Home > CAPEC List > CAPEC-654: Credential Prompt Impersonation (Version 3.3)  

CAPEC-654: Credential Prompt Impersonation

Attack Pattern ID: 654
Abstraction: Detailed
Status: Stable
Presentation Filter:
+ Description
An adversary, through a previously installed malicious application, impersonates a credential prompt in an attempt to steal a user's credentials. The adversary may monitor the task list maintained by the operating system and wait for a specific legitimate credential prompt to become active. Once the prompt is detected, the adversary launches a new credential prompt in the foreground that mimics the user interface of the legitimate credential prompt. At this point, the user thinks that they are interacting with the legitimate credential prompt, but instead they are interacting with the malicious credential prompt. A second approach involves the adversary impersonating an unexpected credential prompt, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process or commonly used application (e.g., email reader) requires authentication for some purpose. The user, believing they are interacting with a legitimate credential prompt, enters their credentials which the adversary then leverages for nefarious purposes. The ultimate goal of this attack is to obtain sensitive information (e.g., credentials) from the user.
+ Likelihood Of Attack

Medium

+ Typical Severity

High

+ Relationships

The table below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.504Task Impersonation

The table below shows the views that this attack pattern belongs to and top level categories within that view.

+ Execution Flow
Explore
  1. Determine suitable tasks to exploit: Determine what tasks exist on the target system that may result in a user providing their credentials.

    Techniques
    Determine what tasks prompt a user for their credentials.
Exploit
  1. Impersonate Task: Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials.

    Techniques
    Prompt a user for their credentials, while making the user believe the credential request is legitimate.
+ Prerequisites
The adversary must already have access to the target system via some means.
A legitimate task must exist that an adversary can impersonate to glean credentials.
+ Skills Required
[Level: Low]
Once an adversary has gained access to the target system, impersonating a credential prompt is not difficult.
+ Resources Required
Malware or some other means to initially comprise the target system. Additional malware to impersonate a legitimate credential prompt.
+ Indicators
Credential prompts that appear illegitimate or unexpected.
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

ScopeImpactLikelihood
Access Control
Authentication
Gain Privileges
+ Mitigations
The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.
+ Example Instances
An adversary monitors the system task list for Microsoft Outlook in an attempt to determine when the application may prompt the user to enter their credentials to view encrypted email. Once the task is executed, the adversary impersonates the credential prompt to obtain the user's Microsoft Outlook encryption credentials. These credentials can then be leveraged by the adversary to read a user's encrypted email.
An adversary randomly prompts a user to enter their system credentials, tricking the user into believing that a background process requires the credentials to function. The adversary can then use these gleaned credentials to execute additional attacks or obtain data.
+ Content History
Submissions
Submission DateSubmitterOrganization
2020-07-30CAPEC Content TeamThe MITRE Corporation
More information is available — Please select a different filter.
Page Last Updated or Reviewed: July 30, 2020