CAPEC-647: Collect Data from Registries

Description
An adversary exploits a weakness in authorization to gather system-specific data and sensitive information within a registry (e.g., Windows Registry, Mac plist). These contain information about the system configuration, software, operating system, and security. The adversary can leverage information gathered in order to carry out further attacks.
Extended Description

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.

Severity :

Medium

Possibility :

Medium

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-150: Collect Data from Common Resource Locations Collect Data from Common Resource Locations
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The adversary must have obtained logical access to the system by some means (e.g., via obtained credentials or planting malware on the system).
  • The adversary must have capability to navigate the operating system to peruse the registry.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Low Once the adversary has logical access (which can potentially require high knowledge and skill level), the adversary needs only the capability and facility to navigate the system through the OS graphical user interface or the command line.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Data from Local System ATTACK | Query Registry ATTACK | Unsecured Credentials: Credentials in Registry
Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-285: Improper Authorization

Visit http://capec.mitre.org/ for more details.