DRAWINGSURFACE987eebc4-de2a-403c-b414-2175343b8744Diagram4e99805b-8c4a-4967-a15d-271958f7ba8cName15ccd509-98eb-49ad-b9c2-b4a2926d1778NameDiagram 1DRAWINGSURFACEd1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGE.DSd1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGeneric Data Stored1fda5a3-28d6-4074-aaaf-c1c2542e2b2eName15ccd509-98eb-49ad-b9c2-b4a2926d1778Generic Data StoreOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19Stores Credentials664b360c-7a43-4f05-9575-e26d2351518bstoresCredentialsNoYes0Stores Log Data7b84a3e7-ccad-4d83-b98e-0dd899a25a1bstoresLogDataNoYes0Encrypted9adf7bb0-2c71-4bd3-8f1b-df313953ad7fEncryptedNoYes0Signed5009df74-09e8-49ef-b14b-ccd1c87c535dSignedNoYes0Write Access30d33ac1-6449-406c-9157-468a643da297AccessTypeNoYes0Removable Storagea4e21e99-0cc5-4382-8d44-53cd27008da5RemoveableStorageNoYes0Backupce268371-d5fc-48fe-bb59-88415a453ffcBackupNoYes0Sharedeca3b4b7-f3f5-42ed-bff9-158e0e4b2945sharedNoYes0GE.DS10016234100fd47100f-b03f-456a-93d3-d21abdddf295GE.Pfd47100f-b03f-456a-93d3-d21abdddf295OS Processfd47100f-b03f-456a-93d3-d21abdddf295Name15ccd509-98eb-49ad-b9c2-b4a2926d1778OS ProcessOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19As Generic Processf6e41ad5-b490-4946-97f6-2150bd043701Code Typef451c107-58d6-4475-94c6-c0f6ce620624codeTypeNot SelectedManagedUnmanaged0Running Asa2f058ec-5e1f-4401-9f1e-1be3ca5be4c2runningAsNot SelectedKernelSystemNetwork ServiceLocal ServiceAdministratorStandard User With ElevationStandard User Without ElevationWindows Store App0Isolation Levele28308bf-11be-4431-891d-3ffe104699e9IsolationNot SelectedAppContainerLow Integrity LevelMicrosoft Office Isolated Conversion Environment (MOICE)Sandbox0Accepts Input From4b17d367-705e-4f2f-81f7-fe9b7a62c12bacceptsInputFromNot SelectedAny Remote User or EntityKernel, System, or Local AdminLocal or Network ServiceLocal Standard User With ElevationLocal Standard User Without ElevationWindows Store Apps or App Container ProcessesNothingOther0Implements or Uses an Authentication Mechanismea432f95-eb9b-438c-ae20-2f3203c8ddd2implementsAuthenticationSchemeNoYes0Implements or Uses an Authorization Mechanism539a0dab-5646-445d-8671-cf8e417db90aimplementsCustomAuthorizationMechanismNoYes0Implements or Uses a Communication Protocol4b03794d-0db5-429d-87d9-a1d408920f94implementsCommunicationProtocolNoYes0SE.P.TMCore.OSProcess10021423110011e7f64d-1344-426f-a3f4-95cc67f5d10fGE.P11e7f64d-1344-426f-a3f4-95cc67f5d10fOS Process11e7f64d-1344-426f-a3f4-95cc67f5d10fName15ccd509-98eb-49ad-b9c2-b4a2926d1778OS ProcessOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19As Generic Processf6e41ad5-b490-4946-97f6-2150bd043701Code Typef451c107-58d6-4475-94c6-c0f6ce620624codeTypeNot SelectedManagedUnmanaged0Running Asa2f058ec-5e1f-4401-9f1e-1be3ca5be4c2runningAsNot SelectedKernelSystemNetwork ServiceLocal ServiceAdministratorStandard User With ElevationStandard User Without ElevationWindows Store App0Isolation Levele28308bf-11be-4431-891d-3ffe104699e9IsolationNot SelectedAppContainerLow Integrity LevelMicrosoft Office Isolated Conversion Environment (MOICE)Sandbox0Accepts Input From4b17d367-705e-4f2f-81f7-fe9b7a62c12bacceptsInputFromNot SelectedAny Remote User or EntityKernel, System, or Local AdminLocal or Network ServiceLocal Standard User With ElevationLocal Standard User Without ElevationWindows Store Apps or App Container ProcessesNothingOther0Implements or Uses an Authentication Mechanismea432f95-eb9b-438c-ae20-2f3203c8ddd2implementsAuthenticationSchemeNoYes0Implements or Uses an Authorization Mechanism539a0dab-5646-445d-8671-cf8e417db90aimplementsCustomAuthorizationMechanismNoYes0Implements or Uses a Communication Protocol4b03794d-0db5-429d-87d9-a1d408920f94implementsCommunicationProtocolNoYes0SE.P.TMCore.OSProcess100398237100c605e690-af90-4864-ac93-9ba2ee47ffb4GE.EIc605e690-af90-4864-ac93-9ba2ee47ffb4Generic External Interactorc605e690-af90-4864-ac93-9ba2ee47ffb4Name15ccd509-98eb-49ad-b9c2-b4a2926d1778Generic External InteractorOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19Authenticates Itself55e00024-7f89-4716-a093-5ef0ae835703authenticatesItselfNoYes0Type03681e9a-9dbb-4779-8594-15e26b6e9a92typeNot SelectedCodeHuman0GE.EI100593242100baf536bc-97d4-4216-b449-c1f977fad9daGE.TBbaf536bc-97d4-4216-b449-c1f977fad9daGeneric Trust Boundarybaf536bc-97d4-4216-b449-c1f977fad9daName15ccd509-98eb-49ad-b9c2-b4a2926d1778Generic Trust BoundaryConfigurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19As Generic Trust Boundary651b7658-3c32-4abd-8695-1f2725a8d634Trust Boundary Area1aacbc37-45f2-41e4-a759-e709c7504799GE.TB.B305138143376
Diagram 1
4be4f95b-3c66-4621-a027-ab4078f7ce5cGE.DF4be4f95b-3c66-4621-a027-ab4078f7ce5cGeneric Data Flow4be4f95b-3c66-4621-a027-ab4078f7ce5cName15ccd509-98eb-49ad-b9c2-b4a2926d1778Generic Data FlowOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19Physical Networke4264757-1138-4e61-b8a3-a1f315144a43channelNot SelectedWireWi-FiBluetooth2G-4G0Source Authenticatedef2297cd-3a79-4411-b336-b74669e38a0aauthenticatesSourceNoYes0Destination Authenticatedc43b282f-a603-4e6c-a008-9d05cbdb466eauthenticatesDestinationNoYes0Provides Confidentialitya240d98e-bf4b-499f-997f-a10e497480f3providesConfidentialityNoYes0Provides Integrity8f54208d-e5ba-4ee9-b521-ee4a300fcdc1providesIntegrityNoYes0Transmits XMLf9f4b41c-65f9-4f1d-9d62-6ca2883f022eXMLencNoYes0GE.DF159230EastWestd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e111284fd47100f-b03f-456a-93d3-d21abdddf295219281572d2c00-cb06-42af-836c-fc804df04d3dGE.DF572d2c00-cb06-42af-836c-fc804df04d3dGeneric Data Flow572d2c00-cb06-42af-836c-fc804df04d3dName15ccd509-98eb-49ad-b9c2-b4a2926d1778Generic Data FlowOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19Physical Networke4264757-1138-4e61-b8a3-a1f315144a43channelNot SelectedWireWi-FiBluetooth2G-4G0Source Authenticatedef2297cd-3a79-4411-b336-b74669e38a0aauthenticatesSourceNoYes0Destination Authenticatedc43b282f-a603-4e6c-a008-9d05cbdb466eauthenticatesDestinationNoYes0Provides Confidentialitya240d98e-bf4b-499f-997f-a10e497480f3providesConfidentialityNoYes0Provides Integrity8f54208d-e5ba-4ee9-b521-ee4a300fcdc1providesIntegrityNoYes0Transmits XMLf9f4b41c-65f9-4f1d-9d62-6ca2883f022eXMLencNoYes0GE.DF166328WestEastfd47100f-b03f-456a-93d3-d21abdddf295219281d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e111284f665a52d-f506-454e-be11-965eaef6fd80GE.DFf665a52d-f506-454e-be11-965eaef6fd80Generic Data Flowf665a52d-f506-454e-be11-965eaef6fd80Name15ccd509-98eb-49ad-b9c2-b4a2926d1778Generic Data FlowOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19Physical Networke4264757-1138-4e61-b8a3-a1f315144a43channelNot SelectedWireWi-FiBluetooth2G-4G0Source Authenticatedef2297cd-3a79-4411-b336-b74669e38a0aauthenticatesSourceNoYes0Destination Authenticatedc43b282f-a603-4e6c-a008-9d05cbdb466eauthenticatesDestinationNoYes0Provides Confidentialitya240d98e-bf4b-499f-997f-a10e497480f3providesConfidentialityNoYes0Provides Integrity8f54208d-e5ba-4ee9-b521-ee4a300fcdc1providesIntegrityNoYes0Transmits XMLf9f4b41c-65f9-4f1d-9d62-6ca2883f022eXMLencNoYes0GE.DF359234EastWestfd47100f-b03f-456a-93d3-d21abdddf29530928111e7f64d-1344-426f-a3f4-95cc67f5d10f4032879aa85dfd-8d0f-4803-b6c0-c6d37597d3dcGE.DF9aa85dfd-8d0f-4803-b6c0-c6d37597d3dcGeneric Data Flow9aa85dfd-8d0f-4803-b6c0-c6d37597d3dcName15ccd509-98eb-49ad-b9c2-b4a2926d1778Generic Data FlowOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19Physical Networke4264757-1138-4e61-b8a3-a1f315144a43channelNot SelectedWireWi-FiBluetooth2G-4G0Source Authenticatedef2297cd-3a79-4411-b336-b74669e38a0aauthenticatesSourceNoYes0Destination Authenticatedc43b282f-a603-4e6c-a008-9d05cbdb466eauthenticatesDestinationNoYes0Provides