MITRE ATT&CK Technique
Collection T1056
Description

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).

Supported Platforms
Linux macOS Network Devices Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2017-05-31T21:30:48.323Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may use methods of capturing user input to obtain '
                'credentials or collect information. During normal system '
                'usage, users often provide credentials to various different '
                'locations, such as login pages/portals or system dialog '
                'boxes. Input capture mechanisms may be transparent to the '
                'user (e.g. [Credential API '
                'Hooking](https://attack.mitre.org/techniques/T1056/004)) or '
                'rely on deceiving the user into providing input into what '
                'they believe to be a genuine service (e.g. [Web Portal '
                'Capture](https://attack.mitre.org/techniques/T1056/003)).',
 'external_references': [{'external_id': 'T1056',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1056'},
                         {'description': 'Tinaztepe,  E. (n.d.). The '
                                         'Adventures of a Keystroke:  An '
                                         'in-depth look into keyloggers on '
                                         'Windows. Retrieved April 27, 2016.',
                          'source_name': 'Adventures of a Keystroke',
                          'url': 'http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf'}],
 'id': 'attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'collection'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'credential-access'}],
 'modified': '2025-10-24T17:49:17.884Z',
 'name': 'Input Capture',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['John Lambert, Microsoft Threat Intelligence Center'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Network Devices', 'Windows'],
 'x_mitre_version': '1.4'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (10)
bluelocker
Low
donex
Low
APT42
High
8base
High
APT39
High
View All 10 Actors
Back to TTPs
Dashboard About