CAPEC-504: Task Impersonation
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.
执行流程
步骤 1 Explore
[Determine suitable tasks to exploit] Determine what tasks exist on the target system that may result in a user providing sensitive information.
- Determine what tasks prompt a user for their credentials.
- Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.
步骤 2 Exploit
[Impersonate Task] Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.
- Prompt a user for their credentials, while making the user believe the credential request is legitimate.
- Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.
前提条件
- The adversary must already have access to the target system via some means.
- A legitimate task must exist that an adversary can impersonate to glean credentials.
- The user's privileges allow them to execute certain tasks with elevated privileges.
所需技能
所需资源
- Malware or some other means to initially comprise the target system.
- Additional malware to impersonate a legitimate task.
后果影响
影响范围: Access Control Authentication
技术影响: Gain Privileges
缓解措施
The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.
示例实例
An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.
An adversary prompts a user to authorize an elevation of privileges, implying that a background task needs additional permissions to execute. The user accepts the privilege elevation, allowing the adversary to execute additional malware or tasks with the user's privileges.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1036.004 | Masquerading: Masquerade Task or Service |