T1056.003 Web Portal Capture Mappings

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1056.003 Web Portal Capture
AC-3 Access Enforcement Protects T1056.003 Web Portal Capture
AC-5 Separation of Duties Protects T1056.003 Web Portal Capture
AC-6 Least Privilege Protects T1056.003 Web Portal Capture
CM-5 Access Restrictions for Change Protects T1056.003 Web Portal Capture
CM-6 Configuration Settings Protects T1056.003 Web Portal Capture
IA-2 Identification and Authentication (organizational Users) Protects T1056.003 Web Portal Capture