MITRE ATT&CK® Analytic

AN1623: Analytic 1623

Adversary compromises a Linux-based web server and modifies hosted web files by exploiting upload vulnerabilities, remote code execution, or replacing index.html via SSH/webshell.

Domain: Enterprise. Object ID: AN1623. Type: Analytic. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic describes a Linux web server compromise where an adversary changes hosted web content after gaining access through an upload weakness, remote code execution, SSH, or a webshell. For leaders, the practical issue is trust and continuity: altered public web files can disrupt customer-facing services, damage credibility, and become an incident-response trigger even when the original intrusion path is still unclear.

Executive priority

Prioritize this as a web operations and incident readiness concern for Linux-hosted services. Executives should ask whether teams can quickly prove when web content changed, who or what changed it, whether the change was authorized, and whether the initial access path was an application vulnerability, exposed remote access, or a webshell. The business decision value is in validating logging, file integrity evidence, web application security controls, and response ownership before a public-facing service is modified during an incident.

Technical view

For SOC, detection engineering, and IR teams, this object supports validation around Linux web servers and hosted web file modification. Because no official detection logic is provided and no ATT&CK relationships are supplied, teams should build local coverage around unauthorized changes to web roots and key hosted files, correlated with web upload activity, web server process behavior, SSH access, and possible webshell activity. Tuning should distinguish expected deployment or content-management activity from changes made by unusual users, processes, sessions, paths, or times.

Likely telemetry

  • Linux file modification events for hosted web directories and key files such as site entry pages
  • Web server access logs, including upload requests and unusual requests to newly changed files
  • Authentication and session logs for SSH access to Linux web servers
  • Process execution telemetry on Linux web servers, especially web server child processes modifying hosted files
  • Application, CMS, or deployment pipeline logs showing authorized content changes

Detection direction

  • Validate that monitoring covers Linux web roots and hosted content locations rather than only operating system directories.
  • Correlate web file changes with authorized deployment windows, known administrators, CI/CD activity, or content-management workflows to reduce false positives.
  • Investigate web content changes made by web server service accounts, unexpected shell sessions, or processes associated with request handling.
  • Use web logs and authentication logs to determine whether a file change aligns with upload activity, remote code execution indicators, SSH access, or suspected webshell use.
  • Account for a major blind spot: without file integrity, process, web, and authentication telemetry on the server, teams may only notice the compromise after visible website changes.
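One way to put the correlation points above into practice, as an added example that is not part of the MITRE object or Glexia's page: triage constructed web-root change events against assumed authorized change paths (a CI/CD deploy identity, a deployment window, the web service account) and against recent successful upload requests in the access log. Event shapes, usernames, paths and the window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumptions for illustration: hosted content location, the CI/CD identity
# that is allowed to change it, the account the web server handles requests as,
# and one authorized deployment window.
WEB_ROOTS = ("/var/www/",)
DEPLOY_USERS = {"deploy"}
WEB_SERVICE_USERS = {"www-data"}
DEPLOY_WINDOWS = [(datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 1, 3, 0))]
UPLOAD_LOOKBACK = timedelta(minutes=10)


def in_deploy_window(ts):
    return any(start <= ts <= end for start, end in DEPLOY_WINDOWS)


def triage(file_events, access_log):
    """Return [(path, [reasons])] for web-root changes that need review."""
    upload_times = [datetime.fromisoformat(r["ts"]) for r in access_log
                    if r["method"] == "POST" and r["status"] < 400]
    findings = []
    for ev in file_events:
        if not ev["path"].startswith(WEB_ROOTS):
            continue  # hosted content only, not operating system directories
        ts = datetime.fromisoformat(ev["ts"])
        reasons = []
        if ev["user"] in WEB_SERVICE_USERS:
            reasons.append("written by web service account")
        elif ev["user"] not in DEPLOY_USERS:
            reasons.append("unexpected user " + ev["user"])
        elif not in_deploy_window(ts):
            reasons.append("deploy identity outside deployment window")
        # A successful POST shortly before the change points at upload activity.
        if any(timedelta(0) <= ts - t <= UPLOAD_LOOKBACK for t in upload_times):
            reasons.append("follows successful POST within 10 min")
        if reasons:
            findings.append((ev["path"], reasons))
    return findings


# Constructed sample telemetry (assumed shapes, not real logs).
FILE_EVENTS = [
    {"ts": "2024-05-01T02:15:00", "path": "/var/www/html/app.js", "user": "deploy"},
    {"ts": "2024-05-01T14:02:30", "path": "/var/www/html/index.html", "user": "www-data"},
    {"ts": "2024-05-01T23:40:00", "path": "/var/www/html/index.html", "user": "guest"},
    {"ts": "2024-05-01T23:41:00", "path": "/etc/hosts", "user": "root"},
]
ACCESS_LOG = [{"ts": "2024-05-01T14:00:10", "method": "POST", "path": "/upload", "status": 200}]

if __name__ == "__main__":
    for path, reasons in triage(FILE_EVENTS, ACCESS_LOG):
        print(path, "->", "; ".join(reasons))
```

The authorized deploy during its window produces no finding; the service-account write shortly after an upload and the write by an unknown user do.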

Mitigation priorities

  • Establish authorized change paths for hosted web files, including deployment logging and ownership of emergency changes.
  • Enable file integrity or equivalent change monitoring for critical hosted content on Linux web servers.
  • Harden and monitor upload functionality, remote administration paths, and web application execution permissions.
  • Restrict and audit SSH access to web servers using least privilege and accountable identities.
  • Prepare IR procedures to preserve changed files, related logs, and deployment history so responders can determine scope and likely entry path.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Linux only. It describes adversary modification of hosted web files after compromise but provides no official detection text, tactics, labels, aliases, or relationship context. The most useful defensive interpretation is therefore evidence-readiness: can the organization distinguish legitimate web content changes from unauthorized modification and pivot to the likely access path?

This take is based only on the supplied STIX fields and the single MITRE external reference. No active exploitation, attribution, specific malware, impact outcome, or guaranteed detection coverage is stated. Local web architecture, deployment practices, logging configuration, and server hardening determine the actual risk and detection quality.

Official MITRE ATT&CK definition

Analytic 1623

Adversary compromises a Linux-based web server and modifies hosted web files by exploiting upload vulnerabilities, remote code execution, or replacing index.html via SSH/webshell.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d14a54776eee83e2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | d14a54776eee…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack, AN1623 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.