MITRE ATT&CK® Analytic

AN0664: Analytic 0664

Adversary modifies internal or external site content through manipulated application bundles, hosted content, or web server configs.

Enterprise | AN0664 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about detecting unauthorized changes to website or application content on macOS-hosted assets, including application bundles, hosted content, or web server configuration files. For leaders, the practical issue is content integrity: even without confirmed impact or attribution, unapproved site changes can affect customer trust, operational communications, compliance evidence, and incident response decision-making.

Executive priority

Prioritize this as a control-validation item for environments where macOS systems host, build, administer, or publish internal or external web content. Executives should ask whether the organization can prove who changed site content or web server configuration, when it changed, whether the change was approved, and how quickly unauthorized changes would be detected and reversed. Because ATT&CK provides no detection logic for this analytic, coverage depends heavily on local logging, file integrity monitoring, change management, and incident response readiness.

Technical view

SOC and detection teams should validate visibility into macOS file and configuration changes affecting application bundles, hosted content paths, and web server configuration files. Since no official detection logic or tactic mapping is supplied, treat this as a detection engineering requirement rather than an out-of-the-box analytic. Correlate file modification events with user identity, process lineage, deployment activity, change tickets, and web server behavior. IR teams should ensure they can compare current content and configuration against known-good versions and determine whether changes came from an approved deployment path.

Likely telemetry

  • macOS endpoint file creation, modification, deletion, and permission-change events
  • File integrity monitoring for application bundles, hosted content directories, and web server configuration files
  • Web server access and error logs from affected macOS-hosted services
  • Process execution and parent-child process context associated with content or configuration changes
  • User authentication and privilege-use logs for accounts modifying hosted content or configurations

Detection direction

  • Confirm which macOS systems can host, build, administer, or publish site content and whether their relevant content and configuration paths are monitored.
  • Tune detection around unauthorized or unusual changes to application bundles, hosted content, and web server configuration files, especially outside approved deployment windows or by unexpected users/processes.
  • Correlate file-change alerts with change-management and deployment records to reduce false positives from legitimate publishing activity.
  • Validate whether telemetry captures both the file change and the responsible identity/process; file-only alerts may be insufficient for triage.
  • Account for blind spots where content is modified through approved tools using compromised credentials, because the activity may resemble normal administration.

Mitigation priorities

  • Define ownership and approved change paths for hosted content, application bundles, and web server configuration on macOS systems.
  • Restrict write access to content and configuration locations to authorized service accounts and administrators.
  • Maintain version-controlled or otherwise recoverable known-good copies of hosted content and web server configuration.
  • Implement file integrity monitoring or equivalent change detection for critical content and configuration paths.
  • Require change approval and logging for site publishing and configuration updates, with evidence retained for audit and incident review.
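
As an added example (not ATT&CK's or Glexia's code) of the correlation the Detection direction and Mitigation priorities items describe: file-change events on monitored macOS web-content paths are checked against approved change windows, and a change is only accepted when the identity and process match the ticket, not just the time. The monitored prefixes, the ticket shape and the sample events are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed monitored prefixes on a macOS web host: Apache's default document
# root and config directory plus a hypothetical app bundle. Set your own.
MONITORED_PREFIXES = ("/Library/WebServer/Documents/", "/etc/apache2/",
                      "/Applications/Portal.app/Contents/")

@dataclass(frozen=True)
class FileEvent:      # one file-modification event (constructed shape)
    ts: datetime; path: str; user: str; process: str

@dataclass(frozen=True)
class ChangeWindow:   # one approved deployment / change ticket
    ticket: str; start: datetime; end: datetime; user: str; process: str

def approved_ticket(ev: FileEvent, windows: List[ChangeWindow]) -> Optional[str]:
    """Ticket authorising this event: inside the window AND same identity AND
    same deployment tool. Time alone is not enough, so a compromised credential
    driving an ad-hoc editor during a window still surfaces."""
    for w in windows:
        if w.start <= ev.ts <= w.end and (w.user, w.process) == (ev.user, ev.process):
            return w.ticket
    return None

def triage(events: List[FileEvent], windows: List[ChangeWindow]) -> List[Tuple[str, str, str, str]]:
    """(path, user, process, reason) for each unapproved change to a monitored
    path; approved publishing activity is dropped to cut false positives."""
    findings = []
    for ev in events:
        if not ev.path.startswith(MONITORED_PREFIXES) or approved_ticket(ev, windows) is not None:
            continue
        in_any = any(w.start <= ev.ts <= w.end for w in windows)
        reason = "identity/process differs from ticket" if in_any else "no change window covers this time"
        findings.append((ev.path, ev.user, ev.process, reason))
    return findings

# Constructed sample: one approved window and four events (approved deploy, config
# edit in-window by the wrong identity, off-hours edit by the web account, unmonitored path).
T = datetime.fromisoformat
WINDOWS = [ChangeWindow("CHG-1001", T("2026-01-10T02:00"), T("2026-01-10T02:30"),
                        "deploy", "/usr/local/bin/deploy-site")]
EVENTS = [
    FileEvent(T("2026-01-10T02:05"), "/Library/WebServer/Documents/index.html", "deploy", "/usr/local/bin/deploy-site"),
    FileEvent(T("2026-01-10T02:10"), "/etc/apache2/httpd.conf", "root", "/usr/bin/vim"),
    FileEvent(T("2026-01-10T14:32"), "/Library/WebServer/Documents/js/app.js", "_www", "/bin/sh"),
    FileEvent(T("2026-01-10T14:40"), "/Users/alice/notes.txt", "alice", "/usr/bin/vim"),
]
```

Running `triage(EVENTS, WINDOWS)` yields two findings (the in-window config edit by root and the off-hours edit by the web server account) and suppresses both the approved deploy and the unmonitored path.
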

Analyst notes and limits

ATT&CK identifies this as detection analytic AN0664 for macOS and describes adversary modification of internal or external site content through manipulated application bundles, hosted content, or web server configurations. No official detection logic, tactics, relationships, aliases, or labels were supplied, so the defensive value comes from translating the described behavior into local content-integrity monitoring and response validation.

This take is limited to the supplied ATT&CK fields. It does not establish active exploitation, adversary attribution, impact severity, or existing detection coverage. The official object does not provide detection logic or relationship context, so teams must determine relevant file paths, web server technologies, normal deployment patterns, and telemetry availability in their own environment.

Official MITRE ATT&CK definition

Analytic 0664

Adversary modifies internal or external site content through manipulated application bundles, hosted content, or web server configs.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f95d279ddfec75d9...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | f95d279ddfec…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: AN0664 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.