Detect Web Portal Capture in Sumo Logic CSE
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. A compromised login page may log provided user credentials before logging the user in to the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise by exploitation of the externally facing web service. Notable examples include IceApple's OWA credential logger, WARPWIRE targeting Ivanti VPN portals, and Winter Vivern mimicking government email logon sites.
MITRE ATT&CK
- Tactic
- Collection, Credential Access
- Technique
- T1056 Input Capture
- Sub-technique
- T1056.003 Web Portal Capture
- Canonical reference
- https://attack.mitre.org/techniques/T1056/003/
Sumo Detection Query
// Sysmon-derived sources; adjust the source categories to match your collectors
(_sourceCategory=*windows/sysmon* OR _sourceCategory=*linux/auditd* OR _sourceCategory=*linux/syslog*)
| where EventID = 11 OR EventID = 1
// One Key=Value per line in the event text; \b stops "Image=" from also matching inside "ParentImage="
| parse regex "(?s)\bImage=(?<ProcessImage>[^\r\n]+)" nodrop
| parse regex "(?s)ParentImage=(?<ParentImage>[^\r\n]+)" nodrop
| parse regex "(?s)CommandLine=(?<CommandLine>[^\r\n]+)" nodrop
| parse regex "(?s)TargetFilename=(?<TargetFilename>[^\r\n]+)" nodrop
| parse regex "(?s)User=(?<UserAccount>[^\r\n]+)" nodrop
// Branch 1: a web server process writes a script or config file into a web portal directory
// Branch 2: a shell or interpreter is spawned with a web server process as its parent
// Branch 3: an IIS worker process carries credential-related keywords on its command line
| where (
(EventID = 11
AND (TargetFilename matches "*inetpub*" OR TargetFilename matches "*wwwroot*"
OR TargetFilename matches "*\\owa\\*" OR TargetFilename matches "*\\ecp\\*"
OR TargetFilename matches "*\\vpn\\*" OR TargetFilename matches "*\\sslvpn\\*"
OR TargetFilename matches "*/var/www/*" OR TargetFilename matches "*/opt/web/*")
AND (TargetFilename matches "*.aspx" OR TargetFilename matches "*.php"
OR TargetFilename matches "*.asp" OR TargetFilename matches "*.jsp"
OR TargetFilename matches "*.js" OR TargetFilename matches "*.config")
AND (ProcessImage matches "*w3wp.exe*" OR ProcessImage matches "*iisexpress.exe*"
OR ProcessImage matches "*httpd*" OR ProcessImage matches "*nginx*"
OR ProcessImage matches "*apache2*" OR ProcessImage matches "*tomcat*"))
OR (EventID = 1
AND (ParentImage matches "*w3wp.exe*" OR ParentImage matches "*iisexpress.exe*"
OR ParentImage matches "*httpd*" OR ParentImage matches "*nginx*"
OR ParentImage matches "*apache2*")
AND (ProcessImage matches "*cmd.exe*" OR ProcessImage matches "*powershell.exe*"
OR ProcessImage matches "*/bash" OR ProcessImage matches "*/bin/sh"
OR ProcessImage matches "*/sh" OR ProcessImage matches "*python*"
OR ProcessImage matches "*perl*" OR ProcessImage matches "*whoami*"
OR ProcessImage matches "*net.exe*" OR ProcessImage matches "*certutil*"))
OR (EventID = 1
AND (ProcessImage matches "*w3wp.exe*" OR ProcessImage matches "*iisexpress.exe*")
AND (toLowerCase(CommandLine) matches "*password*" OR toLowerCase(CommandLine) matches "*credential*"
OR toLowerCase(CommandLine) matches "*passwd*" OR toLowerCase(CommandLine) matches "*username*"
OR toLowerCase(CommandLine) matches "*token*" OR toLowerCase(CommandLine) matches "*cookie*"
OR toLowerCase(CommandLine) matches "*session*"))
)
// Sumo Logic assigns computed fields with "<expression> as <field>" rather than eval
| if(EventID = 11, "WebFileCreation",
if((ProcessImage matches "*cmd.exe*" OR ProcessImage matches "*powershell.exe*"
OR ProcessImage matches "*/bash" OR ProcessImage matches "*/bin/sh"
OR ProcessImage matches "*/sh*")
AND (ParentImage matches "*w3wp*" OR ParentImage matches "*iisexpress*"
OR ParentImage matches "*httpd*" OR ParentImage matches "*nginx*"
OR ParentImage matches "*apache2*"), "WebShellSpawn",
"WebProcessCredentialExec")) as EventType
// Quoted "matches" patterns are wildcards, not regexes, so every alternative is spelled out;
// isNull keeps a field that is absent on this event type from turning the score null
| if(isNull(TargetFilename), 0,
if(TargetFilename matches "*inetpub*" OR TargetFilename matches "*wwwroot*"
OR TargetFilename matches "*\\owa\\*" OR TargetFilename matches "*\\ecp\\*"
OR TargetFilename matches "*\\vpn\\*" OR TargetFilename matches "*\\sslvpn\\*"
OR TargetFilename matches "*/var/www/*" OR TargetFilename matches "*/opt/web/*", 1, 0)) as WebPortalHit
| if(isNull(CommandLine), 0,
if(toLowerCase(CommandLine) matches "*password*" OR toLowerCase(CommandLine) matches "*passwd*"
OR toLowerCase(CommandLine) matches "*credential*" OR toLowerCase(CommandLine) matches "*username*"
OR toLowerCase(CommandLine) matches "*login*" OR toLowerCase(CommandLine) matches "*auth*"
OR toLowerCase(CommandLine) matches "*token*" OR toLowerCase(CommandLine) matches "*session*"
OR toLowerCase(CommandLine) matches "*cookie*", 1, 0)) as CredentialHit
| if(isNull(ProcessImage) OR isNull(ParentImage), 0,
if((ProcessImage matches "*cmd.exe*" OR ProcessImage matches "*powershell.exe*"
OR ProcessImage matches "*/bash" OR ProcessImage matches "*/bin/sh" OR ProcessImage matches "*/sh")
AND (ParentImage matches "*w3wp*" OR ParentImage matches "*iisexpress*"
OR ParentImage matches "*httpd*" OR ParentImage matches "*nginx*"
OR ParentImage matches "*apache2*"), 1, 0)) as ShellSpawn
| WebPortalHit + CredentialHit + ShellSpawn as SuspicionScore
| fields _time, _sourceHost, EventID, EventType, ProcessImage, CommandLine, ParentImage, TargetFilename, UserAccount, SuspicionScore
| sort by SuspicionScore desc, _time desc

Sumo Logic CSE search detecting T1056.003 Web Portal Capture from Sysmon and Linux auditd log sources. It parses Sysmon Event ID 11 (File Create) to detect script file writes into web portal directories by recognized web server processes, and Event ID 1 (Process Create) for shells or interpreters spawned from web server parents or for credential-keyword activity in IIS worker process command lines. The SuspicionScore field (0-3) adds three binary indicators: web portal path match, credential keyword in the command line, and shell spawned from a web server parent. Set the source category patterns to match your Sumo Logic collector configuration for Windows Sysmon and Linux system logs.
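To show how the query's filter and scoring stages behave on concrete telemetry, here is an added Python example (not part of the page's detection package or of Sumo Logic) that reproduces the field parsing, the three where branches, the EventType assignment and the 0-3 SuspicionScore over constructed Sysmon-style events, and adds a hypothetical deployment-account allowlist standing in for the tuning advice in the False Positives section. The field names, wildcard lists and keywords are transcribed from the query; the sample hosts, paths, accounts and the DEPLOY_ALLOWLIST value are made up.

```python
import re
from collections import namedtuple
from fnmatch import fnmatchcase

# Field extraction mirrors the query's "parse regex ... nodrop" stages: one Key=Value
# per line, the value runs to end of line, and a missing field becomes "".
FIELD_PATTERNS = {
    "event_id": re.compile(r"^EventID=(\d+)$", re.M),
    "process_image": re.compile(r"^Image=([^\r\n]+)$", re.M),
    "parent_image": re.compile(r"^ParentImage=([^\r\n]+)$", re.M),
    "command_line": re.compile(r"^CommandLine=([^\r\n]+)$", re.M),
    "target_filename": re.compile(r"^TargetFilename=([^\r\n]+)$", re.M),
    "user": re.compile(r"^User=([^\r\n]+)$", re.M),
}
# Wildcard lists transcribed from the query's "matches" clauses. The scoring stage uses a
# narrower shell list and a wider keyword list than the filter, as the query itself does.
WEB_PATH_GLOBS = ["*inetpub*", "*wwwroot*", "*\\owa\\*", "*\\ecp\\*", "*\\vpn\\*",
                  "*\\sslvpn\\*", "*/var/www/*", "*/opt/web/*"]
WEB_EXT_GLOBS = ["*.aspx", "*.php", "*.asp", "*.jsp", "*.js", "*.config"]
WEB_SERVER_GLOBS = ["*w3wp.exe*", "*iisexpress.exe*", "*httpd*", "*nginx*", "*apache2*", "*tomcat*"]
IIS_WORKER_GLOBS = ["*w3wp.exe*", "*iisexpress.exe*"]
FILTER_SHELL_GLOBS = ["*cmd.exe*", "*powershell.exe*", "*/bash", "*/bin/sh", "*/sh", "*python*",
                      "*perl*", "*whoami*", "*net.exe*", "*certutil*"]
FILTER_CRED_KEYWORDS = ["password", "credential", "passwd", "username", "token", "cookie", "session"]
SCORE_SHELL_GLOBS = ["*cmd.exe*", "*powershell.exe*", "*/bash", "*/bin/sh", "*/sh*"]
SCORE_CRED_KEYWORDS = FILTER_CRED_KEYWORDS + ["login", "auth"]
# Constructed tuning allowlist (hypothetical account) for the deployment-pipeline false
# positive from the tuning section: its web file writes stay in the output but are flagged.
DEPLOY_ALLOWLIST = frozenset({"contoso\\svc_deploy"})

Finding = namedtuple("Finding", "event_type process_image user suspicion_score suppressed")


def glob_any(value, globs):
    # Case-insensitive wildcard test standing in for the query's "matches" operator.
    return any(fnmatchcase(value.lower(), g.lower()) for g in globs)


def parse_event(text):
    ev = {}
    for key, pat in FIELD_PATTERNS.items():
        m = pat.search(text)
        ev[key] = m.group(1) if m else ""
    return ev


def matches_rule(ev):
    """Mirror of the query's where block: True when any of its three branches fires."""
    if ev["event_id"] == "11":  # web server process writes a script/config file into a portal directory
        return (glob_any(ev["target_filename"], WEB_PATH_GLOBS)
                and glob_any(ev["target_filename"], WEB_EXT_GLOBS)
                and glob_any(ev["process_image"], WEB_SERVER_GLOBS))
    if ev["event_id"] == "1":
        shell_from_web = (glob_any(ev["parent_image"], WEB_SERVER_GLOBS)
                          and glob_any(ev["process_image"], FILTER_SHELL_GLOBS))
        cred_in_iis = (glob_any(ev["process_image"], IIS_WORKER_GLOBS)
                       and any(k in ev["command_line"].lower() for k in FILTER_CRED_KEYWORDS))
        return shell_from_web or cred_in_iis
    return False


def shell_spawn(ev):
    return glob_any(ev["process_image"], SCORE_SHELL_GLOBS) and glob_any(ev["parent_image"], WEB_SERVER_GLOBS)


def event_type(ev):
    if ev["event_id"] == "11":
        return "WebFileCreation"
    return "WebShellSpawn" if shell_spawn(ev) else "WebProcessCredentialExec"


def suspicion_score(ev):
    # 0-3: web portal path + credential keyword on the command line + shell spawned from a web server.
    web = int(glob_any(ev["target_filename"], WEB_PATH_GLOBS))
    cred = int(any(k in ev["command_line"].lower() for k in SCORE_CRED_KEYWORDS))
    return web + cred + int(shell_spawn(ev))


def triage(raw_events, deploy_allowlist=frozenset()):
    findings = []
    for text in raw_events:
        ev = parse_event(text)
        if not matches_rule(ev):
            continue
        suppressed = ev["event_id"] == "11" and ev["user"].lower() in deploy_allowlist
        findings.append(Finding(event_type(ev), ev["process_image"], ev["user"], suspicion_score(ev), suppressed))
    findings.sort(key=lambda f: f.suspicion_score, reverse=True)  # stable: highest score first, input order otherwise
    return findings


# Constructed sample events in the one-field-per-line form the regexes expect; hosts, paths and accounts are made up.
SAMPLE_EVENTS = [
    "\n".join(["EventID=11", r"Image=C:\Windows\System32\inetsrv\w3wp.exe",
               r"TargetFilename=C:\inetpub\wwwroot\owa\auth\logon.aspx", r"User=IIS APPPOOL\MSExchangeOWAAppPool"]),
    "\n".join(["EventID=1", r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"CommandLine=powershell.exe -NoProfile -Command Get-Content C:\inetpub\wwwroot\session_log.txt",
               r"ParentImage=C:\Windows\System32\inetsrv\w3wp.exe", r"User=IIS APPPOOL\DefaultAppPool"]),
    # A legitimate app pool whose name contains "password" trips the keyword branch: a tuning candidate.
    "\n".join(["EventID=1", r"Image=C:\Windows\System32\inetsrv\w3wp.exe",
               r'CommandLine=c:\windows\system32\inetsrv\w3wp.exe -ap "PasswordResetPortal" -v "v4.0"',
               r"ParentImage=C:\Windows\System32\svchost.exe", r"User=NT AUTHORITY\SYSTEM"]),
    "\n".join(["EventID=11", r"Image=C:\Windows\System32\inetsrv\w3wp.exe",
               r"TargetFilename=C:\inetpub\wwwroot\app\default.aspx", r"User=CONTOSO\svc_deploy"]),
    "\n".join(["EventID=1", r"Image=C:\Windows\notepad.exe", "CommandLine=notepad.exe",
               r"ParentImage=C:\Windows\explorer.exe", r"User=CONTOSO\alice"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, DEPLOY_ALLOWLIST):
        print(f.suspicion_score, f.event_type, f.user, "suppressed" if f.suppressed else "")
```

Running it lists four findings: the PowerShell child of w3wp.exe scores 2 (shell spawn plus the "session" keyword), the two web file writes and the w3wp.exe keyword hit score 1, the notepad event is filtered out, and the svc_deploy write is flagged as suppressed rather than dropped so an analyst can still see deployment activity. The third sample shows why branch 3 needs tuning in practice: any application pool or site whose name contains a keyword from the list will match on every worker process start.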
False Positives & Tuning
- Automated deployment pipelines running as the IIS application pool identity that push web application code updates by writing ASPX, PHP, or JS files directly to wwwroot or web portal directories during scheduled maintenance windows
- Content management system automatic update mechanisms (WordPress auto-update, Joomla update manager) that download and write new PHP plugin files to web-accessible directories under the web server process context
- Load balancer and reverse proxy health check probes or ACME protocol challenge responders that create temporary token files in the webroot directory under the web server's running user, triggering file creation events with .html or .txt extensions (the query's extension filter does not match these, so they only surface if that list is widened)
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Credential Capture File Creation in IIS Web Root
Expected signal: Sysmon Event ID 11 (FileCreate): TargetFilename=C:\inetpub\wwwroot\login_helper.php, Image=cmd.exe. DeviceFileEvents: ActionType=FileCreated, FolderPath contains \inetpub\wwwroot\, FileName=login_helper.php. Security Event 4663 if SACL auditing is enabled on the wwwroot directory.
- Test 2: Web Server Process Spawning Command Shell (WebShell Simulation)
Expected signal: Sysmon Event ID 1 (Process Create): Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. Sysmon Event ID 11: TargetFilename=C:\Windows\Temp\webshell_test.txt. Security Event 4688 with NewProcessName=cmd.exe if process creation auditing is enabled.
- Test 3: Inject Credential Capture Code into Existing ASPX Login Page
Expected signal: Sysmon Event ID 11 (FileCreate/Modify): TargetFilename=C:\inetpub\wwwroot\testportal\login.aspx, Image=powershell.exe. DeviceFileEvents: ActionType=FileModified, FileName=login.aspx, FolderPath contains \inetpub\wwwroot\. Security Event 4663 if SACL file auditing is configured on the web root.
- Test 4: Simulate Credential Exfiltration via Web Server Outbound HTTP
Expected signal: Sysmon Event ID 3 (Network Connection): Image=powershell.exe, DestinationIp=127.0.0.1, DestinationPort=9001, Protocol=tcp. DeviceNetworkEvents: InitiatingProcessFileName=powershell.exe, RemotePort=9001. PowerShell ScriptBlock Log Event ID 4104 showing the HTTP POST with credential parameters.
References
- https://attack.mitre.org/techniques/T1056/003/
- https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
- https://www.mandiant.com/resources/blog/cutting-edge-suspected-apt-targets-ivanti-connect-secure-vpn-in-new-zero-day-exploitation
- https://www.crowdstrike.com/blog/iceapple-a-novel-internet-information-services-post-exploitation-framework/
- https://www.sentinelone.com/labs/winter-vivern-all-summer-long-unattributed-threat-actor-from-russia-or-belarus/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.003/T1056.003.md
- https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-system