July 30, 2024

Mapping Attack Patterns to your Threat Model

I’m a big fan of the threat modeling process, especially when using STRIDE. I think that stems from the fact that back in the late 90’s I found Bruce Schneier’s approach with attack trees just too cumbersome. When I was introduced to an early version of STRIDE inside of Microsoft, I really got on the bandwagon, especially when used against data flow diagrams (DFD).

It’s one of the reasons I pushed Adam Shostak so hard to release an internal tool Microsoft had that used this approach into a tool for the whole appsec community. That became known as the SDL Threat Modeling Tool, and in my mind has always been the best threat modeling tool Microsoft built. TAM was pretty good too, but was more focused on SDL-IT than SDLC.

As an offensive security engineer though, it’s always been interesting to me to think about STRIDE categories in the context of attack patterns. Especially when using CAPEC to abuse an API.

If that concept is foreign to you, I recommend you read my article on Adversarial Thinking for Bug Hunters.

Anyways, a few years ago I stumbled upon some interesting research by Brett Crawley in which he constructed some detailed mind maps that clearly articulate how mapping STRIDE to CAPEC can be done.

This article is meant to highlight his work, and articulate how to map STRIDE categories to common attack patterns. I’ll break it down by threat category, and list out the matching CAPECs, just in case you aren’t a fan of mind maps.

I will include not only the attack pattern ID, but also the descriptive title so you have an easy way to cross reference the attacks against the threat categories. If anything, just reading the attack pattern titles should provide a unique experience in associated threats to attacks.

Enjoy!

How to use the data in this article

Use this article as a point of exploration on how you can exploit potential threats you see in your threat model. Even if you don’t have an “attacker mindset”, you can map the threat categories directly to attack patterns. MITRE does a great job to make attack pattern titles descriptive, so the attacks should be self evident. When more generic attack patterns can be broken down into more specific attacks, you will find it a “child” of the parent.

If you are a visual learner, click the PNG images. It will expand to a more detailed mind map in an SVG format that is linkable to the MITRE attack database.

If you are a more textual structured learner, the bulleted list breaks down each attack pattern and its children into extended nodes.

Experiment. Think about how data flows through your system, and where the weaknesses may be. Then go to that threat category, and explore the types of attacks that might be possible. Many won’t be relevant. But some may be.

When you find an interesting attack pattern you think may apply, click the CAPEC id. That will take you to the attack database, where it will provide a good description of how you could attack the system. It will also describe how realistic it would be to execute, and the skill required. It may even include example code or patterns that you can use in your attack payload sequence.

Use that as a guide to inspire new ways to test the security of your system.

Good luck!

