T1056 - Input Capture - MITRE ATT&CK - Cyber Threat Intelligence

T1056 - Input Capture

Tactics:
Credential Access Collection

Platforms:
Linux macOS Network Devices Windows

Detection:
Not specified

Description:

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).

Sub-techniques (4)

ID	ATT&CK	Actions
T1056.001	Keylogging
T1056.002	GUI Input Capture
T1056.003	Web Portal Capture
T1056.004	Credential API Hooking

Used by Actors (3)

APT39
Unknown

APT42
Nation-state

Storm-1811
Unknown

Malware (7)

InvisibleFerret other Mafalda other FlawedAmmyy other Chaes other Kobalos other metaMain other NPPSPY tool

Metadata

MITRE ID:	T1056
STIX ID:	attack-pattern--bb5a00de-e086-...
Platforms:	Linux, macOS, Network Devices, Windows
Created:	13/01/2026 17:48
Updated:	21/04/2026 16:00