MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1056.003: Web Portal Capture

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts or as part of the initial compromise by exploitation of the externally facing web service.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

web_servers_abnormal_activity: PT-CR-1975: Web_Servers_Abnormal_Activity_CaptivePortal_Custom_Page: An attacker can create a custom captive portal page to collect confidential user data

Detection

ID: DS0022
Data source and component: File: File Modification
Description:

Monitor for changes to files in the Web directory that hold the organization's login pages, and alert on modifications that do not match authorized updates to the Web server's content.
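As an added illustration of this detection (not part of the MaxPatrol SIEM rule or the ATT&CK text), the following script baselines SHA-256 hashes of a constructed set of login-page files, then flags any file whose current hash matches neither the baseline nor an approved-change manifest; the file names, the manifest format and the temporary web root are assumptions for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical set of login-portal files to watch under the web root.
LOGIN_PAGES = ("login.php", "index.html", "auth.js")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def baseline(web_root: Path) -> dict:
    """Record a hash for each monitored login-page file that exists."""
    return {n: sha256_of(web_root / n) for n in LOGIN_PAGES if (web_root / n).exists()}


def detect_unauthorized_changes(web_root: Path, base: dict, approved: dict) -> list:
    """Return (file, reason) for files that changed since the baseline without a
    matching entry in the approved-change manifest (file -> expected hash)."""
    alerts = []
    for name, old_hash in base.items():
        path = web_root / name
        if not path.exists():
            alerts.append((name, "deleted"))
            continue
        new_hash = sha256_of(path)
        if new_hash == old_hash or approved.get(name) == new_hash:
            continue  # unchanged, or an authorized update from the change record
        alerts.append((name, "unauthorized modification"))
    return alerts


def demo() -> list:
    """Constructed scenario: one approved update, one unapproved edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in LOGIN_PAGES:
            (root / name).write_text(f"original {name}")
        base = baseline(root)
        # Authorized content update, recorded in the change manifest.
        (root / "index.html").write_text("new banner")
        approved = {"index.html": hashlib.sha256(b"new banner").hexdigest()}
        # Unapproved edit to the login page: not in the manifest, so it must alert.
        (root / "login.php").write_text("original login.php plus an unreviewed edit")
        return detect_unauthorized_changes(root, base, approved)


if __name__ == "__main__":
    print(demo())
```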

Mitigation

ID: M1026
Name: Privileged Account Management
Description:

Do not allow administrator accounts that have permissions to modify the Web content of organization login portals to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.