Spoofing

CAPEC-148: Content Spoofing
- CAPEC-145: Checksum Spoofing
- CAPEC-218: Spoofing of UDDI/ebXML Messages
- CAPEC-502: Intent Spoof
- CAPEC-627: Counterfeit GPS Signals
  - CAPEC-628: Carry-Off GPS Attack
CAPEC-151: Identity Spoofing
- CAPEC-194: Fake the Source of Data
  - CAPEC-275: DNS Rebinding
  - CAPEC-543: Counterfeit Websites
  - CAPEC-544: Counterfeit Organizations
  - CAPEC-598: DNS Spoofing
  - CAPEC-633: Token Impersonation
- CAPEC-195: Principal Spoof
  - CAPEC-587: Cross Frame Scripting (XFS)
  - CAPEC-599: Terrestrial Jamming
- CAPEC-473: Signature Spoof
  - CAPEC-459: Creating a Rogue Certification Authority Certificate
  - CAPEC-474: Signature Spoofing by Key Theft
  - CAPEC-475: Signature Spoofing by Improper Validation
  - CAPEC-476: Signature Spoofing by Misrepresentation
  - CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content
  - CAPEC-479: Malicious Root Certificate
  - CAPEC-485: Signature Spoofing by Key Recreation
- CAPEC-89: Pharming
- CAPEC-98: Phishing
  - CAPEC-163: Spear Phishing
  - CAPEC-164: Mobile Phishing
  - CAPEC-656: Voice Phishing
CAPEC-154: Resource Location Spoofing
- CAPEC-159: Redirect Access to Libraries
  - CAPEC-132: Symlink Attack
  - CAPEC-38: Leveraging/Manipulating Configuration File Search Paths
  - CAPEC-471: Search Order Hijacking
  - CAPEC-641: DLL Side-Loading
- CAPEC-141: Cache Poisoning
  - CAPEC-51: Poison Web Service Registry
  - CAPEC-142: DNS Cache Poisoning
- CAPEC-616: Establish Rogue Location
  - CAPEC-505: Scheme Squatting
  - CAPEC-611: BitSquatting
  - CAPEC-615: Evil Twin Wi-Fi Attack
  - CAPEC-617: Cellular Rogue Base Station
  - CAPEC-630: TypoSquatting
  - CAPEC-631: SoundSquatting
  - CAPEC-632: Homograph Attack via Homoglyphs
  - CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
CAPEC-173: Action Spoofing
- CAPEC-103: Clickjacking
  - CAPEC-181: Flash File Overlay
  - CAPEC-222: iFrame Overlay
- CAPEC-501: Android Activity Hijack
- CAPEC-504: Task Impersonation
  - CAPEC-654: Credential Prompt Impersonation
- CAPEC-506: Tapjacking
CAPEC-389: Content Spoofing via Application API Manipulation
CAPEC-416: Manipulate Human Behavior
- CAPEC-407: Pretexting
  - CAPEC-383: Harvesting Information via API Event Monitoring
  - CAPEC-412: Pretexting via Customer Service
  - CAPEC-413: Pretexting via Tech Support
  - CAPEC-414: Pretexting via Delivery Person
  - CAPEC-415: Pretexting via Phone
- CAPEC-417: Influence Perception
  - CAPEC-418: Influence Perception of Reciprocation
  - CAPEC-420: Influence Perception of Scarcity
  - CAPEC-421: Influence Perception of Authority
  - CAPEC-422: Influence Perception of Commitment and Consistency
  - CAPEC-423: Influence Perception of Liking
  - CAPEC-424: Influence Perception of Consensus or Social Proof
- CAPEC-425: Target Influence via Framing
- CAPEC-426: Influence via Incentives
- CAPEC-427: Influence via Psychological Principles
  - CAPEC-428: Influence via Modes of Thinking
  - CAPEC-429: Target Influence via Eye Cues
  - CAPEC-433: Target Influence via The Human Buffer Overflow
  - CAPEC-434: Target Influence via Interview and Interrogation
  - CAPEC-435: Target Influence via Instant Rapport

