T1056.003 · SubTechnique · collection · credential-access · agent-callable

T1056.003 Web Portal Capture

Sub-technique of T1056

Platforms: Linux · macOS · Windows

ATT&CK version: 14.1

What it is

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)

ATT&CK tactics · 2

Collection · Credential Access

References

  1. https://attack.mitre.org/techniques/T1056/003
  2. https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.