CAPEC-654: Credential Prompt Impersonation
CAPEC版本: 3.9
更新日期: 2023-01-24
攻击模式描述
An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials.
执行流程
步骤 1 Explore
[Determine suitable tasks to exploit] Determine what tasks exist on the target system that may result in a user providing their credentials.
- Determine what tasks prompt a user for their credentials.
步骤 2 Exploit
[Impersonate Task] Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials.
- Prompt a user for their credentials, while making the user believe the credential request is legitimate.
前提条件
- The adversary must already have access to the target system via some means.
- A legitimate task must exist that an adversary can impersonate to glean credentials.
所需技能
所需资源
- Malware or some other means to initially comprise the target system.
- Additional malware to impersonate a legitimate credential prompt.
后果影响
影响范围: Access Control Authentication
技术影响: Gain Privileges
缓解措施
The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.
示例实例
An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.
An adversary randomly prompts a user to enter their system credentials, tricking the user into believing that a background process requires the credentials to function. The adversary can then use these gleaned credentials to execute additional attacks or obtain data.
分类映射
| 分类名称 | 条目ID | 条目名称 |
|---|---|---|
| ATTACK | 1056 | Input Capture |
| ATTACK | 1548.004 | Abuse Elevation Control Mechanism: Elevated Execution with Prompt |