Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
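The defensive counterpart to this technique is knowing when the portal's own files change without an approved deployment, which is what the CM-05 and CM-06 mappings below point at. The following is an added example, not part of the ATT&CK entry or any vendor's code: it builds a SHA-256 baseline of a portal's web root and reports files that were added, removed or modified since the baseline was taken. The directory layout, file names and the appended comment that stands in for an unauthorized edit are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large static assets are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest.

    Run this right after an approved deployment and store the result
    somewhere the web server's service account cannot write to.
    """
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(baseline: dict, root: Path) -> dict:
    """Compare the live tree against a stored baseline.

    Any entry in 'modified' or 'added' under a login path is a candidate for
    an unapproved change to the portal and should be reviewed against the
    change-control record.
    """
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and current[p] != baseline[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny portal, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login.html").write_text(
            "<form method='post' action='/login'>...</form>\n"
        )
        (root / "static").mkdir()
        (root / "static" / "app.js").write_text("console.log('portal');\n")

        baseline = build_baseline(root)  # taken at deployment time

        # Constructed change: an edit to the login template that no
        # deployment accounts for, plus a file that was never deployed.
        with (root / "login.html").open("a") as fh:
            fh.write("<!-- unexpected change to login page -->\n")
        (root / "static" / "extra.js").write_text("// not in baseline\n")

        return diff_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is produced by the deployment pipeline and compared on a schedule from a host the portal's service account cannot reach; a diff that does not match a change ticket is the signal to investigate. The check deliberately does not try to interpret file contents, so it catches template, script and configuration edits alike.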
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1056.003 | Web Portal Capture | |
CM-05 | Access Restrictions for Change | mitigates | T1056.003 | Web Portal Capture | |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1056.003 | Web Portal Capture | |
AC-02 | Account Management | mitigates | T1056.003 | Web Portal Capture | |
AC-03 | Access Enforcement | mitigates | T1056.003 | Web Portal Capture | |
AC-05 | Separation of Duties | mitigates | T1056.003 | Web Portal Capture | |
AC-06 | Least Privilege | mitigates | T1056.003 | Web Portal Capture | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
attribute.confidentiality.data_disclosure | None | related-to | T1056.003 | Web Portal Capture | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
google_secops | Google Security Operations | technique_scores | T1056.003 | Web Portal Capture | |
Comments

Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks).

This technique was scored as minimal based on a low or uncertain detection coverage factor.

https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral