Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1056.003 | Web Portal Capture |
| AC-3 | Access Enforcement | Protects | T1056.003 | Web Portal Capture |
| AC-5 | Separation of Duties | Protects | T1056.003 | Web Portal Capture |
| AC-6 | Least Privilege | Protects | T1056.003 | Web Portal Capture |
| CM-5 | Access Restrictions for Change | Protects | T1056.003 | Web Portal Capture |
| CM-6 | Configuration Settings | Protects | T1056.003 | Web Portal Capture |
| IA-2 | Identification and Authentication (organizational Users) | Protects | T1056.003 | Web Portal Capture |
| action.malware.variety.Capture app data | Capture data from application or system process | related-to | T1056.003 | Input Capture: Web Portal Capture |