ATTACK-T1056.003Active

Web Portal Capture

Statement

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)

Location

Tactic: Collection

Technique Details

Identifier: ATTACK-T1056.003
Parent Technique: ATTACK-T1056
ATT&CK Page: View on MITRE

Tactics

CollectionCredential Access

Platforms

LinuxmacOSWindows

Detection

Detection of Credential Harvesting via Web Portal Modification

Mitigations

Privileged Account Management: Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

Implement RBAC and least privilege principles to allocate permissions securely.
Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

Tools for Implementation

Privileged Access Management (PAM):

CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

EquivalentPartialRelated

SP 800-53

SP800-53-AC-2relatedvia ctid-attack-to-sp800-53

SP800-53-AC-3relatedvia ctid-attack-to-sp800-53

SP800-53-AC-5relatedvia ctid-attack-to-sp800-53

SP800-53-AC-6relatedvia ctid-attack-to-sp800-53

SP800-53-CM-5relatedvia ctid-attack-to-sp800-53

View in graph Report an issue

← Back to Collection

Account Permissions and Roles:

Implement RBAC and least privilege principles to allocate permissions securely.
Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

Tools for Implementation

Privileged Access Management (PAM):

CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

Web Portal Capture

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings7

Web Portal Capture

Statement

Location

Technique Details

Tactics

Platforms

Detection

Mitigations

Cross-Framework Mappings7