Tampering

CAPEC-123: Buffer Manipulation
- CAPEC-100: Overflow Buffers
  - CAPEC-10: Buffer Overflow via Environment Variables
  - CAPEC-14: Client-side Injection-induced Buffer Overflow
  - CAPEC-24: Filter Failure through Buffer Overflow
  - CAPEC-256: SOAP Array Overflow
  - CAPEC-42: MIME Conversion
  - CAPEC-44: Overflow Binary Resource File
  - CAPEC-45: Buffer Overflow via Symbolic Links
  - CAPEC-46: Overflow Variables and Tags
  - CAPEC-47: Buffer Overflow via Parameter Expansion
  - CAPEC-67: String Format Overflow in syslog()
  - CAPEC-8: Buffer Overflow in an API Call
  - CAPEC-9: Buffer Overflow in Local Command-Line Utilities
- CAPEC-540: Overread Buffers
CAPEC-124: Shared Resource Manipulation
- CAPEC-26: Leveraging Race Conditions
- CAPEC-27: Leveraging Race Conditions via Symbolic Links
- CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
CAPEC-129: Pointer Manipulation
CAPEC-153: Input Data Manipulation
- CAPEC-126: Path Traversal
  - CAPEC-139: Relative Path Traversal
  - CAPEC-597: Absolute Path Traversal
  - CAPEC-76: Manipulating Web Input to File System Calls
- CAPEC-128: Integer Attacks
  - CAPEC-92: Forced Integer Overflow
- CAPEC-267: Leverage Alternate Encoding
  - CAPEC-120: Double Encoding
  - CAPEC-3: Using Leading ‘Ghost’ Character Sequences to Bypass Input Filters
  - CAPEC-4: Using Alternative IP Address Encodings
  - CAPEC-43: Exploiting Multiple Input Interpretation Layers
  - CAPEC-52: Embedding NULL Bytes
  - CAPEC-53: Postfix, Null Terminate, and Backslash
  - CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
  - CAPEC-71: Using Unicode Encoding to Bypass Validation Logic
  - CAPEC-72: URL Encoding
  - CAPEC-78: Using Escaped Slashes in Alternate Encoding
  - CAPEC-79: Using Slashes in Alternate Encoding
  - CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic
- CAPEC-28: Fuzzing
- CAPEC-33: HTTP Request Smuggling
- CAPEC-34: HTTP Response Splitting
- CAPEC-105: HTTP Request Splitting
- CAPEC-165: File Manipulation
  - CAPEC-73: User-Controlled Filename
  - CAPEC-572: Artificially Inflate File Sizes
    - CAPEC-655: Avoid Security Tool Identification by Adding Data
  - CAPEC-635: Alternative Execution Due to Deceptive Filenames
    - CAPEC-649: Adding a Space to a File Extension
  - CAPEC-636: Hiding Malicious Data or Code within Files
    - CAPEC-168: Windows ::DATA Alternate Data Stream
- CAPEC-74: Manipulating State
  - CAPEC-140: Bypassing of Intermediate Forms in Multiple-Form Sets
  - CAPEC-663: Exploitation of Transient Instruction Execution
- CAPEC-75: Manipulating Writeable Configuration Files
- CAPEC-113: Interface Manipulation
  - CAPEC-133: Try All Common Switches
  - CAPEC-160: Exploit Script-Based APIs
- CAPEC-176: Configuration/Environment Manipulation
  - CAPEC-75: Manipulating Writeable Configuration Files
  - CAPEC-203: Manipulate Registry Information
    - CAPEC-51: Poison Web Service Registry
    - CAPEC-270: Modification of Registry Run Keys
    - CAPEC-478: Modification of Windows Service Configuration
  - CAPEC-271: Schema Poisoning
    - CAPEC-146: XML Schema Poisoning
  - CAPEC-536: Data Injected During Configuration
  - CAPEC-578: Disable Security Software
CAPEC-161: Infrastructure Manipulation
- CAPEC-481: Contradictory Destinations in Traffic Routing Schemes
- CAPEC-166: Force the System to Reset Values
- CAPEC-141: Cache Poisoning
  - CAPEC-51: Poison Web Service Registry
  - CAPEC-142: DNS Cache Poisoning
- CAPEC-268: Audit Log Manipulation
  - CAPEC-93: Log Injection-Tampering-Forging
  - CAPEC-81: Web Server Logs Tampering
- CAPEC-571: Block Logging to Central Repository
CAPEC-184: Software Integrity Attack
- CAPEC-185: Malicious Software Download
- CAPEC-186: Malicious Software Update
  - CAPEC-187: Malicious Automated Software Update via Redirection
  - CAPEC-533: Mobile Device Patterns
  - CAPEC-614: Rooting SIM Cards
  - CAPEC-657: Malicious Automated Software Update via Spoofing
- CAPEC-663: Exploitation of Transient Instruction Execution
- CAPEC-669: Alteration of a Software Update
CAPEC-272: Protocol Manipulation
- CAPEC-90: Reflection Attack in Authentication Protocol
- CAPEC-220: Client-Server Protocol Manipulation
  - CAPEC-5: Blue Boxing
  - CAPEC-33: HTTP Request Smuggling
  - CAPEC-34: HTTP Response Splitting
  - CAPEC-105: HTTP Request Splitting
  - CAPEC-273: HTTP Response Smuggling
  - CAPEC-274: HTTP Verb Tampering
- CAPEC-276: Inter-component Protocol Manipulation
  - CAPEC-665: Exploitation of Thunderbolt Protection Flaws
- CAPEC-277: Data Interchange Protocol Manipulation
- CAPEC-278: Web Services Protocol Manipulation
  - CAPEC-201: Serialized Data External Linking
  - CAPEC-221: Data Serialization External Entities Blowup
  - CAPEC-279: SOAP Manipulation
CAPEC-438: Modification During Manufacture
- CAPEC-444: Development Alteration
  - CAPEC-206: Signing Malicious Code
  - CAPEC-443: Malicious Logic Inserted Into Product by Authorized Developer
  - CAPEC-445: Malicious Logic Insertion into Product Software via Configuration Management Manipulation
  - CAPEC-446: Malicious Logic Insertion into Product via Inclusion of Third-Party Component
  - CAPEC-511: Infiltration of Software Development Environment
  - CAPEC-516: Hardware Component Substitution During Baselining
  - CAPEC-520: Counterfeit Hardware Component Inserted During Product Assembly
  - CAPEC-532: Altered Installed BIOS
  - CAPEC-537: Infiltration of Hardware Development Environment
  - CAPEC-538: Open-Source Library Manipulation
  - CAPEC-539: ASIC With Malicious Functionality
  - CAPEC-670: Software Development Tools Maliciously Altered
  - CAPEC-672: Malicious Code Implanted During Chip Programming
  - CAPEC-673: Developer Signing Maliciously Altered Software
  - CAPEC-678: System Build Data Maliciously Altered
- CAPEC-447: Design Alteration
  - CAPEC-517: Documentation Alteration to Circumvent Dial-down
  - CAPEC-518: Documentation Alteration to Produce Under-performing Systems
  - CAPEC-519: Documentation Alteration to Cause Errors in System Design
  - CAPEC-521: Hardware Design Specifications Are Altered
  - CAPEC-671: Requirements for ASIC Functionality Maliciously Altered
  - CAPEC-674: Design for FPGA Maliciously Altered
CAPEC-440: Hardware Integrity Attack
- CAPEC-401: Physically Hacking Hardware
  - CAPEC-402: Bypassing ATA Password Security
- CAPEC-534: Malicious Hardware Update
  - CAPEC-531: Hardware Component Substitution
    - CAPEC-530: Provide Counterfeit Component
    - CAPEC-535: Malicious Gray Market Hardware
  - CAPEC-677: Server Motherboard Compromise
CAPEC-439: Manipulation During Distribution
- CAPEC-522: Malicious Hardware Component Replacement
- CAPEC-523: Malicious Software Implanted
- CAPEC-524: Rogue Integration Procedures
CAPEC-441: Malicious Logic Insertion
- CAPEC-442: Infected Software
  - CAPEC-448: Embed Virus into DLL
- CAPEC-452: Infected Hardware
  - CAPEC-638: Altered Component Firmware
- CAPEC-456: Infected Memory
  - CAPEC-457: USB Memory Attacks
  - CAPEC-458: Flash Memory Attacks
CAPEC-548: Contaminate Resource
CAPEC-594: Traffic Injection
- CAPEC-595: Connection Reset
  - CAPEC-596: TCP RST Injection
CAPEC-624: Hardware Fault Injection

