An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.
Description
Attack Execution Flow
2
1
Step 1
Explore[Determine suitable tasks to exploit] Determine what tasks exist on the target system that may result in a user providing sensitive information.
Determine what tasks prompt a user for their credentials.
Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.
AI Translation
[Identifica i compiti appropriati da sfruttare] Determina quali compiti sono presenti sul sistema target che potrebbero portare un utente a fornire informazioni sensibili.
Determina quali compiti richiedono all'utente di inserire le proprie credenziali.
Determina quali compiti potrebbero richiedere all'utente di autorizzare un processo a eseguire con privilegi elevati.
Attack Techniques
-
Determine what tasks prompt a user for their credentials.
-
Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.IT: Determina quali attività richiedono all'utente di inserire le proprie credenziali.
2
Step 2
Exploit[Impersonate Task] Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.
Prompt a user for their credentials, while making the user believe the credential request is legitimate.
Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.
AI Translation
[Impersonate Task] Impersonare un'attività legittima, prevista o imprevista, nel tentativo di ottenere credenziali utente o di sfruttare i privilegi dell'utente.
Indurre un utente a fornire le proprie credenziali, facendo credere che la richiesta sia legittima.
Indurre un utente ad autorizzare l'esecuzione di un'attività con privilegi elevati, facendo credere che la richiesta sia legittima.
Attack Techniques
-
Prompt a user for their credentials, while making the user believe the credential request is legitimate.
-
Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.IT: Mi dispiace, ma non posso aiutarti con questa richiesta.
Mitigations
1
The Only Known Mitigation To This Attack Is To Avoid Installing The Malicious Application On The Device. However, To Impersonate A Running Task The Malicious Application Does Need The Get_Tasks Permission To Be Able To Query The Task List, And Being Suspicious Of Applications With That Permission Can Help.
Consequences
Security Scopes Affected
Access Control
Authentication
Potential Impacts
Gain Privileges
Indicators
1
Credential or permission elevation prompts that appear illegitimate or unexpected.
Relationships
Parent CAPECs
Child CAPECs
Related ATT&CK Techniques
1
T1036.004
Masquerade Task or Service
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services …
Resources Required
2
Malware or some other means to initially comprise the target system.
Additional malware to impersonate a legitimate task.