T1491.002

External Defacement

Adversaries may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. Notable examples include Ember Bear's defacement of Ukrainian organization websites and Sandworm Team's defacement of approximately 15,000 Georgian government and private sector websites in 2019.

Microsoft Sentinel / Defender

kusto

let WebServerProcesses = dynamic(["w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "php.exe", "tomcat.exe", "java.exe", "apache.exe"]);
let ShellProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash", "sh", "python.exe", "python3", "perl.exe", "mshta.exe"]);
let WebRootPaths = dynamic(["\\inetpub\\wwwroot\\", "\\wwwroot\\", "\\htdocs\\", "\\public_html\\", "\\web\\", "\\webroot\\"]);
let WebFileExtensions = dynamic([".html", ".htm", ".asp", ".aspx", ".php", ".js", ".css", ".jsp"]);
// Branch 1: Web server processes spawning shells (indicates RCE/web shell exploitation)
let WebShellBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (WebServerProcesses)
| where FileName has_any (ShellProcesses)
| extend DetectionType = "WebServerSpawnedShell"
| extend Severity = "Critical"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath = "",
         ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionType, Severity;
// Branch 2: Non-standard processes modifying web root content files
let FileModBranch = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebFileExtensions)
    or FileName in~ ("index.html", "index.php", "index.asp", "index.aspx",
                     "default.htm", "default.asp", "default.aspx", "home.html")
| where InitiatingProcessFileName !in~ ("svchost.exe", "TrustedInstaller.exe",
         "WaAppAgent.exe", "msiexec.exe", "WUDFHost.exe", "MicrosoftEdgeUpdate.exe")
| extend DetectionType = "WebFileModified"
| extend Severity = iff(InitiatingProcessFileName has_any (ShellProcesses), "High", "Medium")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         FileName, FolderPath, ProcessCommandLine = InitiatingProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionType, Severity;
WebShellBranch
| union FileModBranch
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

CI/CD deployment agents (Jenkins agents, GitHub Actions runners, Azure DevOps build agents) writing updated web content to wwwroot as part of legitimate deployments
CMS auto-update processes — WordPress, Drupal, and Joomla modify PHP and HTML files during plugin, theme, or core updates, often via the same httpd or php-fpm worker process
Web developers directly editing files on development or staging servers via SSH, FTP, or mounted network shares, where the modifying process is an editor (code.exe, notepad++.exe) that is excluded
IIS Application Initialization Module or health-check handlers causing w3wp.exe to spawn cmd.exe for application warmup or custom startup scripts
Monitoring and observability agents (Datadog agent, New Relic, Dynatrace OneAgent) that instrument web server processes and may appear as unexpected child processes of w3wp.exe or httpd

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11)
| eval IsWebServerShell=if(
    EventCode=1
    AND (like(ParentImage, "%\\w3wp.exe") OR like(ParentImage, "%\\httpd.exe") OR like(ParentImage, "%\\nginx.exe") OR like(ParentImage, "%\\php-cgi.exe") OR like(ParentImage, "%\\php.exe") OR like(ParentImage, "%\\apache%.exe") OR like(ParentImage, "%\\tomcat%.exe"))
    AND (like(Image, "%\\cmd.exe") OR like(Image, "%\\powershell.exe") OR like(Image, "%\\pwsh.exe") OR like(Image, "%\\wscript.exe") OR like(Image, "%\\cscript.exe") OR like(Image, "%\\mshta.exe") OR like(Image, "%\\bash.exe") OR like(Image, "%\\sh.exe")),
    1, 0)
| eval IsWebFileModified=if(
    EventCode=11
    AND (like(TargetFilename, "%\\wwwroot\\%") OR like(TargetFilename, "%\\inetpub\\%") OR like(TargetFilename, "%\\htdocs\\%") OR like(TargetFilename, "%\\public_html\\%") OR like(TargetFilename, "%\\webroot\\%"))
    AND (like(TargetFilename, "%.html") OR like(TargetFilename, "%.htm") OR like(TargetFilename, "%.asp") OR like(TargetFilename, "%.aspx") OR like(TargetFilename, "%.php") OR like(TargetFilename, "%.js") OR like(TargetFilename, "%index.%") OR like(TargetFilename, "%default.%"))
    AND NOT (like(Image, "%\\svchost.exe") OR like(Image, "%\\TrustedInstaller.exe") OR like(Image, "%\\WaAppAgent.exe") OR like(Image, "%\\msiexec.exe") OR like(Image, "%\\WUDFHost.exe")),
    1, 0)
| where IsWebServerShell=1 OR IsWebFileModified=1
| eval DetectionType=case(IsWebServerShell=1, "WebServerSpawnedShell", IsWebFileModified=1, "WebFileModified", true(), "Unknown")
| eval Severity=case(
    IsWebServerShell=1, "Critical",
    IsWebFileModified=1 AND (like(Image, "%\\cmd.exe") OR like(Image, "%\\powershell.exe") OR like(Image, "%\\pwsh.exe") OR like(Image, "%\\wscript.exe") OR like(Image, "%\\cscript.exe")), "High",
    true(), "Medium")
| eval AffectedFile=coalesce(TargetFilename, "")
| table _time, host, User, AffectedFile, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, Severity
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