Repudiation

CAPEC-67: String Format Overflow in syslog()
CAPEC-195: Principal Spoof
- CAPEC-587: Cross Frame Scripting (XFS)
- CAPEC-599: Terrestrial Jamming
CAPEC-268: Audit Log Manipulation
- CAPEC-93: Log Injection-Tampering-Forging
- CAPEC-81: Web Server Logs Tampering
CAPEC-571: Block Logging to Central Repository

Information Disclosure

CAPEC-129: Pointer Manipulation
CAPEC-212: Functionality Misuse
- CAPEC-48: Passing Local Filenames to Functions That Expect a URL
- CAPEC-111: JSON Hijacking (aka JavaScript Hijacking)
- CAPEC-620: Drop Encryption Level
  - CAPEC-606: Weakening of Cellular Encryption
CAPEC-216: Communication Channel Manipulation
- CAPEC-12: Choosing Message Identifier
- CAPEC-217: Exploiting Incorrectly Configured SSL
CAPEC-554: Functionality Bypass
- CAPEC-179: Calling Micro-Services Directly
- CAPEC-464: Evercookie
- CAPEC-465: Transparent Proxy Abuse
CAPEC-117: Interception
- CAPEC-157: Sniffing Attacks
  - CAPEC-57: Utilizing REST’s Trust in the System Resources to Obtain Sensitive Data
  - CAPEC-65: Sniff Application Code
  - CAPEC-158: Sniffing Network Traffic
  - CAPEC-609: Cellular Traffic Intercept
- CAPEC-499: Android Intent Intercept
  - CAPEC-501: Android Activity Hijack
- CAPEC-651: Eavesdropping
  - CAPEC-508: Shoulder Surfing
  - CAPEC-634: Probe Audio and Video Peripherals
CAPEC-116: Excavation
- CAPEC-54: Query System for Information
  - CAPEC-127: Directory Indexing
  - CAPEC-95: WSDL Scanning
  - CAPEC-215: Fuzzing for Application Mapping
  - CAPEC-261: Fuzzing for Garnering Other Adjacent user/sensitive data
  - CAPEC-462: Cross-Domain Search Timing
- CAPEC-150: Collect Data From Common Resource Locations
  - CAPEC-143: Detect Unpublicized Web Pages
  - CAPEC-144: Detect Unpublicized Web Services
  - CAPEC-155: Screen Temporary Files for Sensitive Information
  - CAPEC-406: Dumpster Diving
  - CAPEC-637: Collect Data from Clipboard
  - CAPEC-647: Collect Data from Registries
  - CAPEC-648: Collect Data from Screen Capture
- CAPEC-545: Pull Data From System Resources
  - CAPEC-498: Probe iOS Screenshots
  - CAPEC-546: Incomplete Data Deletion in a Multi-Tenant Environment
  - CAPEC-634: Probe Audio and Video Peripherals
  - CAPEC-639: Probe System Files
- CAPEC-569: Collect Data as Provided by Users
  - CAPEC-568: Capture Credentials via Keylogger
- CAPEC-675: Retrieve Data from Decommissioned Devices
CAPEC-169: Footprinting
- CAPEC-292: Host Discovery
  - CAPEC-285: ICMP Echo Request Ping
  - CAPEC-294: ICMP Address Mask Request
  - CAPEC-295: Timestamp Request
  - CAPEC-296: ICMP Information Request
  - CAPEC-297: TCP ACK Ping
  - CAPEC-298: UDP Ping
  - CAPEC-299: TCP SYN Ping
  - CAPEC-612: WiFi MAC Address Tracking
  - CAPEC-613: WiFi SSID Tracking
  - CAPEC-618: Cellular Broadcast Message Request
  - CAPEC-619: Signal Strength Tracking
- CAPEC-300: Port Scanning
  - CAPEC-287: TCP SYN Scan
  - CAPEC-301: TCP Connect Scan
  - CAPEC-302: TCP FIN Scan
  - CAPEC-303: TCP Xmas Scan
  - CAPEC-304: TCP Null Scan
  - CAPEC-305: TCP ACK Scan
  - CAPEC-306: TCP Window Scan
  - CAPEC-307: TCP RPC Scan
  - CAPEC-308: UDP Scan
- CAPEC-309: Network Topology Mapping
  - CAPEC-290: Enumerate Mail Exchange Records
  - CAPEC-291: DNS Zone Transfers
  - CAPEC-293: Traceroute Route Enumeration
  - CAPEC-643: Identify Shared Files/Directories on System
- CAPEC-497: File Discovery
  - CAPEC-149: Explore for Predictable Temporary File Names
- CAPEC-529: Malware-Directed Internal Reconnaissance
- CAPEC-573: Process Footprinting
- CAPEC-574: Services Footprinting
- CAPEC-575: Account Footprinting
- CAPEC-576: Group Permission Footprinting
- CAPEC-577: Owner Footprinting
- CAPEC-580: System Footprinting
  - CAPEC-85: AJAX Footprinting
  - CAPEC-581: Security Software Footprinting
- CAPEC-646: Peripheral Footprinting
CAPEC-224: Fingerprinting
- CAPEC-312: Active OS Fingerprinting
  - CAPEC-317: IP ID Sequencing Probe
  - CAPEC-318: IP ‘ID’ Echoed Byte-Order Probe
  - CAPEC-319: IP (DF) ‘Don’t Fragment Bit’ Echoing Probe
  - CAPEC-320: TCP Timestamp Probe
  - CAPEC-321: TCP Sequence Number Probe
  - CAPEC-322: TCP (ISN) Greatest Common Divisor Probe
  - CAPEC-323: TCP (ISN) Counter Rate Probe
  - CAPEC-324: TCP (ISN) Sequence Predictability Probe
  - CAPEC-325: TCP Congestion Control Flag (ECN) Probe
  - CAPEC-326: TCP Initial Window Size Probe
  - CAPEC-327: TCP Options Probe
  - CAPEC-328: TCP ‘RST’ Flag Checksum Probe
  - CAPEC-329: ICMP Error Message Quoting Probe
  - CAPEC-330: ICMP Error Message Echoing Integrity Probe
  - CAPEC-331: ICMP IP Total Length Field Probe
  - CAPEC-332: ICMP IP ‘ID’ Field Error Message Probe
- CAPEC-313: Passive OS Fingerprinting
- CAPEC-541: Application Fingerprinting
  - CAPEC-170: Web Application Fingerprinting
  - CAPEC-310: Scanning for Vulnerable Software
  - CAPEC-472: Browser Fingerprinting
CAPEC-11: Cause Web Server Misclassification
CAPEC-192: Protocol Analysis
- CAPEC-97: Cryptanalysis
  - CAPEC-463: Padding Oracle Crypto Attack
  - CAPEC-608: Cryptanalysis of Cellular Encryption
CAPEC-188: Reverse Engineering
- CAPEC-167: White Box Reverse Engineering
  - CAPEC-37: Retrieve Embedded Sensitive Information
  - CAPEC-190: Reverse Engineer an Executable to Expose Assumed Hidden Functionality
  - CAPEC-191: Read Sensitive Constants Within an Executable
  - CAPEC-204: Lifting Sensitive Data Embedded in Cache
- CAPEC-189: Black Box Reverse Engineering
  - CAPEC-621: Analysis of Packet Timing and Sizes
  - CAPEC-622: Electromagnetic Side-Channel Attack
  - CAPEC-623: Compromising Emanations Attack
CAPEC-410: Information Elicitation
- CAPEC-407: Pretexting
  - CAPEC-383: Harvesting Information via API Event Monitoring
  - CAPEC-412: Pretexting via Customer Service
  - CAPEC-413: Pretexting via Tech Support
  - CAPEC-414: Pretexting via Delivery Person
  - CAPEC-415: Pretexting via Phone

