{
	"id": "d32dce02-9262-4e9a-a476-33fa9c596c92",
	"created_at": "2026-04-06T01:30:58.643277Z",
	"updated_at": "2026-04-10T03:21:40.62172Z",
	"deleted_at": null,
	"sha1_hash": "b399436070eae7660d4443c442fb41a24327730c",
	"title": "CAPEC-17: Using Malicious Files (Version 3.9)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50634,
	"plain_text": "CAPEC-17: Using Malicious Files (Version 3.9)\r\nArchived: 2026-04-06 00:28:20 UTC\r\nAttack Pattern ID: 17\r\nAbstraction: Standard\r\n Description\r\nAn attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file,\r\nfor example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web\r\nservers, ftp servers, and message oriented middleware systems which have many integration points are particularly\r\nvulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct\r\nprivileges for each interface.\r\n Likelihood Of Attack\r\nHigh\r\n Typical Severity\r\nVery High\r\n Relationships\r\nThis table shows the other attack patterns and high level categories that are related to this attack pattern. These\r\nrelationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels\r\nof abstraction. 
In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack\r\npatterns that the user may want to explore.\r\nNature Type\r\nChildOf Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or techn\r\nParentOf Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techni\r\nParentOf Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techni\r\nParentOf Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techni\r\nParentOf Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techni\r\nParentOf Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techni\r\nParentOf Detailed Attack Pattern - A detailed level attack pattern in CAPEC provides a low level of detail, typically leveraging a specific techni\r\nCanFollow Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attac\r\nhttps://capec.mitre.org/data/definitions/17.html\r\nPage 1 of 4\n\nCanFollow Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attac\r\nCanPrecede Meta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or techn\r\nThis table shows the views that this attack pattern belongs to and top level categories within that view.\r\nView Name Top Level Categories\r\nDomains of Attack Software\r\nMechanisms of Attack Subvert Access Control\r\n Execution Flow\r\nExplore\r\n1. 
Determine File/Directory Configuration: The adversary looks for misconfigured files or directories on a system\r\nthat might give executable access to an overly broad group of users.\r\nTechniques\r\nThrough shell access to a system, use the command \"ls -l\" to view permissions for files and directories.\r\nExperiment\r\n1. Upload Malicious Files: If the adversary discovers a directory that has executable permissions, they will attempt to\r\nupload a malicious file to execute.\r\nTechniques\r\nUpload a malicious file through a misconfigured FTP server.\r\nExploit\r\n1. Execute Malicious File: The adversary either executes the uploaded malicious file, or executes an existing file that\r\nhas been misconfigured to allow executable access to the adversary.\r\n Prerequisites\r\nThe system's configuration must allow an attacker to directly access executable files or upload files to execute. This means that\r\nany access control system that is supposed to mediate communications between the subject and the object is set incorrectly\r\nor assumes a benign environment.\r\n Skills Required\r\n[Level: Low]\r\nTo identify and execute against an over-privileged system interface\r\n Resources Required\r\nAbility to communicate synchronously or asynchronously with a server that publishes an over-privileged directory, program,\r\nor interface. Optionally, ability to capture output directly through synchronous communication or another method such as FTP.\r\n Consequences\r\nThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security\r\nproperty that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in\r\ntheir attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative\r\nto the other consequences in the list. 
For example, there may be high likelihood that a pattern will be used to achieve a\r\ncertain impact, but a low likelihood that it will be exploited to achieve a different impact.\r\nScope Impact Likelihood\r\nConfidentiality, Integrity, Availability - Execute Unauthorized Commands\r\nIntegrity - Modify Data\r\nConfidentiality - Read Data\r\nConfidentiality, Access Control, Authorization - Gain Privileges\r\n Mitigations\r\nDesign: Enforce the principle of least privilege.\r\nDesign: Run server interfaces with a non-root account and/or utilize chroot jails or other configuration techniques to\r\nconstrain privileges even if an attacker gains some limited access to commands.\r\nImplementation: Perform testing such as pen-testing and vulnerability scanning to identify directories, programs, and\r\ninterfaces that grant direct access to executables.\r\n Example Instances\r\nConsider a directory on a web server with the following permissions:\r\ndrwxrwxrwx 5 admin public 170 Nov 17 01:08 webroot\r\nThis could allow an attacker both to execute programs and to upload and execute programs on the web server. This one vulnerability can\r\nbe exploited by a threat to probe the system and identify additional vulnerabilities to exploit.\r\n Taxonomy Mappings\r\nCAPEC mappings to ATT\u0026CK techniques leverage an inheritance model to streamline and minimize direct\r\nCAPEC/ATT\u0026CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant\r\nATT\u0026CK mappings. Note that the ATT\u0026CK Enterprise Framework does not use an inheritance model as part of the\r\nmapping to CAPEC.\r\nRelevant to the ATT\u0026CK taxonomy mapping (also see parent)\r\nEntry ID Entry Name\r\n1574.005 Hijack Execution Flow: Executable Installer File Permissions Weakness\r\n1574.010 Hijack Execution Flow: Services File Permissions Weakness\r\n References\r\n[REF-1] G. Hoglund and G. McGraw. \"Exploiting Software: How to Break Code\". Addison-Wesley. 
2004-02.\r\n Content History\r\nSubmissions\r\nSubmission Date Submitter Organization\r\n2014-06-23 (Version 2.6) CAPEC Content Team The MITRE Corporation\r\nModifications\r\nModification Date Modifier Organization\r\n2015-12-07 (Version 2.8) CAPEC Content Team The MITRE Corporation\r\nUpdated Related_Attack_Patterns\r\n2017-05-01 (Version 2.10) CAPEC Content Team The MITRE Corporation\r\nUpdated References\r\n2020-07-30 (Version 3.3) CAPEC Content Team The MITRE Corporation\r\nUpdated Related_Attack_Patterns, Taxonomy_Mappings\r\n2020-12-17 (Version 3.4) CAPEC Content Team The MITRE Corporation\r\nUpdated Related_Attack_Patterns\r\n2021-06-24 (Version 3.5) CAPEC Content Team The MITRE Corporation\r\nUpdated Related_Weaknesses\r\n2022-02-22 (Version 3.7) CAPEC Content Team The MITRE Corporation\r\nUpdated Description, Execution_Flow\r\n2022-09-29 (Version 3.8) CAPEC Content Team The MITRE Corporation\r\nUpdated Example_Instances, Related_Attack_Patterns, Taxonomy_Mappings\r\nPrevious Entry Names\r\nChange Date Previous Entry Name\r\n2018-07-31 (Version 2.12) Accessing, Modifying or Executing Executable Files\r\nSource: https://capec.mitre.org/data/definitions/17.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://capec.mitre.org/data/definitions/17.html"
	],
	"report_names": [
		"17.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439058,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b399436070eae7660d4443c442fb41a24327730c.pdf",
		"text": "https://archive.orkl.eu/b399436070eae7660d4443c442fb41a24327730c.txt",
		"img": "https://archive.orkl.eu/b399436070eae7660d4443c442fb41a24327730c.jpg"
	}
}