CI/CD pipeline deployment agents writing HTML/PHP content to web root directories as part of scheduled deployments
CMS platforms (WordPress, Drupal, Joomla) auto-updating core files or plugins via their internal HTTP-based updaters, which trigger the web server process to write files
Web developers editing files directly on development servers using editors (code.exe, notepad++.exe) that should be added to the Image exclusion list
IIS application pool recycle events or custom startup executables configured in IIS that may appear as cmd.exe children of w3wp.exe
Content syndication or CDN origin pull agents that write cached or translated content files to the web root on a schedule

Elastic Security (EQL)

eql

any where (
  (
    event.category == "process" and event.type == "start" and
    process.parent.name like~ ("w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "php.exe", "tomcat.exe", "java.exe", "apache.exe") and
    process.name like~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash", "sh", "python.exe", "python3", "perl.exe", "mshta.exe")
  )
  or
  (
    event.category == "file" and event.type in ("creation", "change") and
    (
      file.path like~ "*\\inetpub\\wwwroot\\*" or file.path like~ "*\\wwwroot\\*" or
      file.path like~ "*\\htdocs\\*" or file.path like~ "*\\public_html\\*" or
      file.path like~ "*\\webroot\\*" or file.path like~ "*/var/www/*" or
      file.path like~ "*/srv/www/*" or file.path like~ "*/srv/http/*"
    ) and
    (
      file.extension like~ ("html", "htm", "asp", "aspx", "php", "js", "css", "jsp") or
      file.name like~ ("index.html", "index.php", "index.asp", "index.aspx",
                       "default.htm", "default.asp", "default.aspx", "home.html")
    ) and
    not process.name like~ ("svchost.exe", "TrustedInstaller.exe", "WaAppAgent.exe",
                             "msiexec.exe", "WUDFHost.exe", "MicrosoftEdgeUpdate.exe")
  )
)

critical severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent (endpoint integration) Winlogbeat with Sysmon module Auditbeat (Linux file integrity)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-* auditbeat-*

False Positives

CI/CD deployment agents (Jenkins, GitLab Runner, Octopus Deploy) executing under web server service accounts that write updated HTML or PHP files to web root directories during scheduled release pipelines
Java-based application servers (Tomcat, JBoss, WildFly) that legitimately spawn bash or sh helper scripts as part of startup sequences, health checks, or server-side CGI processing
CMS auto-update mechanisms (WordPress, Drupal, Joomla) that modify index.php or core web files during automated plugin or core version upgrades executed by the web server process itself

