T1056.003 Web Portal Capture

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise by exploitation of the externally facing web service.[1]

Item Value
ID T1056.003
Sub-techniques T1056.001, T1056.002, T1056.003, T1056.004
Tactics TA0009, TA0006
Platforms Linux, Windows, macOS
Version 1.0
Created 11 February 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
S1022 IceApple The IceApple OWA credential logger can monitor for OWA authentication requests and log the credentials.[2]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID Data Source Data Component
DS0022 File File Modification
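One way to act on the File Modification data component above is to keep a hash baseline of the login portal's web root and alert on files that change, appear, or disappear. The following is an added example, not code from MITRE or from any product; the portal directory, file names and tampering it uses are constructed inside a temporary directory so it runs offline.

```python
"""Detect unexpected modification of login-portal files (DS0022 File Modification).

Added example, not MITRE's code: records a SHA-256 baseline of a web root
and reports files that were added, changed or removed since the baseline.
The web root and its files below are constructed in a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in baseline if k in current and baseline[k] != current[k]
        ),
    }


def demo() -> dict:
    """Build a constructed portal, baseline it, then simulate a tampered login page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login.php").write_text("<?php // constructed login page\n")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body{}\n")
        baseline = hash_tree(root)
        # Simulated tampering: content appended to the login page, plus a new file.
        with open(root / "login.php", "a") as fh:
            fh.write("// constructed extra content appended by the demo\n")
        (root / "helper.php").write_text("<?php // constructed new file\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host and refreshed only through the change process, so that any drift outside an approved deployment is the alert.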

References