216.73.217.22

T1056.003: T1056.003

View on MITRE ATT&CK The MITRE Corporation · Published 16/12/2025 19:38 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID
T1056.003
Confidence
100/100
Revoked
No
Published
16/12/2025 19:38
Modified
27/03/2026 01:10
Author / Source
The MITRE Corporation

Aliases

Web Portal Capture

Platforms

windows macos linux

Description

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)

Kill chain phases

Kill chainPhase
mitre-attack collection
mitre-attack credential-access

Marking (TLP)

TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (8)

  • APT28 uses IRON TWILIGHTSNAKEMACKEREL
    The MITRE Corporation Confidence 100

    [APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 08/04/2026 13:02
  • UNC6508 uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/06/2026 13:48 · Modified 16/06/2026 13:48
  • Winter Vivern uses UAC-0114TA473
    The MITRE Corporation Confidence 100

    Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targeting various European government and NGO entities, along with sporadic targeting of …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
  • BlueDelta uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 05:08 · Modified 21/12/2025 05:08
  • Kimsuky uses Black BansheeVelvet Chollima
    The MITRE Corporation Confidence 100

    [Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33
  • Fox Kitten uses UNC757Parisite
    The MITRE Corporation Confidence 100

    [Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • FIN7 uses GOLD NIAGARAITG14
    The MITRE Corporation Confidence 100

    [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13
  • Telekopye uses
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 08:12 · Modified 21/12/2025 08:12

Malware (17)

  • IceApple
  • HealthKick uses
    Family
    Published 28/04/2026 07:09 · Modified 28/04/2026 07:09
  • INFINITERED uses
    Family
    Published 15/06/2026 19:33 · Modified 15/06/2026 19:33
  • XWorm uses
    Family
    Published 27/03/2026 08:45 · Modified 27/03/2026 08:45
  • HeadLace uses
    Family
    Published 05/08/2024 08:30 · Modified 05/08/2024 08:30
  • Telekopye uses
    Family
    Published 17/11/2024 00:25 · Modified 17/11/2024 00:25
  • MageCart uses
    Family
    Published 13/02/2025 01:13 · Modified 13/02/2025 01:13
  • httd uses
    Family
    Published 18/03/2026 10:51 · Modified 18/03/2026 10:51
  • Carbanak - S0030 uses
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51
  • Rhadamanthys uses
    Family
    Published 29/04/2026 02:24 · Modified 29/04/2026 02:24
  • WARPWIRE
  • Gracewire uses
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51
  • Carbanak
  • GOVERSHELL uses
    Family
    Published 28/04/2026 07:09 · Modified 28/04/2026 07:09
  • EugenLoader uses
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51
  • Gremlin stealer uses
    Family
    Published 15/05/2026 15:23 · Modified 15/05/2026 15:23
  • SpyPress.Roundish uses
    Family
    Published 18/03/2026 10:51 · Modified 18/03/2026 10:51

Reports (15)

Attack patterns (MITRE) (1)

  • T1056 subtechnique-of
    Input Capture

Campaign (2)

  • Triton Safety Instrumented System Attack uses
  • Cutting Edge uses

Course Of Action (1)

  • Privileged Account Management mitigates