Detects unauthorized modifications to login-facing web server files (e.g., index.php, login.js) typically tied to VPN, SSO, or intranet portals. Correlates suspicious file changes with remote access artifacts or web shell behavior.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | write |
| Network Traffic Content (DC0085) | NSM:Flow | HTTP Request Logging |

| Field | Description |
|---|---|
| MonitoredFilePaths | Target login-related files (e.g., /var/www/html/login.php) for integrity monitoring |
| TimeWindow | Tune detection to correlate file edits and web access within a short duration |
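As an added example (not part of this detection strategy page), the following Python script shows how the Linux analytic's MonitoredFilePaths and TimeWindow elements can be applied in practice: it joins auditd SYSCALL and PATH records for writes to monitored login files with Common Log Format access-log entries that request the same file inside the window, and grades each write by what traffic it attracted. The auditd and access-log lines are constructed samples; the monitored paths, web root, 10-minute window, and severity tiers are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Mutable elements from the analytic (values are assumptions to tune per environment).
MONITORED_FILE_PATHS = {"/var/www/html/login.php", "/var/www/html/js/login.js"}
WEB_ROOT = "/var/www/html"          # maps request URIs onto the monitored on-disk paths
TIME_WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (not real events). auditd emits one SYSCALL record and one or
# more PATH records per event; they share the audit id after the colon in msg=audit(...).
AUDITD_LOG = """\
type=SYSCALL msg=audit(1714557600.101:1001): arch=c000003e syscall=1 success=yes exit=512 pid=4242 uid=33 gid=33 comm="vim" exe="/usr/bin/vim" key="webroot"
type=PATH msg=audit(1714557600.101:1001): item=0 name="/var/www/html/login.php" inode=1234 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1714554000.500:1002): arch=c000003e syscall=1 success=yes exit=2048 pid=5150 uid=0 gid=0 comm="rsync" exe="/usr/bin/rsync" key="webroot"
type=PATH msg=audit(1714554000.500:1002): item=0 name="/var/www/html/index.html" inode=1235 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1714564800.250:1003): arch=c000003e syscall=1 success=yes exit=900 pid=6001 uid=0 gid=0 comm="dpkg" exe="/usr/bin/dpkg" key="webroot"
type=PATH msg=audit(1714564800.250:1003): item=0 name="/var/www/html/js/login.js" inode=1236 mode=0100644 nametype=NORMAL
"""

# Constructed web server access log in Common Log Format.
ACCESS_LOG = """\
203.0.113.7 - - [01/May/2024:10:03:12 +0000] "POST /login.php?next=%2F HTTP/1.1" 200 512
203.0.113.7 - - [01/May/2024:10:04:00 +0000] "GET /login.php HTTP/1.1" 200 1820
198.51.100.2 - - [01/May/2024:09:00:30 +0000] "GET /index.html HTTP/1.1" 200 300
198.51.100.2 - - [01/May/2024:15:00:00 +0000] "GET /js/login.js HTTP/1.1" 200 900
"""

AUDIT_RE = re.compile(r"type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\): (?P<body>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CLF_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')


@dataclass
class FileMod:
    ts: datetime
    path: str
    exe: str
    uid: int


@dataclass
class HttpRequest:
    ts: datetime
    src_ip: str
    method: str
    uri: str
    status: int


def parse_auditd(text):
    """Join SYSCALL and PATH records by audit id into one FileMod per write."""
    events = {}
    for line in text.splitlines():
        m = AUDIT_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m["id"], {"ts": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        if m["type"] == "SYSCALL":
            ev["exe"], ev["uid"] = fields.get("exe", "?"), int(fields.get("uid", -1))
        elif m["type"] == "PATH":
            ev["path"] = fields.get("name", "")
    return [FileMod(e["ts"], e["path"], e["exe"], e["uid"])
            for e in events.values() if "path" in e and "exe" in e]


def parse_access_log(text):
    reqs = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            reqs.append(HttpRequest(ts, m["ip"], m["method"], m["uri"], int(m["status"])))
    return reqs


def correlate(file_mods, http_reqs, window=TIME_WINDOW):
    """One alert per write to a monitored file, enriched with requests for that file inside the window."""
    alerts = []
    for fm in sorted(file_mods, key=lambda f: f.ts):
        if fm.path not in MONITORED_FILE_PATHS:
            continue
        related = [r for r in http_reqs
                   if WEB_ROOT + r.uri.split("?", 1)[0] == fm.path
                   and fm.ts - window <= r.ts <= fm.ts + window]
        if any(r.method == "POST" for r in related):
            severity = "high"      # the freshly modified login page is already receiving form submissions
        elif related:
            severity = "medium"
        else:
            severity = "low"       # modification alone; still worth review against change records
        alerts.append({"path": fm.path, "exe": fm.exe, "uid": fm.uid, "modified_at": fm.ts.isoformat(),
                       "severity": severity, "request_count": len(related),
                       "sources": sorted({r.src_ip for r in related})})
    return alerts


def run_detection():
    return correlate(parse_auditd(AUDITD_LOG), parse_access_log(ACCESS_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

With the sample data, the vim write to login.php is followed within minutes by a POST and a GET for that page from one external address and is graded high, while the dpkg write to login.js sees no traffic inside the window and is graded low. The window is applied symmetrically on purpose: requests that hit a login page just before it changed can show the upload that delivered the change, so a real deployment should keep the pre-write side of the window too.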
Detects tampering of IIS-based login pages (e.g., default.aspx, login.aspx) tied to VPN, OWA, or SharePoint via script injection or unexpected editor processes modifying web roots.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Network Traffic Content (DC0085) | WinEventLog:iis | IIS Logs |

| Field | Description |
|---|---|
| FilePath | Define path to monitored IIS web root (e.g., C:\inetpub\wwwroot\login.aspx) |
| ProcessName | Exclude legitimate updates (e.g., msdeploy.exe) and alert on suspicious editors (e.g., notepad.exe, certutil.exe) |
Detects unauthorized changes to locally hosted login pages on macOS (common in developer VPN environments) and links file edits to cron jobs, background scripts, or SUID binaries.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | fs:fsusage | Filesystem Access Logging |
| Network Traffic Content (DC0085) | macos:unifiedlog | subsystem=com.apple.WebKit |

| Field | Description |
|---|---|
| WebRootPath | Specify custom web service directories (e.g., /Library/WebServer/Documents/) |
| AnomalousProcess | Alert on web root changes from non-web processes or scripts |
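The Windows analytic's ProcessName element and the macOS analytic's WebRootPath and AnomalousProcess elements express the same decision: a write inside the web root is excluded when the writer is expected deployment or web-service tooling, escalated when the writer is an editor or script host, and otherwise flagged according to whether a login page was touched. The Python below is an added example, not part of this page, that implements that decision once for both platforms, including the case-insensitive path comparison NTFS requires. The events are constructed, normalised records (Sysmon EventCode 11 fields on Windows, fs_usage-derived fields on macOS) as a SIEM might export them, and every allow- and watchlist value is an assumption to replace with the tooling actually used.

```python
import json
from pathlib import PureWindowsPath, PurePosixPath

# Mutable elements from the Windows and macOS analytics above. All values are assumptions
# for this example; tune the allow- and watchlists to the deployment tooling actually in use.
WEB_ROOTS = {"windows": r"C:\inetpub\wwwroot", "macos": "/Library/WebServer/Documents"}
LOGIN_PAGES = {"default.aspx", "login.aspx", "index.php", "login.php", "login.js"}
# Writers to exclude: deployment tooling on Windows, the web service itself on macOS.
ALLOWED_WRITERS = {"windows": {"msdeploy.exe"}, "macos": {"httpd"}}
# Editors and scripting hosts that have no business writing into a production web root.
SUSPICIOUS_EDITORS = {"windows": {"notepad.exe", "certutil.exe"},
                      "macos": {"bash", "zsh", "sh", "osascript", "python3"}}

# Constructed, normalised file-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"platform": "windows", "time": "2024-05-01T10:15:02Z", "process": "C:\\Windows\\System32\\notepad.exe", "target": "C:\\inetpub\\wwwroot\\login.aspx", "user": "CORP\\jdoe"}
{"platform": "windows", "time": "2024-05-01T10:20:00Z", "process": "C:\\Program Files\\IIS\\Microsoft Web Deploy V3\\msdeploy.exe", "target": "C:\\inetpub\\wwwroot\\Default.aspx", "user": "CORP\\svc-deploy"}
{"platform": "windows", "time": "2024-05-01T10:22:41Z", "process": "C:\\Windows\\System32\\certutil.exe", "target": "c:\\INETPUB\\wwwroot\\images\\logo.png", "user": "CORP\\jdoe"}
{"platform": "windows", "time": "2024-05-01T10:30:00Z", "process": "C:\\Program Files\\Git\\mingw64\\bin\\git.exe", "target": "C:\\inetpub\\wwwroot\\web.config", "user": "CORP\\jdoe"}
{"platform": "macos", "time": "2024-05-01T11:00:05Z", "process": "/bin/bash", "target": "/Library/WebServer/Documents/login.php", "user": "root"}
{"platform": "macos", "time": "2024-05-01T11:01:00Z", "process": "/usr/sbin/httpd", "target": "/Library/WebServer/Documents/uploads/avatar.png", "user": "_www"}
{"platform": "macos", "time": "2024-05-01T11:02:00Z", "process": "/usr/bin/python3", "target": "/Users/dev/notes.txt", "user": "dev"}
{"platform": "macos", "time": "2024-05-01T11:05:00Z", "process": "/usr/local/bin/node", "target": "/Library/WebServer/Documents/assets/app.js", "user": "dev"}
"""


def _path(platform, p):
    return PureWindowsPath(p) if platform == "windows" else PurePosixPath(p)


def _norm(platform, s):
    # NTFS paths are case-insensitive, so Windows names are compared lower-cased.
    return s.lower() if platform == "windows" else s


def under_web_root(platform, target):
    root, p = _path(platform, WEB_ROOTS[platform]), _path(platform, target)
    return ([_norm(platform, x) for x in p.parts[:len(root.parts)]]
            == [_norm(platform, x) for x in root.parts])


def classify(ev):
    """Return a severity for a web-root write, or None when the event is out of scope or excluded."""
    plat = ev["platform"]
    if plat not in WEB_ROOTS or not under_web_root(plat, ev["target"]):
        return None
    proc = _norm(plat, _path(plat, ev["process"]).name)
    fname = _norm(plat, _path(plat, ev["target"]).name)
    if proc in ALLOWED_WRITERS[plat]:
        return None                     # expected deployment or web-service writer
    if proc in SUSPICIOUS_EDITORS[plat]:
        return "high"                   # editor or script host writing into the web root
    if fname in LOGIN_PAGES:
        return "high"                   # unknown process rewriting a login page
    return "medium"                     # unknown process touching other web-root content


def detect(jsonl):
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        sev = classify(ev)
        if sev:
            alerts.append({"time": ev["time"], "platform": ev["platform"], "user": ev["user"],
                           "process": _path(ev["platform"], ev["process"]).name,
                           "target": ev["target"], "severity": sev})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Of the eight sample events, five produce alerts: the notepad.exe and certutil.exe writes and the bash write are high, the git.exe and node writes are medium, and the msdeploy.exe and httpd writes are excluded along with the write outside the web root. Matching the allowlist on the image basename alone, as here, keeps the example short; a production rule should match the full image path (and, on Windows, the Sysmon signature fields) so that a copy of an arbitrary binary named msdeploy.exe does not inherit the exclusion.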