CAPEC-203: Manipulate Registry Information

Description

An adversary exploits a weakness in authorization in order to modify content within a registry (e.g., Windows Registry, Mac plist, application registry). Editing registry information can permit the adversary to hide configuration information or remove indicators of compromise to cover up activity. Many applications utilize registries to store configuration and service information. As such, modification of registry information can affect individual services (affecting billing, authorization, or even allowing for identity spoofing) or the overall configuration of a targeted application. For example, both Java RMI and SOAP use registries to track available services. Changing registry values is sometimes a preliminary step towards completing another attack pattern, but given the long term usage of many registry values, manipulation of registry information could be its own end.

Extended Description

For example, servers may assume that clients will accurately compute values (such as prices), will send correctly structured messages, and will attempt to ensure efficient interactions with the server. By reverse-engineering a client and creating their own version, an adversary can take advantage of these assumptions to abuse service functionality.

For example, a purchasing service might send a unit price to its client and expect the client to correctly compute the total cost of a purchase. If the adversary uses a malicious client, however, the adversary could ignore the server input and declare any total price. Likewise, an adversary could configure the client to retain network or other server resources for longer than legitimately necessary in order to degrade server performance. Even services with general clients can be susceptible to this attack if they assume certain client behaviors. However, such services generally can make fewer assumptions about the behavior of their clients in the first place and, as such, are less likely to make assumptions that an adversary can exploit.

Severity :

Medium

Possibility :

Type :

Standard

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-51: Poison Web Service Registry Poison Web Service Registry CAPEC-176: Configuration/Environment Manipulation Configuration/Environment Manipulation CAPEC-270: Modification of Registry Run Keys Modification of Registry Run Keys CAPEC-478: Modification of Windows Service Configuration Modification of Windows Service Configuration

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

The targeted application must rely on values stored in a registry.
The adversary must have a means of elevating permissions in order to access and modify registry content through either administrator privileges (e.g., credentialed access), or a remote access tool capable of editing a registry through an API.

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

High The adversary requires privileged credentials or the development/acquiring of a tailored remote access tool.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Modify Registry ATTACK | Plist Modification

Resources required

None: No specialized resources are required to execute this type of attack.

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-15: External Control of System or Configuration Setting

Visit http://capec.mitre.org/ for more details.