| ID | Name |
|---|---|
| ATAGS-T1117.001 | Credential API Hooking |
| ATAGS-T1117.002 | GUI Input Capture |
| ATAGS-T1117.003 | Keylogging |
| ATAGS-T1117.004 | Web Portal Capture |
Threat Actors may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.