Denial of Service

CAPEC-125: Flooding
- CAPEC-482: TCP Flood
- CAPEC-486: UDP Flood
- CAPEC-487: ICMP Flood
- CAPEC-488: HTTP Flood
- CAPEC-489: SSL Flood
- CAPEC-490: Amplification
- CAPEC-528: XML Flood
  - CAPEC-147: XML Ping of the Death
- CAPEC-666: BlueSmacking
CAPEC-130: Excessive Allocation
- CAPEC-230: Serialized Data with Nested Payloads
  - CAPEC-197: Exponential Data Expansion
  - CAPEC-491: Quadratic Data Expansion
- CAPEC-231: Oversized Serialized Data Payloads
  - CAPEC-201: Serialized Data External Linking
  - CAPEC-229: Serialized Data Parameter Blowup
- CAPEC-492: Regular Expression Exponential Blowup
- CAPEC-493: SOAP Array Blowup
- CAPEC-494: TCP Fragmentation
- CAPEC-495: UDP Fragmentation
- CAPEC-496: ICMP Fragmentation
CAPEC-131: Resource Leak Exposure
CAPEC-227: Sustained Client Engagement
- CAPEC-469: HTTP DoS
CAPEC-25: Forced Deadlock
CAPEC-607: Obstruction
- CAPEC-547: Physical Destruction of Device or Component
- CAPEC-582: Route Disabling
  - CAPEC-583: Disabling Network Hardware
  - CAPEC-584: BGP Route Disabling
  - CAPEC-585: DNS Domain Seizure
- CAPEC-601: Jamming
  - CAPEC-559: Orbital Jamming
  - CAPEC-604: Wi-Fi Jamming
  - CAPEC-605: Cellular Jamming
- CAPEC-603: Blockage
  - CAPEC-589: DNS Blocking
  - CAPEC-590: IP Address Blocking
  - CAPEC-96: Block Access to Libraries
CAPEC-2: Inducing Account Lockout

