Adversary modifies website or application-hosted content via unauthorized file changes or script injections, often by exploiting web servers or CMS access.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | WinEventLog:Security | EventCode=4663 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Application Log Content (DC0038) | WinEventLog:Application | Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files |

| Field | Description |
|---|---|
| target_filenames | Environment-specific naming of defacement-prone files like 'index.html', 'main.css', 'app.js'. |
| TimeWindow | Detection based on rapid sequence of file writes and script injections within short time intervals. |

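The Windows analytic above pairs a Security 4663 write against a Sysmon EventCode=1 within a short TimeWindow and scopes it with target_filenames. The following is an added example, not code from the ATT&CK page, that implements that correlation over constructed, already-normalized events; the web root, file list, window length and the event values are assumptions for the example.

```python
import ntpath
from datetime import datetime, timedelta

# Mutable elements from the analytic; the concrete values are constructed for this example.
TARGET_FILENAMES = {"index.html", "default.aspx", "main.css", "app.js"}
TIME_WINDOW = timedelta(seconds=120)
WEB_ROOTS = (r"c:\inetpub\wwwroot",)   # environment-specific web root(s), lower-cased for matching

# Bits of the 4663 AccessMask that mean the handle was used to write or append data.
WRITE_BITS = 0x2 | 0x4

# Constructed sample events, normalized to the fields a SIEM would extract from the raw logs.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "source": "WinEventLog:Sysmon", "EventCode": 1,
     "ProcessId": 4321, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"ts": "2024-05-01T10:00:30", "source": "WinEventLog:Security", "EventCode": 4663,
     "ProcessId": 4321, "ObjectName": r"C:\inetpub\wwwroot\index.html", "AccessMask": "0x2"},
    {"ts": "2024-05-01T10:05:00", "source": "WinEventLog:Security", "EventCode": 4663,
     "ProcessId": 9000, "ObjectName": r"C:\inetpub\wwwroot\app.js", "AccessMask": "0x2"},
    {"ts": "2024-05-01T10:06:00", "source": "WinEventLog:Security", "EventCode": 4663,
     "ProcessId": 4321, "ObjectName": r"C:\inetpub\wwwroot\logs\access.log", "AccessMask": "0x2"},
    {"ts": "2024-05-01T10:07:00", "source": "WinEventLog:Security", "EventCode": 4663,
     "ProcessId": 4321, "ObjectName": r"C:\inetpub\wwwroot\index.html", "AccessMask": "0x80"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_target_write(ev):
    """True for a 4663 event that writes to a defacement-prone file under a web root."""
    if ev.get("EventCode") != 4663:
        return False
    # AccessMask arrives as a hex string in the event; keep only write/append handles.
    if not int(str(ev.get("AccessMask", "0")), 16) & WRITE_BITS:
        return False
    path = ev.get("ObjectName", "").lower()
    if not path.startswith(WEB_ROOTS):
        return False
    return ntpath.basename(path) in TARGET_FILENAMES


def correlate(events, window=TIME_WINDOW):
    """Emit one alert per qualifying write. Severity is 'high' when a Sysmon EventCode=1
    for the same ProcessId falls within `window` before the write, otherwise 'medium'."""
    started = {}   # ProcessId -> most recent process-creation event
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev.get("EventCode") == 1:
            started[ev["ProcessId"]] = ev
        elif is_target_write(ev):
            proc = started.get(ev["ProcessId"])
            recent = proc is not None and parse_ts(ev["ts"]) - parse_ts(proc["ts"]) <= window
            alerts.append({
                "ts": ev["ts"],
                "file": ev["ObjectName"],
                "ProcessId": ev["ProcessId"],
                "Image": proc["Image"] if recent else None,
                "severity": "high" if recent else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The write to `access.log` is ignored because it is not in target_filenames, and the last event is ignored because its AccessMask only reads attributes; the `app.js` write still alerts at medium severity even though no process creation is known for that PID, so long-running worker processes are not silently excluded.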
Adversary gains shell access or uploads a malicious script to deface hosted web content in Nginx, Apache, or other services.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | write |
| Network Traffic Content (DC0085) | apache:access_log | Unusual HTTP POST or PUT requests to paths such as '/uploads/', '/admin/', or CMS plugin folders |
| Process Creation (DC0032) | linux:syslog | Unauthorized sudo or shell access, especially leading to file changes in /var/www or /srv/http |

| Field | Description |
|---|---|
| UploadPathRegex | Regex for CMS-specific upload directories subject to defacement (e.g., wp-content/uploads). |
| FileExtensionScope | Types of files to monitor for defacement (e.g., .html, .php, .jsp). |

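The Linux analytic above watches the Apache access log for POST or PUT requests into upload or admin paths, tuned by UploadPathRegex and FileExtensionScope. The following is an added example, not code from the ATT&CK page, that parses combined-format log lines and applies both mutable elements; the regex, the extension set and the sample log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Mutable elements from the analytic; values are constructed for this example.
UPLOAD_PATH_REGEX = re.compile(r"^/(wp-content/uploads|wp-content/plugins|uploads|admin)/")
FILE_EXTENSION_SCOPE = {".html", ".php", ".jsp"}
WRITE_METHODS = {"POST", "PUT"}

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation IP ranges), not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2024:10:00:05 +0000] "POST /wp-content/uploads/2024/05/page.php HTTP/1.1" 201 0 "-" "curl/8.4.0"
198.51.100.9 - - [01/May/2024:10:00:09 +0000] "POST /wp-content/uploads/photo.jpg HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.9 - - [01/May/2024:10:00:12 +0000] "PUT /admin/index%2Ehtml?x=1 HTTP/1.1" 204 0 "-" "python-requests/2.31"
203.0.113.7 - - [01/May/2024:10:00:20 +0000] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalize the request target: drop the query string and decode percent-encoding,
    # so an encoded extension cannot slip past the extension check.
    rec["path"] = unquote(urlsplit(rec["target"]).path)
    rec["status"] = int(rec["status"])
    return rec


def is_defacement_candidate(rec):
    """A write-style request into an upload/admin path that targets a file type in scope."""
    if rec["method"] not in WRITE_METHODS:
        return False
    if not UPLOAD_PATH_REGEX.search(rec["path"]):
        return False
    return posixpath.splitext(rec["path"])[1].lower() in FILE_EXTENSION_SCOPE


def find_suspicious(log_text):
    """Return the subset of parsed lines that match the analytic, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_defacement_candidate(rec):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": rec["path"], "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

The JPEG upload and the form POST to `/contact` are left alone because they fall outside FileExtensionScope or UploadPathRegex; the percent-encoded `index%2Ehtml` is still caught because the path is decoded before the extension is checked. The status code is carried in the result so a downstream rule can weight accepted (2xx) writes above rejected ones.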
Adversary modifies internal or external site content through manipulated application bundles, hosted content, or web server configs.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of unexpected terminal or web scripts modifying /Library/WebServer/Documents |
| File Modification (DC0061) | macos:unifiedlog | File creation or overwrite in common web-hosting folders |

| Field | Description |
|---|---|
| TargetDirectoryPath | Web root folders will vary depending on how services are configured on macOS (e.g., /Library/WebServer/Documents). |

Adversary defaces internal VM-hosted portals or web UIs by modifying static content on datastore-mounted paths.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | esxi:vmkernel | Unauthorized file modifications within datastore volumes via shell access or vCLI |

| Field | Description |
|---|---|
| DatastoreVolumeName | Each environment’s VMFS/volume mounts will vary in name and path. |

Adversary uses compromised instance credentials or web application access to deface content hosted in S3 buckets, Azure Blob Storage, or GCP Buckets.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | CloudTrail:PutObject | PutObject |
| Cloud Storage Access (DC0025) | AWS:CloudTrail | GetObject |

| Field | Description |
|---|---|
| BucketNameRegex | Patterns of S3 or GCP buckets used for static website hosting may vary by organization. |
| IAMRoleContext | Some uploads may appear benign unless enriched with user/role metadata. |
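The IaaS analytic above keys on CloudTrail PutObject events and notes that they only become meaningful once scoped by BucketNameRegex and enriched with IAMRoleContext. The following is an added example, not code from the ATT&CK page, that applies both to constructed CloudTrail records: the bucket pattern, the allow-listed deploy role, the account ID 123456789012 and every record value are assumptions made for the example.

```python
import json
import posixpath
import re

# Mutable elements from the analytic; values are constructed for this example.
BUCKET_NAME_REGEX = re.compile(r"^(www\.|static-)")                 # buckets serving static sites
EXPECTED_WRITERS = {"arn:aws:iam::123456789012:role/ci-deploy"}      # IAMRoleContext allow-list
WATCHED_EXTENSIONS = {".html", ".js", ".css"}

# Constructed CloudTrail records; 123456789012 is a placeholder account ID.
SAMPLE_TRAIL = json.loads(r'''
{"Records": [
  {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
   "sourceIPAddress": "198.51.100.20",
   "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42",
     "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/ci-deploy"}}},
   "requestParameters": {"bucketName": "www.example-corp.com", "key": "index.html"}},
  {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
   "sourceIPAddress": "203.0.113.45",
   "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/web-instance-role/i-0123456789abcdef0",
     "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/web-instance-role"}}},
   "requestParameters": {"bucketName": "www.example-corp.com", "key": "index.html"}},
  {"eventTime": "2024-05-01T11:31:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "sourceIPAddress": "203.0.113.45",
   "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/web-instance-role/i-0123456789abcdef0",
     "sessionContext": {"sessionIssuer": {"type": "Role", "arn": "arn:aws:iam::123456789012:role/web-instance-role"}}},
   "requestParameters": {"bucketName": "www.example-corp.com", "key": "index.html"}},
  {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
   "sourceIPAddress": "10.0.4.8",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/backup-svc"},
   "requestParameters": {"bucketName": "backups-prod", "key": "db/2024-05-01.tar.gz"}},
  {"eventTime": "2024-05-01T12:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
   "sourceIPAddress": "203.0.113.45",
   "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/marketing"},
   "requestParameters": {"bucketName": "static-assets-example", "key": "img/banner.png"}}
]}
''')["Records"]


def principal_of(record):
    """Resolve the acting principal to a stable ARN. For assumed-role sessions use the issuing
    role, so per-session names (build IDs, instance IDs) cannot defeat the allow-list."""
    ident = record.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn")


def evaluate(records):
    """Alert on PutObject into a static-hosting bucket by any principal outside EXPECTED_WRITERS.
    Severity is 'high' when the key is a page, script or stylesheet, otherwise 'medium'."""
    alerts = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") != "PutObject":
            continue
        params = r.get("requestParameters") or {}
        bucket, key = params.get("bucketName", ""), params.get("key", "")
        if not BUCKET_NAME_REGEX.search(bucket):
            continue
        who = principal_of(r)
        if who in EXPECTED_WRITERS:
            continue
        ext = posixpath.splitext(key)[1].lower()
        alerts.append({
            "time": r.get("eventTime"), "bucket": bucket, "key": key,
            "principal": who, "session": (r.get("userIdentity") or {}).get("arn"),
            "source_ip": r.get("sourceIPAddress"),
            "severity": "high" if ext in WATCHED_EXTENSIONS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_TRAIL):
        print(alert)
```

The first PutObject is identical in bucket and key to the second, and only the role context separates the routine CI deploy from the write made with an instance role; the GetObject and the backup-bucket write are filtered before enrichment, and the PNG upload is kept at medium severity so that unexpected writers are still surfaced.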