Detect Web Portal Capture in IBM QRadar
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. A compromised login page may log provided user credentials before logging the user in to the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise by exploitation of the externally facing web service. Notable examples include IceApple's OWA credential logger, WARPWIRE targeting Ivanti VPN portals, and Winter Vivern mimicking government email logon sites.
MITRE ATT&CK
- Tactic: Collection, Credential Access
- Technique: T1056 Input Capture
- Sub-technique: T1056.003 Web Portal Capture
- Canonical reference: https://attack.mitre.org/techniques/T1056/003/
QRadar Detection Query
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSourceName,
    sourceip AS SourceIP,
    username AS UserName,
    QIDNAME(qid) AS EventName,
    "Image" AS ProcessImage,
    "CommandLine" AS CommandLine,
    "ParentImage" AS ParentImage,
    "TargetFilename" AS TargetFilename,
    CATEGORYNAME(category) AS Category,
    CASE
        WHEN QIDNAME(qid) LIKE '%File Create%' THEN 'WebFileCreation'
        WHEN ("Image" LIKE '%cmd.exe' OR "Image" LIKE '%powershell.exe' OR "Image" LIKE '%bash.exe' OR "Image" LIKE '%sh.exe')
             AND ("ParentImage" LIKE '%w3wp.exe' OR "ParentImage" LIKE '%iisexpress.exe' OR "ParentImage" LIKE '%httpd%' OR "ParentImage" LIKE '%nginx%')
             THEN 'WebShellSpawn'
        WHEN "Image" LIKE '%w3wp.exe' OR "Image" LIKE '%iisexpress.exe' THEN 'WebProcessCredentialExec'
        ELSE 'Unknown'
    END AS EventType,
    (CASE WHEN "TargetFilename" LIKE '%inetpub%' OR "TargetFilename" LIKE '%wwwroot%'
               OR "TargetFilename" LIKE '%\owa\%' OR "TargetFilename" LIKE '%\ecp\%'
               OR "TargetFilename" LIKE '%\vpn\%' OR "TargetFilename" LIKE '%/var/www/%'
          THEN 1 ELSE 0 END
     + CASE WHEN LOWER("CommandLine") LIKE '%password%' OR LOWER("CommandLine") LIKE '%credential%'
               OR LOWER("CommandLine") LIKE '%passwd%' OR LOWER("CommandLine") LIKE '%username%'
               OR LOWER("CommandLine") LIKE '%token%' OR LOWER("CommandLine") LIKE '%cookie%'
          THEN 1 ELSE 0 END
     + CASE WHEN ("Image" LIKE '%cmd.exe' OR "Image" LIKE '%powershell.exe' OR "Image" LIKE '%bash.exe' OR "Image" LIKE '%sh.exe')
               AND ("ParentImage" LIKE '%w3wp.exe' OR "ParentImage" LIKE '%iisexpress.exe'
                    OR "ParentImage" LIKE '%httpd%' OR "ParentImage" LIKE '%nginx%')
          THEN 1 ELSE 0 END) AS SuspicionScore
FROM events
WHERE
    devicetime > (CURRENT_TIMESTAMP - 86400000)
    AND (
        (
            ("TargetFilename" LIKE '%\inetpub\%' OR "TargetFilename" LIKE '%\wwwroot\%'
             OR "TargetFilename" LIKE '%\owa\%' OR "TargetFilename" LIKE '%\ecp\%'
             OR "TargetFilename" LIKE '%\vpn\%' OR "TargetFilename" LIKE '%\sslvpn\%'
             OR "TargetFilename" LIKE '%/var/www/%' OR "TargetFilename" LIKE '%/opt/web/%')
            AND ("TargetFilename" LIKE '%.aspx' OR "TargetFilename" LIKE '%.asp'
                 OR "TargetFilename" LIKE '%.php' OR "TargetFilename" LIKE '%.jsp'
                 OR "TargetFilename" LIKE '%.js' OR "TargetFilename" LIKE '%.config')
            AND ("Image" LIKE '%\w3wp.exe' OR "Image" LIKE '%\iisexpress.exe'
                 OR "Image" LIKE '%\httpd.exe' OR "Image" LIKE '%\nginx.exe'
                 OR "Image" LIKE '%/httpd' OR "Image" LIKE '%/nginx' OR "Image" LIKE '%/apache2')
        )
        OR (
            ("ParentImage" LIKE '%\w3wp.exe' OR "ParentImage" LIKE '%\iisexpress.exe'
             OR "ParentImage" LIKE '%\httpd.exe' OR "ParentImage" LIKE '%/httpd'
             OR "ParentImage" LIKE '%/nginx' OR "ParentImage" LIKE '%/apache2')
            AND ("Image" LIKE '%\cmd.exe' OR "Image" LIKE '%\powershell.exe'
                 OR "Image" LIKE '%\bash.exe' OR "Image" LIKE '%\sh.exe'
                 OR "Image" LIKE '%\net.exe' OR "Image" LIKE '%\whoami.exe'
                 OR "Image" LIKE '%/bash' OR "Image" LIKE '%/sh' OR "Image" LIKE '%/python%')
        )
        OR (
            ("Image" LIKE '%\w3wp.exe' OR "Image" LIKE '%\iisexpress.exe')
            AND (
                LOWER("CommandLine") LIKE '%password%' OR LOWER("CommandLine") LIKE '%credential%'
                OR LOWER("CommandLine") LIKE '%username%' OR LOWER("CommandLine") LIKE '%passwd%'
                OR LOWER("CommandLine") LIKE '%token%' OR LOWER("CommandLine") LIKE '%cookie%'
                OR LOWER("CommandLine") LIKE '%session%'
            )
        )
    )
ORDER BY EventTime DESC, SuspicionScore DESC

This IBM QRadar AQL query detects T1056.003 Web Portal Capture using Sysmon and Windows Security event log data ingested via QRadar DSMs. It identifies three behaviour clusters: script-file creation in web portal directories (inetpub, wwwroot, OWA, ECP, VPN, /var/www) by recognized web server processes; shells or interpreters spawned directly from IIS/Apache/Nginx parent processes; and IIS worker processes executing with credential-related keywords in their command-line arguments. A computed SuspicionScore (0-3) sums the three indicators to prioritize analyst triage. It requires a Sysmon log source mapped in QRadar with Event ID 1 (Process Create) and Event ID 11 (File Create), and the normalized fields Image, ParentImage, CommandLine, and TargetFilename available as custom event properties.
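To check the query's logic before deploying it, the following is an added Python re-implementation (not from the page, IBM, or QRadar) of the WHERE clusters and the SuspicionScore, run over constructed Sysmon-style events; it assumes AQL LIKE is case-sensitive, which is why the query lower-cases only CommandLine.

```python
# Added example, not from the page or QRadar: mirrors the AQL query's WHERE clusters
# and SuspicionScore over constructed events; assumes case-sensitive LIKE, as the query's LOWER() implies.
WEB_ROOTS = ("\\inetpub\\", "\\wwwroot\\", "\\owa\\", "\\ecp\\", "\\vpn\\",
             "\\sslvpn\\", "/var/www/", "/opt/web/")
WEB_EXTS = (".aspx", ".asp", ".php", ".jsp", ".js", ".config")
WEB_SERVERS = ("\\w3wp.exe", "\\iisexpress.exe", "\\httpd.exe", "\\nginx.exe",
               "/httpd", "/nginx", "/apache2")
WEB_PARENTS = tuple(p for p in WEB_SERVERS if p != "\\nginx.exe")  # the WHERE omits nginx.exe here
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\bash.exe", "\\sh.exe",
          "\\net.exe", "\\whoami.exe", "/bash", "/sh")
CRED_WORDS = ("password", "credential", "username", "passwd", "token",
              "cookie", "session")  # the SELECT's score omits "session"

def ends_any(v, suffixes): return any(v.endswith(s) for s in suffixes)  # LIKE '%x'
def has_any(v, subs): return any(s in v for s in subs)                 # LIKE '%x%'

def fields(ev):  # Image, ParentImage, TargetFilename, LOWER(CommandLine)
    return (ev.get("Image", ""), ev.get("ParentImage", ""),
            ev.get("TargetFilename", ""), ev.get("CommandLine", "").lower())

def matches_where(ev):
    """The three WHERE clusters; an event must hit one to be returned at all."""
    img, par, tf, cmd = fields(ev)
    file_create = has_any(tf, WEB_ROOTS) and ends_any(tf, WEB_EXTS) and ends_any(img, WEB_SERVERS)
    shell_spawn = ends_any(par, WEB_PARENTS) and (ends_any(img, SHELLS) or "/python" in img)
    cred_exec = ends_any(img, WEB_SERVERS[:2]) and has_any(cmd, CRED_WORDS)
    return file_create or shell_spawn or cred_exec

def suspicion_score(ev):
    """Mirror of the SELECT's 0-3 score; its patterns are looser than the WHERE filter."""
    img, par, tf, cmd = fields(ev)
    in_root = has_any(tf, ("inetpub", "wwwroot", "\\owa\\", "\\ecp\\", "\\vpn\\", "/var/www/"))
    shell = ends_any(img, SHELLS[:4]) and (ends_any(par, WEB_PARENTS[:2]) or has_any(par, ("httpd", "nginx")))
    return int(in_root) + int(has_any(cmd, CRED_WORDS[:6])) + int(shell)

def run(events):
    """Rows the query would return, as (TargetFilename or Image, SuspicionScore)."""
    return [(e.get("TargetFilename") or e["Image"], suspicion_score(e))
            for e in events if matches_where(e)]

# Constructed events: IIS worker writing a logon page; shell spawned by IIS; the page's Test 1 signal.
SAMPLE_EVENTS = [
    {"EventName": "File Create", "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\owa\\auth\\logon.aspx"},
    {"EventName": "Process Create", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventName": "File Create", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\login_helper.php"},
]
```

The third constructed event reproduces the expected signal of Test 1 in the Testing Methodology (Image=cmd.exe writing login_helper.php) and is filtered out, because the file-creation cluster requires the writing process to be the web server itself; keep that in mind when using that test to validate the rule.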
False Positives & Tuning
- Automated application deployment tools (Octopus Deploy, Azure Pipelines release agents) that run under IIS application pool identity and write updated ASPX files directly to the wwwroot during a production deployment window
- Web application frameworks performing dynamic compilation or template rendering (ASP.NET Razor view compilation, JSP precompilation by Tomcat) that cause the web server process to write compiled artifacts to temporary directories under the web root
- Third-party web application monitoring agents (Dynatrace, AppDynamics, New Relic) that inject into the IIS worker process and create temporary instrumentation files or spawn short-lived diagnostic child processes with credential-adjacent field names in their arguments
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Simulate Credential Capture File Creation in IIS Web Root
  Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=C:\inetpub\wwwroot\login_helper.php, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FolderPath contains \inetpub\wwwroot\, FileName=login_helper.php. Security Event 4663 if SACL auditing is enabled on the wwwroot directory.
- Test 2: Web Server Process Spawning Command Shell (WebShell Simulation)
  Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. Sysmon Event ID 11: TargetFilename=C:\Windows\Temp\webshell_test.txt. Security Event 4688 with NewProcessName=cmd.exe if process creation auditing is enabled.
- Test 3: Inject Credential Capture Code into Existing ASPX Login Page
  Expected signal: Sysmon Event ID 11 (FileCreate/Modify): TargetFilename=C:\inetpub\wwwroot\testportal\login.aspx, Image=powershell.exe. DeviceFileEvents: ActionType=FileModified, FileName=login.aspx, FolderPath contains \inetpub\wwwroot\. Security Event 4663 if SACL file auditing is configured on the web root.
- Test 4: Simulate Credential Exfiltration via Web Server Outbound HTTP
  Expected signal: Sysmon Event ID 3 (Network Connection): Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9001, Protocol=tcp. DeviceNetworkEvents: InitiatingProcessFileName=powershell.exe, RemotePort=9001. PowerShell ScriptBlock Log Event ID 4104 showing the HTTP POST with credential parameters.
References
- https://attack.mitre.org/techniques/T1056/003/
- https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
- https://www.mandiant.com/resources/blog/cutting-edge-suspected-apt-targets-ivanti-connect-secure-vpn-in-new-zero-day-exploitation
- https://www.crowdstrike.com/blog/iceapple-a-novel-internet-information-services-post-exploitation-framework/
- https://www.sentinelone.com/labs/winter-vivern-all-summer-long-unattributed-threat-actor-from-russia-or-belarus/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.003/T1056.003.md
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system