Adversary modifies externally-facing web content by accessing and overwriting hosted HTML/JS/CSS files, typically following web shell deployment, credential abuse, or exploitation of web application vulnerabilities.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | WinEventLog:Security | EventCode=4663 |
| Network Traffic Content (DC0085) | NSM:Connections | Unusual POST requests to admin or upload endpoints |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| target_directory | Web root folder varies by environment, e.g., C:\inetpub\wwwroot |
| UserContext | May vary based on which service account hosts the website |
| TimeWindow | Time between web shell upload and file overwrite may vary |


Adversary compromises a Linux-based web server and modifies hosted web files by exploiting upload vulnerabilities or remote code execution, or by replacing index.html via SSH or a web shell.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open/write syscalls targeting web directory files |
| Logon Session Metadata (DC0088) | NSM:Connections | Successful sudo or ssh from unknown IPs |
| Network Traffic Content (DC0085) | NSM:Flow | Suspicious POSTs to upload endpoints |

| Field | Description |
|---|---|
| web_root | May differ (e.g., /var/www/html, /srv/http, etc.) |
| payload_hash | Adversary content hash may change across campaigns |
| UserContext | Can range from the apache/nginx user to root if escalated |


Adversary modifies web-facing content on macOS via web development environments like MAMP or misconfigured Apache instances, typically with access to the hosting user account or via persistence tools.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | Terminal/Editor processes modifying web folder |
| Logon Session Metadata (DC0088) | macos:unifiedlog | loginwindow or sshd events with external IP |

| Field | Description |
|---|---|
| web_root_dir | May include ~/Sites or custom Apache paths |
| editor_name | Text editor or script modifying the files may vary (e.g., nano, VS Code) |

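As an added example (not part of this page), the Windows, Linux and macOS analytics above reduced to one correlation rule over normalized events: flag a write under the web root when the writing process is outside the approved deployment tooling, or when it lands within the mutable TimeWindow after a POST to an upload endpoint. The web roots, approved writers, upload paths, window and sample events are all constructed assumptions to be tuned per environment.

```python
from datetime import datetime, timedelta

# Assumed tuning values (not from the page): adjust per environment.
WEB_ROOTS = {"windows": "c:\\inetpub\\wwwroot", "linux": "/var/www/html",
             "macos": "/users/dev/sites"}
APPROVED_WRITERS = {"msdeploy.exe", "rsync", "git"}
UPLOAD_PATHS = ("/admin/", "/upload")
TIME_WINDOW = timedelta(minutes=15)

# Constructed sample events, normalized from 4663 / auditd / unified log / NSM.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "kind": "http", "method": "POST",
     "uri": "/admin/upload.php", "src_ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:02:30", "kind": "file_mod", "platform": "linux",
     "path": "/var/www/html/index.html", "process": "bash", "user": "www-data"},
    {"ts": "2024-05-01T10:03:00", "kind": "file_mod", "platform": "windows",
     "path": "C:\\inetpub\\wwwroot\\index.html", "process": "cmd.exe",
     "user": "IIS APPPOOL\\DefaultAppPool"},
    {"ts": "2024-05-01T11:00:00", "kind": "file_mod", "platform": "macos",
     "path": "/Users/dev/Sites/index.html", "process": "nano", "user": "dev"},
    {"ts": "2024-05-01T14:00:00", "kind": "file_mod", "platform": "windows",
     "path": "C:\\inetpub\\wwwroot\\index.html", "process": "msdeploy.exe",
     "user": "CORP\\deploy"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def _in_web_root(platform, path):
    root = WEB_ROOTS.get(platform, "")
    return bool(root) and path.lower().startswith(root.lower())

def detect_defacement(events, window=TIME_WINDOW):
    """Return (path, reasons) for writes under a web root that look adversarial."""
    upload_posts = [_ts(e) for e in events if e["kind"] == "http"
                    and e["method"] == "POST" and e["uri"].startswith(UPLOAD_PATHS)]
    alerts = []
    for e in sorted(events, key=_ts):
        if e["kind"] != "file_mod" or not _in_web_root(e["platform"], e["path"]):
            continue  # outside the web root: not a defacement candidate
        reasons = []
        if e["process"].lower() not in APPROVED_WRITERS:
            reasons.append(f"unapproved writer {e['process']} as {e['user']}")
        if any(timedelta(0) <= _ts(e) - p <= window for p in upload_posts):
            reasons.append(f"write within {window} of POST to upload endpoint")
        if reasons:
            alerts.append((e["path"], reasons))
    return alerts
```

The approved msdeploy.exe write at 14:00 is not flagged, while the nano edit on macOS is flagged on the writer alone and the bash and cmd.exe writes on both the writer and the upload-window correlation.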

Adversary modifies content in cloud-hosted websites (e.g., AWS S3-backed, Azure Blob-hosted sites) by gaining access to management consoles or APIs and uploading altered HTML/JS files.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | AWS:CloudTrail | PutObject |
| Cloud Storage Enumeration (DC0017) | AWS:CloudTrail | ListBuckets |
| Cloud Storage Access (DC0025) | AWS:CloudTrail | GetObject |

| Field | Description |
|---|---|
| bucket_name | Website bucket name varies per org |
| region | Adversary may target multi-region failover setups |
| IAMRole | Attack may leverage stolen cross-account roles or elevated policies |