CAPEC-504 Task Impersonation

CAPEC ID: 504

CAPEC-504 Metadata

Likelihood of Attack

Medium

Typical Severity

High

Overview

Summary

An adversary, through a previously installed malicious application, impersonates an expected or routine task in an attempt to steal sensitive information or leverage a user's privileges.

Prerequisites

The adversary must already have access to the target system via some means. A legitimate task must exist that an adversary can impersonate to glean credentials. The user's privileges allow them to execute certain tasks with elevated privileges.

Execution Flow

Step 1
Phase: Explore
Description: [Determine suitable tasks to exploit] Determine what tasks exist on the target system that may result in a user providing sensitive information.
Techniques:
  • Determine what tasks prompt a user for their credentials.
  • Determine what tasks may prompt a user to authorize a process to execute with elevated privileges.

Step 2
Phase: Exploit
Description: [Impersonate Task] Impersonate a legitimate task, either expected or unexpected, in an attempt to gain user credentials or to ride the user's privileges.
Techniques:
  • Prompt a user for their credentials, while making the user believe the credential request is legitimate.
  • Prompt a user to authorize a task to run with elevated privileges, while making the user believe the request is legitimate.

Potential Solutions / Mitigations

The only known mitigation to this attack is to avoid installing the malicious application on the device. However, to impersonate a running task the malicious application does need the GET_TASKS permission to be able to query the task list, and being suspicious of applications with that permission can help.
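
A pre-install check for the GET_TASKS permission named above can be automated. This is an added example, not part of the CAPEC entry: it assumes the manifest has already been decoded to text XML, and the function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
# Permission named in the mitigation text above.
WATCHED = {"android.permission.GET_TASKS"}
# Both element forms declare a requested permission.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def audit_manifest(manifest_xml):
    """Return (package, watched permissions requested), or None if unparseable."""
    try:
        root = ET.fromstring(manifest_xml)
    except ET.ParseError:
        return None
    requested = set()
    for tag in PERMISSION_TAGS:
        for node in root.iter(tag):
            name = (node.get(NAME_ATTR) or "").strip()
            if name in WATCHED:
                requested.add(name)
    return root.get("package", "<unknown>"), sorted(requested)


def review_queue(manifests):
    """Return package names whose manifests request a watched permission."""
    flagged = []
    for xml_text in manifests:
        result = audit_manifest(xml_text)
        if result and result[1]:
            flagged.append(result[0])
    return flagged


# Constructed sample manifests (not taken from real applications).
SAMPLE_FLASHLIGHT = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
</manifest>"""
SAMPLE_NOTES = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for pkg in review_queue([SAMPLE_FLASHLIGHT, SAMPLE_NOTES, "<manifest"]):
        print(f"review before install: {pkg} requests GET_TASKS")
```

A flagged package is a prompt for manual review, not proof of malice.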

Related Weaknesses (CWE)

CWE ID Description
CWE-1021 Improper Restriction of Rendered UI Layers or Frames

Related CAPECs

CAPEC ID Description
CAPEC-173 An adversary is able to disguise one action for another and therefore trick a user into initiating one type of action when they intend to initiate a different action. For example, a user might be led to believe that clicking a button will submit a query, but in fact it downloads software. Adversaries may perform this attack through social means, such as by simply convincing a victim to perform the action or relying on a user's natural inclination to do so, or through technical means, such as a clickjacking attack where a user sees one interface but is actually interacting with a second, invisible, interface.

Taxonomy Mappings

Taxonomy: ATT&CK

Entry ID Entry Name
1036.004 Masquerading: Masquerade Task or Service
