AN0663: Analytic 0663
Adversary gains shell access or uploads a malicious script to deface hosted web content in Nginx, Apache, or other services.
Analyst context for executives and security teams
This analytic concerns Linux-hosted web content being changed after an adversary obtains shell access or uploads a malicious script to services such as Nginx or Apache. For leaders, the practical issue is not just website appearance; unauthorized web content changes can undermine customer trust, trigger incident response and compliance questions, and signal broader server compromise that may affect business continuity.
Executive priority
Treat this as a resilience and evidence-readiness issue for public-facing Linux web infrastructure. Security leaders should ask whether teams can quickly prove what changed, which account or process made the change, whether the web server was only defaced or more broadly compromised, and how restoration would be governed. Because ATT&CK provides no official detection logic for this analytic, priority should go to validating telemetry and control coverage rather than assuming existing SOC content is sufficient.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around Linux web servers running Nginx, Apache, or similar services. Key questions are whether web-root file changes, uploaded scripts, web server process activity, and shell execution can be correlated. Since no tactics, relationships, or official detection text are supplied, teams should build local logic from observed web content change patterns, process lineage, account context, and approved change windows.
Likely telemetry
- Linux file creation, modification, deletion, and permission-change events for web content directories
- Web server access and error logs from Nginx, Apache, or comparable services
- Linux process execution telemetry showing shells, interpreters, or script execution associated with web server accounts or service processes
- Authentication and session logs relevant to shell access on Linux hosts
- Web application or upload logs where hosted applications permit file uploads
Detection direction
- Baseline expected web content deployment paths, owners, and update windows, then alert on unexpected changes to hosted content or executable script files.
- Correlate web-root changes with web server logs, Linux process execution, and account activity to separate normal publishing from possible defacement behavior.
- Tune carefully for legitimate CMS, CI/CD, backup, and administrator activity that can create high false-positive volume.
- Pay particular attention to blind spots where only web access logs are retained but file integrity, process execution, or authentication telemetry is missing.
- Because ATT&CK supplies no official detection text or relationships for this analytic, detection quality depends on local Linux logging, web server architecture, and change-control evidence.
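The correlation the list above describes (web-root changes checked against approved deploy accounts, change windows, script file types, and shell execution by the web server account) as an added worked example; this is not ATT&CK or Glexia detection content, and the web-root path, account names, change window, and event layouts are all assumptions over constructed sample telemetry.

```python
from datetime import datetime, time, timedelta

WEB_ROOT = "/var/www/html"                # assumed web-root path
DEPLOY_USERS = {"deploy"}                 # assumed accounts allowed to publish
WEB_SVC_USERS = {"www-data", "nginx"}     # assumed web server service accounts
INTERPRETERS = {"sh", "bash", "dash", "python3", "perl", "php"}
SCRIPT_EXT = (".php", ".py", ".pl", ".sh", ".cgi")
WINDOW = (time(2, 0), time(4, 0))         # assumed approved change window (UTC)
# Constructed sample file-change events: (timestamp, path, writing user, process)
FILE_EVENTS = [
    ("2026-01-10T02:30:00", "/var/www/html/index.html", "deploy", "rsync"),
    ("2026-01-10T13:05:00", "/var/www/html/index.html", "www-data", "sh"),
    ("2026-01-10T13:06:00", "/var/www/html/uploads/x.php", "www-data", "php-fpm"),
]
# Constructed process events: (timestamp, user, process, parent process)
PROC_EVENTS = [("2026-01-10T13:04:50", "www-data", "sh", "nginx")]

def in_window(ts):
    return WINDOW[0] <= datetime.fromisoformat(ts).time() <= WINDOW[1]

def recent_shell(user, ts, proc_events, lookback=timedelta(minutes=5)):
    """Interpreter/shell run by `user` shortly before `ts`, or None."""
    t = datetime.fromisoformat(ts)
    for p_ts, p_user, proc, parent in proc_events:
        if p_user == user and proc in INTERPRETERS and \
                timedelta(0) <= t - datetime.fromisoformat(p_ts) <= lookback:
            return proc, parent
    return None

def classify(event, proc_events):
    """Return the list of reasons a web-root change looks like defacement."""
    ts, path, user, _proc = event
    if not path.startswith(WEB_ROOT + "/"):
        return []                          # outside the monitored web root
    reasons = []
    if user not in DEPLOY_USERS:
        reasons.append(f"writer {user} is not an approved deploy account")
    if not in_window(ts):
        reasons.append("change outside approved deployment window")
    if path.endswith(SCRIPT_EXT):
        reasons.append("server-side script written into web root")
    shell = recent_shell(user, ts, proc_events)
    if user in WEB_SVC_USERS and shell:
        reasons.append(f"{user} ran {shell[0]} (parent {shell[1]}) just before the write")
    return reasons

def find_suspicious(file_events, proc_events):
    # Pair each flagged path with its reasons; clean deployments are dropped.
    return [(ev[1], classify(ev, proc_events)) for ev in file_events
            if classify(ev, proc_events)]
```

The legitimate rsync deployment inside the window produces no findings, while the two writes by the service account after an nginx-spawned shell are each flagged on several independent grounds, which is the kind of multi-signal alert that survives CMS and CI/CD tuning better than a single file-change rule.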
Mitigation priorities
- Define and enforce authorized web content deployment processes, including reviewable change records.
- Restrict write permissions to web content directories and minimize privileges for web server accounts.
- Use file integrity monitoring or equivalent change validation on critical hosted content and server-side scripts.
- Harden and monitor upload functionality where web applications allow user-supplied files.
- Maintain tested restoration procedures for public-facing content so defacement can be contained and recovered quickly.
Analyst notes and limits
This object is a detection analytic, AN0663, for Linux environments. The official description is limited to adversary shell access or malicious script upload used to deface hosted web content in Nginx, Apache, or other services. No ATT&CK tactics, relationships, aliases, labels, or official detection content were supplied.
Assessment is constrained to the supplied STIX fields and external reference. There is no relationship context, no official detection logic, and no supported claim about active exploitation, attribution, impact, or existing detection coverage. Local architecture, logging depth, web deployment model, and change-management practices are required to operationalize this assessment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e3e56031d7f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0663
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.