Standard attack pattern

Draft

CAPEC-636: Hiding Malicious Data or Code within Files

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.

Last updated June 1, 2026

High

Typical severity

Per MITRE

Not rated

Likelihood of attack

Per MITRE

1

Related weaknesses

CWEs this targets

Standard

Abstraction

MITRE classification

Overview

CAPEC-636 (Hiding Malicious Data or Code within Files) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

What the attacker needs

Prerequisites

The operating system must support a file system that allows for alternate data storage for a file.

How to mitigate it

Defenses that reduce the risk of CAPEC-636.

Many tools are available to search for the hidden data. Scan regularly for such data using one of these tools.

CAPEC-35

CAPEC-168: Windows ::DATA Alternate Data Stream

Terminology & mappings

Mapped taxonomies

ATTACK: Data Obfuscation: Steganography (1001.002)
ATTACK: Obfuscated Files or Information: Steganography (1027.003)
ATTACK: Obfuscated Files or Information: Compile After Delivery (1027.004)
ATTACK: Signed Binary Proxy Execution: Compiled HTML File (1218.001)
ATTACK: Template Injection (1221)

Frequently asked questions

Common questions about CAPEC-636.

What is CAPEC-636?

Files on various operating systems can have a complex format which allows for the storage of other data, in addition to its contents. Often this is metadata about the file, such as a cached thumbnail for an image file. Unless utilities are invoked in a particular way, this data is not visible during the normal use of the file. It is possible for an attacker to store malicious data or code using these facilities, which would be difficult to discover.

How do you prevent CAPEC-636?

Many tools are available to search for the hidden data. Scan regularly for such data using one of these tools.

What weaknesses does CAPEC-636 target?

CAPEC-636 exploits 1 CWE weakness, including CWE-506 (Embedded Malicious Code).

How severe is CAPEC-636?

MITRE rates CAPEC-636 as High severity.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-636

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing