capec_detection_temp.json
[{"_key":"capec_detection_00016","_id":"capec_detection/capec_detection_00016","_rev":"_dVfOKt----","original_id":"7","name":"Blind SQL Injection","metadata":"The only indicators of successful Blind SQL Injection are the application or database logs that show similar queries with slightly differing logical conditions that increase in complexity over time. However, this requires extensive logging as well as knowledge of the queries that can be used to perform such injection and return meaningful information from the database.","datatype":"capec_detection"},{"_key":"capec_detection_00033","_id":"capec_detection/capec_detection_00033","_rev":"_dVfOKt---_","original_id":"10","name":"Buffer Overflow via Environment Variables","metadata":"If the application does bound checking, it should fail when the data source is larger than the size of the destination buffer. If the application's code is well written, that failure should trigger an alert.","datatype":"capec_detection"},{"_key":"capec_detection_00049","_id":"capec_detection/capec_detection_00049","_rev":"_dVfOKt---A","original_id":"14","name":"Client-side Injection-induced Buffer Overflow","metadata":"An example of indicator is when the client software crashes after executing code downloaded from a hostile server.","datatype":"capec_detection"},{"_key":"capec_detection_00057","_id":"capec_detection/capec_detection_00057","_rev":"_dVfOKt---B","original_id":"16","name":"Dictionary-based Password Attack","metadata":"Many invalid login attempts are coming from the same machine (same IP address) or for the same log in name. The login attempts use passwords that are dictionary words.","datatype":"capec_detection"},{"_key":"capec_detection_00075","_id":"capec_detection/capec_detection_00075","_rev":"_dVfOKt---C","original_id":"20","name":"Encryption Brute Forcing","metadata":"None. 
This attack happens offline.","datatype":"capec_detection"},{"_key":"capec_detection_00099","_id":"capec_detection/capec_detection_00099","_rev":"_dVfOKt---D","original_id":"24","name":"Filter Failure through Buffer Overflow","metadata":"Many exceptions are thrown by the application's filter modules in a short period of time. Check the logs. See if the probes are coming from the same IP address.","datatype":"capec_detection"},{"_key":"capec_detection_00113","_id":"capec_detection/capec_detection_00113","_rev":"_dVfOKt---E","original_id":"28","name":"Fuzzing","metadata":"A lot of invalid data is fed to the system. Data that cannot have been generated through a legitimate transaction/request. Data is coming into the system within a short period of time and potentially from the same IP.","datatype":"capec_detection"},{"_key":"capec_detection_00148","_id":"capec_detection/capec_detection_00148","_rev":"_dVfOKt---F","original_id":"33","name":"HTTP Request Smuggling","metadata":"Differences in requests processed by the two agents. This requires careful monitoring or a capable log analysis tool.","datatype":"capec_detection"},{"_key":"capec_detection_00159","_id":"capec_detection/capec_detection_00159","_rev":"_dVfOKt---G","original_id":"34","name":"HTTP Response Splitting","metadata":"Differences in responses processed by the two agents with multiple responses to a single request in the web logs. 
This requires careful monitoring or a capable log analysis tool.","datatype":"capec_detection"},{"_key":"capec_detection_00185","_id":"capec_detection/capec_detection_00185","_rev":"_dVfOKtC---","original_id":"43","name":"Exploiting Multiple Input Interpretation Layers","metadata":"Control characters are being detected by the filters repeatedly.","datatype":"capec_detection"},{"_key":"capec_detection_00199","_id":"capec_detection/capec_detection_00199","_rev":"_dVfOKtC--_","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"An attacker creating or modifying Symbolic links is a potential signal of attack in progress.","datatype":"capec_detection"},{"_key":"capec_detection_00200","_id":"capec_detection/capec_detection_00200","_rev":"_dVfOKtC--A","original_id":"45","name":"Buffer Overflow via Symbolic Links","metadata":"An attacker deleting temporary files can also be a sign that the attacker is trying to replace legitimate resources with malicious ones.","datatype":"capec_detection"},{"_key":"capec_detection_00216","_id":"capec_detection/capec_detection_00216","_rev":"_dVfOKtC--B","original_id":"49","name":"Password Brute Forcing","metadata":"Many incorrect login attempts are detected by the system.","datatype":"capec_detection"},{"_key":"capec_detection_00220","_id":"capec_detection/capec_detection_00220","_rev":"_dVfOKtC--C","original_id":"50","name":"Password Recovery Exploitation","metadata":"Many incorrect attempts to answer the security question.","datatype":"capec_detection"},{"_key":"capec_detection_00227","_id":"capec_detection/capec_detection_00227","_rev":"_dVfOKtC--D","original_id":"53","name":"Postfix, Null Terminate, and Backslash","metadata":"Null characters are observed by the filter. 
The filter needs to be able to understand various encodings of the Null character, or only canonical data should be passed to it.","datatype":"capec_detection"},{"_key":"capec_detection_00230","_id":"capec_detection/capec_detection_00230","_rev":"_dVfOKtC--E","original_id":"54","name":"Query System for Information","metadata":"Repeated errors generated by the same piece of code are an indication, although it requires careful monitoring of the application and its associated error logs, if any.","datatype":"capec_detection"},{"_key":"capec_detection_00232","_id":"capec_detection/capec_detection_00232","_rev":"_dVfOKtC--F","original_id":"55","name":"Rainbow Table Password Cracking","metadata":"This is a completely offline attack that an attacker can perform at their leisure after the password hashes are obtained.","datatype":"capec_detection"},{"_key":"capec_detection_00253","_id":"capec_detection/capec_detection_00253","_rev":"_dVfOKtC--G","original_id":"61","name":"Session Fixation","metadata":"There are no indicators for the server since a fixated session identifier is similar to an ordinarily generated one. However, too many invalid sessions due to invalid session identifiers is a potential warning.","datatype":"capec_detection"},{"_key":"capec_detection_00254","_id":"capec_detection/capec_detection_00254","_rev":"_dVfOKtC--H","original_id":"61","name":"Session Fixation","metadata":"A client can be suspicious if a received link contains preset session identifiers. However, this depends on the client's knowledge of such an issue. 
Also, fixation through Cross Site Scripting or hidden form fields is usually difficult to detect.","datatype":"capec_detection"},{"_key":"capec_detection_00274","_id":"capec_detection/capec_detection_00274","_rev":"_dVfOKtC--I","original_id":"64","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":"If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.","datatype":"capec_detection"},{"_key":"capec_detection_00275","_id":"capec_detection/capec_detection_00275","_rev":"_dVfOKtC--J","original_id":"64","name":"Using Slashes and URL Encoding Combined to Bypass Validation Logic","metadata":"Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.","datatype":"capec_detection"},{"_key":"capec_detection_00282","_id":"capec_detection/capec_detection_00282","_rev":"_dVfOKtC--K","original_id":"66","name":"SQL Injection","metadata":"Too many false or invalid queries to the database, especially those caused by malformed input.","datatype":"capec_detection"},{"_key":"capec_detection_00296","_id":"capec_detection/capec_detection_00296","_rev":"_dVfOKtC--L","original_id":"69","name":"Target Programs with Elevated Privileges","metadata":"The log can have a trace of abnormal activity. Also if abnormal activity is detected on the host target. For instance flooding should be seen as abnormal activity and the target host may decide to take appropriate action in order to mitigate the attack (data filtering or blocking). 
Resource exhaustion is also a sign of abnormal activity.","datatype":"capec_detection"},{"_key":"capec_detection_00301","_id":"capec_detection/capec_detection_00301","_rev":"_dVfOKtC--M","original_id":"70","name":"Try Common or Default Usernames and Passwords","metadata":"Many incorrect login attempts are detected by the system.","datatype":"capec_detection"},{"_key":"capec_detection_00305","_id":"capec_detection/capec_detection_00305","_rev":"_dVfOKtC--N","original_id":"71","name":"Using Unicode Encoding to Bypass Validation Logic","metadata":"Unicode encoded data is passed to APIs where it is not expected","datatype":"capec_detection"},{"_key":"capec_detection_00313","_id":"capec_detection/capec_detection_00313","_rev":"_dVfOKtC--O","original_id":"72","name":"URL Encoding","metadata":"If the first decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.","datatype":"capec_detection"},{"_key":"capec_detection_00314","_id":"capec_detection/capec_detection_00314","_rev":"_dVfOKtC--P","original_id":"72","name":"URL Encoding","metadata":"Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.","datatype":"capec_detection"},{"_key":"capec_detection_00340","_id":"capec_detection/capec_detection_00340","_rev":"_dVfOKtC--Q","original_id":"77","name":"Manipulating User-Controlled Variables","metadata":"A web penetration tool probing a web server may generate abnormal activities recorded on log files. 
Abnormal traffic such as a high number of request coming from the same client may also rise the warnings from a monitoring system or an intrusion detection tool.","datatype":"capec_detection"},{"_key":"capec_detection_00348","_id":"capec_detection/capec_detection_00348","_rev":"_dVfOKtC--R","original_id":"78","name":"Using Escaped Slashes in Alternate Encoding","metadata":"An attacker can use a fuzzer in order to probe for this vulnerability. The fuzzer should generate suspicious network activity noticeable by an intrusion detection system.","datatype":"capec_detection"},{"_key":"capec_detection_00356","_id":"capec_detection/capec_detection_00356","_rev":"_dVfOKtC--S","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"If the first path decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.","datatype":"capec_detection"},{"_key":"capec_detection_00357","_id":"capec_detection/capec_detection_00357","_rev":"_dVfOKtC--T","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"Traffic filtering with IDS (or proxy) can detect request with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.","datatype":"capec_detection"},{"_key":"capec_detection_00358","_id":"capec_detection/capec_detection_00358","_rev":"_dVfOKtC--U","original_id":"79","name":"Using Slashes in Alternate Encoding","metadata":"An attacker can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. 
The fuzzer should generate suspicious network activity.","datatype":"capec_detection"},{"_key":"capec_detection_00364","_id":"capec_detection/capec_detection_00364","_rev":"_dVfOKtC--V","original_id":"80","name":"Using UTF-8 Encoding to Bypass Validation Logic","metadata":"A web page that contains overly long UTF-8 codes constitute a protocol anomaly, and could be an indication that an attacker is attempting to exploit a vulnerability on the target host.","datatype":"capec_detection"},{"_key":"capec_detection_00365","_id":"capec_detection/capec_detection_00365","_rev":"_dVfOKtC--W","original_id":"80","name":"Using UTF-8 Encoding to Bypass Validation Logic","metadata":"An attacker can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity noticeable by an intrusion detection system.","datatype":"capec_detection"},{"_key":"capec_detection_00366","_id":"capec_detection/capec_detection_00366","_rev":"_dVfOKtC--X","original_id":"80","name":"Using UTF-8 Encoding to Bypass Validation Logic","metadata":"An IDS filtering network traffic may be able to detect illegal UTF-8 characters.","datatype":"capec_detection"},{"_key":"capec_detection_00372","_id":"capec_detection/capec_detection_00372","_rev":"_dVfOKtC--Y","original_id":"83","name":"XPath Injection","metadata":"Too many exceptions generated by the application as a result of malformed XPath queries","datatype":"capec_detection"},{"_key":"capec_detection_00419","_id":"capec_detection/capec_detection_00419","_rev":"_dVfOKtC--Z","original_id":"98","name":"Phishing","metadata":"You receive an e-mail from an entity that you are not even a customer of prompting you to log into your account.","datatype":"capec_detection"},{"_key":"capec_detection_00420","_id":"capec_detection/capec_detection_00420","_rev":"_dVfOKtC--a","original_id":"98","name":"Phishing","metadata":"You receive any e-mail that provides you with a link which takes you to a website on which you 
need to enter your log in information.","datatype":"capec_detection"},{"_key":"capec_detection_00427","_id":"capec_detection/capec_detection_00427","_rev":"_dVfOKtC--b","original_id":"100","name":"Overflow Buffers","metadata":"An attack designed to leverage a buffer overflow and redirect execution as per the adversary's bidding is fairly difficult to detect. An attack aimed solely at bringing the system down is usually preceded by a barrage of long inputs that make no sense. In either case, it is likely that the adversary would have resorted to a few hit-or-miss attempts that will be recorded in the system event logs, if they exist.","datatype":"capec_detection"},{"_key":"capec_detection_00451","_id":"capec_detection/capec_detection_00451","_rev":"_dVfOKtC--c","original_id":"105","name":"HTTP Request Splitting","metadata":"Differences in requests processed by the two agents. This requires careful monitoring or a capable log analysis tool.","datatype":"capec_detection"},{"_key":"capec_detection_00469","_id":"capec_detection/capec_detection_00469","_rev":"_dVfOKtC--d","original_id":"112","name":"Brute Force","metadata":"Repeated submissions of incorrect secret values may indicate a brute force attack. For example, repeated bad passwords when accessing user accounts or repeated queries to databases using non-existent keys.","datatype":"capec_detection"},{"_key":"capec_detection_00470","_id":"capec_detection/capec_detection_00470","_rev":"_dVfOKtC--e","original_id":"112","name":"Brute Force","metadata":"Attempts to download files protected by secrets (usually using encryption) may be a precursor to an offline attack to break the file's encryption and read its contents. 
This is especially significant if the file itself contains other secret values, such as password files.","datatype":"capec_detection"},{"_key":"capec_detection_00471","_id":"capec_detection/capec_detection_00471","_rev":"_dVfOKtC--f","original_id":"112","name":"Brute Force","metadata":"If the attacker is able to perform the checking offline then there will likely be no indication that an attack is ongoing.","datatype":"capec_detection"},{"_key":"capec_detection_00546","_id":"capec_detection/capec_detection_00546","_rev":"_dVfOKtC--g","original_id":"164","name":"Mobile Phishing","metadata":"You receive a text message from an entity that you are not even a customer of prompting you to log into your account.","datatype":"capec_detection"},{"_key":"capec_detection_00547","_id":"capec_detection/capec_detection_00547","_rev":"_dVfOKtC--h","original_id":"164","name":"Mobile Phishing","metadata":"You receive any text message that provides you with a link that takes you to a website which requires you to enter your credentials.","datatype":"capec_detection"},{"_key":"capec_detection_00635","_id":"capec_detection/capec_detection_00635","_rev":"_dVfOKtC--i","original_id":"230","name":"Serialized Data with Nested Payloads","metadata":"Bad data is passed to the data parser (possibly repeatedly), possibly making it crash or execute arbitrary code.","datatype":"capec_detection"},{"_key":"capec_detection_00640","_id":"capec_detection/capec_detection_00640","_rev":"_dVfOKtC--j","original_id":"231","name":"Oversized Serialized Data Payloads","metadata":"Bad data is passed to the serialized data parser (possibly repeatedly), possibly making it crash or execute arbitrary code.","datatype":"capec_detection"},{"_key":"capec_detection_00674","_id":"capec_detection/capec_detection_00674","_rev":"_dVfOKtC--k","original_id":"250","name":"XML Injection","metadata":"Too many exceptions generated by the application as a result of malformed 
queries","datatype":"capec_detection"},{"_key":"capec_detection_00697","_id":"capec_detection/capec_detection_00697","_rev":"_dVfOKtC--l","original_id":"273","name":"HTTP Response Smuggling","metadata":"Differences in responses processed by the two agents. This requires careful monitoring or a capable log analysis tool.","datatype":"capec_detection"},{"_key":"capec_detection_00810","_id":"capec_detection/capec_detection_00810","_rev":"_dVfOKtC--m","original_id":"504","name":"Task Impersonation","metadata":"Credential or permission elevation prompts that appear illegitimate or unexpected.","datatype":"capec_detection"},{"_key":"capec_detection_00826","_id":"capec_detection/capec_detection_00826","_rev":"_dVfOKtC--n","original_id":"528","name":"XML Flood","metadata":"A large amount of data is passed to the XML parser possibly making it crash or otherwise unavailable to end users.","datatype":"capec_detection"},{"_key":"capec_detection_00849","_id":"capec_detection/capec_detection_00849","_rev":"_dVfOKtC--o","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Authentication attempts use credentials that have been used previously by the account in question.","datatype":"capec_detection"},{"_key":"capec_detection_00850","_id":"capec_detection/capec_detection_00850","_rev":"_dVfOKtC--p","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.","datatype":"capec_detection"},{"_key":"capec_detection_00851","_id":"capec_detection/capec_detection_00851","_rev":"_dVfOKtC--q","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Data is being transferred and/or removed from systems/applications within the network.","datatype":"capec_detection"},{"_key":"capec_detection_00852","_id":"capec_detection/capec_detection_00852","_rev":"_dVfOKtC--r","original_id":"560","name":"Use of Known 
Domain Credentials","metadata":"Suspicious or Malicious software is downloaded/installed on systems within the domain.","datatype":"capec_detection"},{"_key":"capec_detection_00853","_id":"capec_detection/capec_detection_00853","_rev":"_dVfOKtC--s","original_id":"560","name":"Use of Known Domain Credentials","metadata":"Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.","datatype":"capec_detection"},{"_key":"capec_detection_00857","_id":"capec_detection/capec_detection_00857","_rev":"_dVfOKtC--t","original_id":"561","name":"Windows Admin Shares with Stolen Credentials","metadata":"Data is being transferred and/or removed from administrative network shares.","datatype":"capec_detection"},{"_key":"capec_detection_00858","_id":"capec_detection/capec_detection_00858","_rev":"_dVfOKtC--u","original_id":"561","name":"Windows Admin Shares with Stolen Credentials","metadata":"Suspicious or Malicious software is executed within administrative network shares.","datatype":"capec_detection"},{"_key":"capec_detection_00859","_id":"capec_detection/capec_detection_00859","_rev":"_dVfOKtC--v","original_id":"561","name":"Windows Admin Shares with Stolen Credentials","metadata":"Suspicious or Malicious software is downloaded/installed on systems within the domain.","datatype":"capec_detection"},{"_key":"capec_detection_00866","_id":"capec_detection/capec_detection_00866","_rev":"_dVfOKtC--w","original_id":"565","name":"Password Spraying","metadata":"Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.","datatype":"capec_detection"},{"_key":"capec_detection_00867","_id":"capec_detection/capec_detection_00867","_rev":"_dVfOKtC--x","original_id":"565","name":"Password Spraying","metadata":"The login attempts use passwords that have been used previously by the user account in 
question.","datatype":"capec_detection"},{"_key":"capec_detection_00868","_id":"capec_detection/capec_detection_00868","_rev":"_dVfOKtC--y","original_id":"565","name":"Password Spraying","metadata":"Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.","datatype":"capec_detection"},{"_key":"capec_detection_00930","_id":"capec_detection/capec_detection_00930","_rev":"_dVfOKtC--z","original_id":"600","name":"Credential Stuffing","metadata":"Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.","datatype":"capec_detection"},{"_key":"capec_detection_00931","_id":"capec_detection/capec_detection_00931","_rev":"_dVfOKtC--0","original_id":"600","name":"Credential Stuffing","metadata":"The login attempts use passwords that have been used previously by the user account in question.","datatype":"capec_detection"},{"_key":"capec_detection_00932","_id":"capec_detection/capec_detection_00932","_rev":"_dVfOKtC--1","original_id":"600","name":"Credential Stuffing","metadata":"Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.","datatype":"capec_detection"},{"_key":"capec_detection_00973","_id":"capec_detection/capec_detection_00973","_rev":"_dVfOKtC--2","original_id":"638","name":"Altered Component Firmware","metadata":"Output observed from processes, API calls, or Self-Monitoring, Analysis and Reporting Technology (SMART) may provide insight into malicious modifications of MBRs.","datatype":"capec_detection"},{"_key":"capec_detection_00974","_id":"capec_detection/capec_detection_00974","_rev":"_dVfOKtC--3","original_id":"638","name":"Altered Component Firmware","metadata":"Digital forensics tools may produce output that indicates an attack of this nature has occurred. 
Examples include unexpected disk partitions and/or unusual strings.","datatype":"capec_detection"},{"_key":"capec_detection_00995","_id":"capec_detection/capec_detection_00995","_rev":"_dVfOKtC--4","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Authentication attempts use credentials that have been used previously by the account in question.","datatype":"capec_detection"},{"_key":"capec_detection_00996","_id":"capec_detection/capec_detection_00996","_rev":"_dVfOKtC--5","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Authentication attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.","datatype":"capec_detection"},{"_key":"capec_detection_00997","_id":"capec_detection/capec_detection_00997","_rev":"_dVfOKtC--6","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Data is being transferred and/or removed from systems/applications within the network.","datatype":"capec_detection"},{"_key":"capec_detection_00998","_id":"capec_detection/capec_detection_00998","_rev":"_dVfOKtC--7","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Suspicious or Malicious software is downloaded/installed on systems within the domain.","datatype":"capec_detection"},{"_key":"capec_detection_00999","_id":"capec_detection/capec_detection_00999","_rev":"_dVfOKtC--8","original_id":"644","name":"Use of Captured Hashes (Pass The Hash)","metadata":"Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.","datatype":"capec_detection"},{"_key":"capec_detection_01020","_id":"capec_detection/capec_detection_01020","_rev":"_dVfOKtC--9","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Authentication attempts use expired or invalid 
credentials.","datatype":"capec_detection"},{"_key":"capec_detection_01021","_id":"capec_detection/capec_detection_01021","_rev":"_dVfOKtC-_-","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Authentication attempts are originating from IP addresses or locations that are inconsistent with an account's normal IP addresses or locations.","datatype":"capec_detection"},{"_key":"capec_detection_01022","_id":"capec_detection/capec_detection_01022","_rev":"_dVfOKtC-__","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Data is being transferred and/or removed from systems/applications within the network.","datatype":"capec_detection"},{"_key":"capec_detection_01023","_id":"capec_detection/capec_detection_01023","_rev":"_dVfOKtC-_A","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Suspicious or Malicious software is downloaded/installed on systems within the domain.","datatype":"capec_detection"},{"_key":"capec_detection_01024","_id":"capec_detection/capec_detection_01024","_rev":"_dVfOKtC-_B","original_id":"652","name":"Use of Known Kerberos Credentials","metadata":"Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.","datatype":"capec_detection"},{"_key":"capec_detection_01033","_id":"capec_detection/capec_detection_01033","_rev":"_dVfOKtC-_C","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Authentication attempts use credentials that have been used previously by the account in question.","datatype":"capec_detection"},{"_key":"capec_detection_01034","_id":"capec_detection/capec_detection_01034","_rev":"_dVfOKtC-_D","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Authentication attempts are originating from IP addresses or locations that are inconsistent with a user's normal IP addresses or 
locations.","datatype":"capec_detection"},{"_key":"capec_detection_01035","_id":"capec_detection/capec_detection_01035","_rev":"_dVfOKtC-_E","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Data is being transferred and/or removed from systems/applications within the network.","datatype":"capec_detection"},{"_key":"capec_detection_01036","_id":"capec_detection/capec_detection_01036","_rev":"_dVfOKtC-_F","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Suspicious or Malicious software is downloaded/installed on systems within the domain.","datatype":"capec_detection"},{"_key":"capec_detection_01037","_id":"capec_detection/capec_detection_01037","_rev":"_dVfOKtC-_G","original_id":"653","name":"Use of Known Windows Credentials","metadata":"Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.","datatype":"capec_detection"},{"_key":"capec_detection_01039","_id":"capec_detection/capec_detection_01039","_rev":"_dVfOKtC-_H","original_id":"654","name":"Credential Prompt Impersonation","metadata":"Credential prompts that appear illegitimate or unexpected.","datatype":"capec_detection"},{"_key":"capec_detection_01041","_id":"capec_detection/capec_detection_01041","_rev":"_dVfOKtC-_I","original_id":"656","name":"Voice Phishing","metadata":"You receive a call from an entity that you are not even a customer of prompting you to log into your account.","datatype":"capec_detection"},{"_key":"capec_detection_01042","_id":"capec_detection/capec_detection_01042","_rev":"_dVfOKtG---","original_id":"656","name":"Voice Phishing","metadata":"You receive any call that requests you provide sensitive information.","datatype":"capec_detection"},{"_key":"capec_detection_01043","_id":"capec_detection/capec_detection_01043","_rev":"_dVfOKtG--_","original_id":"656","name":"Voice Phishing","metadata":"You are redirected to a website that instructs you to call the number 
on-screen to address the call-to-action.","datatype":"capec_detection"},{"_key":"capec_detection_01062","_id":"capec_detection/capec_detection_01062","_rev":"_dVfOKtG--A","original_id":"663","name":"Exploitation of Transient Instruction Execution","metadata":"File Signatures for Malicious Software capable of abusing Transient Instruction Set Execution","datatype":"capec_detection"},{"_key":"capec_detection_01075","_id":"capec_detection/capec_detection_01075","_rev":"_dVfOKtG--B","original_id":"665","name":"Exploitation of Thunderbolt Protection Flaws","metadata":"Windows Event logs may document the access of Thunderbolt port as a USB 3.0 event as well as any malicious actions taken upon target device as file system and memory events.","datatype":"capec_detection"},{"_key":"capec_detection_01078","_id":"capec_detection/capec_detection_01078","_rev":"_dVfOKtG--C","original_id":"666","name":"BlueSmacking","metadata":"Performance is degraded or halted by incoming L2CAP packets.","datatype":"capec_detection"},{"_key":"capec_detection_01109","_id":"capec_detection/capec_detection_01109","_rev":"_dVfOKtG--D","original_id":"676","name":"NoSQL Injection","metadata":"Too many false or invalid queries to the database, especially those caused by malformed input.","datatype":"capec_detection"},{"_key":"capec_detection_01110","_id":"capec_detection/capec_detection_01110","_rev":"_dVfOKtG--E","original_id":"676","name":"NoSQL Injection","metadata":"Executed queries or commands that appear to malicious in nature or originating from an untrustworthy source.","datatype":"capec_detection"}]