T1056.003

Web Portal Capture

SUB-TECHNIQUE Collection Credential Access

Description

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)

Platforms

LinuxmacOSWindows

Mitigations

M1026 — Privileged Account Management

Look up any technique

Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.

Our coverage

Operation HookedWing: 4-Year Phishing Campaign Hits 500+ Organizations Across Aviation, Energy, and Logistics

Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →