Input Capture: Web Portal Capture (T1056.003)
Tactics: Collection, Credential Access · Platforms: Linux, macOS, Windows
The interactive view maps 1 detection strategy, 1 mitigation, 2 threat groups, 2 software entries, 2 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Input Capture (T1056).
Overview
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.