MITRE ATT&CK® Analytic

AN1622: Analytic 1622

Adversary modifies externally-facing web content by accessing and overwriting hosted HTML/JS/CSS files, typically following web shell deployment, credential abuse, or exploitation of web application vulnerabilities.

Enterprise | AN1622 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic concerns unauthorized modification of public web content on Windows-hosted environments, such as overwriting HTML, JavaScript, or CSS files. For leaders, the risk is not just a changed webpage: public content changes can affect customer trust, incident communications, compliance evidence, and the integrity of externally facing services. The ATT&CK object notes this often follows web shell deployment, credential abuse, or exploitation of web application vulnerabilities, so a detected content change should be treated as a potential sign of deeper compromise until proven otherwise.

Executive priority

Prioritize this as an external-facing service integrity issue. Executives and risk owners should ask whether the organization can prove who changed public web content, when it changed, from where, and whether the change was authorized. This also supports incident decision-making: a website defacement or unauthorized script change may require web application, identity, vulnerability management, and IR teams to work together rather than treating it as a simple web publishing issue.

Technical view

The object is a Windows-focused detection analytic with no official detection logic supplied and no ATT&CK tactics specified. SOC and IR teams should validate that they can see writes or overwrites to hosted HTML, JS, and CSS files on externally facing web servers, and that each write can be tied to the account and process that made it, the session it came from (interactive, remote, or service), the web server's own worker process activity, and any open web application vulnerability or web shell investigation. Because the description names web shell deployment, credential abuse, and exploitation of web application vulnerabilities as typical precursors, a write into content directories by the web server's worker process, or by a publishing account used outside its normal deployment tooling, deserves more attention than a change made by the deployment pipeline; file modification alerts should be triaged with the surrounding authentication, web access, process execution, and file integrity context.

Likely telemetry

  • File integrity monitoring or endpoint file modification events for hosted HTML, JavaScript, and CSS paths on Windows web servers
  • Web server access logs showing requests around the time content was changed
  • Windows security and authentication logs for interactive, remote, service, or administrative access
  • Endpoint process telemetry showing which process or account wrote to web content directories
  • Change management, deployment, or CI/CD records for authorized web content updates

Detection direction

  • Validate that monitoring covers externally facing Windows web servers and the directories where public HTML, JS, and CSS are hosted.
  • Tune alerts to distinguish authorized publishing or deployment activity from direct server-side overwrites, emergency changes, or changes by unexpected accounts/processes.
  • Correlate file modifications with user identity, source host, remote access method, and deployment records to reduce false positives from legitimate web operations.
  • Treat unexpected modification of public web content as a pivot point for IR: check for related web shell indicators, credential misuse, and recent web application vulnerability activity as suggested by the ATT&CK description.
  • Document blind spots where web content is updated through tooling that does not generate endpoint-level file events or where web server logs are incomplete.
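The correlation the Technical view and Detection direction sections describe, worked as an added example (not MITRE or Glexia code): it runs over a handful of constructed, flattened Windows Security 4663 object-access and 4624 logon records, keeps only writes to public HTML/JS/CSS under an assumed IIS content root, and rates each write by who made it, through which process, from what kind of session, and whether it falls inside an approved change window. The content root, the svc-webdeploy publishing account, msdeploy.exe as the deployment tool, the logon IDs, the IP address and the CHG-1042 change window are all assumptions for illustration.

```python
"""Triage file writes to hosted web content on a Windows web server.

Added example for this page, not MITRE or Glexia code. The records below are
constructed to resemble flattened Windows Security 4663 (object access) and
4624 (logon) fields; the content root, accounts, processes, logon IDs and
change window are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
import ntpath

MSDEPLOY = r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# Assumed IIS content root and the public content types worth alerting on.
WEB_ROOTS = (r"c:\inetpub\wwwroot",)
WEB_EXTS = {".html", ".htm", ".js", ".css"}
# Assumed publishing identity and deployment tool; any other writer is unexpected.
DEPLOY_ACCOUNTS = {r"corp\svc-webdeploy"}
DEPLOY_PROCESSES = {MSDEPLOY.lower()}
# The IIS worker should serve content, never write it: a write from w3wp.exe is
# the classic sign of a web shell or an exploited upload path.
WEB_WORKERS = {W3WP.lower()}
# 4663 AccessMask bits for WriteData (0x2) and AppendData (0x4); reads are ignored.
WRITE_BITS = 0x2 | 0x4
# 4624 logon types that mean a human or remote session rather than a service.
REMOTE_LOGON_TYPES = {2: "console", 3: "network", 10: "rdp"}


@dataclass(frozen=True)
class ChangeWindow:
    """Approved deployment slot from change management (assumed record shape)."""
    account: str
    start: datetime
    end: datetime
    ticket: str


def is_web_content(path):
    p = path.lower()
    return any(p.startswith(r) for r in WEB_ROOTS) and ntpath.splitext(p)[1] in WEB_EXTS


def triage(event, logons, windows):
    """Classify one 4663 record as (severity, reason), or None if out of scope."""
    if int(event["AccessMask"], 16) & WRITE_BITS == 0:
        return None
    if not is_web_content(event["ObjectName"]):
        return None
    when = datetime.fromisoformat(event["TimeCreated"])
    user = (event["SubjectDomainName"] + "\\" + event["SubjectUserName"]).lower()
    image = event["ProcessName"].lower()
    # Join SubjectLogonId to the 4624 that opened the session to learn how the
    # writer reached the host (console, network share, RDP) and from where.
    logon = logons.get(event["SubjectLogonId"], {})
    via = REMOTE_LOGON_TYPES.get(logon.get("LogonType"))
    origin = f" via {via} from {logon.get('IpAddress', '?')}" if via else ""

    if image in WEB_WORKERS:
        return ("high", f"web server worker {image} wrote content{origin}")
    if user not in DEPLOY_ACCOUNTS:
        return ("high", f"unexpected account {user} wrote content with {image}{origin}")
    if image not in DEPLOY_PROCESSES:
        return ("medium", f"publishing account {user} wrote with {image}, not the deployment tool{origin}")
    if not any(w.account == user and w.start <= when <= w.end for w in windows):
        return ("medium", f"deployment by {user} outside any approved change window")
    return ("info", f"authorized deployment by {user}")


def triage_all(events, logons, windows):
    """(path, severity, reason) for every in-scope write that is not an approved deployment."""
    alerts = []
    for e in events:
        result = triage(e, logons, windows)
        if result and result[0] != "info":
            alerts.append((e["ObjectName"], result[0], result[1]))
    return alerts


def ev(time, domain, user, logon_id, mask, process, target):
    """Build one flattened 4663-style record (constructed sample data)."""
    return {"TimeCreated": time, "SubjectDomainName": domain, "SubjectUserName": user,
            "SubjectLogonId": logon_id, "AccessMask": mask, "ProcessName": process,
            "ObjectName": target}


# Constructed 4624 sessions keyed by logon ID (hex, as Windows logs it).
LOGONS = {
    "0x1a2b3c": {"LogonType": 5},                                # service logon
    "0x5f6e7d": {"LogonType": 10, "IpAddress": "203.0.113.45"},  # RDP session
    "0x8c9d0e": {"LogonType": 5},                                # app pool identity
}
# Constructed change-management record: one approved deployment slot.
WINDOWS = [ChangeWindow(r"corp\svc-webdeploy", datetime(2025, 3, 4, 2, 0),
                        datetime(2025, 3, 4, 3, 0), "CHG-1042")]
# Constructed 4663 records in chronological order.
EVENTS = [
    ev("2025-03-04T02:15:10", "CORP", "svc-webdeploy", "0x1a2b3c", "0x2", MSDEPLOY, r"C:\inetpub\wwwroot\js\app.js"),
    ev("2025-03-04T09:41:03", "IIS APPPOOL", "DefaultAppPool", "0x8c9d0e", "0x2", W3WP, r"C:\inetpub\wwwroot\index.html"),
    ev("2025-03-04T11:02:44", "CORP", "jdoe", "0x5f6e7d", "0x1", NOTEPAD, r"C:\inetpub\wwwroot\css\site.css"),
    ev("2025-03-04T11:02:51", "CORP", "jdoe", "0x5f6e7d", "0x6", NOTEPAD, r"C:\inetpub\wwwroot\css\site.css"),
    ev("2025-03-04T16:30:00", "CORP", "svc-webdeploy", "0x1a2b3c", "0x2", MSDEPLOY, r"C:\inetpub\wwwroot\index.html"),
]

if __name__ == "__main__":
    for path, severity, reason in triage_all(EVENTS, LOGONS, WINDOWS):
        print(f"[{severity}] {path}: {reason}")
```

The order of the checks matters. A write by the IIS worker process is rated before the account check because a web shell runs as the application pool identity, which can look like an ordinary service account; and a publishing account writing with an editor over RDP is kept separate from the same account using the deployment tool outside a change window, because the first resembles credential abuse and the second an unrecorded emergency change. Real 4663 records are only produced where object access auditing is enabled and a SACL is set on the content directory, so the audit policy and SACL belong in the coverage check in the first bullet above.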

Mitigation priorities

  • Establish authoritative change control for externally facing web content, including who may publish and how changes are approved.
  • Restrict write permissions on hosted web content directories to the accounts and deployment mechanisms that need them; in particular, the identity the web server runs the site under should be able to read content but not rewrite it, so that an exploited application or web shell cannot overwrite pages directly.
  • Use file integrity monitoring or equivalent control evidence for public web content paths on Windows web servers.
  • Review privileged and service account access used for web publishing, especially where credentials could be abused.
  • Ensure vulnerability management and web application security processes cover externally facing applications that can lead to unauthorized file writes.
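A minimal form of the file integrity control named in the list above, as an added example (not MITRE, Glexia or any FIM product's code): it hashes every HTML, JS and CSS file under a content root into a manifest, round-trips the manifest through JSON as a stored baseline, and reports files added, removed or changed since that baseline. The sample site is built in a temporary directory, and its file names and contents are constructed for the demonstration.

```python
"""Hash-manifest file integrity check for a public web content directory.

Added example for this page, not MITRE or Glexia code: a minimal baseline-and-
compare routine of the kind a FIM product provides. The sample tree is built in
a temporary directory so the example runs anywhere; its paths and contents are
constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Public content types to baseline; other files under the root are ignored.
WATCHED_EXTS = {".html", ".htm", ".js", ".css"}


def build_manifest(root):
    """Map each watched file (path relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in WATCHED_EXTS:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifest(baseline, current):
    """Return the files added, removed and changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed site, tamper with it, and report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "js").mkdir()
        (site / "index.html").write_text("<html><body>Welcome</body></html>")
        (site / "js" / "app.js").write_text("console.log('app');")
        (site / "robots.txt").write_text("User-agent: *")  # not a watched type
        # The stored baseline would live off the server; here it only round-trips
        # through JSON to show the manifest survives being written and re-read.
        stored = json.loads(json.dumps(build_manifest(site)))
        # Simulated defacement plus a dropped script, the two changes the
        # analytic describes; the robots.txt edit is outside the watched set.
        (site / "index.html").write_text("<html><body>Defaced</body></html>")
        (site / "js" / "inject.js").write_text("/* injected */")
        (site / "robots.txt").write_text("Disallow: /")
        return diff_manifest(stored, build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline off the web server and regenerate it from the deployment pipeline after each approved release; otherwise an attacker who can overwrite index.html can overwrite the manifest too. A manifest diff says what changed, not who changed it, so a drift report is the trigger for the account and process correlation called for under Detection direction, not a replacement for it.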

Analyst notes and limits

This take is based on the supplied ATT&CK analytic description for AN1622. The most useful operational framing is to treat unauthorized public web content modification as both a website integrity issue and a possible symptom of earlier compromise. Relationship context was not supplied, so no specific techniques, tactics, groups, malware, or campaigns are inferred.

Official detection content was not provided, tactics were not specified, and no relationships were supplied. Windows is the only platform listed on the object. Local architecture, hosting model, deployment process, and logging coverage are required to convert this into reliable detections or control evidence.

Official MITRE ATT&CK definition

Analytic 1622

Adversary modifies externally-facing web content by accessing and overwriting hosted HTML/JS/CSS files, typically following web shell deployment, credential abuse, or exploitation of web application vulnerabilities.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: 67db9411199c86ac...

Imported snapshots across ATT&CK releases (1)
Release 19.1 | Bundle imported: (not recorded) | Object version 1.0 | Modified: (not recorded) | Status: Current bundle | Raw hash 67db9411199c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1622 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.