The adversary directly or indirectly modifies environment variables used by or controlling the target software. The adversary's goal is to cause the target software to deviate from its expected operation in a manner that benefits the adversary.
Description
Attack Execution Flow
3
1
Step 1
Explore[Probe target application] The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on. Most importantly, the adversary tries to determine what environment variables might be used by the underlying software, or even the application itself.
AI Translation
[Probe target application] L'avversario esegue prima una scansione dell'applicazione target per determinare informazioni importanti sul bersaglio. Queste informazioni potrebbero includere i tipi di software utilizzati, le versioni del software, quali input utente l'applicazione consuma e così via. Più importante ancora, l'avversario cerca di determinare quali variabili di ambiente potrebbero essere utilizzate dal software sottostante, o anche dall'applicazione stessa.
2
Step 2
Experiment[Find user-controlled environment variables] Using the information found by probing the application, the adversary attempts to manipulate any user-controlled environment variables they have found are being used by the application, or suspect are being used by the application, and observe the effects of these changes. If the adversary notices any significant changes to the application, they will know that a certain environment variable is important to the application behavior and indicates a possible attack vector.
Alter known environment variables such as '$PATH', '$HOSTNAME', or 'LD_LIBRARY_PATH' and see if application behavior changes.
AI Translation
[Trova variabili d'ambiente controllate dall'utente] Utilizzando le informazioni ottenute tramite il probing dell'applicazione, l'attore malevolo tenta di manipolare eventuali variabili d'ambiente controllate dall'utente che ha rilevato essere utilizzate dall'applicazione, o che sospetta vengano utilizzate dall'applicazione, e osserva gli effetti di tali modifiche. Se l'attaccante nota cambiamenti significativi nell'applicazione, saprà che una certa variabile d'ambiente è importante per il comportamento dell'applicazione e indica una possibile via di attacco.
Modifica variabili d'ambiente note come "$PATH", "$HOSTNAME" o "LD_LIBRARY_PATH" e verifica se il comportamento dell'applicazione cambia.
Attack Techniques
-
Alter known environment variables such as "$PATH", "$HOSTNAME", or "LD_LIBRARY_PATH" and see if application behavior changes.
3
Step 3
Exploit[Manipulate user-controlled environment variables] The adversary manipulates the found environment variable(s) to abuse the normal flow of processes or to gain access to privileged resources.
AI Translation
[Manipolazione delle variabili di ambiente controllate dall'utente] L'avversario manipola le variabili di ambiente trovate per sfruttare il normale flusso dei processi o per ottenere l'accesso a risorse privilegiate.
Mitigations
4
Apply The Least Privilege Principles. If A Process Has No Legitimate Reason To Read An Environment Variable Do Not Give That Privilege.
Assume All Input Is Malicious. Create An Allowlist That Defines All Valid Input To The Software System Based On The Requirements Specifications. Input That Does Not Match Against The Allowlist Should Not Be Permitted To Enter Into The System.
Protect Environment Variables Against Unauthorized Read And Write Access.
Protect The Configuration Files Which Contain Environment Variables Against Illegitimate Read And Write Access.
Consequences
Security Scopes Affected
Access Control
Accountability
Authorization
Availability
Confidentiality
Integrity
Potential Impacts
Bypass Protection Mechanism
Execute Unauthorized Commands
Hide Activities
Read Data
Unreliable Execution
Relationships
Parent CAPECs
Related CAPECs
Related ATT&CK Techniques
3
T1562.003
Impair Command History Logging
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track …
T1574.006
Dynamic Linker Hijacking
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During …
T1574.007
Path Interception by PATH Environment Variable
Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. The PATH environment variable contains …