CAPEC-646: Peripheral Footprinting

Description
Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.
Extended Description

When authenticating via LM or NTLM, an authenticating account's plaintext credentials are not required by the protocols for successful authentication. Instead, the hashed credentials are used to determine if an authentication attempt is valid. If an adversary can obtain an account's hashed credentials, the hash values can then be passed to a system or service to authenticate, without needing to brute-force the hashes to obtain their cleartext values. Successful Pass The Hash attacks result in the adversary fully authenticating as the targeted account, which can further allow the adversary to laterally move within the network, impersonate a legitimate user, and/or download/install malware to systems within the domain. This technique can be performed against any operating system that leverages the LM or NTLM protocols even if the operating system is not Windows-based, since these systems/accounts may still authenticate to a Windows domain.

Severity :

Medium

Possibility :

Low

Type :

Standard
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-169: Footprinting Footprinting CAPEC-270: Modification of Registry Run Keys Modification of Registry Run Keys
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The adversary needs either physical or remote access to the victim system.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • Medium The adversary needs to be able to infect the victim system in a manner that gives them remote access.
  • Medium If analyzing the Windows registry, the adversary must understand the registry structure to know where to look for devices.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Peripheral Device Discovery
Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Visit http://capec.mitre.org/ for more details.