CAPEC-150: Collect Data from Common Resource Locations
An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
Last updated
Overview
CAPEC-150 (Collect Data from Common Resource Locations) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The targeted applications must either expect files to be located at a specific location or, if the location of the files can be configured by the user, the user either failed to move the files from the default location or placed them in a conventional location for files of the given type.
Resources required
- None: No specialized resources are required to execute this type of attack. In some cases, the attacker need not even have direct access to the locations on the target computer where the targeted resources reside.
Examples
An adversary can use a technique called Bluesnarfing to retrieve data from Bluetooth enabled devices in which they know where the data is located. This is done by connecting to the device’s Object Exchange (OBEX) Push Profile and making OBEX GET requests for known filenames (contact lists, photos, recent calls). Bluesnarfing was patched shortly after its discovery in 2003 and will only work on devices created before or during this time.
Terminology & mappings
Mapped taxonomies
- ATTACK: OS Credential Dumping (1003)
- ATTACK: Automated Collection (1119)
- ATTACK: Data from Information Repositories (1213)
- ATTACK: Data from Cloud Storage Object (1530)
- ATTACK: Credentials from Password Stores (1555)
- ATTACK: Data from Configuration Repository (1602)
Frequently asked questions
Common questions about CAPEC-150.
- What is CAPEC-150?
- An adversary exploits well-known locations for resources for the purposes of undermining the security of the target. In many, if not most systems, files and resources are organized in a default tree structure. This can be useful for adversaries because they often know where to look for resources or files that are necessary for attacks. Even when the precise location of a targeted resource may not be known, naming conventions may indicate a small area of the target machine's file tree where the resources are typically located. For example, configuration files are normally stored in the /etc director on Unix systems. Adversaries can take advantage of this to commit other types of attacks.
- What weaknesses does CAPEC-150 target?
- CAPEC-150 exploits 7 CWE weaknesses, including CWE-552 (Files or Directories Accessible to External Parties), CWE-1239 (Improper Zeroization of Hardware Register), CWE-1258 (Exposure of Sensitive System Information Due to Uncleared Debug Information), CWE-1266 (Improper Scrubbing of Sensitive Data from Decommissioned Device).
- How severe is CAPEC-150?
- MITRE rates CAPEC-150 as Medium severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-150
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.