An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks.
Description
Attack Execution Flow
4
1
Step 1
Explore[Gain logical access to system] An adversary must first gain logical access to the system it wants to gather registry information from,
Obtain user account credentials and access the system
Plant malware on the system that will give remote logical access to the adversary
AI Translation
[Ottenere accesso logico al sistema] Un avversario deve prima ottenere l'accesso logico al sistema da cui desidera raccogliere informazioni di registro,
Ottenere le credenziali dell'account utente e accedere al sistema
Installare malware sul sistema che fornirà all'avversario un accesso logico remoto
Attack Techniques
-
Plant malware on the system that will give remote logical access to the adversary
-
Obtain user account credentials and access the systemIT: Pianta malware sul sistema che consentirà all'avversario un accesso logico remoto
2
Step 2
Experiment[Determine if the permissions are correct] Once logical access is gained, an adversary will determine if they have the proper permissions, or are authorized, to view registry information. If they do not, they will need to escalate privileges on the system through other means
AI Translation
[Verifica della correttezza delle autorizzazioni] Una volta ottenuto l'accesso logico, un avversario determinerà se dispone delle autorizzazioni corrette o se è autorizzato a visualizzare le informazioni del registro. Se non lo è, dovrà elevare i privilegi sul sistema tramite altri mezzi
3
Step 3
Experiment[Peruse registry for information] Once an adversary has access to a registry, they will gather all system-specific data and sensitive information that they deem useful.
AI Translation
[Esamina il registro per ottenere informazioni] Una volta che un avversario ha accesso a un registro, raccoglierà tutti i dati specifici del sistema e le informazioni sensibili che ritiene utili.
4
Step 4
Exploit[Follow-up attack] Use any information or weaknesses found to carry out a follow-up attack
AI Translation
[Attacco di follow-up] Utilizzare qualsiasi informazione o vulnerabilità riscontrata per effettuare un attacco successivo
Mitigations
2
Employ A Robust And Layered Defensive Posture In Order To Prevent Unauthorized Users On Your System.
Employ Robust Identification And Audit/Blocking Via Using An Allowlist Of Applications On Your System. Unnecessary Applications, Utilities, And Configurations Will Have A Presence In The System Registry That Can Be Leveraged By An Adversary Through This Attack Pattern.
Consequences
Security Scopes Affected
Confidentiality
Potential Impacts
Read Data
Relationships
Parent CAPECs
Related ATT&CK Techniques
3
T1005
Data from Local System
Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find …
T1012
Query Registry
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains …
T1552.002
Credentials in Registry
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can …
Resources Required
1
None: No specialized resources are required to execute this type of attack.