Standard attack pattern

Stable

CAPEC-646: Peripheral Footprinting

Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.

Last updated June 1, 2026

Medium

Typical severity

Per MITRE

Low

Likelihood of attack

Per MITRE

1

Related weaknesses

CWEs this targets

Standard

Abstraction

MITRE classification

Overview

CAPEC-646 (Peripheral Footprinting) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.

What the attacker needs

Prerequisites

The adversary needs either physical or remote access to the victim system.

Skills required

Medium skill: The adversary needs to be able to infect the victim system in a manner that gives them remote access.
Medium skill: If analyzing the Windows registry, the adversary must understand the registry structure to know where to look for devices.

How to mitigate it

Defenses that reduce the risk of CAPEC-646.

Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.

Terminology & mappings

Mapped taxonomies

ATTACK: Peripheral Device Discovery (1120)

Frequently asked questions

Common questions about CAPEC-646.

What is CAPEC-646?

Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.

How do you prevent CAPEC-646?

Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.

What weaknesses does CAPEC-646 target?

CAPEC-646 exploits 1 CWE weakness, including CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

How severe is CAPEC-646?

MITRE rates CAPEC-646 as Medium severity with low likelihood of attack.

References

Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.

Defend against CAPEC-646

Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.

Start free See pricing