CAPEC-655: Avoid Security Tool Identification by Adding Data
An adversary adds data to a file to increase the file size beyond what security tools are capable of handling in an attempt to mask their actions. In addition to this, adding data to a file also changes the file's hash, frustrating security tools that look for known bad files by their hash.
Overview
CAPEC-655 (Avoid Security Tool Identification by Adding Data) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
Consequences
What a successful CAPEC-655 attack can achieve.
Hide Activities, Bypass Protection Mechanism
Affects: Accountability
Modify Data
Affects: Integrity
Examples
Adding data to a file changes its checksum and can be used to avoid hash-based denylists and static anti-virus signatures.
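The following detection sketch is an added example, not part of the CAPEC entry. It shows why a raw hash lookup misses a padded copy of a denylisted file and how checking for a long trailing run of one repeated byte, then hashing the content without it, recovers the match. The function names, the 4096-byte threshold and the sample bytes are assumptions made for illustration.

```python
import hashlib

# Assumed threshold: a trailing run this long is treated as padding.
MIN_PAD_RUN = 4096

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def trailing_run(data: bytes) -> int:
    """Length of the run of one repeated byte at the end of data."""
    if not data:
        return 0
    return len(data) - len(data.rstrip(data[-1:]))

def strip_padding(data: bytes) -> bytes:
    """Drop a trailing single-byte run if it is long enough to be padding.
    Limitation: padding made of varied bytes is not recognised, and if the
    original ends in the pad byte those bytes are removed as well."""
    run = trailing_run(data)
    return data[:len(data) - run] if run >= MIN_PAD_RUN else data

def check_file(data: bytes, denylist: set) -> dict:
    """Compare raw and padding-stripped hashes against a hash denylist."""
    run = trailing_run(data)
    return {
        "raw_match": sha256(data) in denylist,
        "normalized_match": sha256(strip_padding(data)) in denylist,
        "padding_bytes": run,
        "suspicious_padding": run >= MIN_PAD_RUN,
    }

# Constructed sample data: not a real binary.
KNOWN_BAD = b"MZ" + bytes(range(1, 200)) + b"constructed-sample"
PADDED = KNOWN_BAD + b"\x00" * 1_000_000
DENYLIST = {sha256(KNOWN_BAD)}

if __name__ == "__main__":
    for name, blob in (("original", KNOWN_BAD), ("padded", PADDED)):
        print(name, len(blob), check_file(blob, DENYLIST))
```

The `suspicious_padding` flag is also useful on its own: a scanner that skips files above a size limit can still record that the size comes from a long single-byte tail rather than dropping the file silently.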
Terminology & mappings
Mapped taxonomies
- ATT&CK: Obfuscated Files or Information: Binary Padding (1027.001)