DET0480 Detection of Credential Harvesting via Web Portal Modification
| Item | Value |
| --- | --- |
| ID | DET0480 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1056.003 (Web Portal Capture)
Analytics
Linux
AN1320
Detects unauthorized modifications to login-facing web server files (e.g., index.php, login.js) typically tied to VPN, SSO, or intranet portals. Correlates suspicious file changes with remote access artifacts or web shell behavior.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| MonitoredFilePaths | Target login-related files (e.g., /var/www/html/login.php) for integrity monitoring |
| TimeWindow | Tune detection to correlate file edits and web access within a short duration |
Windows
AN1321
Detects tampering of IIS-based login pages (e.g., default.aspx, login.aspx) tied to VPN, OWA, or SharePoint via script injection or unexpected editor processes modifying web roots.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| FilePath | Define path to monitored IIS web root (e.g., C:\inetpub\wwwroot\login.aspx) |
| ProcessName | Exclude legitimate updates (e.g., msdeploy.exe) and alert on suspicious editors (e.g., notepad.exe, certutil.exe) |
macOS
AN1322
Detects unauthorized changes to locally hosted login pages on macOS (common in developer VPN environments) and links file edits to cron jobs, background scripts, or SUID binaries.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| WebRootPath | Specify custom web service directories (e.g., /Library/WebServer/Documents/) |
| AnomalousProcess | Alert on web root changes from non-web processes or scripts |
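The three analytics above share one core logic: flag edits to monitored login files made by a process outside an allowlist, then raise severity when web requests for that file follow within the tuned TimeWindow. The following is an added illustration of that correlation and is not part of the DET0480 strategy itself; the event field names, the sample file-change and web-access records, and the allowlist contents are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): file-change records as an
# FIM/auditd-style source might emit them, plus web access records.
FILE_EVENTS = [
    {"ts": "2025-10-21T10:00:05", "path": "/var/www/html/login.php", "process": "apt-get"},
    {"ts": "2025-10-21T10:02:10", "path": "/var/www/html/login.php", "process": "vi"},
    {"ts": "2025-10-21T10:30:00", "path": "/var/www/html/index.html", "process": "vi"},
]
WEB_EVENTS = [
    {"ts": "2025-10-21T10:02:40", "src": "203.0.113.7", "uri": "/login.php"},
    {"ts": "2025-10-21T11:00:00", "src": "203.0.113.7", "uri": "/login.php"},
]

# Mutable elements from the analytic: MonitoredFilePaths, a process allowlist
# (the "exclude legitimate updates" half of ProcessName), and TimeWindow.
MONITORED_FILE_PATHS = {"/var/www/html/login.php", "/var/www/html/index.php"}
ALLOWED_PROCESSES = {"apt-get", "dpkg", "rsync"}  # assumed deployment tooling
TIME_WINDOW = timedelta(minutes=5)


def parse_ts(s):
    return datetime.fromisoformat(s)


def suspicious_modifications(file_events):
    """Edits to a monitored login file by a process outside the allowlist."""
    return [e for e in file_events
            if e["path"] in MONITORED_FILE_PATHS
            and e["process"] not in ALLOWED_PROCESSES]


def correlate(file_events, web_events, window=TIME_WINDOW):
    """Pair each suspicious edit with requests for that file inside `window`."""
    alerts = []
    for mod in suspicious_modifications(file_events):
        t0 = parse_ts(mod["ts"])
        name = mod["path"].rsplit("/", 1)[-1]
        hits = [w for w in web_events
                if w["uri"].endswith(name)
                and timedelta(0) <= parse_ts(w["ts"]) - t0 <= window]
        alerts.append({"path": mod["path"], "process": mod["process"],
                       "modified_at": mod["ts"],
                       "followed_by_requests": len(hits),
                       "severity": "high" if hits else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(FILE_EVENTS, WEB_EVENTS):
        print(alert)
```

With the constructed input, the apt-get write is excluded by the allowlist, the index.html edit is outside MonitoredFilePaths, and the vi edit of login.php followed 30 seconds later by a request for /login.php becomes a single high-severity alert.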