Skip to content

DET0238 Defacement via File and Web Content Modification Across Platforms

Item Value
ID DET0238
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1491 (Defacement)

Analytics

Windows

AN0662

Adversary modifies website or application-hosted content via unauthorized file changes or script injections, often by exploiting web servers or CMS access.

Log Sources
Data Component Name Channel
File Modification (DC0061) WinEventLog:Security EventCode=4663, 4670, 4656
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Application Log Content (DC0038) WinEventLog:Application Unexpected web application errors or CMS logs showing modification to index.html, default.aspx, or other public-facing files
Mutable Elements
Field Description
target_filenames Environment-specific naming of defacement-prone files like ‘index.html’, ‘main.css’, ‘app.js’.
TimeWindow Detection based on rapid sequence of file writes and script injections within short time intervals.

Linux

AN0663

Adversary gains shell access or uploads a malicious script to deface hosted web content in Nginx, Apache, or other services.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL write
Network Traffic Content (DC0085) apache:access_log Unusual HTTP POST or PUT requests to paths such as ‘/uploads/’, ‘/admin/’, or CMS plugin folders
Process Creation (DC0032) linux:syslog Unauthorized sudo or shell access, especially leading to file changes in /var/www or /srv/http
Mutable Elements
Field Description
UploadPathRegex Regex for CMS-specific upload directories subject to defacement (e.g., wp-content/uploads).
FileExtensionScope Types of files to monitor for defacement (e.g., .html, .php, .jsp).

macOS

AN0664

Adversary modifies internal or external site content through manipulated application bundles, hosted content, or web server configs.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog Execution of unexpected terminal or web scripts modifying /Library/WebServer/Documents
File Modification (DC0061) macos:unifiedlog File creation or overwrite in common web-hosting folders
Mutable Elements
Field Description
TargetDirectoryPath Web root folders will vary depending on how services are configured on macOS (e.g., /Library/WebServer/Documents).

ESXi

AN0665

Adversary defaces internal VM-hosted portals or web UIs by modifying static content on datastore-mounted paths.

Log Sources
Data Component Name Channel
File Modification (DC0061) esxi:vmkernel Unauthorized file modifications within datastore volumes via shell access or vCLI
Mutable Elements
Field Description
DatastoreVolumeName Each environment’s VMFS/volume mounts will vary in name and path.

IaaS

AN0666

Adversary uses compromised instance credentials or web application access to deface content hosted in S3 buckets, Azure Blob Storage, or GCP Buckets.

Log Sources
Data Component Name Channel
File Creation (DC0039) CloudTrail:PutObject PutObject
Cloud Storage Access (DC0025) AWS:CloudTrail GetObject, CopyObject
Mutable Elements
Field Description
BucketNameRegex Patterns of S3 or GCP buckets used for static website hosting may vary by organization.
IAMRoleContext Some uploads may appear benign unless enriched with user/role metadata.