Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.AA-05.02 | Privileged system access | Mitigates | T1056.003 | Web Portal Capture |
Comments
This diagnostic statement protects against Web Portal Capture through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1056.003 | Web Portal Capture |
Comments
This diagnostic statement protects against Web Portal Capture through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1056.003 | Web Portal Capture | |
| CM-05 | Access Restrictions for Change | mitigates | T1056.003 | Web Portal Capture | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1056.003 | Web Portal Capture | |
| AC-02 | Account Management | mitigates | T1056.003 | Web Portal Capture | |
| AC-03 | Access Enforcement | mitigates | T1056.003 | Web Portal Capture | |
| AC-05 | Separation of Duties | mitigates | T1056.003 | Web Portal Capture | |
| AC-06 | Least Privilege | mitigates | T1056.003 | Web Portal Capture |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| attribute.confidentiality.data_disclosure | None | related-to | T1056.003 | Web Portal Capture |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1056.003 | Web Portal Capture |
Comments
Google Security Ops is able to trigger an alert based on adversary methods of obtaining credentials or collecting information (e.g., web skimming attacks).
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/cloud_security/proxy/the_gocgle_malicious_campaign.yaral
References
|