| ID | Name |
|---|---|
| T1056.001 | Keylogging |
| T1056.002 | GUI Input Capture |
| T1056.003 | Web Portal Capture |
| T1056.004 | Credential API Hooking |
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.[1]
| ID | Name | Description |
|---|---|---|
| S1022 | IceApple |
The IceApple OWA credential logger can monitor for OWA authentication requests and log the credentials.[2] |
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management |
Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0022 | File | File Modification |
Monitor for changes made to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content. |