T1056.003: Web Portal Capture
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.[1]
Analyst context for executives and security teams
Web Portal Capture matters because a trusted external login page, such as a VPN portal, can become the credential theft point. If attackers modify a portal after compromising it, users may successfully log in while their usernames and passwords are captured in the background. For leaders, this turns an edge service compromise into an identity, remote access, and persistence problem, not just a web server issue.
Executive priority
Prioritize this where externally facing authentication portals provide access to sensitive networks or business-critical operations. The key decision questions are: who can modify portal code, how quickly would unauthorized changes be noticed, are privileged changes logged and reviewed, and would stolen credentials be contained by privileged account management and least privilege? This technique is especially relevant to incident response planning because a restored portal may not be enough if credentials entered during compromise remain valid.
Technical view
This is a sub-technique of Input Capture under credential-access and collection for Linux, macOS, and Windows environments. SOC, detection engineering, and IR teams should validate integrity monitoring and change review for externally facing login portals, especially VPN or remote access services. Because ATT&CK provides no official detection text for this object, teams should use the related detection strategy DET0480, Detection of Credential Harvesting via Web Portal Modification, as a direction to assess portal modification evidence, administrative activity, and outbound transmission indicators. Relationship context also connects this behavior to External Remote Services and Valid Accounts in the description, so investigation should include credential reuse and remote access log review after any portal compromise.
Likely telemetry
- Web portal file integrity and configuration change records
- Administrative login and privileged action logs for systems hosting external portals
- Web server, application server, and authentication portal access logs
- Remote access or VPN authentication logs before, during, and after suspected modification
- Outbound network connection logs from the portal host or service
Detection direction
- Baseline legitimate portal files, scripts, templates, and configuration so unauthorized modification is distinguishable from approved change.
- Correlate portal code or configuration changes with privileged account activity; focus on changes outside maintenance windows or by unusual administrators.
- Review authentication success patterns after portal modification because users may be logged in normally while credentials are captured.
- Tune for false positives from legitimate software updates, emergency maintenance, and approved branding or template changes.
- Validate whether externally facing portal hosts generate sufficient logs; lack of file integrity, admin audit, or outbound connection telemetry is a major blind spot.
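The baseline-and-correlate workflow from the detection direction above, carried through as an added example; this is not part of the mirrored ATT&CK object and is not any vendor's tooling. It assumes a portal document root on disk, an administrative write-audit feed, a VPN authentication log and a list of approved maintenance windows. All file names, log records, account names and timestamps are constructed, and the post-baseline change is simulated by appending a harmless comment to the login script, because only the hash change matters to the check.

```python
import hashlib
import os
import tempfile

# --- Constructed sample data (hypothetical; not taken from any real appliance) ---
PORTAL_FILES = {
    "login.html": "<form method='post' action='/auth'>...</form>\n",
    "js/login.js": "document.forms[0].onsubmit = validate;\n",
}
BASELINE_TS = "2024-04-30T23:00:00"          # when the approved baseline was taken
ADMIN_LOG = [                                # constructed privileged write records on the portal host
    {"ts": "2024-05-01T02:14:00", "user": "svc-deploy", "path": "js/login.js"},
]
MAINTENANCE_WINDOWS = [("2024-05-04T22:00:00", "2024-05-05T02:00:00")]
APPROVED_ADMINS = {"portal-admin"}           # accounts allowed to change portal code
VPN_AUTH_LOG = [                             # constructed remote-access authentication records
    {"ts": "2024-05-01T01:00:00", "user": "alice", "result": "success"},
    {"ts": "2024-05-01T03:20:00", "user": "bob", "result": "success"},
    {"ts": "2024-05-01T04:05:00", "user": "carol", "result": "failure"},
    {"ts": "2024-05-01T05:00:00", "user": "dave", "result": "success"},
]
# Timestamps are fixed-width ISO-8601 strings, so plain string comparison orders them correctly.


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every file under root; keys are forward-slash paths relative to root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def diff_against_baseline(root, baseline):
    """Modified, added and removed paths relative to the approved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def in_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def triage_changes(changes, admin_log, windows, approved_admins):
    """Attach the privileged actions that explain each change and give a verdict.

    unexplained: no audited write touched the path (integrity or audit gap)
    suspicious:  written by a non-approved account or outside a maintenance window
    approved:    every write was by an approved admin inside a window
    """
    findings = []
    for path in changes["modified"] + changes["added"]:
        events = [e for e in admin_log if e["path"] == path]
        if not events:
            verdict = "unexplained"
        elif all(e["user"] in approved_admins and in_window(e["ts"], windows) for e in events):
            verdict = "approved"
        else:
            verdict = "suspicious"
        findings.append({"path": path, "verdict": verdict, "events": events})
    return findings


def exposure_window_start(findings, baseline_ts):
    """Earliest time a non-approved change could have been live.

    An unexplained change has no timestamp, so the window falls back to the
    baseline time: anything since then must be treated as potentially captured.
    """
    starts = [min((e["ts"] for e in f["events"]), default=baseline_ts)
              for f in findings if f["verdict"] != "approved"]
    return min(starts) if starts else None


def accounts_to_rotate(findings, auth_log, baseline_ts):
    """Accounts that authenticated successfully while the changed portal was live."""
    start = exposure_window_start(findings, baseline_ts)
    if start is None:
        return []
    return sorted({a["user"] for a in auth_log if a["result"] == "success" and a["ts"] >= start})


def write_portal(root, files):
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)


def run_demo():
    """Build a baseline, simulate a later change, and run the full triage."""
    with tempfile.TemporaryDirectory() as root:
        write_portal(root, PORTAL_FILES)
        baseline = build_baseline(root)
        # Simulated post-baseline change: content is irrelevant, only the hash change matters.
        with open(os.path.join(root, "js/login.js"), "a") as f:
            f.write("// changed after baseline\n")
        changes = diff_against_baseline(root, baseline)
        findings = triage_changes(changes, ADMIN_LOG, MAINTENANCE_WINDOWS, APPROVED_ADMINS)
        return changes, findings, accounts_to_rotate(findings, VPN_AUTH_LOG, BASELINE_TS)


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

In the sample the script change is explained by an audited write from `svc-deploy`, which is not an approved portal administrator, so the change is flagged as suspicious and the accounts that logged in after that write are returned for rotation. Two points the code makes explicit: an unexplained change widens the rotation scope back to the baseline time, which is why the telemetry gap noted above is costly; and the baseline hashes should be stored off the portal host, since an attacker with administrative access to the host can rewrite a local baseline as easily as the login page.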
Mitigation priorities
- Apply privileged account management for portal administration: least privilege, role separation, monitored privileged access, and accountability through logging and auditing.
- Restrict who can alter externally facing authentication portal code, templates, and configuration.
- Require auditable change control for portal modifications and preserve evidence needed to distinguish approved from unauthorized changes.
- Harden and monitor externally facing remote access services because the technique may follow compromise of the web service or be used to maintain access through valid accounts.
- After suspected portal capture, rotate potentially exposed credentials and review valid-account usage associated with the portal.
Analyst notes and limits
The relationship set increases the materiality of this technique: ATT&CK links it to campaigns, groups, and software, including WARPWIRE targeting VPN credentials during Cutting Edge and IceApple on Windows IIS. These relationships should inform threat modeling and detection validation, but they should not be treated as proof of current exposure in a specific environment without local evidence.
ATT&CK does not provide official detection guidance for this technique, so detection recommendations are derived from the official description and the supplied DET0480 relationship. The object lists Linux, macOS, and Windows platforms; some related software references network devices, but platform applicability should be validated against the local portal technology. No claim of active exploitation or guaranteed detection is made.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056 | Input Capture | This object is a sub-technique of Input Capture. |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G1035: Winter Vivern
Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of Indian and US victims. The group leverages a combination of document-based phishing activity and server-side exploitation for initial access, leveraging adversary-controlled and -created infrastructure for follow-on command and control.[1][2][3][4][5]
S1116: WARPWIRE
WARPWIRE is a JavaScript credential stealer, used during Cutting Edge against Ivanti Connect Secure VPNs, that targets plaintext usernames and passwords for exfiltration.[1][2]
S1022: IceApple
C0030: Triton Safety Instrumented System Attack
Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.[1] The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.[2] The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.[3]
C0029: Cutting Edge
Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]
All related ATT&CK context
Mitigation direction
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 098f3df65592… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Volexity. Retrieved March 20, 2017.
- [2] MITRE ATT&CK. T1056.003: Web Portal Capture.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.