CAPEC-646: Peripheral Footprinting
Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.
Last updated
Overview
CAPEC-646 (Peripheral Footprinting) is a standard-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
What the attacker needs
Prerequisites
- The adversary needs either physical or remote access to the victim system.
Skills required
- Medium skill: The adversary needs to be able to infect the victim system in a manner that gives them remote access.
- Medium skill: If analyzing the Windows registry, the adversary must understand the registry structure to know where to look for devices.
How to mitigate it
Defenses that reduce the risk of CAPEC-646.
- Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.
Terminology & mappings
Mapped taxonomies
- ATTACK: Peripheral Device Discovery (1120)
Frequently asked questions
Common questions about CAPEC-646.
- What is CAPEC-646?
- Adversaries may attempt to obtain information about attached peripheral devices and components connected to a computer system. Examples may include discovering the presence of iOS devices by searching for backups, analyzing the Windows registry to determine what USB devices have been connected, or infecting a victim system with malware to report when a USB device has been connected. This may allow the adversary to gain additional insight about the system or network environment, which may be useful in constructing further attacks.
- How do you prevent CAPEC-646?
- Identify programs that may be used to acquire peripheral information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist.
- What weaknesses does CAPEC-646 target?
- CAPEC-646 exploits 1 CWE weakness, including CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
- How severe is CAPEC-646?
- MITRE rates CAPEC-646 as Medium severity with low likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-646
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.