CAPEC-504 Detail

Task Impersonation

Abstraction: Standard
Domain of Attack: Software
Likelihood of Attack: Medium
Typical Severity: High

Parents: CAPEC-173 (Action Spoofing)

Children: CAPEC-654 (Credential Prompt Impersonation)

Description

An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.

Extended Description

When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point the user thinks they are interacting with the legitimate task they started, but they are actually interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and giving the appearance that nothing out of the ordinary has occurred.

A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes.

This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges.
Related References

External ID | Source | Link | Description
CAPEC-504 | CAPEC | https://capec.mitre.org/data/definitions/504.html | Task Impersonation
CWE-1021 | CWE | http://cwe.mitre.org/data/definitions/1021.html | Improper Restriction of Rendered UI Layers or Frames
T1036.004 | ATT&CK | https://attack.mitre.org/wiki/Technique/T1036/004 | Masquerading: Masquerade Task or Service
REF-434 | reference_from_CAPEC | https://people.eecs.berkeley.edu/~daw/papers/mobphish-w2sp11.pdf | Adrienne Porter Felt and David Wagner, "Phishing on Mobile Devices", 2011, University of California, Berkeley
Execution Flow

Explore
  1. Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing sensitive information.
     Techniques:
       Determine what tasks prompt a user for their credentials.
       Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.

Exploit
  1. Impersonate task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.
     Techniques:
       Prompt a user for their credentials, while making the user believe the credential request is legitimate.
       Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.
Prerequisites
  1. The adversary must already have access to the target system via some means.
  2. A legitimate task must exist that an adversary can impersonate to glean credentials.
  3. The user's privileges allow them to execute certain tasks with elevated privileges.

Resources Required
  1. Malware or some other means to initially compromise the target system.
  2. Additional malware to impersonate a legitimate task.

Skills Required
  Low: Once an adversary has gained access to the target system, impersonating a task is trivial.

Consequences
  Access Control: Gain Privileges
  Authentication: Gain Privileges

Example Instances
  1. An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read the user's encrypted email.
  2. An adversary prompts a user to authorize an elevation of privileges, implying that a background task needs additional permissions to execute. The user accepts the privilege elevation, allowing the adversary to execute additional malware or tasks with the user's privileges.
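The monitor-then-mimic behaviour described in the Extended Description, and the Outlook credential prompt in Example Instance 1, leave a recognisable trace in endpoint telemetry: a foreground window that carries a protected product's name but is owned by a process other than that product's binary, appearing shortly after the real application came to the foreground. The following detection logic is an added example written for this page; it is not part of the CAPEC entry or of any vendor product. The tab-separated event log (process_start and foreground events), the SAMPLE_LOG contents, the PROTECTED_APPS allow-list and the image paths in it are all constructed assumptions for the illustration.

```python
"""Detect CAPEC-504 style task impersonation in a process/window event log.

Added example, not part of the CAPEC entry. The log format, the sample
events, the field names and the allow-list are assumptions for this page.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (tab-separated): timestamp, event, pid, image path, window title.
# Process 4120 is the real Outlook; process 5588 is an impostor that raises a
# look-alike credential prompt two seconds after Outlook reaches the foreground.
# The 09:30 event is a genuine Outlook prompt and must not be flagged.
SAMPLE_LOG = (
    "2024-05-01T09:00:00Z\tprocess_start\t4120\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\t\n"
    "2024-05-01T09:00:02Z\tforeground\t4120\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\tInbox - Outlook\n"
    "2024-05-01T09:00:03Z\tprocess_start\t5588\tC:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe\t\n"
    "2024-05-01T09:00:04Z\tforeground\t5588\tC:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe\tMicrosoft Outlook - Enter your credentials\n"
    "2024-05-01T09:30:00Z\tforeground\t4120\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\tMicrosoft Outlook - Enter your credentials\n"
)

# Assumed allow-list: a window title naming one of these products may only be
# owned by the listed images (full path, compared case-insensitively).
PROTECTED_APPS = {
    "outlook": {"c:\\program files\\microsoft office\\root\\office16\\outlook.exe"},
}


@dataclass
class Event:
    ts: datetime
    kind: str
    pid: int
    image: str
    title: str


def parse_log(text: str) -> list[Event]:
    """Parse the tab-separated log into Event records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, pid, image, title = line.split("\t", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            kind, int(pid), image, title))
    return events


def detect_impersonation(events, protected=PROTECTED_APPS, window=timedelta(seconds=30)):
    """Flag foreground windows that borrow a protected product's name while being
    owned by an image outside the allow-list. When the real product was in the
    foreground within `window` before the suspicious window, the alert records
    that legitimate pid as the task being shadowed (the 'expected task' case in
    the Extended Description); otherwise shadowed_pid is None (the 'unexpected
    task' case, e.g. a spontaneous fake credential prompt)."""
    alerts = []
    last_legit_fg = {}  # product -> most recent foreground Event owned by the real app
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "foreground":
            continue
        title = ev.title.lower()
        for product, images in protected.items():
            if product not in title:
                continue
            if ev.image.lower() in images:
                last_legit_fg[product] = ev
                continue
            legit = last_legit_fg.get(product)
            shadowed = legit.pid if legit and ev.ts - legit.ts <= window else None
            alerts.append({
                "ts": ev.ts.isoformat(),
                "pid": ev.pid,
                "image": ev.image,
                "title": ev.title,
                "product": product,
                "shadowed_pid": shadowed,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_impersonation(parse_log(SAMPLE_LOG)):
        print(alert)
```

On a real endpoint the constructed log would be replaced by process-creation telemetry joined with a window-focus source, and the allow-list check should be backed by code-signing verification rather than path alone, since an impostor can be dropped next to or named like the genuine binary. The rule also only sees windows owned by a distinct process; a look-alike prompt drawn inside the legitimate process (for example via injected code) needs a different signal.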