Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e)
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This variation on input capture may be conducted post-compromise, using legitimate administrative access, as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise by exploitation of the externally facing web service. (Citation: Volexity Virtual Private Keylogging)
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e) | Attack Pattern | Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) | Attack Pattern | 1 |