CAPEC-549: Local Execution of Code
An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.
Last updated
Overview
CAPEC-549 (Local Execution of Code) is a meta-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- Knowledge of the target system's vulnerabilities that can be capitalized on with malicious code.The adversary must be able to place the malicious code on the target system.
Resources required
- The means by which the adversary intends to place the malicious code on the system dictates the tools required. For example, suppose the adversary wishes to leverage social engineering and convince a legitimate user to open a malicious file attached to a seemingly legitimate email. In this case, the adversary might require a tool capable of wrapping malicious code into an innocuous filetype (e.g., PDF, .doc, etc.)
Consequences
What a successful CAPEC-549 attack can achieve.
Execute Unauthorized Commands
Affects: Confidentiality, Integrity, Availability
Run Arbitrary Code
Other
Affects: Confidentiality, Integrity, Availability
Depending on the type of code executed by the adversary, the consequences of this attack pattern can vary widely.
How to mitigate it
Defenses that reduce the risk of CAPEC-549.
- Employ robust cybersecurity training for all employees.
- Implement system antivirus software that scans all attachments before opening them.
- Regularly patch all software.
- Execute all suspicious files in a sandbox environment.
Examples
BlueBorne refers to a set of nine vulnerabilities on different platforms (Linux, Windows, Android, iOS) that offer an adversary the ability to install and execute malicious code on a system if they were close in proximity to a Bluetooth enabled device. One vulnerability affecting iOS versions 7 through 9 allowed an attacker to overflow the Low Energy Audio Protocol since commands sent over this protocol are improperly validated and gain the elevated permissions of the Bluetooth stack. These vulnerabilities were a result of poor validation and were patched shortly after their exposure in 2017, but many non-updated devices remain vulnerable.
Frequently asked questions
Common questions about CAPEC-549.
- What is CAPEC-549?
- An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.
- How do you prevent CAPEC-549?
- Employ robust cybersecurity training for all employees.
- What weaknesses does CAPEC-549 target?
- CAPEC-549 exploits 1 CWE weakness, including CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
- How severe is CAPEC-549?
- MITRE rates CAPEC-549 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-549
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.