Elevation of Privilege

CAPEC-5: Blue Boxing
CAPEC-21: Exploitation of Trusted Identifiers
- CAPEC-196: Session Credential Falsification through Forging
  - CAPEC-226: Session Credential Falsification through Manipulation
  - CAPEC-59: Session Credential Falsification through Prediction
- CAPEC-510: SaaS User Request Forgery
- CAPEC-593: Session Hijacking
  - CAPEC-102: Session Sidejacking
  - CAPEC-107: Cross Site Tracing
  - CAPEC-60: Reusing Session IDs (aka Session Replay)
  - CAPEC-61: Session Fixation
- CAPEC-62: Cross Site Request Forgery
  - CAPEC-467: Cross Site Identification
CAPEC-114: Authentication Abuse
- CAPEC-629: Unauthorized Use of Device Resources
- CAPEC-90: Reflection Attack in Authentication Protocol
CAPEC-115: Authentication Bypass
- CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
- CAPEC-480: Escaping Virtualization
  - CAPEC-237: Escaping a Sandbox by Calling Code in Another Language
- CAPEC-664: Server Side Request Forgery
- CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
- CAPEC-87: Forceful Browsing
CAPEC-22: Exploiting Trust in Client
- CAPEC-202: Create Malicious Client
- CAPEC-207: Removing Important Client Functionality
  - CAPEC-200: Removal of filters: Input filters, output filters, data masking
  - CAPEC-208: Removing/short-circuiting ‘Purse’ logic: removing/mutating ‘cash’ decrements
- CAPEC-39: Manipulating Opaque Client-based Data Tokens
  - CAPEC-31: Accessing/Intercepting/Modifying HTTP Cookies
- CAPEC-77: Manipulating User-Controlled Variables
  - CAPEC-13: Subverting Environment Variable Values
  - CAPEC-162: Manipulating Hidden Fields
CAPEC-94: Adversary in the Middle (AiTM)
- CAPEC-219: XML Routing Detour Attacks
- CAPEC-384: Application API Message Manipulation via Man-in-the-Middle
  - CAPEC-385: Transaction or Event Tampering via Application API Manipulation
  - CAPEC-389: Content Spoofing Via Application API Manipulation
- CAPEC-386: Application API Navigation Remapping
  - CAPEC-387: Navigation Remapping To Propagate Malicious Content
  - CAPEC-388: Application API Button Hijacking
- CAPEC-466: Leveraging Active Adversary in the Middle Attacks to Bypass Same Origin Policy
- CAPEC-662: Adversary in the Browser (AiTB)
CAPEC-122: Privilege Abuse
- CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
  - CAPEC-58: Restful Privilege Elevation
  - CAPEC-679: Exploitation of Improperly Configured or Implemented Memory Protections
  - CAPEC-680: Exploitation of Improperly Controlled Registers
  - CAPEC-681: Exploitation of Improperly Controlled Hardware Security Identifiers
  - CAPEC-36: Using Unpublished Interfaces
  - CAPEC-121: Exploit Non-Production Interfaces
    - CAPEC-661: Root/Jailbreak Detection Evasion via Debugging
- CAPEC-17: Using Malicious Files
  - CAPEC-177: Create files with the same name as files protected with a higher classification
  - CAPEC-263: Force Use of Corrupted Files
  - CAPEC-562: Modify Shared File
  - CAPEC-563: Add Malicious File to Shared Webroot
  - CAPEC-642: Replace Binaries
  - CAPEC-650: Upload a Web Shell to a Web Server
  - CAPEC-35: Leveraging Executable Code in Non-Executable Files
- CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels
- CAPEC-221: Data Serialization External Entities Blowup
- CAPEC-503: WebView Exposure
CAPEC-233: Privilege Escalation
- CAPEC-104: Cross Zone Scripting
- CAPEC-234: Hijacking a privileged process
- CAPEC-30: Hijacking a Privileged Thread of Execution
- CAPEC-68: Subvert Code-signing Facilities
- CAPEC-69: Target Programs with Elevated Privileges
CAPEC-390: Bypassing Physical Security
- CAPEC-391: Bypassing Physical Locks
  - CAPEC-392: Lock Bumping
  - CAPEC-393: Lock Picking
  - CAPEC-394: Using a Snap Gun Lock to Force a Lock
- CAPEC-395: Bypassing Electronic Locks and Access Controls
  - CAPEC-397: Cloning Magnetic Strip Cards
  - CAPEC-398: Magnetic Strip Card Brute Force Attacks
  - CAPEC-399: Cloning RFID Cards or Chips
  - CAPEC-400: RFID Chip Deactivation or Destruction
  - CAPEC-626: Smudge Attack
CAPEC-507: Physical Theft
CAPEC-560: Use of Known Domain Credentials
- CAPEC-555: Remote Services with Stolen Credentials
- CAPEC-600: Credential Stuffing
- CAPEC-652: Use of Known Kerberos Credentials
  - CAPEC-509: Kerberoasting
  - CAPEC-645: Use of Captured Tickets (Pass The Ticket)
- CAPEC-653: Use of Known Windows Credentials
  - CAPEC-561: Windows Admin Shares with Stolen Credentials
  - CAPEC-644: Use of Captured Hashes (Pass The Hash)
Password Abuse
- CAPEC-50: Password Recovery Exploitation
- CAPEC-16: Dictionary Based Password Attack
- CAPEC-49: Password Brute Forcing
  - CAPEC-565: Password Spraying
- CAPEC-70: Try Common or Default Usernames and Passwords
- CAPEC-55: Rainbow Table Password Cracking
Encryption Abuse
- CAPEC-112: Brute Force
- CAPEC-20: Encryption Brute Forcing
CAPEC-549: Local Code Execution
- CAPEC-542: Targeted Malware
  - CAPEC-550: Install New Service
  - CAPEC-551: Modify Existing Service
  - CAPEC-552: Install Rootkit
  - CAPEC-556: Replace File Extension Handlers
  - CAPEC-558: Replace Trusted Executable
  - CAPEC-564: Run Software at Login
  - CAPEC-579: Replace Winlogon Helper DLL
CAPEC-248: Command Injection
- CAPEC-136: LDAP Injection
- CAPEC-66: SQL Injection
  - CAPEC-7: Blind SQL Injection
  - CAPEC-109: Object Relational Mapping Injection
  - CAPEC-110: SQL Injection through SOAP Parameter Tampering
  - CAPEC-108: Command Line Execution through SQL Injection
  - CAPEC-470: Expanding Control over the Operating System from the Database
- CAPEC-88: OS Command Injection
- CAPEC-183: IMAP/SMTP Command Injection
- CAPEC-250: XML Injection
  - CAPEC-83: XPath Injection
  - CAPEC-84: XQuery Injection
  - CAPEC-228: DTD Injection
- CAPEC-676: NoSQL Injection
- CAPEC-40: Manipulating Writeable Terminal Devices
- CAPEC-137: Parameter Injection
  - CAPEC-6: Argument Injection
  - CAPEC-15: Command Delimiters
    - CAPEC-460: HTTP Parameter Pollution (HPP)
  - CAPEC-134: Email Injection
  - CAPEC-135: Format String Injection
  - CAPEC-138: Reflection Injection
  - CAPEC-182: Flash Injection
    - CAPEC-174: Flash Parameter Injection
    - CAPEC-178: Cross-Site Flashing
- CAPEC-175: Code Inclusion
  - CAPEC-251: Local Code Inclusion
    - CAPEC-252: PHP Local File Inclusion
    - CAPEC-640: Inclusion of Code in Existing Process
    - CAPEC-660: Root/Jailbreak Detection Evasion via Hooking
  - CAPEC-253: Remote Code Inclusion
    - CAPEC-101: Server Side Include (SSI) Injection
    - CAPEC-193: PHP Remote File Inclusion
    - CAPEC-500: WebView Injection
CAPEC-242: Code Injection
- CAPEC-19: Embedding Scripts within Scripts
- CAPEC-23: File Content Injection
  - CAPEC-44: Overflow Binary Resource File
- CAPEC-41: Using Meta-Characters in E-mail Headers to Inject Malicious Payloads
- CAPEC-63: Cross-site Scripting (XSS)
  - CAPEC-588: DOM-Based XSS
    - CAPEC-18: XSS Through Non-Script Elements
    - CAPEC-32: XSS Through HTTP Query String
    - CAPEC-86: XSS Through HTTP Headers
    - CAPEC-198: XSS Targeting Error Pages
    - CAPEC-199: XSS Using Alternate Syntax
    - CAPEC-243: XSS Targeting HTML Attributes
    - CAPEC-244: XSS Targeting URI Placeholders
    - CAPEC-245: XSS Using Doubled Characters
    - CAPEC-247: XSS Using Invalid Characters
  - CAPEC-591: Reflected XSS
    - CAPEC-18: XSS Through Non-Script Elements
    - CAPEC-32: XSS Through HTTP Query String
    - CAPEC-86: XSS Through HTTP Headers
    - CAPEC-198: XSS Targeting Error Pages
    - CAPEC-199: XSS Using Alternate Syntax
    - CAPEC-243: XSS Targeting HTML Attributes
    - CAPEC-244: XSS Targeting URI Placeholders
    - CAPEC-245: XSS Using Doubled Characters
    - CAPEC-247: XSS Using Invalid Characters
  - CAPEC-592: Stored XSS
    - CAPEC-18: XSS Through Non-Script Elements
    - CAPEC-32: XSS Through HTTP Query String
    - CAPEC-86: XSS Through HTTP Headers
    - CAPEC-198: XSS Targeting Error Pages
    - CAPEC-199: XSS Using Alternate Syntax
    - CAPEC-243: XSS Targeting HTML Attributes
    - CAPEC-244: XSS Targeting URI Placeholders
    - CAPEC-245: XSS Using Doubled Characters
    - CAPEC-247: XSS Using Invalid Characters
    - CAPEC-209: XSS Using MIME Type Mismatch
- CAPEC-468: Generic Cross-Browser Cross-Domain Theft
CAPEC-240: Resource Injection
- CAPEC-610: Cellular Data Injection
CAPEC-586: Object Injection

