switching a specific parameter to a different value. The adversary knows the bypass will work but also will be detected within the logging data of the security system. The adversary waits until an upgrade is performed to the security system by the victim's system administrators, and the adversary has access to an external logging system. The adversary injects false log entries that cause the administrators to think there are two different error states within the security system - one involving the specific parameter and the other involving the logging entries. The specific parameter is adjusted to a different value, and the logging level is reduced to a lower level that will not cause an adversary bypass to be detected. The adversary stops injecting false log data, and the administrators of the security system believe the issues were caused by the upgrade and are now resolved. The adversary is then able to bypass the security system.

We use cookies to ensure you get the best experience on our website.