AN1321: Analytic 1321
Detects tampering of IIS-based login pages (e.g., default.aspx, login.aspx) tied to VPN, OWA, or SharePoint via script injection or unexpected editor processes modifying web roots.
Analyst context for executives and security teams
This analytic matters because tampering with IIS-based login pages can undermine high-value access points such as VPN, Outlook Web Access, or SharePoint. For leaders, the practical issue is whether externally facing authentication pages are monitored closely enough to prove they have not been altered, especially during an incident involving credential exposure or suspicious access.
Executive priority
Prioritize this as a resilience and assurance control for Windows-hosted IIS authentication surfaces. Security leaders should ask whether web root integrity, change control, privileged editing activity, and incident evidence are available for VPN, OWA, and SharePoint login pages. The business value is faster confidence during breach triage, stronger audit evidence around critical access systems, and reduced blind spots around unauthorized page modification.
Technical view
SOC and IR teams should validate monitoring around IIS web roots that host login pages such as default.aspx and login.aspx. The supplied analytic describes detection of script injection or unexpected editor processes modifying those locations, but no official detection logic is provided. Detection engineering should therefore focus on file modification events, process-to-file relationships, and approved-change baselines for Windows IIS servers supporting VPN, OWA, or SharePoint.
Likely telemetry
- Windows file creation and modification events for IIS web root directories
- Process execution telemetry showing editors, scripting tools, or administrative utilities modifying .aspx login pages
- File integrity monitoring or hash-change records for default.aspx, login.aspx, and related authentication page assets
- Web server change/audit logs where available
- Administrative session, account, and change-control records for IIS-hosted access portals
Detection direction
- Baseline expected login page files and approved deployment processes for IIS-hosted VPN, OWA, and SharePoint pages.
- Alert on unexpected modification of default.aspx, login.aspx, or similar authentication pages in web roots, especially outside approved maintenance windows.
- Correlate file changes with the modifying process and user context to distinguish authorized web administration from suspicious editor or script activity.
- Tune carefully for legitimate application updates, patching, and content deployments to avoid excessive false positives.
- Account for blind spots where file integrity monitoring, process telemetry, or centralized Windows logging is absent on IIS servers.
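The baseline-and-correlate steps above can be exercised end to end with the following added example. It is not detection logic from the ATT&CK analytic or from Glexia; it is illustrative code written for this page. It builds a hash and script-reference baseline for a set of in-scope login pages, then evaluates constructed file-modification events (Sysmon-style field names, but sample values only) against that baseline and against assumed approved deployment tooling, accounts and a maintenance window. The web root paths, page contents, process names, account names, timestamps and window are all assumptions chosen for the demonstration.

```python
"""Baseline-and-correlate check for IIS login page modifications (added example)."""
import hashlib
import re
from datetime import datetime, time

# Constructed in-scope login pages (path -> approved content). Real paths and
# contents would come from the organization's own deployment records.
APPROVED_PAGES = {
    r"C:\inetpub\wwwroot\vpn\login.aspx":
        '<%@ Page Language="C#" %>\n<html><body>\n'
        '<form id="login" runat="server"></form>\n'
        '<script src="/scripts/login.js"></script>\n</body></html>\n',
    r"C:\inetpub\wwwroot\sharepoint\default.aspx":
        '<%@ Page Language="C#" %>\n<html><body>\n'
        '<form id="form1" runat="server"></form>\n</body></html>\n',
}
# Assumptions: the only deployment tool and service account allowed to write
# to web roots, and the nightly maintenance window (UTC).
APPROVED_PROCESSES = {"msdeploy.exe"}
APPROVED_ACCOUNTS = {r"CORP\svc-webdeploy"}
WINDOW_START, WINDOW_END = time(2, 0), time(4, 0)

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>', re.I)


def sha256(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def script_profile(content: str):
    """External script sources and inline <script> count for one page."""
    return frozenset(SCRIPT_SRC.findall(content)), len(INLINE_SCRIPT.findall(content))


def build_baseline(pages):
    """Step 1: record approved hash and script profile per monitored page."""
    return {path.lower(): {"hash": sha256(c), "scripts": script_profile(c)}
            for path, c in pages.items()}


def evaluate(event, baseline):
    """Steps 2-3: classify one file-modification event against the baseline.

    `event` is a constructed record with the fields a FIM or endpoint sensor
    would supply (TargetFilename, UtcTime, Image, User) plus the file content
    after the write, so the hash can be recomputed here.
    """
    key = event["TargetFilename"].lower()
    if key not in baseline:
        return {"verdict": "out_of_scope", "reasons": []}
    expected = baseline[key]
    new_hash = sha256(event["content"])
    if new_hash == expected["hash"]:
        return {"verdict": "no_change", "reasons": []}

    # Policy reasons: who/what changed the file and when.
    policy = []
    proc = event["Image"].rsplit("\\", 1)[-1].lower()
    if proc not in APPROVED_PROCESSES:
        policy.append(f"unexpected process {proc}")
    if event["User"] not in APPROVED_ACCOUNTS:
        policy.append(f"unapproved account {event['User']}")
    t = datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S").time()
    if not (WINDOW_START <= t <= WINDOW_END):
        policy.append(f"outside maintenance window at {t}")

    # Content reasons: script references that were not in the approved page.
    content = []
    new_srcs, new_inline = script_profile(event["content"])
    old_srcs, old_inline = expected["scripts"]
    added = sorted(new_srcs - old_srcs)
    if added:
        content.append(f"new external script(s) {added}")
    if new_inline > old_inline:
        content.append(f"inline <script> count rose {old_inline}->{new_inline}")

    # An approved deployment that changes scripts is queued for review rather
    # than alerted, which is where tuning for legitimate releases happens.
    verdict = "alert" if policy else ("review" if content else "approved_change")
    return {"verdict": verdict, "hash": new_hash, "reasons": policy + content}


def run_demo():
    """Evaluate four constructed events; returns their classifications in order."""
    baseline = build_baseline(APPROVED_PAGES)
    vpn, sp = (APPROVED_PAGES[r"C:\inetpub\wwwroot\vpn\login.aspx"],
               APPROVED_PAGES[r"C:\inetpub\wwwroot\sharepoint\default.aspx"])
    events = [
        {"TargetFilename": r"C:\inetpub\wwwroot\sharepoint\default.aspx",
         "UtcTime": "2026-01-15 02:30:00", "Image": r"C:\Tools\msdeploy.exe",
         "User": r"CORP\svc-webdeploy", "content": sp.replace("</body>", "<p>v2</p></body>")},
        {"TargetFilename": r"C:\inetpub\wwwroot\VPN\login.aspx",
         "UtcTime": "2026-01-15 14:12:00", "Image": r"C:\Windows\System32\notepad.exe",
         "User": r"CORP\Administrator",
         "content": vpn.replace("</body>", '<script src="https://cdn.example.invalid/x.js"></script></body>')},
        {"TargetFilename": r"C:\inetpub\wwwroot\vpn\web.config",
         "UtcTime": "2026-01-15 14:13:00", "Image": r"C:\Windows\System32\notepad.exe",
         "User": r"CORP\Administrator", "content": "<configuration/>"},
        {"TargetFilename": r"C:\inetpub\wwwroot\vpn\login.aspx",
         "UtcTime": "2026-01-15 03:00:00", "Image": r"C:\Tools\msdeploy.exe",
         "User": r"CORP\svc-webdeploy", "content": vpn},
    ]
    return [evaluate(e, baseline) for e in events]


if __name__ == "__main__":
    for result in run_demo():
        print(result["verdict"], result["reasons"])
```

The split between policy reasons (process, account, window) and content reasons (script references) is the design point: the first set is what distinguishes authorized web administration from an unexpected editor, while the second catches injected script references even in a change that otherwise looks routine, and routing approved-but-script-changing deployments to review rather than alert is where false-positive tuning for legitimate releases belongs.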
Mitigation priorities
- Identify IIS servers hosting externally exposed or business-critical login pages.
- Implement change control and integrity monitoring for web roots and authentication page files.
- Restrict who and what can modify IIS web directories using least privilege and administrative separation.
- Ensure Windows process, file, and administrative activity logs from these servers are retained and available to SOC and IR teams.
- Include IIS login page integrity checks in incident response playbooks for suspected credential theft or access portal compromise.
Analyst notes and limits
The object is a detection analytic for Windows environments and specifically references IIS-based login pages tied to VPN, OWA, or SharePoint. No ATT&CK tactics, relationships, aliases, labels, or official detection query were supplied, so this take focuses on defensive validation and telemetry requirements rather than a specific rule implementation.
The source fields do not provide detection logic, related techniques, adversary procedures, or relationship context. Local IIS architecture, web root paths, logging configuration, approved deployment methods, and change-management records are required to operationalize this analytic safely.
Analytic 1321
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 09ba798b26ba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1321 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.