Confidentialitya240d98e-bf4b-499f-997f-a10e497480f3providesConfidentialityNoYes0Provides Integrity8f54208d-e5ba-4ee9-b521-ee4a300fcdc1providesIntegrityNoYes0Transmits XMLf9f4b41c-65f9-4f1d-9d62-6ca2883f022eXMLencNoYes0GE.DF354329WestEast11e7f64d-1344-426f-a3f4-95cc67f5d10f403287fd47100f-b03f-456a-93d3-d21abdddf29530928171757af4-a321-47e7-b250-ab70db582c95GE.DF71757af4-a321-47e7-b250-ab70db582c95HTTPS71757af4-a321-47e7-b250-ab70db582c95Name15ccd509-98eb-49ad-b9c2-b4a2926d1778HTTPSOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Predefined Static Attributesdadca515-3eb7-44f8-b138-167ae4d148a1Destination Authenticated46f8986d-0b2b-4f52-bce0-0ff938a98167authenticatesDestinationYes0Provides Confidentialitydb4e20f3-8af5-42e6-b728-f74d267d90f9providesConfidentialityYes0Provides Integrity3ff83b65-0151-47f6-b3ac-5b9d727f1408providesIntegrityYes0Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19Contains Cookies79d966a0-9972-4cdd-86db-9e5e6b086612CookiesYesNo0SOAP Payload68aacaa3-54da-45e9-8749-ec49a66790b4SOAPNoYes0REST Payloadb48d6054-94b2-48cd-96e1-b04ab91ce69eRESTNoYes0RSS Payload3afda717-9251-4be4-8861-eb52845b65a3RSSNoYes0JSON Payloade0100ce6-f67c-4db9-afd5-219ead7cae5aJSONNoYes0As Generic Data Flow99af225a-d03e-493d-bdda-b0815394e20fPhysical Networkfb2b2e80-c172-4919-bebc-f59cd7ec9d9cchannelNot SelectedWireWi-FiBluetooth2G-4G0Source Authenticatedf5adab3a-9bda-4232-8cab-f7cc02bf6070authenticatesSourceNoYes0Transmits XMLe2ad9c0e-ed4d-40ea-b2f1-865f0655e9acXMLencNoYes0SE.DF.TMCore.HTTPS531261SouthEastWest11e7f64d-1344-426f-a3f4-95cc67f5d10f479318c605e690-af90-4864-ac93-9ba2ee47ffb459829271c26c7d-51bd-4572-9b19-e56ba302f9faGE.DF71c26c7d-51bd-4572-9b19-e56ba302f9faHTTPS71c26c7d-51bd-4572-9b19-e56ba302f9faName15ccd509-98eb-49ad-b9c2-b4a2926d1778HTTPSOut Of Scope71f3d9aa-b8ef-4e54-8126-607a1d90310371f3d9aa-b8ef-4e54-8126-607a1d903103falseReason For Out Of Scope752473b6-52d4-4776-9a24-202153f7d579752473b6-52d4-4776-9a24-202153f7d579Predefined Static Attributesdadca515-3eb7-44f8-b138-167ae4d148a1Destination Authenticated46f8986d-0b2b-4f52-bce0-0ff938a98167authenticatesDestinationYes0Provides Confidentialitydb4e20f3-8af5-42e6-b728-f74d267d90f9providesConfidentialityYes0Provides Integrity3ff83b65-0151-47f6-b3ac-5b9d727f1408providesIntegrityYes0Configurable Attributeseae978ce-8a73-4dde-973f-2a64935ffb19Contains Cookies79d966a0-9972-4cdd-86db-9e5e6b086612CookiesYesNo0SOAP Payload68aacaa3-54da-45e9-8749-ec49a66790b4SOAPNoYes0REST Payloadb48d6054-94b2-48cd-96e1-b04ab91ce69eRESTNoYes0RSS Payload3afda717-9251-4be4-8861-eb52845b65a3RSSNoYes0JSON Payloade0100ce6-f67c-4db9-afd5-219ead7cae5aJSONNoYes0As Generic Data Flow99af225a-d03e-493d-bdda-b0815394e20fPhysical Networkfb2b2e80-c172-4919-bebc-f59cd7ec9d9cchannelNot SelectedWireWi-FiBluetooth2G-4G0Source Authenticatedf5adab3a-9bda-4232-8cab-f7cc02bf6070authenticatesSourceNoYes0Transmits XMLe2ad9c0e-ed4d-40ea-b2f1-865f0655e9acXMLencNoYes0SE.DF.TMCore.HTTPS543345WestSouthEastc605e690-af90-4864-ac93-9ba2ee47ffb459829211e7f64d-1344-426f-a3f4-95cc67f5d10f4793181
S7d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e4be4f95b-3c66-4621-a027-ab4078f7ce5cfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87444be4f95b-3c66-4621-a027-ab4078f7ce5cd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e:4be4f95b-3c66-4621-a027-ab4078f7ce5c:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:11:15.9197107-04:000d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295Spoofing of Source Data Store Generic Data StoreS7falseSpoofingGeneric Data Store may be spoofed by an attacker and this may lead to incorrect data delivered to OS Process. Consider using a standard authentication mechanism to identify the source data store.Spoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address.falseI23d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e4be4f95b-3c66-4621-a027-ab4078f7ce5cfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87444be4f95b-3c66-4621-a027-ab4078f7ce5cd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e:4be4f95b-3c66-4621-a027-ab4078f7ce5c:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:11:15.9353571-04:000d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295Weak Access Control for a ResourceI23falseInformation DisclosureImproper data protection of Generic Data Store can allow an attacker to read information not intended for disclosure. Review authorization settings.Information disclosure happens when the information can be read by an unauthorized party.falseS7.1fd47100f-b03f-456a-93d3-d21abdddf295572d2c00-cb06-42af-836c-fc804df04d3dd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e987eebc4-de2a-403c-b414-2175343b8744572d2c00-cb06-42af-836c-fc804df04d3dfd47100f-b03f-456a-93d3-d21abdddf295:572d2c00-cb06-42af-836c-fc804df04d3d:d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGeneric Data Flow2014-08-05T21:11:27.9511789-04:000fd47100f-b03f-456a-93d3-d21abdddf295AutoGeneratedd1fda5a3-28d6-4074-aaaf-c1c2542e2b2eSpoofing of Destination Data Store Generic Data StoreS7.1falseSpoofingGeneric Data Store may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of Generic Data Store. Consider using a standard authentication mechanism to identify the destination data store.Spoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address.falseD2fd47100f-b03f-456a-93d3-d21abdddf295572d2c00-cb06-42af-836c-fc804df04d3dd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e987eebc4-de2a-403c-b414-2175343b8744572d2c00-cb06-42af-836c-fc804df04d3dfd47100f-b03f-456a-93d3-d21abdddf295:572d2c00-cb06-42af-836c-fc804df04d3d:d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGeneric Data Flow2014-08-05T21:11:27.9511789-04:000fd47100f-b03f-456a-93d3-d21abdddf295AutoGeneratedd1fda5a3-28d6-4074-aaaf-c1c2542e2b2ePotential Excessive Resource Consumption for OS Process or Generic Data StoreD2falseDenial Of ServiceDoes OS Process or Generic Data Store take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout.Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseE5fd47100f-b03f-456a-93d3-d21abdddf295f665a52d-f506-454e-be11-965eaef6fd8011e7f64d-1344-426f-a3f4-95cc67f5d10f987eebc4-de2a-403c-b414-2175343b8744f665a52d-f506-454e-be11-965eaef6fd80fd47100f-b03f-456a-93d3-d21abdddf295:f665a52d-f506-454e-be11-965eaef6fd80:11e7f64d-1344-426f-a3f4-95cc67f5d10fGeneric Data Flow2014-08-05T21:11:53.9822764-04:000fd47100f-b03f-456a-93d3-d21abdddf295AutoGenerated11e7f64d-1344-426f-a3f4-95cc67f5d10fElevation Using ImpersonationE5falseElevation Of PrivilegeOS Process may be able to impersonate the context of OS Process in order to gain additional privilege.A user subject gains increased capability or privilege by taking advantage of an implementation bug.falseE511e7f64d-1344-426f-a3f4-95cc67f5d10f9aa85dfd-8d0f-4803-b6c0-c6d37597d3dcfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87449aa85dfd-8d0f-4803-b6c0-c6d37597d3dc11e7f64d-1344-426f-a3f4-95cc67f5d10f:9aa85dfd-8d0f-4803-b6c0-c6d37597d3dc:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:12:04.9979071-04:00011e7f64d-1344-426f-a3f4-95cc67f5d10fAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295Elevation Using ImpersonationE5falseElevation Of PrivilegeOS Process may be able to impersonate the context of OS Process in order to gain additional privilege.A user subject gains increased capability or privilege by taking advantage of an implementation bug.falseS3c605e690-af90-4864-ac93-9ba2ee47ffb471c26c7d-51bd-4572-9b19-e56ba302f9fa11e7f64d-1344-426f-a3f4-95cc67f5d10f987eebc4-de2a-403c-b414-2175343b874471c26c7d-51bd-4572-9b19-e56ba302f9fac605e690-af90-4864-ac93-9ba2ee47ffb4:71c26c7d-51bd-4572-9b19-e56ba302f9fa:11e7f64d-1344-426f-a3f4-95cc67f5d10fHTTPS2014-08-05T21:13:22.7391635-04:000c605e690-af90-4864-ac93-9ba2ee47ffb4AutoGenerated11e7f64d-1344-426f-a3f4-95cc67f5d10fSpoofing