Conclusion

By aligning STRIDE categories with CAPEC attack patterns, you can identify and mitigate potential threats more precisely. This method leverages the strengths of both frameworks, offering a structured approach to threat identification and response.

Brett Crawley’s mind maps provide a visual representation of these mappings, making it easier for you to comprehend and implement. However, for those who prefer a textual approach, the detailed breakdown of threat categories and their corresponding CAPEC attack patterns in this article serves as a valuable reference.

By utilizing this article, you can explore how different attack patterns may exploit the threats identified in your threat model. This dual approach—visual and textual—caters to different learning styles and ensures comprehensive coverage. It encourages experimentation and thorough analysis of data flows within your systems to identify and address weaknesses.

Remember, the key to effective threat modeling and security testing is continuous learning and adaptation. By staying informed about new attack patterns and regularly updating your threat model, you can better protect your systems from evolving threats.

Good luck and stay vigilant!

One last thing…

Have you joined The API Hacker Inner Circle yet? It’s my FREE weekly newsletter where I share articles like this, along with pro tips, industry insights, and community news that I don’t tend to share publicly. If you haven’t, subscribe today at https://apihacker.blog.

Dana Epp

Hey, I’m Dana, aka SilverStr. I build and break software for a living, and am a Microsoft Regional Director and Developer Security MVP. I’ve spent decades as a security architect that focuses on helping secure software, data, and infrastructure on both blue and red teams. As of late, I have been focusing more on my offensive tradecraft to help developers and IT administrators see the impact of exploitation on vulnerabilities in their work. This blog is my chance to give back to the community by sharing my experiences and war wounds from the trenches.