- Tactics
- Collection, Credential Access
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1056.003
Description
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
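Because the technique depends on altering files that serve the externally facing login page, one practical detection is to baseline the portal's web root and alert on any file that changes afterwards. The following file-integrity check is an added example, not part of the ATT&CK entry or GTK Cyber's material; the web root layout and file names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline, current):
    """Classify each path as added, removed, or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a portal web root, then detect a tampered login handler."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        (webroot / "include").mkdir()
        (webroot / "login.php").write_text("<?php require 'include/auth.php'; authenticate(); ?>\n")
        (webroot / "include" / "auth.php").write_text("<?php function authenticate() {} ?>\n")
        (webroot / "style.css").write_text("body { margin: 0; }\n")
        baseline = hash_tree(webroot)  # in practice: stored off-host or signed

        # Unexpected post-baseline changes: the login handler is edited, a new file
        # appears in the include directory, and one asset disappears (placeholder content).
        with (webroot / "login.php").open("a") as fh:
            fh.write("<?php require 'include/extra.php'; ?>\n")
        (webroot / "include" / "extra.php").write_text("<?php /* placeholder */ ?>\n")
        (webroot / "style.css").unlink()

        return diff_manifests(baseline, hash_tree(webroot))


if __name__ == "__main__":
    print(demo())
```

The baseline manifest must live outside the portal host (or be signed), and the comparison should run from a separate system on a schedule; otherwise an adversary using legitimate administrative access on the portal can simply rebaseline after modifying the login page.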
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Collection and Credential Access tactics this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1003 — OS Credential Dumping
- T1005 — Data from Local System
- T1025 — Data from Removable Media
- T1039 — Data from Network Shared Drive
- T1040 — Network Sniffing
- T1056 — Input Capture
- T1074 — Data Staged
- T1110 — Brute Force
- T1111 — Multi-Factor Authentication Interception
- T1113 — Screen Capture
- T1114 — Email Collection
- T1115 — Clipboard Data