T1056.003: Web Portal Capture

View on MITRE ATT&CK	T1056.003
Tactic(s)	Collection, Credential Access

Data from MITRE ATT&CK®:

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Reporting on this Technique

Report

APT40 Advisory - PRC MSS tradecraft in action

This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...

View Source

Mitigations for this technique

MITRE ATT&CK Mitigations

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

How to detect this technique

MITRE ATT&CK Data Components

File Modification (File)

Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
CM-5: Access Restrictions for Change
AC-3: Access Enforcement
AC-6: Least Privilege
AC-5: Separation of Duties
CM-6: Configuration Settings
IA-2: Identification and Authentication (organizational Users)
AC-2: Account Management