Description
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This variation on input capture may be conducted post-compromise, using legitimate administrative access, as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise through exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
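A defender-side check that follows from the description above, added here as an example and not code from the ATT&CK page or any vendor: take a SHA-256 baseline of the files that serve the login portal while the appliance is known-good, re-hash later, and report every added, removed or modified file. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Baseline-and-diff integrity check for the files that serve a login portal."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Construct a toy portal tree, baseline it, alter it, and diff (all constructed data)."""
    with tempfile.TemporaryDirectory() as root:
        portal = Path(root)
        (portal / "auth").mkdir()
        (portal / "auth" / "login.cgi").write_text("#!/bin/sh\n# constructed placeholder handler\n")
        (portal / "static").mkdir()
        (portal / "static" / "app.js").write_text("// constructed placeholder script\n")
        baseline = hash_tree(root)  # captured while the portal is known-good
        # Simulate what the technique leaves behind: the login handler's content
        # changes and an unexpected file appears beside it. Contents are placeholders.
        (portal / "auth" / "login.cgi").write_text("#!/bin/sh\n# changed after baseline\n")
        (portal / "auth" / "helper.cgi").write_text("# constructed unexpected file\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is stored off-box (an attacker with administrative access to the appliance could otherwise re-baseline), and any change to handler or script files under the authentication path is reviewed before being accepted.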
Platforms
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems. |
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has collected credentials from a fake Google account login page.(Citation: FBI_KimsukyQR_Jan2026) |
| G1035 | Winter Vivern | [Winter Vivern](https://attack.mitre.org/groups/G1035) registered and hosted domains to allow for creation of web pages mimicking legitimate governmen... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1116 | WARPWIRE | Malware | [WARPWIRE](https://attack.mitre.org/software/S1116) can capture credentials submitted during the web logon process in order to access layer seven appl... |
| S1022 | IceApple | Malware | The [IceApple](https://attack.mitre.org/software/S1022) OWA credential logger can monitor for OWA authentication requests and log the credentials.(Cit... |
References
Frequently Asked Questions
What is T1056.003 (Web Portal Capture)?
T1056.003 is a MITRE ATT&CK technique named 'Web Portal Capture'. It belongs to the Collection, Credential Access tactic(s). Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login...
How can T1056.003 be detected?
Detection of T1056.003 (Web Portal Capture) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1056.003?
There is 1 documented mitigation for T1056.003: Privileged Account Management.
Which threat groups use T1056.003?
Known threat groups using T1056.003 include: Kimsuky, Winter Vivern.