MITRE ATT&CK® Analytic

AN0662: Analytic 0662

Adversary modifies website or application-hosted content via unauthorized file changes or script injections, often by exploiting web servers or CMS access.

Domain: Enterprise | ID: AN0662 | Type: Analytic | Object version: 1.0 | Modified: (not present in snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic is about detecting unauthorized changes to website or application-hosted content, such as unexpected file modifications or injected scripts. For business leaders, the significance is that public-facing or internal web content can become a trust, fraud, compliance, and operational issue even before deeper compromise is confirmed. Because ATT&CK provides no detection logic for this analytic, organizations should treat it as a coverage-validation prompt rather than an out-of-the-box rule.

Executive priority

Prioritize this where Windows-hosted web applications, content management systems, or application servers support customer trust, revenue operations, regulated workflows, or executive communications. Leaders should ask whether the organization can prove when web content changed, who or what changed it, whether the change was authorized, and how quickly incident responders can restore known-good content. This is also relevant to audit evidence because file integrity, access accountability, and change-control records often determine whether an incident can be scoped confidently.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring around unauthorized file changes and script injection indicators on Windows systems hosting web or application content. Since no official detection text or ATT&CK relationships are supplied, build the technical view from local architecture: expected web roots, CMS upload paths, application deployment directories, service accounts, administrative access paths, and approved release pipelines. Detection should distinguish normal deployments and CMS publishing from out-of-band changes, unexpected script files, modified static assets, suspicious timestamps, or changes made by unusual users, processes, or remote sources.

Likely telemetry

  • Windows file creation, modification, deletion, and permission-change events for web/application content paths
  • File integrity monitoring or endpoint telemetry covering web roots, CMS directories, upload folders, and application deployment locations
  • Web server and application logs showing requests to modified or newly created content
  • Authentication and authorization logs for CMS, administrative portals, remote access, and service accounts
  • Change-management, CI/CD, deployment, or content publishing records used to validate authorized changes

Detection direction

  • Define the protected content paths first; without an accurate inventory of Windows-hosted web and application content, this analytic will miss relevant changes or generate excessive noise.
  • Correlate file changes with approved deployment windows, ticketed changes, CMS publishing events, and known service accounts to reduce false positives.
  • Alert on changes to executable script types, included JavaScript, templates, configuration-backed content, and public-facing static assets when made outside expected workflows.
  • Tune for environment-specific deployment tools and backup/restore processes, which can otherwise resemble mass unauthorized modification.
  • Validate whether telemetry captures the actor context: account, process, parent process, host, path, timestamp, and source of access. File-change-only alerts without context may be difficult to investigate.
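The correlation described in the "Technical view" and "Detection direction" items above, as an added example that is not part of the Glexia or MITRE text: a small Python triage routine that takes file-change records (constructed here in the shape a FIM or endpoint sensor would supply, with account, process, parent, host, path, timestamp and source), drops anything outside the protected content inventory, explains away changes made by the release account and tooling inside an approved change window or by CMS editors touching non-executable content, and alerts on everything else, raising severity when the changed file is a script, template or configuration type. The protected roots, account names, process names, the change window and the suffix list are all assumed values standing in for an organization's own inventory and change records.

```python
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class FileEvent:
    """One file-change record as a FIM or endpoint sensor might report it (constructed shape)."""
    timestamp: datetime
    host: str
    path: str
    action: str            # created | modified | deleted
    account: str           # actor account exactly as logged
    process: str           # image name that performed the write
    parent_process: str
    source: str            # "local" or the remote address behind the change


@dataclass
class ContentPolicy:
    """Environment-specific allowlist built from inventory and change records (all values assumed)."""
    protected_roots: list          # web roots, CMS directories, deployment locations
    deploy_accounts: set           # accounts allowed to change anything inside a window
    deploy_processes: set          # lower-case image names of the release tooling
    deployment_windows: list       # (start, end) pairs taken from approved change tickets
    publishing_accounts: set       # CMS editors: may change non-executable content at any time
    sensitive_suffixes: set        # executable / script / template / config types (lower-case)


def is_protected(path: str, roots: list) -> bool:
    """True when the path sits inside one of the inventoried content roots (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(p == PureWindowsPath(r) or PureWindowsPath(r) in p.parents for r in roots)


def in_window(ts: datetime, windows: list) -> bool:
    return any(start <= ts <= end for start, end in windows)


def evaluate(ev: FileEvent, policy: ContentPolicy) -> Optional[list]:
    """None = out of scope; [] = explained by an approved workflow;
    otherwise the reasons the change looks out-of-band."""
    if not is_protected(ev.path, policy.protected_roots):
        return None
    suffix = PureWindowsPath(ev.path).suffix.lower()
    sensitive = suffix in policy.sensitive_suffixes
    if ev.account in policy.publishing_accounts and not sensitive:
        return []                                   # routine CMS publishing of static content
    reasons = []
    if ev.account not in policy.deploy_accounts:
        reasons.append("unexpected_account")
    if ev.process.lower() not in policy.deploy_processes:
        reasons.append("unexpected_process")
    if not in_window(ev.timestamp, policy.deployment_windows):
        reasons.append("outside_deployment_window")
    if reasons and sensitive:
        reasons.append(f"sensitive_type:{suffix}")  # raises severity, never alerts on its own
    return reasons


def triage(events: list, policy: ContentPolicy) -> list:
    """Alerts carry the full actor context so an analyst can investigate without a second lookup."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev, policy)
        if not reasons:
            continue
        severity = "high" if any(r.startswith("sensitive_type") for r in reasons) else "medium"
        alerts.append({"host": ev.host, "path": ev.path, "action": ev.action, "account": ev.account,
                       "process": ev.process, "parent": ev.parent_process, "source": ev.source,
                       "time": ev.timestamp.isoformat(), "severity": severity, "reasons": reasons})
    return alerts


def sample_policy() -> ContentPolicy:
    # Assumed inventory and a single change window taken from a constructed change ticket.
    return ContentPolicy(
        protected_roots=[r"C:\inetpub\wwwroot", r"D:\apps\portal"],
        deploy_accounts={r"CORP\svc-deploy"},
        deploy_processes={"msdeploy.exe"},
        deployment_windows=[(datetime(2024, 5, 1, 22, 0), datetime(2024, 5, 1, 23, 0))],
        publishing_accounts={r"CORP\cms-editor"},
        sensitive_suffixes={".aspx", ".ashx", ".asmx", ".php", ".js", ".cshtml", ".config"},
    )


def sample_events() -> list:
    # Constructed records: an in-window release, a page dropped into an upload folder by the
    # web worker at night, a CMS editor publishing HTML, the same editor touching site-wide
    # JavaScript, and a backup write outside the protected roots.
    return [
        FileEvent(datetime(2024, 5, 1, 22, 15), "WEB01", r"C:\inetpub\wwwroot\app\Default.aspx",
                  "modified", r"CORP\svc-deploy", "msdeploy.exe", "powershell.exe", "local"),
        FileEvent(datetime(2024, 5, 2, 2, 13), "WEB01", r"C:\inetpub\wwwroot\uploads\img01.aspx",
                  "created", r"IIS APPPOOL\DefaultAppPool", "w3wp.exe", "svchost.exe", "203.0.113.45"),
        FileEvent(datetime(2024, 5, 2, 9, 30), "WEB01", r"C:\inetpub\wwwroot\news\index.html",
                  "modified", r"CORP\cms-editor", "cmspublisher.exe", "explorer.exe", "local"),
        FileEvent(datetime(2024, 5, 2, 9, 31), "WEB01", r"C:\inetpub\wwwroot\js\site.js",
                  "modified", r"CORP\cms-editor", "cmspublisher.exe", "explorer.exe", "local"),
        FileEvent(datetime(2024, 5, 2, 9, 40), "WEB01", r"D:\backups\site.zip",
                  "created", r"CORP\svc-backup", "backup.exe", "services.exe", "local"),
    ]


if __name__ == "__main__":
    for alert in triage(sample_events(), sample_policy()):
        print(alert["severity"], alert["path"], alert["reasons"])
```

Only the upload-folder page and the JavaScript edit produce alerts; the in-window release and the HTML publish are explained by the allowlists, and the backup write is ignored as outside the inventory. The sensitive-type check deliberately never alerts by itself, so an approved release that touches script files stays quiet while the same file types changed by an unexpected account, process or time are escalated.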

Mitigation priorities

  • Establish and maintain an inventory of Windows systems and directories that host web or application content.
  • Enforce least privilege for web server, CMS, deployment, and service accounts so content changes occur only through approved paths.
  • Use change control and deployment records as authoritative allowlists for expected content updates.
  • Implement file integrity monitoring or equivalent endpoint monitoring on critical content locations.
  • Maintain tested restore procedures for known-good web content and application files.
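The file integrity monitoring and known-good restore items above, as an added example that is not part of the Glexia or MITRE text: a Python baseline-and-compare routine that hashes every file under a content root with SHA-256, stores the baseline as canonical JSON (intended to live off the web host), and reports added, removed and modified files, with script, template and configuration types surfaced first. The comparison is content-based, so a backup/restore or redeploy that rewrites files with identical bytes does not show up as mass modification. The demo builds a small constructed web root in a temporary directory; the directory layout, file names and suffix list are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Content types that get first attention when they appear or change (assumed list; tune locally).
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx", ".php", ".js", ".cshtml", ".config"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large assets are not loaded into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of root-relative POSIX path -> SHA-256 for every file under a protected content root."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist as canonical JSON; keep the copy off the web host so a compromised
    server cannot silently rewrite its own known-good record."""
    dest.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Content diff: files rewritten with identical bytes are not reported."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def prioritise(diff: dict) -> list:
    """Added or modified files whose type can execute or carry script: triage these first."""
    return sorted(p for kind in ("added", "modified") for p in diff[kind]
                  if Path(p).suffix.lower() in SCRIPT_SUFFIXES)


def demo() -> tuple:
    """Constructed web root: take a baseline, apply benign and suspicious changes,
    and return (diff, prioritised list)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "uploads").mkdir(parents=True)
        (root / "js").mkdir()
        (root / "Default.aspx").write_text('<%@ Page Language="C#" %>')
        (root / "js" / "site.js").write_text("console.log('site');")
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        (root / "readme.txt").write_text("static notes")
        store = Path(tmp) / "baseline.json"     # outside the content root
        save_baseline(build_baseline(root), store)

        # Changes after the baseline (constructed): an appended script fragment, a new
        # server-side page in an upload folder, a deleted file, and a byte-identical rewrite.
        (root / "js" / "site.js").write_text("console.log('site');/*appended*/")
        (root / "uploads" / "img01.aspx").write_text('<%@ Page Language="C#" %>')
        (root / "readme.txt").unlink()
        (root / "uploads" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")

        diff = compare(load_baseline(store), build_baseline(root))
        return diff, prioritise(diff)


if __name__ == "__main__":
    result, first = demo()
    print(result)
    print("triage first:", first)
```

The rewritten PNG is absent from the diff because its hash is unchanged, while the appended JavaScript and the new page under the upload folder are both listed and sorted to the front of the triage list; the deleted readme is reported so that a restore from the known-good copy can be scoped. In practice the baseline is regenerated from the release pipeline at each approved deployment, which is what turns change-control records into the allowlist the mitigation items describe.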

Analyst notes and limits

This object is a detection analytic, not a full ATT&CK technique. The supplied fields identify Windows as the platform and describe unauthorized modification of website or application-hosted content through file changes or script injections. No tactic, relationship context, or official detection procedure was provided, so the strongest use is as a defensive coverage checklist for web content integrity, change accountability, and incident response readiness.

The official object does not provide detection logic, data sources, tactics, related techniques, adversary examples, or mitigations. Any practical rule thresholds, file paths, script types, or account baselines must come from the organization’s own Windows web/application hosting environment and approved deployment processes.

Official MITRE ATT&CK definition

Analytic 0662

Adversary modifies website or application-hosted content via unauthorized file changes or script injections, often by exploiting web servers or CMS access.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (not present in snapshot)
Modified: (not present in snapshot)
Raw hash: 27b3c6d0ef081918...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not present) | 1.0 | (not present) | Current bundle | 27b3c6d0ef08…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0662 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.