the Generic External Interactor External EntityS3falseSpoofingGeneric External Interactor may be spoofed by an attacker and this may lead to unauthorized access to OS Process. Consider using a standard authentication mechanism to identify the external entity.Spoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address.falseE5c605e690-af90-4864-ac93-9ba2ee47ffb471c26c7d-51bd-4572-9b19-e56ba302f9fa11e7f64d-1344-426f-a3f4-95cc67f5d10f987eebc4-de2a-403c-b414-2175343b874471c26c7d-51bd-4572-9b19-e56ba302f9fac605e690-af90-4864-ac93-9ba2ee47ffb4:71c26c7d-51bd-4572-9b19-e56ba302f9fa:11e7f64d-1344-426f-a3f4-95cc67f5d10fHTTPS2014-08-05T21:13:22.7391635-04:000c605e690-af90-4864-ac93-9ba2ee47ffb4AutoGenerated11e7f64d-1344-426f-a3f4-95cc67f5d10fElevation Using ImpersonationE5falseElevation Of PrivilegeOS Process may be able to impersonate the context of Generic External Interactor in order to gain additional privilege.A user subject gains increased capability or privilege by taking advantage of an implementation bug.falseE7c605e690-af90-4864-ac93-9ba2ee47ffb471c26c7d-51bd-4572-9b19-e56ba302f9fa11e7f64d-1344-426f-a3f4-95cc67f5d10f987eebc4-de2a-403c-b414-2175343b874471c26c7d-51bd-4572-9b19-e56ba302f9fac605e690-af90-4864-ac93-9ba2ee47ffb4:71c26c7d-51bd-4572-9b19-e56ba302f9fa:11e7f64d-1344-426f-a3f4-95cc67f5d10fHTTPS2014-08-05T21:14:23.6339844-04:000c605e690-af90-4864-ac93-9ba2ee47ffb4AutoGenerated11e7f64d-1344-426f-a3f4-95cc67f5d10fElevation by Changing the Execution Flow in OS ProcessE7falseElevation Of PrivilegeAn attacker may pass data into OS Process in order to change the flow of program execution within OS Process to the attacker's choosing.A user subject gains increased capability or privilege by taking advantage of an implementation bug.falseE6c605e690-af90-4864-ac93-9ba2ee47ffb471c26c7d-51bd-4572-9b19-e56ba302f9fa11e7f64d-1344-426f-a3f4-95cc67f5d10f987eebc4-de2a-403c-b414-2175343b874471c26c7d-51bd-4572-9b19-e56ba302f9fac605e690-af90-4864-ac93-9ba2ee47ffb4:71c26c7d-51bd-4572-9b19-e56ba302f9fa:11e7f64d-1344-426f-a3f4-95cc67f5d10fHTTPS2014-08-05T21:14:23.6339844-04:000c605e690-af90-4864-ac93-9ba2ee47ffb4AutoGenerated11e7f64d-1344-426f-a3f4-95cc67f5d10fOS Process May be Subject to Elevation of Privilege Using Remote Code ExecutionE6falseElevation Of PrivilegeGeneric External Interactor may be able to remotely execute code for OS Process.A user subject gains increased capability or privilege by taking advantage of an implementation bug.falseD4c605e690-af90-4864-ac93-9ba2ee47ffb471c26c7d-51bd-4572-9b19-e56ba302f9fa11e7f64d-1344-426f-a3f4-95cc67f5d10f987eebc4-de2a-403c-b414-2175343b874471c26c7d-51bd-4572-9b19-e56ba302f9fac605e690-af90-4864-ac93-9ba2ee47ffb4:71c26c7d-51bd-4572-9b19-e56ba302f9fa:11e7f64d-1344-426f-a3f4-95cc67f5d10fHTTPS2014-08-05T21:14:23.6339844-04:000c605e690-af90-4864-ac93-9ba2ee47ffb4AutoGenerated11e7f64d-1344-426f-a3f4-95cc67f5d10fData Flow HTTPS Is Potentially InterruptedD4falseDenial Of ServiceAn external agent interrupts data flowing across a trust boundary in either direction.Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseD3c605e690-af90-4864-ac93-9ba2ee47ffb471c26c7d-51bd-4572-9b19-e56ba302f9fa11e7f64d-1344-426f-a3f4-95cc67f5d10f987eebc4-de2a-403c-b414-2175343b874471c26c7d-51bd-4572-9b19-e56ba302f9fac605e690-af90-4864-ac93-9ba2ee47ffb4:71c26c7d-51bd-4572-9b19-e56ba302f9fa:11e7f64d-1344-426f-a3f4-95cc67f5d10fHTTPS2014-08-05T21:14:23.6339844-04:000c605e690-af90-4864-ac93-9ba2ee47ffb4AutoGenerated11e7f64d-1344-426f-a3f4-95cc67f5d10fPotential Process Crash or Stop for OS ProcessD3falseDenial Of ServiceOS Process crashes, halts, stops or runs slowly; in all cases violating an availability metric.Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseR6c605e690-af90-4864-ac93-9ba2ee47ffb471c26c7d-51bd-4572-9b19-e56ba302f9fa11e7f64d-1344-426f-a3f4-95cc67f5d10f987eebc4-de2a-403c-b414-2175343b874471c26c7d-51bd-4572-9b19-e56ba302f9fac605e690-af90-4864-ac93-9ba2ee47ffb4:71c26c7d-51bd-4572-9b19-e56ba302f9fa:11e7f64d-1344-426f-a3f4-95cc67f5d10fHTTPS2014-08-05T21:14:23.6339844-04:000c605e690-af90-4864-ac93-9ba2ee47ffb4AutoGenerated11e7f64d-1344-426f-a3f4-95cc67f5d10fPotential Data Repudiation by OS ProcessR6falseRepudiationOS Process claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.Repudiation threats involve an adversary denying that something happened.falseD411e7f64d-1344-426f-a3f4-95cc67f5d10f71757af4-a321-47e7-b250-ab70db582c95c605e690-af90-4864-ac93-9ba2ee47ffb4987eebc4-de2a-403c-b414-2175343b874471757af4-a321-47e7-b250-ab70db582c9511e7f64d-1344-426f-a3f4-95cc67f5d10f:71757af4-a321-47e7-b250-ab70db582c95:c605e690-af90-4864-ac93-9ba2ee47ffb4HTTPS2014-08-05T21:14:23.6339844-04:00011e7f64d-1344-426f-a3f4-95cc67f5d10fAutoGeneratedc605e690-af90-4864-ac93-9ba2ee47ffb4Data Flow HTTPS Is Potentially InterruptedD4falseDenial Of ServiceAn external agent interrupts data flowing across a trust boundary in either direction.Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseR711e7f64d-1344-426f-a3f4-95cc67f5d10f71757af4-a321-47e7-b250-ab70db582c95c605e690-af90-4864-ac93-9ba2ee47ffb4987eebc4-de2a-403c-b414-2175343b874471757af4-a321-47e7-b250-ab70db582c9511e7f64d-1344-426f-a3f4-95cc67f5d10f:71757af4-a321-47e7-b250-ab70db582c95:c605e690-af90-4864-ac93-9ba2ee47ffb4HTTPS2014-08-05T21:14:23.6339844-04:00011e7f64d-1344-426f-a3f4-95cc67f5d10fAutoGeneratedc605e690-af90-4864-ac93-9ba2ee47ffb4External Entity Generic External Interactor Potentially Denies Receiving DataR7falseRepudiationGeneric External Interactor claims that it did not receive data from a process on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.Repudiation threats involve an adversary denying that something happened.falseS811e7f64d-1344-426f-a3f4-95cc67f5d10f71757af4-a321-47e7-b250-ab70db582c95c605e690-af90-4864-ac93-9ba2ee47ffb4987eebc4-de2a-403c-b414-2175343b874471757af4-a321-47e7-b250-ab70db582c9511e7f64d-1344-426f-a3f4-95cc67f5d10f:71757af4-a321-47e7-b250-ab70db582c95:c605e690-af90-4864-ac93-9ba2ee47ffb4HTTPS2014-08-05T21:14:23.6339844-04:00011e7f64d-1344-426f-a3f4-95cc67f5d10fAutoGeneratedc605e690-af90-4864-ac93-9ba2ee47ffb4Spoofing of the Generic External Interactor External Destination EntityS8falseSpoofingGeneric External Interactor may be spoofed by an attacker and this may lead to data being sent to the attacker's target instead of Generic External Interactor. Consider using a standard authentication mechanism to identify the external entity.Spoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address.falseD5fd47100f-b03f-456a-93d3-d21abdddf295572d2c00-cb06-42af-836c-fc804df04d3dd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e987eebc4-de2a-403c-b414-2175343b8744572d2c00-cb06-42af-836c-fc804df04d3dfd47100f-b03f-456a-93d3-d21abdddf295:572d2c00-cb06-42af-836c-fc804df04d3d:d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGeneric Data Flow2014-08-05T21:14:23.6339844-04:000fd47100f-b03f-456a-93d3-d21abdddf295AutoGeneratedd1fda5a3-28d6-4074-aaaf-c1c2542e2b2eData Store InaccessibleD5falseDenial Of ServiceAn external agent prevents access to a data store on the other side of the trust boundary.Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseD4fd47100f-b03f-456a-93d3-d21abdddf295572d2c00-cb06-42af-836c-fc804df04d3dd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e987eebc4-de2a-403c-b414-2175343b8744572d2c00-cb06-42af-836c-fc804df04d3dfd47100f-b03f-456a-93d3-d21abdddf295:572d2c00-cb06-42af-836c-fc804df04d3d:d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGeneric Data Flow2014-08-05T21:14:23.6339844-04:000fd47100f-b03f-456a-93d3-d21abdddf295AutoGeneratedd1fda5a3-28d6-4074-aaaf-c1c2542e2b2eData Flow Generic Data Flow Is Potentially InterruptedD4falseDenial Of ServiceAn external agent interrupts data flowing across a trust boundary in either direction.Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseI6fd47100f-b03f-456a-93d3-d21abdddf295572d2c00-cb06-42af-836c-fc804df04d3dd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e987eebc4-de2a-403c-b414-2175343b8744572d2c00-cb06-42af-836c-fc804df04d3dfd47100f-b03f-456a-93d3-d21abdddf295:572d2c00-cb06-42af-836c-fc804df04d3d:d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGeneric Data Flow2014-08-05T21:14:23.6339844-04:000fd47100f-b03f-456a-93d3-d21abdddf295AutoGeneratedd1fda5a3-28d6-4074-aaaf-c1c2542e2b2eData Flow SniffingI6falseInformation DisclosureData flowing across Generic Data Flow may be sniffed by an attacker. Depending on what type of data an attacker can read, it may be used to attack other parts of the system or simply be a disclosure of information leading to compliance violations. Consider encrypting the data flow.Information disclosure happens when the information can be read by an unauthorized party.falseR8fd47100f-b03f-456a-93d3-d21abdddf295572d2c00-cb06-42af-836c-fc804df04d3dd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e987eebc4-de2a-403c-b414-2175343b8744572d2c00-cb06-42af-836c-fc804df04d3dfd47100f-b03f-456a-93d3-d21abdddf295:572d2c00-cb06-42af-836c-fc804df04d3d:d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGeneric Data Flow2014-08-05T21:14:23.6339844-04:000fd47100f-b03f-456a-93d3-d21abdddf295AutoGeneratedd1fda5a3-28d6-4074-aaaf-c1c2542e2b2eData Store Denies Generic Data Store Potentially Writing DataR8falseRepudiationGeneric Data Store claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.Repudiation threats involve an adversary denying that something happened.falseT18fd47100f-b03f-456a-93d3-d21abdddf295572d2c00-cb06-42af-836c-fc804df04d3dd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e987eebc4-de2a-403c-b414-2175343b8744572d2c00-cb06-42af-836c-fc804df04d3dfd47100f-b03f-456a-93d3-d21abdddf295:572d2c00-cb06-42af-836c-fc804df04d3d:d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGeneric Data Flow2014-08-05T21:14:23.6339844-04:000fd47100f-b03f-456a-93d3-d21abdddf295AutoGeneratedd1fda5a3-28d6-4074-aaaf-c1c2542e2b2eThe Generic Data Store Data Store Could Be CorruptedT18falseTamperingData flowing across Generic Data Flow may be tampered with by an attacker. This may lead to corruption of Generic Data Store. Ensure the integrity of the data flow to the data store.Tampering is the act of altering the bits. Tampering with a process involves changing bits in the running process. Similarly, Tampering with a data flow involves changing bits on the wire or between two running processes.falseS1fd47100f-b03f-456a-93d3-d21abdddf295572d2c00-cb06-42af-836c-fc804df04d3dd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e987eebc4-de2a-403c-b414-2175343b8744572d2c00-cb06-42af-836c-fc804df04d3dfd47100f-b03f-456a-93d3-d21abdddf295:572d2c00-cb06-42af-836c-fc804df04d3d:d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eGeneric Data Flow2014-08-05T21:14:23.6339844-04:000fd47100f-b03f-456a-93d3-d21abdddf295AutoGeneratedd1fda5a3-28d6-4074-aaaf-c1c2542e2b2eSpoofing the OS Process ProcessS1falseSpoofingOS Process may be spoofed by an attacker and this may lead to unauthorized access to Generic Data Store. Consider using a standard authentication mechanism to identify the source process.Spoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address.falseE7d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e4be4f95b-3c66-4621-a027-ab4078f7ce5cfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87444be4f95b-3c66-4621-a027-ab4078f7ce5cd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e:4be4f95b-3c66-4621-a027-ab4078f7ce5c:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:14:23.6339844-04:000d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295Elevation by Changing the Execution Flow in OS ProcessE7falseElevation Of PrivilegeAn attacker may pass data into OS Process in order to change the flow of program execution within OS Process to the attacker's choosing.A user subject gains increased capability or privilege by taking advantage of an implementation bug.falseE6d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e4be4f95b-3c66-4621-a027-ab4078f7ce5cfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87444be4f95b-3c66-4621-a027-ab4078f7ce5cd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e:4be4f95b-3c66-4621-a027-ab4078f7ce5c:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:14:23.6339844-04:000d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295OS Process May be Subject to Elevation of Privilege Using Remote Code ExecutionE6falseElevation Of PrivilegeGeneric Data Store may be able to remotely execute code for OS Process.A user subject gains increased capability or privilege by taking advantage of an implementation bug.falseD5d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e4be4f95b-3c66-4621-a027-ab4078f7ce5cfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87444be4f95b-3c66-4621-a027-ab4078f7ce5cd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e:4be4f95b-3c66-4621-a027-ab4078f7ce5c:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:14:23.6339844-04:000d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295Data Store InaccessibleD5falseDenial Of ServiceAn external agent prevents access to a data store on the other side of the trust boundary.Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseD4d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e4be4f95b-3c66-4621-a027-ab4078f7ce5cfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87444be4f95b-3c66-4621-a027-ab4078f7ce5cd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e:4be4f95b-3c66-4621-a027-ab4078f7ce5c:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:14:23.6339844-04:000d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295Data Flow Generic Data Flow Is Potentially InterruptedD4falseDenial Of ServiceAn external agent interrupts data flowing across a trust boundary in either direction.Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseD3d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e4be4f95b-3c66-4621-a027-ab4078f7ce5cfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87444be4f95b-3c66-4621-a027-ab4078f7ce5cd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e:4be4f95b-3c66-4621-a027-ab4078f7ce5c:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:14:23.6339844-04:000d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295Potential Process Crash or Stop for OS ProcessD3falseDenial Of ServiceOS Process crashes, halts, stops or runs slowly; in all cases violating an availability metric.Denial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseR6d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e4be4f95b-3c66-4621-a027-ab4078f7ce5cfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87444be4f95b-3c66-4621-a027-ab4078f7ce5cd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e:4be4f95b-3c66-4621-a027-ab4078f7ce5c:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:14:23.6339844-04:000d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295Potential Data Repudiation by OS ProcessR6falseRepudiationOS Process claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.Repudiation threats involve an adversary denying that something happened.falseS2d1fda5a3-28d6-4074-aaaf-c1c2542e2b2e4be4f95b-3c66-4621-a027-ab4078f7ce5cfd47100f-b03f-456a-93d3-d21abdddf295987eebc4-de2a-403c-b414-2175343b87444be4f95b-3c66-4621-a027-ab4078f7ce5cd1fda5a3-28d6-4074-aaaf-c1c2542e2b2e:4be4f95b-3c66-4621-a027-ab4078f7ce5c:fd47100f-b03f-456a-93d3-d21abdddf295Generic