An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
Description
Attack Execution Flow
2
1
Step 1
Explore[Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.
Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.
AI Translation
[Identify Target] L'attacker identifica i componenti del client da cui estrarre informazioni. Questi possono essere eseguibili binari, file di classe, librerie condivise (ad esempio DLL), file di configurazione o altri file di sistema.
Estrazione di file binari. L'attacker estrae file binari da zip, jar, war, PDF o altri formati compositi.
Elenco dei pacchetti. L'attacker utilizza un manifesto dei pacchetti fornito con l'installer del software, o il filesystem stesso, per identificare i file dei componenti idonei all'attacco.
Attack Techniques
-
Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
-
Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.IT: Estrazione di file binari. L'attaccante estrae file binari da zip, jar, war, PDF o altri formati compositi.
2
Step 2
Exploit[Retrieve Embedded Data] The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest.
API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.
Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.
AI Translation
[Retrieve Embedded Data] L'attaccante utilizza quindi una varietà di tecniche, come sniffing, reverse-engineering e crittoanalisi, per recuperare le informazioni di interesse.
Profiling API. L'attaccante monitora l'uso da parte del software di chiavi di registro o di altri spazi di archiviazione forniti dal sistema operativo che possono contenere informazioni sensibili.
Esecuzione in simulatore. L'attaccante rimuove fisicamente lo storage di massa dal sistema e lo esplora utilizzando un simulatore, un sistema esterno o altro strumento di debug.
Metodi di decodifica comuni. L'attaccante applica metodi per decodificare tali codifiche e compressioni come Base64, unzip, unrar, decodifica RLE, decompressione gzip e così via.
Tipizzazione dei dati comune. L'attaccante cerca firme di file comuni per tipi di file ben noti (JPEG, TIFF, ASN.1, LDIF, ecc.). Se le firme corrispondono, tenta la decodifica in quel formato.
Attack Techniques
-
Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
-
Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format.IT: Esecuzione in simulatore. L'attaccante rimuove fisicamente lo storage di massa dal sistema ed esplora i dati utilizzando un simulatore, un sistema esterno o un altro strumento di debug.
-
API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.IT: Esecuzione in simulatore. L'attaccante rimuove fisicamente lo storage di massa dal sistema ed esplora i dati utilizzando un simulatore, un sistema esterno o un altro strumento di debug.
-
Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.IT: Esecuzione in simulatore. L'attaccante rimuove fisicamente lo storage di massa dal sistema ed esplora i dati utilizzando un simulatore, un sistema esterno o un altro strumento di debug.
Consequences
Security Scopes Affected
Access Control
Authorization
Confidentiality
Integrity
Potential Impacts
Gain Privileges
Modify Data
Read Data
Relationships
Parent CAPECs
Related ATT&CK Techniques
2
T1005
Data from Local System
Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find …
T1552.004
Private Keys
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates …
Resources Required
1
The attacker must possess access to the system or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as "Strings" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources.