Detect Web Portal Capture in Google Chronicle
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. A compromised login page may log provided user credentials before logging the user in to the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise by exploitation of the externally facing web service. Notable examples include IceApple's OWA credential logger, WARPWIRE targeting Ivanti VPN portals, and Winter Vivern mimicking government email logon sites.
MITRE ATT&CK
- Tactic: Collection, Credential Access
- Technique: T1056 Input Capture
- Sub-technique: T1056.003 Web Portal Capture
- Canonical reference: https://attack.mitre.org/techniques/T1056/003/
YARA-L Detection Query
rule T1056_003_web_portal_capture_file_drop {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1056.003 Web Portal Capture: web server process creating executable script files in externally-facing portal directories, indicating credential capture implant installation (e.g. IceApple OWA logger, WARPWIRE on Ivanti VPN)"
    reference = "https://attack.mitre.org/techniques/T1056/003/"
    severity = "HIGH"
    confidence = "MEDIUM"
    mitre_tactic = "Collection"
    mitre_technique = "T1056.003"
    mitre_subtechnique = "Web Portal Capture"
    platform = "Windows, Linux"
  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.principal.process.file.full_path = /w3wp\.exe|iisexpress\.exe|httpd|nginx|apache2|tomcat|node|python|ruby|php-cgi/ nocase
    $e.target.file.full_path = /\\inetpub\\|\\wwwroot\\|\\webroot\\|\\owa\\|\\ecp\\|\\vpn\\|\\sslvpn\\|\\exchange\\|\/var\/www\/|\/opt\/web\/|\/usr\/share\/nginx/ nocase
    $e.target.file.full_path = /\.(aspx|asp|php|jsp|js|html|htm|config)$/ nocase
  condition:
    $e
}

rule T1056_003_web_portal_capture_shell_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1056.003 Web Portal Capture: web server process spawning a shell or script interpreter, indicating web shell execution or an active credential capture script running in web process context"
    reference = "https://attack.mitre.org/techniques/T1056/003/"
    severity = "CRITICAL"
    confidence = "HIGH"
    mitre_tactic = "Collection"
    mitre_technique = "T1056.003"
    mitre_subtechnique = "Web Portal Capture"
    platform = "Windows, Linux"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /w3wp\.exe|iisexpress\.exe|httpd|nginx|apache2/ nocase
    $e.target.process.file.full_path = /cmd\.exe|powershell\.exe|\/bin\/bash|\/bin\/sh|python3?|perl|whoami\.exe|net\.exe|certutil\.exe|bitsadmin\.exe|wscript\.exe|cscript\.exe/ nocase
  condition:
    $e
}

These two Google Chronicle YARA-L 2.0 rules provide complementary T1056.003 Web Portal Capture coverage. Rule 1 (T1056_003_web_portal_capture_file_drop, HIGH severity, MEDIUM confidence) triggers on FILE_CREATION UDM events where a recognized web server process creates files with web-executable extensions in portal-specific directory paths: IIS inetpub/wwwroot, OWA/ECP Exchange paths, VPN portal directories, and Linux web roots. Rule 2 (T1056_003_web_portal_capture_shell_spawn, CRITICAL severity, HIGH confidence) triggers on PROCESS_LAUNCH UDM events where IIS w3wp.exe, Apache httpd, or nginx directly spawns a command interpreter, a strong indicator of an active web shell or credential capture script executing in the web server context. Deploy both rules: Rule 2 has higher fidelity for active exploitation, and Rule 1 catches the implant installation phase. Both require UDM normalization of Windows Sysmon or EDR telemetry to the FILE_CREATION and PROCESS_LAUNCH event types.
False Positives & Tuning
- Legitimate web deployment automation (Ansible playbooks, Chef recipes, Puppet manifests) that apply application updates by writing portal script files through a temporary web server process context during change management windows
- IIS application initialization module warm-up sequences that cause w3wp.exe to precompile ASPX views and spawn the ASP.NET compiler (csc.exe) as a child process, which may match the shell-spawn rule if compiler paths overlap with monitored interpreter patterns
- Web application firewall inline agents or reverse proxy health monitors writing challenge response tokens or temporary diagnostic files to web-accessible directories as part of certificate renewal or availability checking workflows
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Credential Capture File Creation in IIS Web Root
  Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=C:\inetpub\wwwroot\login_helper.php, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FolderPath contains \inetpub\wwwroot\, FileName=login_helper.php. Security Event 4663 if SACL auditing is enabled on the wwwroot directory.
- Test 2: Web Server Process Spawning Command Shell (WebShell Simulation)
  Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. Sysmon Event ID 11: TargetFilename=C:\Windows\Temp\webshell_test.txt. Security Event 4688 with NewProcessName=cmd.exe if process creation auditing is enabled.
- Test 3: Inject Credential Capture Code into Existing ASPX Login Page
  Expected signal: Sysmon Event ID 11 (FileCreate/Modify): TargetFilename=C:\inetpub\wwwroot\testportal\login.aspx, Image=powershell.exe. DeviceFileEvents: ActionType=FileModified, FileName=login.aspx, FolderPath contains \inetpub\wwwroot\. Security Event 4663 if SACL file auditing is configured on the web root.
- Test 4: Simulate Credential Exfiltration via Web Server Outbound HTTP
  Expected signal: Sysmon Event ID 3 (Network Connection): Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9001, Protocol=tcp. DeviceNetworkEvents: InitiatingProcessFileName=powershell.exe, RemotePort=9001. PowerShell ScriptBlock Log Event ID 4104 showing the HTTP POST with credential parameters.
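To exercise the two rules' regexes against sample telemetry before deploying them, and to see how the Atomic tests above relate to the rule predicates, the following Python re-implementation of the matching logic is an added example (not Chronicle's or the rule author's code). It assumes YARA-L's `= /regex/ nocase` behaves as an unanchored, case-insensitive match, and it uses constructed events, including the Test 1 and Test 2 scenarios, whose parent processes (cmd.exe and powershell.exe) do not satisfy either rule's web-server-process condition.

```python
import re

# Patterns copied from the two rules above. YARA-L's `= /regex/ nocase` is an
# unanchored, case-insensitive match, mirrored here with re.search and re.I.
WEB_PROC = re.compile(r"w3wp\.exe|iisexpress\.exe|httpd|nginx|apache2|tomcat|node|python|ruby|php-cgi", re.I)
PORTAL_DIR = re.compile(r"\\inetpub\\|\\wwwroot\\|\\webroot\\|\\owa\\|\\ecp\\|\\vpn\\|\\sslvpn\\|\\exchange\\"
                        r"|/var/www/|/opt/web/|/usr/share/nginx", re.I)
SCRIPT_EXT = re.compile(r"\.(aspx|asp|php|jsp|js|html|htm|config)$", re.I)
WEB_PARENT = re.compile(r"w3wp\.exe|iisexpress\.exe|httpd|nginx|apache2", re.I)
INTERPRETER = re.compile(r"cmd\.exe|powershell\.exe|/bin/bash|/bin/sh|python3?|perl|whoami\.exe|net\.exe"
                         r"|certutil\.exe|bitsadmin\.exe|wscript\.exe|cscript\.exe", re.I)


def rule_file_drop(event_type: str, principal: str, target: str) -> bool:
    """Rule 1: a web server process creates a web-executable file inside a portal directory."""
    return (event_type == "FILE_CREATION" and WEB_PROC.search(principal) is not None
            and PORTAL_DIR.search(target) is not None and SCRIPT_EXT.search(target) is not None)


def rule_shell_spawn(event_type: str, principal: str, target: str) -> bool:
    """Rule 2: a web server process directly launches a shell or script interpreter."""
    return (event_type == "PROCESS_LAUNCH" and WEB_PARENT.search(principal) is not None
            and INTERPRETER.search(target) is not None)


# Constructed sample telemetry as (id, UDM event_type, principal process path,
# target file or target process path); none of it is real data.
SAMPLE_EVENTS = [
    # IceApple-style implant drop: the IIS worker writes an ASPX under \owa\.
    ("drop-owa", "FILE_CREATION", r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\inetpub\wwwroot\owa\auth\logon.aspx"),
    # Test 1 as described above: cmd.exe, not a web server process, writes the file.
    ("atomic-1", "FILE_CREATION", r"C:\Windows\System32\cmd.exe",
     r"C:\inetpub\wwwroot\login_helper.php"),
    # Live web shell: the IIS worker spawns cmd.exe.
    ("spawn-cmd", "PROCESS_LAUNCH", r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\System32\cmd.exe"),
    # Test 2 as described above: the parent is powershell.exe, which Rule 2 does not key on.
    ("atomic-2", "PROCESS_LAUNCH", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\cmd.exe"),
    # Tuning caveat: `net\.exe` is an unanchored substring and also hits dotnet.exe.
    ("fp-dotnet", "PROCESS_LAUNCH", r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Program Files\dotnet\dotnet.exe"),
]

RULES = (("file_drop", rule_file_drop), ("shell_spawn", rule_shell_spawn))


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Map each event id to the names of the rules that fired on it."""
    return {ev[0]: [name for name, fn in RULES if fn(*ev[1:])] for ev in events}
```

Running `evaluate()` shows that only the w3wp.exe-parented events fire, so the Atomic tests as written validate the telemetry pipeline rather than the rule logic itself, and that the dotnet.exe case is worth excluding during tuning.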
References (8)
- https://attack.mitre.org/techniques/T1056/003/
- https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
- https://www.mandiant.com/resources/blog/cutting-edge-suspected-apt-targets-ivanti-connect-secure-vpn-in-new-zero-day-exploitation
- https://www.crowdstrike.com/blog/iceapple-a-novel-internet-information-services-post-exploitation-framework/
- https://www.sentinelone.com/labs/winter-vivern-all-summer-long-unattributed-threat-actor-from-russia-or-belarus/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.003/T1056.003.md
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system