Data Flow2014-08-05T21:14:23.6339844-04:000d1fda5a3-28d6-4074-aaaf-c1c2542e2b2eAutoGeneratedfd47100f-b03f-456a-93d3-d21abdddf295Spoofing the OS Process ProcessS2falseSpoofingOS Process may be spoofed by an attacker and this may lead to information disclosure by Generic Data Store. Consider using a standard authentication mechanism to identify the destination process.Spoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address.falsetrue4.2falsefalseNot SelectedManagedUnmanagedCode TypeVirtualDynamiccodeTypeListfalseNot SelectedKernelSystemNetwork ServiceLocal ServiceAdministratorStandard User With ElevationStandard User Without ElevationWindows Store AppRunning AsVirtualDynamicrunningAsListfalseNot SelectedAppContainerLow Integrity LevelMicrosoft Office Isolated Conversion Environment (MOICE)SandboxIsolation LevelVirtualDynamicIsolationListfalseNot SelectedAny Remote User or EntityKernel, System, or Local AdminLocal or Network ServiceLocal Standard User With ElevationLocal Standard User Without ElevationWindows Store Apps or App Container ProcessesNothingOtherAccepts Input FromVirtualDynamicacceptsInputFromListfalseNoYesImplements or Uses an Authentication MechanismVirtualDynamicimplementsAuthenticationSchemeListfalseNoYesImplements or Uses an Authorization MechanismVirtualDynamicimplementsCustomAuthorizationMechanismListfalseNoYesImplements or Uses a Communication ProtocolVirtualDynamicimplementsCommunicationProtocolListA representation of a generic process.falseGE.P/Images/ImageProcess7.pngGeneric ProcessROOTEllipsefalsefalseNoYesAuthenticates ItselfVirtualDynamicauthenticatesItselfListfalseNot SelectedCodeHumanTypeVirtualDynamictypeList A representation of an external interactor. falseGE.EI/Images/ImageExternalInteractor7.pngGeneric External InteractorROOTRectanglefalsefalseNot SelectedWireWi-FiBluetooth2G-4GPhysical NetworkVirtualDynamicchannelListfalseNoYesSource AuthenticatedVirtualDynamicauthenticatesSourceListfalseNoYesDestination AuthenticatedVirtualDynamicauthenticatesDestinationListfalseNoYesProvides ConfidentialityVirtualDynamicprovidesConfidentialityListfalseNoYesProvides IntegrityVirtualDynamicprovidesIntegrityListfalseNoYesTransmits XMLVirtualDynamicXMLencList A unidirectional representation of the flow of data between elements. falseGE.DF/Images/ImageDataFlow7.pngGeneric Data FlowROOTLinefalsefalseNoYesStores CredentialsVirtualDynamicstoresCredentialsListfalseNoYesStores Log DataVirtualDynamicstoresLogDataListfalseNoYesEncryptedVirtualDynamicEncryptedListfalseNoYesSignedVirtualDynamicSignedListfalseNoYesWrite AccessVirtualDynamicAccessTypeListfalseNoYesRemovable StorageVirtualDynamicRemoveableStorageListfalseNoYesBackupVirtualDynamicBackupListfalseNoYesSharedVirtualDynamicsharedList A representation of a data store. falseGE.DS/Images/ImageDataStore7.pngGeneric Data StoreROOTParallelLinesfalse An arc representation of a trust boundary. trueGE.TB/Images/ImageGenericTrustBoundaryArc7.pngGeneric Trust BoundaryROOTLineBoundaryfalse An arc representation of a trust boundary. falseGE.TB.L/Images/ImageGenericTrustBoundaryArc7.pngGeneric Trust BoundaryGE.TBLineBoundaryfalse A border representation of a trust boundary. falseGE.TB.B/Images/ImageGenericTrustBoundaryBorder7.pngGeneric Trust BoundaryGE.TBBorderBoundaryfalse A representation of an annotation. falseGE.A/Images/ImageAnnotation7.pngFree Text AnnotationROOTAnnotationTwC MSECcc62ebae-3748-431e-b1df-f4220dc9003fSDL TM Knowledge Base (Core)4.0.2.1false A Windows Process. falseSE.P.TMCore.OSProcess/Images/ImageWin3264Application7.pngOS ProcessGE.PInheritedfalse A thread of execution in a Windows process. falseSE.P.TMCore.Thread/Images/ImageWin3264Application7.pngThreadGE.PInheritedfalsefalseUnmanagedCode TypeVirtualStaticcodeTypeList A thread of execution in the Windows kernel. falseSE.P.TMCore.KernelThread/Images/ImageWin3264Application7.pngKernel ThreadGE.PInheritedfalsefalseUnmanagedCode TypeVirtualStaticcodeTypeList A representation of a Win32 or Win64 application. falseSE.P.TMCore.WinApp/Images/ImageWin3264Application7.pngNative ApplicationGE.PInheritedfalsefalseManagedCode TypeVirtualStaticcodeTypeList A representation of a .NET Web application. falseSE.P.TMCore.NetApp/Images/ImageNetWebApplication7.pngManaged ApplicationGE.PInheritedfalsefalseUnmanagedCode TypeVirtualStaticcodeTypeList A representation of a thick client. falseSE.P.TMCore.ThickClient/Images/ImageThickClient7.pngThick ClientGE.PInheritedfalsefalseUnmanagedCode TypeVirtualStaticcodeTypeList A representation of a browser client. falseSE.P.TMCore.BrowserClient/Images/ImageBrowserClient7.pngBrowser ClientGE.PInheritedfalsefalseNoYesActiveXVirtualDynamicActiveXListfalseNoYesBrower Plug-in Object (BHO)VirtualDynamicBHOList A representation of an browser plugin. falseSE.P.TMCore.PlugIn/Images/ImageBrowserPlugin7.pngBrowser and ActiveX Plug-insGE.PInheritedfalsefalseManagedUnmanagedCode TypeVirtualDynamiccodeTypeListfalseNot SelectedYesNoSanitizes InputVirtualDynamichasInputSanitizersListfalseNot SelectedYesNoSanitizes OutputVirtualDynamichasOutputSanitizersList A representation of an Web Server Process. falseSE.P.TMCore.WebServer/Images/ImageWebServer7.pngWeb ServerGE.PInheritedfalsefalseLocalWebContextVirtualDynamiccontextListfalseManagedCode TypeVirtualStaticcodeTypeListfalseNot SelectedYesNo'Documents Library' capabilityVirtualDynamicdocumentsLibraryListfalseNot SelectedYesNo'Enterprise Authentication' capabilityVirtualDynamicenterprizeAuthenticationListfalseNot SelectedYesNo'Internet (Client & Server)' capabilityVirtualDynamicinternetClientServerListfalseNot SelectedYesNo'Internet (Client)' capabilityVirtualDynamicinternetClientListfalseNot SelectedYesNo'Location' capabilityVirtualDynamiclocationListfalseNot SelectedYesNo'Microphone' capabilityVirtualDynamicmicrophoneListfalseNot SelectedYesNo'Music Library' capabilityVirtualDynamicmusicLibraryListfalseNot SelectedYesNo'Pictures Library' capabilityVirtualDynamicpictureLibraryListfalseNot SelectedYesNo'Private Networks (Client & Server)' capabilityVirtualDynamicprivateNetworkClientServerListfalseNot SelectedYesNo'Proximity' capabilityVirtualDynamicproximityListfalseNot SelectedYesNo'Removable Storage' capabilityVirtualDynamicremovableStorageListfalseNot SelectedYesNo'Shared User Certificates' capabilityVirtualDynamicsharedUserCertificatesListfalseNot SelectedYesNo'Text Messaging' capabilityVirtualDynamicsmsListfalseNot SelectedYesNo'Videos Library' capabilityVirtualDynamicvideosLibraryListfalseNot SelectedYesNo'Webcam' capabilityVirtualDynamicwebcamList A representation of a Windows Store process. falseSE.P.TMCore.Modern/Images/ImageProcess7.pngWindows Store ProcessGE.PInheritedfalsefalseUnmanagedManagedCode TypeVirtualDynamiccodeTypeList A representation of an network process or service. falseSE.P.TMCore.Win32Service/Images/ImageNetWebApplication7.pngWin32 ServiceGE.PInheritedfalsefalseUnmanagedManagedCode TypeVirtualDynamiccodeTypeListfalseNot SelectedYesNoSanitizes InputVirtualDynamichasInputSanitizersListfalseNot SelectedYesNoSanitizes OutputVirtualDynamichasOutputSanitizersList Delivers web content to a human user. falseSE.P.TMCore.WebApp/Images/ImageNetWebApplication7.pngWeb ApplicationGE.PInheritedfalsefalseUnmanagedManagedCode TypeVirtualDynamiccodeTypeList Exposes a programmatic interface. falseSE.P.TMCore.WebSvc/Images/ImageNetWebApplication7.pngWeb ServiceGE.PInheritedfalse A virtual machine running in a Hyper-V partition. falseSE.P.TMCore.VM/Images/ImageProcess7.pngVirtual MachineGE.PInheritedfalse Microsoft applications running on operating systems from Google or Apple. falseSE.P.TMCore.NonMS/Images/ImageProcess7.pngApplications Running on a non-Microsoft