CAPEC-37: Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.
Overview
CAPEC-37 (Retrieve Embedded Sensitive Data) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1: Explore
[Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.
- Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.
- Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack.
- Step 2: Exploit
[Retrieve Embedded Data] The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest.
- API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.
- Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.
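A defender can run the same kind of inspection on their own release artifacts before they ship, so embedded credentials are found in-house first. The following Python is an added example, not part of the CAPEC entry: it walks a zip-based artifact (zip, jar, war), descends into nested archives, and reports files matching credential patterns. The pattern set, size and depth limits, and the sample archive are constructed assumptions.

```python
import io
import re
import zipfile

# Illustrative patterns (assumptions, not from the CAPEC entry); tune per codebase.
PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(rb"(?i)\b(?:password|passwd|secret|api_key)\b\s*[=:]\s*[\"']?[^\s\"']{6,}"),
}
NESTED_SUFFIXES = (".zip", ".jar", ".war", ".ear")
MAX_DEPTH = 3                  # stop runaway nesting
MAX_MEMBER_BYTES = 20 * 2**20  # skip members too large to hold in memory

def scan_bytes(data, path):
    """Return (path, rule) findings for one file's contents."""
    return [(path, rule) for rule, rx in PATTERNS.items() if rx.search(data)]

def scan_archive(data, path="<artifact>", depth=0):
    """Walk a zip-based artifact, descending into nested archives."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            member = zf.read(info)
            member_path = f"{path}!/{info.filename}"
            nested = info.filename.lower().endswith(NESTED_SUFFIXES)
            if nested and depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(member)):
                findings += scan_archive(member, member_path, depth + 1)
            else:
                findings += scan_bytes(member, member_path)
    return findings

def build_sample_artifact():
    """Constructed sample: a 'war' containing a jar with a hard-coded credential."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("db.properties", "db.user=app\ndb.password=Example-Not-Real-1\n")
        jar.writestr("App.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x34no secrets here")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/app.jar", inner.getvalue())
        war.writestr("index.html", "<html>hello</html>")
    return outer.getvalue()

if __name__ == "__main__":
    for path, rule in scan_archive(build_sample_artifact()):
        print(f"{rule}: {path}")
```

A finding from a check like this is a signal to move the value out of the shipped artifact, not to obfuscate it in place.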