AN1320: Analytic 1320
Detects unauthorized modifications to login-facing web server files (e.g., index.php, login.js) typically tied to VPN, SSO, or intranet portals. Correlates suspicious file changes with remote access artifacts or web shell behavior.
Analyst context for executives and security teams
This analytic matters because login-facing web files on Linux-hosted VPN, SSO, or intranet portals are high-value control points for identity access and business continuity. Unauthorized changes to files such as index.php or login.js may indicate tampering with a user-facing authentication surface, especially when those changes align with remote access artifacts or web shell-like behavior.
Executive priority
Security leaders should treat this as a validation point for identity and remote-access resilience: do teams know when externally or internally facing login portal code changes, who approved the change, and whether incident responders can quickly distinguish maintenance from suspicious modification? The priority is strongest for organizations that operate Linux-based VPN, SSO, or intranet web portals, because these systems often support workforce access and can become material to incident response, audit evidence, and continuity decisions.
Technical view
For SOC, detection engineering, and IR teams, validate that Linux web server file integrity events for login-facing portal paths can be correlated with remote access artifacts and indicators of web shell behavior. Because ATT&CK does not provide a specific detection implementation for AN1320, teams should define local baselines for expected deployment activity, privileged file writes, web server process behavior, and authentication or remote access events around the same timeframe.
Likely telemetry
- Linux file integrity monitoring or audit logs for web root and portal application directories
- File creation, modification, ownership, permission, and timestamp change events for login-facing files such as index.php or login.js
- Web server access and error logs associated with VPN, SSO, or intranet portals
- Remote access logs relevant to the portal environment
- Process execution telemetry from Linux web servers, especially web server child processes or script interpreters
Detection direction
- Confirm that monitoring covers the actual Linux hosts and directories serving login-facing VPN, SSO, or intranet portal content.
- Correlate file modifications with approved deployment windows and administrative activity to reduce false positives from legitimate releases.
- Prioritize alerts where portal file changes coincide with unusual remote access activity, unexpected web server process behavior, or possible web shell indicators.
- Tune for environment-specific filenames and application layouts rather than only the examples in the ATT&CK description.
- Validate retention and time synchronization across file, web, process, and remote access logs so responders can reconstruct the sequence of events.
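As an added example that is not part of the ATT&CK object or Glexia's page, the correlation the technical view and detection direction above describe, run over constructed sample events: a write to a login-facing file is scored higher when a web server process launches a shell or interpreter nearby (a web shell indicator) or remote access activity falls in the same window, and suppressed when it matches a locally defined deployment window and account. Paths, account names, windows, and event formats are assumptions to be replaced with local baselines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); timestamps are ISO-8601 UTC.
FILE_EVENTS = [  # file integrity / auditd-style write events
    {"ts": "2026-03-02T02:14:05", "path": "/var/www/portal/login.js", "user": "www-data"},
    {"ts": "2026-03-02T10:00:12", "path": "/var/www/portal/index.php", "user": "deploy"},
    {"ts": "2026-03-02T10:00:13", "path": "/var/www/portal/css/site.css", "user": "deploy"},
]
PROC_EVENTS = [  # process execution on the web server host
    {"ts": "2026-03-02T02:13:50", "parent": "apache2", "image": "/bin/sh", "user": "www-data"},
]
ACCESS_EVENTS = [  # remote access / authentication events
    {"ts": "2026-03-02T02:11:40", "kind": "vpn_login", "user": "jdoe", "src": "203.0.113.9"},
]
# Local baselines (assumed): approved deployment windows, deploy accounts, portal layout.
DEPLOY_WINDOWS = [("2026-03-02T09:30:00", "2026-03-02T11:00:00")]
DEPLOY_ACCOUNTS = {"deploy"}
LOGIN_FACING = re.compile(r"/(index\.php|login\.js)$")
WEB_SERVERS = {"apache2", "nginx", "php-fpm"}
INTERPRETERS = re.compile(r"/(sh|bash|dash|python3?|perl|php)$")

def _t(s):
    return datetime.fromisoformat(s)

def in_deploy_window(ts):
    return any(_t(a) <= _t(ts) <= _t(b) for a, b in DEPLOY_WINDOWS)

def _near(ts, events, window):
    """Events whose timestamp lies within +/- window of ts."""
    return [e for e in events if abs(_t(e["ts"]) - _t(ts)) <= window]

def correlate(file_events, proc_events, access_events, window=timedelta(minutes=15)):
    """Score each login-facing file change by the process and remote-access context around it."""
    alerts = []
    for f in file_events:
        if not LOGIN_FACING.search(f["path"]):
            continue  # tune this pattern to the local portal layout
        score, reasons = 1, ["login-facing portal file modified"]
        shells = [p for p in _near(f["ts"], proc_events, window)
                  if p["parent"] in WEB_SERVERS and INTERPRETERS.search(p["image"])]
        if shells:  # web shell indicator: server process launching an interpreter
            score, reasons = score + 2, reasons + ["web server spawned interpreter/shell"]
        if _near(f["ts"], access_events, window):
            score, reasons = score + 1, reasons + ["remote access activity in window"]
        if in_deploy_window(f["ts"]) and f["user"] in DEPLOY_ACCOUNTS:
            score, reasons = 0, ["matches approved deployment window and account"]
        severity = "high" if score >= 3 else "medium" if score >= 1 else "info"
        alerts.append({"path": f["path"], "ts": f["ts"], "severity": severity, "reasons": reasons})
    return alerts
```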
Mitigation priorities
- Establish explicit ownership and change-control requirements for login-facing web portal files.
- Deploy or validate file integrity monitoring on Linux web servers hosting VPN, SSO, or intranet login portals.
- Restrict write access to web application directories and review privileged access paths used for deployment or administration.
- Segment and harden portal servers so abnormal web server process behavior is easier to identify and contain.
- Ensure incident response playbooks include rapid validation of portal file integrity, recent deployments, remote access logs, and possible web shell behavior.
Analyst notes and limits
AN1320 is a detection analytic, not a technique, and no tactic is specified in the supplied object. Its value is primarily as a coverage validation item for Linux-hosted login-facing web infrastructure. The strongest defensive use is correlation: suspicious file changes become more actionable when compared with remote access artifacts, web server behavior, and authorized change records.
The official object provides a description but no detailed detection logic, relationships, tactics, or implementation guidance. The assessment must therefore remain environment-dependent. Local file paths, portal architecture, logging availability, and change management practices are required to determine practical coverage and alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 940546772259… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1320 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.