Input Capture
Capture user input — keylogging, GUI hooks, credential portals, captured network creds.
§ Where this technique fits
T1056 is catalogued under the Collection tactic of the offensive-security kill-chain. It appears in 5 approved dossiers in the registry, at step 4 on average.
Authoritative reference: attack.mitre.org/techniques/T1056/.
§ Dossiers chaining this technique
- step 4 / 5: IMSI catcher → force 2G downgrade → SMS / call intercept
  Operate a rogue base station in the target area. Phones associate; force fallback to 2G where no mutual auth is required. Intercept SMS OTPs, sniff voice calls, push notifications fail silently.
- step 4 / 6: Cloudflare account compromise → Worker rewrite → mass cred theft
  Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response; it captures form posts (logins, payments) for as long as the operator doesn't notice.
- step 4 / 6: Slack token in CI log → DM history → vendor mailbox compromise
  A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, pivot into the corporate mailbox.
- step 4 / 5: MITM unencrypted RTP → call eavesdropping
  Most internal SIP deployments still use RTP without SRTP. From the same VLAN, ARP-spoof the IP phone + PBX, capture RTP, decode in Wireshark to .wav.
- step 4 / 5: Autodiscover external leak → credential harvest
  Mis-implemented Autodiscover falls back to autodiscover.<TLD>; register that domain externally, harvest plaintext Basic-auth credentials from clients that haven't been patched / configured properly.
§ What commonly comes next
- 01 Exfiltration Over C2 Channel (seen 2×) · T1041 · Exfiltration
- 02 Valid Accounts (seen 2×) · T1078 · Initial Access
- 03 MFA Bypass (seen 1×) · W-MFA-BYPASS · Credential Access