OSGE.PInheritedfalsefalseCodeTypeVirtualStatictypeList A representation of an external Web browser. falseSE.EI.TMCore.Browser/Images/ImageBrowser7.pngBrowserGE.EIInheritedfalsefalseNoYesMicrosoftVirtualDynamicMSList A representation of an external authorization provider. falseSE.EI.TMCore.AuthProvider/Images/ImageAuthorizationProvider7.pngAuthorization ProviderGE.EIInheritedfalsefalseCodeTypeVirtualStatictypeListfalseNoYesMicrosoftVirtualDynamicMSList A representation of an external Web application (portal, front ed, etc.). falseSE.EI.TMCore.WebApp/Images/ImageWebApp7.pngWeb ApplicationGE.EIInheritedfalsefalseCodeTypeVirtualStatictypeListfalseNoYesMicrosoftVirtualDynamicMSList A representation of an external Web service. falseSE.EI.TMCore.WebSvc/Images/ImageWebService7.pngWeb ServiceGE.EIInheritedfalsefalseHumanTypeVirtualStatictypeList A representation of a user. falseSE.EI.TMCore.User/Images/ImageHumanUser7.pngHuman UserGE.EIInheritedfalse A large service that has only one instance on the Internet, for example, Outlook.com and Xbox Live. falseSE.EI.TMCore.Megasevrice/Images/ImageCloudService7.pngMegaserviceGE.EIInheritedfalsefalseCodeTypeVirtualStatictypeListfalseNot ApplicableAuthenticates ItselfVirtualStaticauthenticatesItselfList Represents the point where an application calls into an unmanged runtime library such as the CRT. falseSE.EI.TMCore.CRT/Images/ImageExternalInteractor7.pngWindows RuntimeGE.EIInheritedfalsefalseCodeTypeVirtualStatictypeListfalseNot ApplicableAuthenticates ItselfVirtualStaticauthenticatesItselfList Represents the point where an application calls into the .NET Framework. falseSE.EI.TMCore.NFX/Images/ImageExternalInteractor7.pngWindows .NET RuntimeGE.EIInheritedfalsefalseCodeTypeVirtualStatictypeListfalseNot ApplicableAuthenticates ItselfVirtualStaticauthenticatesItselfList Represents the point where an application calls into WinRT. falseSE.EI.TMCore.WinRT/Images/ImageExternalInteractor7.pngWindows RT RuntimeGE.EIInheritedfalsefalseNoSource AuthenticatedVirtualStaticauthenticatesSourceListfalseNoDestination AuthenticatedVirtualStaticauthenticatesDestinationListfalseNoProvides ConfidentialityVirtualStaticprovidesConfidentialityListfalseNoProvides IntegrityVirtualStaticprovidesIntegrityListfalseYesNoContains CookiesVirtualDynamicCookiesListfalseNoYesSOAP PayloadVirtualDynamicSOAPListfalseNoYesREST PayloadVirtualDynamicRESTListfalseNoYesRSS PayloadVirtualDynamicRSSListfalseNoYesJSON PayloadVirtualDynamicJSONList A representation of an HTTP data flow. falseSE.DF.TMCore.HTTP/Images/ImageHTTP7.pngHTTPGE.DFInheritedfalsefalseYesDestination AuthenticatedVirtualStaticauthenticatesDestinationListfalseYesProvides ConfidentialityVirtualStaticprovidesConfidentialityListfalseYesProvides IntegrityVirtualStaticprovidesIntegrityListfalseYesNoContains CookiesVirtualDynamicCookiesListfalseNoYesSOAP PayloadVirtualDynamicSOAPListfalseNoYesREST PayloadVirtualDynamicRESTListfalseNoYesRSS PayloadVirtualDynamicRSSListfalseNoYesJSON PayloadVirtualDynamicJSONList A representation of an HTTPS data flow. falseSE.DF.TMCore.HTTPS/Images/ImageHTTPS7.pngHTTPSGE.DFInheritedfalse A representation of an Binary data flow. falseSE.DF.TMCore.Binary/Images/ImageBinary7.pngBinaryGE.DFInheritedfalsefalseYesSource AuthenticatedVirtualStaticauthenticatesSourceListfalseYesDestination AuthenticatedVirtualStaticauthenticatesDestinationListfalseYesProvides ConfidentialityVirtualStaticprovidesConfidentialityListfalseYesProvides IntegrityVirtualStaticprovidesIntegrityList A representation of an IPsec data flow. falseSE.DF.TMCore.IPsec/Images/ImageIPSec7.pngIPsecGE.DFInheritedfalse A representation of a named pipe data flow. falseSE.DF.TMCore.NamedPipe/Images/ImageNamedPipe7.pngNamed PipeGE.DFInheritedfalse A representation of a SMBv1 or SMBv2 data flow. falseSE.DF.TMCore.SMB/Images/ImageSOAP7.pngSMBGE.DFInheritedfalse A representation of an RPC or Distributed COM (DCOM) data flow. falseSE.DF.TMCore.RPC/Images/ImageREST7.pngRPC/DCOMGE.DFInheritedfalse A representation of an (Advanced) Local Procedure Call data flow. falseSE.DF.TMCore.ALPC/Images/ImageDataFlow7.pngALPCGE.DFInheritedfalse User Data Protocol Transport. falseSE.DF.TMCore.UDP/Images/ImageDataFlow7.pngUDPGE.DFInheritedfalse An interface for an application to communicate to a device driver. falseSE.DF.TMCore.IOCTL/Images/ImageDataFlow7.pngIOCTL InterfaceGE.DFInheritedfalse A representation of a Cloud Storage. falseSE.DS.TMCore.CloudStorage/Images/ImageCloudStorage7.pngCloud StorageGE.DSInheritedfalse A representation of a SQL Database. falseSE.DS.TMCore.SQL/Images/ImageSQLDatabase7.pngSQL DatabaseGE.DSInheritedfalse A representation of a non-relational database. falseSE.DS.TMCore.NoSQL/Images/ImageNoSQLDatabase7.pngNon-Relational DatabaseGE.DSInheritedfalsefalseNTFSExFATFATReFSIFSUDFOtherFile System TypeVirtualDynamicfsTypeList A representation of a file system. falseSE.DS.TMCore.FS/Images/ImageFileSystem7.pngFile SystemGE.DSInheritedfalse A representation of a Registry. falseSE.DS.TMCore.Registry/Images/ImageRegistryHive7.pngRegistry HiveGE.DSInheritedfalse A configuration file, this includes XML, INI, and INF files. falseSE.DS.TMCore.ConfigFile/Images/ImageRegistryHive7.pngConfiguration FileGE.DSInheritedfalse A representation of a local data cache. falseSE.DS.TMCore.Cache/Images/ImageCache7.pngCacheGE.DSInheritedfalse A representation of HTML5 local storage. falseSE.DS.TMCore.HTML5LS/Images/ImageHTML5LocalStorage7.pngHTML5 Local StorageGE.DSInheritedfalsefalseNoYesHTTPOnlyVirtualDynamicHTTPOnlyList A representation of cookie storage. falseSE.DS.TMCore.Cookie/Images/ImageCookies7.pngCookiesGE.DSInheritedfalsefalseNoYesGPSVirtualDynamicGPSListfalseNoYesContactsVirtualDynamicContactsListfalseNoYesCalendar EventsVirtualDynamicCalendarListfalseNoYesSMS messagesVirtualDynamicSMSListfalseNoYesCached CredentialsVirtualDynamicCredsListfalseNoYesEnterprise DataVirtualDynamicEnterpriseListfalseNoYesMessaging Data (Mail, IM, SMS...)VirtualDynamice-mailListfalseNoYesSIM StorageVirtualDynamicSIMListfalseNoYesOther DataVirtualDynamicmiscList A representation of device local storage. falseSE.DS.TMCore.Device/Images/ImageDevice7.pngDeviceGE.DSInheritedfalsefalseInternetBoundary TypeVirtualStaticboundaryTypeList An arc representation of an Internet trust boundary. falseSE.TB.L.TMCore.Internet/Images/ImageGenericTrustBoundaryArc7.pngInternet BoundaryGE.TB.LInheritedfalsefalseCorporate NetworkBoundary TypeVirtualStaticboundaryTypeList A border representation of a corporate network trust boundary. falseSE.TB.B.TMCore.CorpNet/Images/ImageGenericTrustBoundaryBorder7.pngCorpNet Trust BoundaryGE.TB.BInheritedfalsefalseMachine BoundaryBoundary TypeVirtualStaticboundaryTypeList An arc representation of a machine trust boundary. falseSE.TB.L.TMCore.Machine/Images/ImageGenericTrustBoundaryArc7.pngMachine Trust BoundaryGE.TB.LInheritedfalsefalseKernel BoundaryBoundary TypeVirtualStaticboundaryTypeList A border representation of user-model / kernel-mode separation. falseSE.TB.L.TMCore.Kernel/Images/ImageGenericTrustBoundaryArc7.pngUser-mode / Kernel-mode BoundaryGE.TB.LInheritedfalsefalseAppContainer BoundaryBoundary TypeVirtualStaticboundaryTypeList A border representation for a Window Store AppContainer boundary. falseSE.TB.L.TMCore.AppContainer/Images/ImageGenericTrustBoundaryArc7.pngAppContainer BoundaryGE.TB.LInheritedfalsefalseSandbox BoundaryBoundary TypeVirtualStaticboundaryTypeList A border representation of a sandbox trust boundary. falseSE.TB.B.TMCore.Sandbox/Images/ImageGenericTrustBoundaryBorder7.pngSandbox Trust Boundary BorderGE.TB.BInheritedfalsefalseIE BoundaryBoundary TypeVirtualStaticboundaryTypeListfalseNoYesLow Integrity Level SandboxVirtualDynamicIntegrity