title: Web Portal Capture (T1056.003)
id: df00tech-t1056-003
status: experimental
description: "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. A compromised login page may log provided user credentials before logging the user in to the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through External Remote Services and Valid Accounts, or as part of the initial compromise by exploitation of the externally facing web service. Notable examples include IceApple's OWA credential logger, WARPWIRE targeting Ivanti VPN portals, and Winter Vivern mimicking government email logon sites."
references:
  - https://attack.mitre.org/techniques/T1056/003/
  - https://df00tech.com/detections/T1056.003
author: df00tech
date: 2026/04/16
tags:
  - attack.t1056.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate web application deployments or updates that modify web portal files via w3wp.exe or deployment scripts
  - "Web application frameworks (ASP.NET, PHP) dynamically generating or caching compiled files in wwwroot directories"
  - Security scanning tools or web application firewalls writing log or config files to web directories
  - IIS application pool recycles or maintenance scripts spawning cmd.exe or powershell.exe for configuration tasks
level: high
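The detection block above is a placeholder, so as an added example (not the df00tech rule or its KQL/SPL query) here is one way to implement the process_creation behaviour the false-positive notes describe: the IIS worker process w3wp.exe spawning cmd.exe or powershell.exe. Field names follow the Sysmon Event ID 1 / Sigma convention (Image, ParentImage, CommandLine), which is an assumption about your log schema; the sample events are constructed.

```python
"""Added example: IIS worker (w3wp.exe) starting a command shell.
Assumes Sysmon EID 1 style fields: ParentImage, Image, CommandLine."""
from ntpath import basename

# Shells whose launch from the IIS worker is worth an alert.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe"}
# Worker process that hosts externally facing portals such as OWA.
WEB_WORKERS = {"w3wp.exe"}


def is_web_worker_spawning_shell(event: dict) -> bool:
    """True when a web worker process directly starts a command shell.
    Windows paths are case-insensitive, so compare lower-cased basenames."""
    parent = basename(event.get("ParentImage", "")).lower()
    child = basename(event.get("Image", "")).lower()
    return parent in WEB_WORKERS and child in SUSPICIOUS_CHILDREN


def detect(events: list[dict], allowed_cmdline_prefixes: tuple = ()) -> list[dict]:
    """Return matching events, dropping those whose CommandLine starts with an
    explicitly tuned prefix (e.g. a known app-pool maintenance script, the
    false positive the rule notes). A prefix match keeps the exclusion narrow;
    a loose substring match could be satisfied by appending the allowed text."""
    hits = []
    for ev in events:
        if not is_web_worker_spawning_shell(ev):
            continue
        cmd = ev.get("CommandLine", "").lower()
        if any(cmd.startswith(p.lower()) for p in allowed_cmdline_prefixes):
            continue
        hits.append(ev)
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\inetsrv\W3WP.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\ops\recycle_apppool.ps1"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    tuned = (r"powershell.exe -File C:\ops\recycle_apppool.ps1",)
    for hit in detect(SAMPLE_EVENTS, allowed_cmdline_prefixes=tuned):
        print("ALERT:", hit["CommandLine"])  # prints only the whoami event
```

Without tuning, both w3wp.exe children fire; the explorer.exe-launched shell never matches because the parent is not a web worker.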
