1. Home
  2. Techniques
  3. Enterprise
  4. Input Capture
  5. Web Portal Capture

Input Capture: Web Portal Capture

ID Name
T1056.001 Keylogging
T1056.002 GUI Input Capture
T1056.003 Web Portal Capture
T1056.004 Credential API Hooking

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.[1]

ID: T1056.003
Sub-technique of:  T1056
Platforms: Linux, Windows, macOS
Version: 1.1
Created: 11 February 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
C0029 Cutting Edge

During Cutting Edge, threat actors modified the JavaScript loaded by the Ivanti Connect Secure login page to capture credentials entered.[2]
S1022 IceApple

The IceApple OWA credential logger can monitor for OWA authentication requests and log the credentials.[3]
C0030 Triton Safety Instrumented System Attack

In the Triton Safety Instrumented System Attack, TEMP.Veles captured credentials as they were being changed by redirecting text-based login codes to websites they controlled.[4]
S1116 WARPWIRE

WARPWIRE can capture credentials submitted during the web logon process in order to access layer seven applications such as RDP.[5]
G1035 Winter Vivern

Winter Vivern registered and hosted domains to allow for creation of web pages mimicking legitimate government email logon sites to collect logon information.[6]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0480 Detection of Credential Harvesting via Web Portal Modification AN1320

Detects unauthorized modifications to login-facing web server files (e.g., index.php, login.js) typically tied to VPN, SSO, or intranet portals. Correlates suspicious file changes with remote access artifacts or web shell behavior.
AN1321

Detects tampering of IIS-based login pages (e.g., default.aspx, login.aspx) tied to VPN, OWA, or SharePoint via script injection or unexpected editor processes modifying web roots.
AN1322

Detects unauthorized changes to locally hosted login pages on macOS (common in developer VPN environments) and links file edits to cron jobs, background scripts, or SUID binaries.

References

  1. Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.
  2. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  3. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  1. Blake Sobczak. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024.
  2. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
  3. Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.