LevelListfalseNoYesApp Container SandboxVirtualDynamicApp ContainerListfalseNoYesJavaScript SandboxVirtualDynamicJavaScriptListfalseNoYesFlash SandboxVirtualDynamicFlashList Describes the types of trust boundaries implemented by Internet Explorer. falseSE.TB.B.TMCore.IEB/Images/ImageGenericTrustBoundaryBorder7.pngInternet Explorer BoundariesGE.TB.BInheritedfalsefalseOtherBoundary TypeVirtualStaticboundaryTypeListfalseNoYesChrome JavaScript SandboxVirtualDynamicChromeJavaListfalseNoYesChrome SandboxVirtualDynamicChromeListfalseNoYesFirefox JavaScript SandboxVirtualDynamicFirefoxJavaList Describes the types of trust boundaries implemented by Google Chrome and Firefox. falseSE.TB.B.TMCore.NonIEB/Images/ImageGenericTrustBoundaryBorder7.pngOther Browsers' BoundariesGE.TB.BInheritedfalseSSpoofingSpoofing is when a process or entity is something other than its claimed identity. Examples include substituting a process, a file, website or a network address.falseTTamperingTampering is the act of altering the bits. Tampering with a process involves changing bits in the running process. Similarly, Tampering with a data flow involves changing bits on the wire or between two running processes.falseRRepudiationRepudiation threats involve an adversary denying that something happened.falseIInformation DisclosureInformation disclosure happens when the information can be read by an unauthorized party.falseDDenial Of ServiceDenial of Service happens when the process or a datastore is not able to service incoming requests or perform up to spec.falseEElevation Of PrivilegeA user subject gains increased capability or privilege by taking advantage of an implementation bug.falseAAbuseAbuse is when a legitimate user violates the terms of use for the system without violating a system security policy.falseSThreat was migrated from V3.source is 'ROOT'SUSpoofing (v3)falseTThreat was migrated from V3.source is 'ROOT'TUTampering (v3)falseRThreat was migrated from V3.source is 'ROOT'RURepudiation (v3)falseIThreat was migrated from V3.source is 'ROOT'IUInformation Disclosure (v3)falseDThreat was migrated from V3.source is 'ROOT'DUDenial Of Service (v3)falseEThreat was migrated from V3.source is 'ROOT'EUElevation Of Privilege (v3)falseS{source.Name} may be spoofed by an attacker and this may lead to unauthorized access to {target.Name}. Consider using a standard authentication mechanism to identify the source process.flow.authenticatesSource is 'Yes' or source.implementsAuthenticationScheme is 'Yes'source is 'GE.P' and (target is 'GE.P' or target is 'GE.DS') and flow crosses 'GE.TB'S1Spoofing the {source.Name} ProcessfalseS{target.Name} may be spoofed by an attacker and this may lead to information disclosure by {source.Name}. Consider using a standard authentication mechanism to identify the destination process.flow.authenticatesDestination is 'Yes'(source is 'GE.P' or source is 'GE.EI' or source is 'GE.DS') and target is 'GE.P' and flow crosses 'GE.TB'S2Spoofing the {target.Name} ProcessfalseS{source.Name} may be spoofed by an attacker and this may lead to unauthorized access to {target.Name}. Consider using a standard authentication mechanism to identify the external entity.source.authenticatesItself is 'Yes' or flow.authenticatesSource is 'Yes'source is 'GE.EI' and target is 'GE.P'S3Spoofing the {source.Name} External EntityfalseS{source.Name} may be spoofed by an attacker and this may lead to incorrect data delivered to {target.Name}. Consider using a standard authentication mechanism to identify the source data store.source is 'GE.DS'S7Spoofing of Source Data Store {source.Name}falseS{target.Name} may be spoofed by an attacker and this may lead to data being written to the attacker's target instead of {target.Name}. Consider using a standard authentication mechanism to identify the destination data store.target is 'GE.DS'S7.1Spoofing of Destination Data Store {target.Name}falseS{target.Name} may be spoofed by an attacker and this may lead to data being sent to the attacker's target instead of {target.Name}. Consider using a standard authentication mechanism to identify the external entity.source is 'GE.P' and target is 'GE.EI' and flow crosses 'GE.TB'S8Spoofing of the {target.Name} External Destination EntityfalseTData flowing across {flow.Name} may be tampered with by an attacker. This may lead to a denial of service attack against {target.Name} or an elevation of privilege attack against {target.Name} or an information disclosure by {target.Name}. Failure to verify that input is as expected is a root cause of a very large number of exploitable issues. Consider all paths and the way they handle data. Verify that all input is verified for correctness using an approved list input validation approach.(flow.providesConfidentiality is 'Yes' and flow.providesIntegrity is 'Yes')(source is 'GE.P' or source is 'GE.EI') and target is 'GE.P' and (flow crosses 'GE.TB')T1Potential Lack of Input Validation for {target.Name}falseTIf {source.Name} is given access to memory, such as shared memory or pointers, or is given the ability to control what {target.Name} executes (for example, passing back a function pointer.), then {source.Name} can tamper with {target.Name}. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.source is 'GE.P' and target is 'GE.P' and target.codeType is 'Unmanaged'T2{source.Name} Process Memory TamperedfalseTPackets or messages without sequence numbers or timestamps can be captured and replayed in a wide variety of ways. Implement or utilize an existing communication protocol that supports anti-replay techniques (investigate sequence numbers before timers) and strong integrity.source is 'GE.P' and target is 'GE.P' and source.implementsCommunicationProtocol is 'Yes'T3Replay AttacksfalseTAttackers who can send a series of packets or messages may be able to overlap data. For example, packet 1 may be 100 bytes starting at offset 0. Packet 2 may be 100 bytes starting at offset 25. Packet 2 will overwrite 75 bytes of packet 1. Ensure you reassemble data before filtering it, and ensure you explicitly handle these sorts of cases.source is 'GE.P' and target is 'GE.P' and source.implementsCommunicationProtocol is 'Yes'T4Collision AttacksfalseTLog readers can come under attack via log files. Consider ways to canonicalize data in all logs. Implement a single reader for the logs, if possible, in order to reduce attack surface area. Be sure to understand and document log file elements which come from untrusted sources.(source is 'GE.P' and target is 'GE.DS' and target.storesLogData is 'Yes') or (target is 'GE.P' and source is 'GE.DS' and source.storesLogData is 'Yes')T5Risks from LoggingfalseTAn attacker can read or modify data transmitted over an authenticated dataflow.(flow.providesConfidentiality is 'Yes' and flow.providesIntegrity is 'Yes')(flow.authenticatesSource is 'Yes' or flow.authenticatesDestination is 'Yes')T6Authenticated Data Flow CompromisedfalseTSQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. (target is 'SE.DS.TMCore.SQL' and source is 'GE.P') T7Potential SQL Injection Vulnerability for {target.Name}falseTSQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker. (target is 'SE.DS.TMCore.SQL' and source is 'GE.EI') T8Potential SQL Injection Vulnerability for {target.Name}falseTIf a dataflow contains XML, XML processing threats (DTD and XSLT code execution) may be exploited.(flow.XMLenc is 'Yes' and target is 'GE.P')T11XML DTD and XSLT ProcessingfalseTIf a dataflow contains JSON, JSON processing and hijacking threats may be exploited.((flow is 'SE.DF.TMCore.HTTP' or flow is 'SE.DF.TMCore.HTTPS') and flow.JSON is 'Yes' and target is 'GE.P')T12JavaScript Object Notation ProcessingfalseTThe web server '{target.Name}' could be a subject to a cross-site scripting attack because it does not sanitize untrusted input.