Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0480: Detection of Credential Harvesting via Web Portal Modification

DET0480 is about detecting credential harvesting caused by modification of a web portal, tied to ATT&CK technique T1056.003 Web Portal Capture. The busines...

EnterpriseDET0480Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0480 is about detecting credential harvesting caused by modification of a web portal, tied to ATT&CK technique T1056.003 Web Portal Capture. The business issue is that a compromised login page, such as an externally facing portal, can turn a trusted access path into a credential collection point. For leaders, the key question is whether the organization can prove that changes to authentication portals are authorized, monitored, and investigated quickly enough to protect remote access and account integrity.

Executive priority

Prioritize this as an identity and business continuity risk where externally facing portals or remote access login pages are important to operations. The decision value is not just malware detection; it is control assurance around who can change portal code, how those changes are reviewed, and whether SOC and incident response teams can validate portal integrity during a suspected credential compromise. This also supports audit and compliance evidence for change control, privileged access governance, and monitoring of authentication infrastructure.

Technical view

The supplied ATT&CK object has no official description, detection logic, tactics, or platforms of its own. Its relationship to T1056.003 indicates the detection strategy should focus on evidence that a web portal used for authentication has been modified to capture and transmit submitted credentials. SOC and IR teams should validate monitoring around portal file/content changes, administrative access to portal infrastructure, authentication-page integrity, and suspicious outbound activity from the portal environment. Because the related technique is associated with collection and credential-access, investigations should connect portal-change evidence with authentication anomalies and potential credential misuse.

Likely telemetry

  • Web server and application logs for authentication portals
  • File integrity or content change monitoring for portal code and login page assets
  • Administrative access logs for systems hosting externally facing portals
  • Change management records for portal updates
  • Authentication logs for users accessing the affected portal

Detection direction

  • Validate that the SOC can distinguish approved portal updates from unauthorized web page or application code changes.
  • Correlate portal modifications with administrator logons, change tickets, deployment activity, and authentication events.
  • Review monitoring coverage for externally facing login pages, including VPN or other remote access portals where applicable to the environment.
  • Tune for false positives from legitimate deployments, emergency fixes, and scheduled maintenance while preserving alerting for changes outside approved windows or by unusual accounts.
  • During IR, treat unexplained portal modification as both a web/application compromise concern and a credential exposure concern; determine which users authenticated after the suspected change.

Mitigation priorities

  • Harden administrative access to portal infrastructure with least privilege and strong change control.
  • Maintain integrity monitoring or equivalent validation for authentication portal code and assets.
  • Require review and approval of changes to externally facing authentication pages.
  • Ensure logs from portal hosts, authentication systems, and network egress points are retained and available to SOC and IR teams.
  • Prepare incident response procedures for suspected credential capture, including portal integrity review and credential reset scoping based on authentication activity.
Analyst notes and limits

The strongest relationship-driven context is T1056.003 Web Portal Capture, which MITRE describes as adversaries installing code on externally facing portals to capture and transmit user credentials. DET0480 itself is a detection strategy object, but the supplied official fields do not include detailed detection analytics, data sources, or platforms. Glexia teams should use this as a control-validation prompt for identity, web application, remote access, SOC monitoring, and incident response readiness.

The DET0480 object has no official description, official detection text, tactics, labels, aliases, or platforms specified. Any concrete detection content must be derived from the relationship to T1056.003 and confirmed against local architecture, logging, and change management evidence. This summary does not assert active exploitation, attribution, impact, or existing detection coverage.

Official MITRE ATT&CK definition

Detection of Credential Harvesting via Web Portal Modification

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1056.003 Web Portal Capture Sub-technique This object detects Web Portal Capture.
Relationship explorer

All related ATT&CK context

detects · Technique T1056.003: Web Portal Capture Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
d4dfb4621138b761...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle d4dfb4621138…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0480
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use