(target.hasOutputSanitizers is 'Yes') and (target.hasInputSanitizers is 'Yes')(target is 'SE.P.TMCore.WebServer' or target is 'SE.P.TMCore.WebApp')T13.1Cross Site ScriptingfalseTThe web server '{target.Name}' could be a subject to a persistent cross-site scripting attack because it does not sanitize data store '{source.Name}' inputs and output.(target.hasOutputSanitizers is 'Yes') and (target.hasInputSanitizers is 'Yes')(target is 'SE.P.TMCore.WebServer' or target is 'SE.P.TMCore.WebApp') and source is 'GE.DS'T13.2Persistent Cross Site ScriptingfalseTData flowing across {flow.Name} may be tampered with by an attacker. This may lead to corruption of {target.Name}. Ensure the integrity of the data flow to the data store.(source is 'GE.P' or source is 'GE.EI') and target is 'GE.DS' and (flow crosses 'GE.TB')T18The {target.Name} Data Store Could Be CorruptedfalseRIf you have trust levels, is anyone other outside of the highest trust level allowed to log? Letting everyone write to your logs can lead to repudiation problems. Only allow trusted code to log.(source is 'GE.P' or source is 'GE.EI') and (target is 'GE.DS') and (target.storesLogData is 'Yes')R1Lower Trusted Subject Updates LogsfalseRDo you accept logs from unknown or weakly authenticated users or systems? Identify and authenticate the source of the logs before accepting them.(source is 'GE.P' or source is 'GE.EI') and (target is 'GE.DS') and (target.storesLogData is 'Yes')R2Data Logs from an Unknown SourcefalseRDoes the log capture enough data to understand what happened in the past? Do your logs capture enough data to understand an incident after the fact? Is such capture lightweight enough to be left on all the time? Do you have enough data to deal with repudiation claims? Make sure you log sufficient and appropriate data to handle a repudiation claims. You might want to talk to an audit expert as well as a privacy expert about your choice of data.source is 'GE.P' and target is 'GE.DS' and target.storesLogData is 'Yes'R3Insufficient AuditingfalseRConsider what happens when the audit mechanism comes under attack, including attempts to destroy the logs, or attack log analysis programs. Ensure access to the log is through a reference monitor, which controls read and write separately. Document what filters, if any, readers can rely on, or writers should expectsource is 'GE.P' and target is 'GE.DS' and target.storesLogData is 'Yes'R4Potential Weak Protections for Audit DatafalseR{target.Name} claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.target is 'GE.P' and flow crosses 'GE.TB'R6Potential Data Repudiation by {target.Name}falseR{target.Name} claims that it did not receive data from a process on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.target is 'GE.EI' and flow crosses 'GE.TB'R7External Entity {target.Name} Potentially Denies Receiving DatafalseR{target.Name} claims that it did not write data received from an entity on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.target is 'GE.DS' and flow crosses 'GE.TB'R8Data Store Denies {target.Name} Potentially Writing DatafalseICan you access {target.Name} and bypass the permissions for the object? For example by editing the files directly with a hex editor, or reaching it via filesharing? Ensure that your program is the only one that can access the data, and that all other subjects have to use your interface.source is 'GE.P' and target is 'GE.DS' and source.implementsCustomAuthorizationMechanism is 'Yes'I2Authorization BypassfalseIData flowing across {flow.Name} may be sniffed by an attacker. Depending on what type of data an attacker can read, it may be used to attack other parts of the system or simply be a disclosure of information leading to compliance violations. Consider encrypting the data flow.flow.providesConfidentiality is 'Yes'((source is 'GE.P' or source is 'GE.EI') and target is 'GE.P' and flow crosses 'GE.TB') or (source is 'GE.P' and target is 'GE.DS' and flow crosses 'GE.TB')I6Data Flow SniffingfalseIImproper data protection of {source.name} can allow an attacker to read information not intended for disclosure. Review authorization settings.source is 'GE.DS' and (target is 'GE.P' or target is 'GE.EI')I23Weak Access Control for a ResourcefalseICredentials held at the server are often disclosed or tampered with and credentials stored on the client are often stolen. For server side, consider storing a salted hash of the credentials instead of storing the credentials themselves. If this is not possible due to business requirements, be sure to encrypt the credentials before storage, using an SDL-approved mechanism. For client side, if storing credentials is required, encrypt them and protect the data store in which they're storedsource is 'GE.P' and target is 'GE.DS' and target.storesCredentials is 'Yes'I24Weak Credential StoragefalseICredentials on the wire are often subject to sniffing by an attacker. Are the credentials re-usable/re-playable? Are credentials included in a message? For example, sending a zip file with the password in the email. Use strong cryptography for the transmission of credentials. Use the OS libraries if at all possible, and consider cryptographic algorithm agility, rather than hardcoding a choice.flow is 'SE.DF.TMCore.HTTPS' or flow is 'SE.DF.TMCore.IPsec'source is 'GE.P' and (target is 'GE.P' or target is 'GE.DS') and (flow crosses 'SE.TB.L.TMCore.Machine' or flow crosses 'SE.TB.B.TMCore.Machine')I25Weak Credential TransitfalseICustom authentication schemes are susceptible to common weaknesses such as weak credential change management, credential equivalence, easily guessable credentials, null credentials, downgrade authentication or a weak credential change management system. Consider the impact and potential mitigations for your custom authentication scheme.source is 'GE.P' and target is 'GE.P' and source.implementsAuthenticationScheme is 'Yes'I26Weak Authentication SchemefalseDDoes {source.Name} or {target.Name} take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do timeout.source is 'GE.P' and target is 'GE.DS'D2Potential Excessive Resource Consumption for {source.Name} or {target.Name}falseD{target.Name} crashes, halts, stops or runs slowly; in all cases violating an availability metric.target is 'GE.P' and flow crosses 'GE.TB'D3Potential Process Crash or Stop for {target.Name}falseDAn external agent interrupts data flowing across a trust boundary in either direction.flow crosses 'GE.TB'D4Data Flow {flow.Name} Is Potentially InterruptedfalseDAn external agent prevents access to a data store on the other side of the trust boundary.(source is 'GE.DS' or target is 'GE.DS') and flow crosses 'GE.TB'D5Data Store InaccessiblefalseECommon SSO implementations such as OAUTH2 and OAUTH Wrap are vulnerable to MitM attacks.(target is 'SE.EI.TMCore.AuthProvider' and target.MS is 'Yes')target is 'SE.EI.TMCore.AuthProvider'E3Weakness in SSO AuthorizationfalseE{target.Name} may be able to impersonate the context of {source.Name} in order to gain additional privilege.(source is 'GE.EI' or source is 'GE.P') and target is 'GE.P'E5Elevation Using ImpersonationfalseE{source.Name} may be able to remotely execute code for {target.Name}.target is 'GE.P' and flow crosses 'GE.TB'E6{target.Name} May be Subject to Elevation of Privilege Using Remote Code ExecutionfalseEAn attacker may pass data into {target.Name} in order to change the flow of program execution within {target.Name} to the attacker's choosing.target is 'GE.P' and flow crosses 'GE.TB'E7Elevation by Changing the Execution Flow in {target.Name}