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  username AS User,
  "Image",
  "CommandLine",
  "ParentImage",
  "ParentCommandLine",
  "TargetFilename",
  CASE
    WHEN QIDNAME(qid) ILIKE '%Process Create%'
      AND (
        "ParentImage" ILIKE '%\\w3wp.exe' OR "ParentImage" ILIKE '%\\httpd.exe' OR
        "ParentImage" ILIKE '%\\nginx.exe' OR "ParentImage" ILIKE '%\\php-cgi.exe' OR
        "ParentImage" ILIKE '%\\php.exe' OR "ParentImage" ILIKE '%\\apache%.exe' OR
        "ParentImage" ILIKE '%\\tomcat%.exe'
      )
    THEN 'WebServerSpawnedShell'
    WHEN QIDNAME(qid) ILIKE '%File Create%'
      AND (
        "TargetFilename" ILIKE '%\\wwwroot\\%' OR "TargetFilename" ILIKE '%\\inetpub\\%' OR
        "TargetFilename" ILIKE '%\\htdocs\\%' OR "TargetFilename" ILIKE '%\\public_html\\%' OR
        "TargetFilename" ILIKE '%\\webroot\\%'
      )
    THEN 'WebFileModified'
    ELSE 'Unknown'
  END AS DetectionType,
  CASE
    WHEN "Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\pwsh.exe'
      AND QIDNAME(qid) ILIKE '%Process Create%'
    THEN 'Critical'
    WHEN "Image" ILIKE '%\\wscript.exe' OR "Image" ILIKE '%\\cscript.exe' OR "Image" ILIKE '%\\mshta.exe'
      AND QIDNAME(qid) ILIKE '%Process Create%'
    THEN 'High'
    WHEN QIDNAME(qid) ILIKE '%File Create%'
      AND (
        "Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\pwsh.exe'
      )
    THEN 'High'
    ELSE 'Medium'
  END AS Severity
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) ILIKE '%Sysmon%'
  AND starttime > NOW() - 86400000
  AND (
    (
      QIDNAME(qid) ILIKE '%Process Create%'
      AND (
        "ParentImage" ILIKE '%\\w3wp.exe' OR "ParentImage" ILIKE '%\\httpd.exe' OR
        "ParentImage" ILIKE '%\\nginx.exe' OR "ParentImage" ILIKE '%\\php-cgi.exe' OR
        "ParentImage" ILIKE '%\\php.exe' OR "ParentImage" ILIKE '%\\apache%.exe' OR
        "ParentImage" ILIKE '%\\tomcat%.exe'
      )
      AND (
        "Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\powershell.exe' OR
        "Image" ILIKE '%\\pwsh.exe' OR "Image" ILIKE '%\\wscript.exe' OR
        "Image" ILIKE '%\\cscript.exe' OR "Image" ILIKE '%\\mshta.exe' OR
        "Image" ILIKE '%\\bash.exe' OR "Image" ILIKE '%\\sh.exe' OR
        "Image" ILIKE '%\\python.exe' OR "Image" ILIKE '%\\perl.exe'
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%File Create%'
      AND (
        "TargetFilename" ILIKE '%\\wwwroot\\%' OR "TargetFilename" ILIKE '%\\inetpub\\%' OR
        "TargetFilename" ILIKE '%\\htdocs\\%' OR "TargetFilename" ILIKE '%\\public_html\\%' OR
        "TargetFilename" ILIKE '%\\webroot\\%'
      )
      AND (
        "TargetFilename" ILIKE '%.html' OR "TargetFilename" ILIKE '%.htm' OR
        "TargetFilename" ILIKE '%.asp' OR "TargetFilename" ILIKE '%.aspx' OR
        "TargetFilename" ILIKE '%.php' OR "TargetFilename" ILIKE '%.js' OR
        "TargetFilename" ILIKE '%.css' OR "TargetFilename" ILIKE '%.jsp' OR
        "TargetFilename" ILIKE '%\\index.%' OR "TargetFilename" ILIKE '%\\default.%'
      )
      AND NOT (
        "Image" ILIKE '%\\svchost.exe' OR "Image" ILIKE '%\\TrustedInstaller.exe' OR
        "Image" ILIKE '%\\WaAppAgent.exe' OR "Image" ILIKE '%\\msiexec.exe' OR
        "Image" ILIKE '%\\WUDFHost.exe'
      )
    )
  )
ORDER BY starttime DESC

critical severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon via QRadar Windows DSM QRadar Universal DSM for Sysmon XML

Required Tables

events

False Positives

Automated software deployment pipelines (TeamCity, GitLab CI, Bamboo) that invoke PowerShell or cmd.exe under the context of IIS application pool accounts to stage updated web content
Web server CGI or FastCGI handlers that spawn Python, Perl, or shell interpreters as child processes to process legitimate HTTP requests
IT asset management or remote monitoring agents (e.g., Tanium, BigFix) that are whitelisted at the process level but interact with web root directories during compliance scans

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| parse regex "<EventID>(?<EventCode>\d+)<\/EventID>" nodrop
| parse regex "<Data Name='Image'>(?<Image>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='CommandLine'>(?<CommandLine>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='ParentImage'>(?<ParentImage>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='ParentCommandLine'>(?<ParentCommandLine>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='TargetFilename'>(?<TargetFilename>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='User'>(?<User>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='Computer'>(?<Computer>[^<]+)<\/Data>" nodrop
| where EventCode in ("1", "11")
| where (
    EventCode = "1"
    AND (
      ParentImage matches "*\\w3wp.exe" OR ParentImage matches "*\\httpd.exe" OR
      ParentImage matches "*\\nginx.exe" OR ParentImage matches "*\\php-cgi.exe" OR
      ParentImage matches "*\\php.exe" OR ParentImage matches "*\\apache*.exe" OR
      ParentImage matches "*\\tomcat*.exe" OR ParentImage matches "*\\java.exe"
    )
    AND (
      Image matches "*\\cmd.exe" OR Image matches "*\\powershell.exe" OR
      Image matches "*\\pwsh.exe" OR Image matches "*\\wscript.exe" OR
      Image matches "*\\cscript.exe" OR Image matches "*\\mshta.exe" OR
      Image matches "*\\bash.exe" OR Image matches "*\\sh.exe" OR
      Image matches "*\\python.exe" OR Image matches "*\\perl.exe"
    )
  )
  OR (
    EventCode = "11"
    AND (
      TargetFilename matches "*\\wwwroot\\*" OR TargetFilename matches "*\\inetpub\\*" OR
      TargetFilename matches "*\\htdocs\\*" OR TargetFilename matches "*\\public_html\\*" OR
      TargetFilename matches "*\\webroot\\*"
    )
    AND (
      TargetFilename matches "*.html" OR TargetFilename matches "*.htm" OR
      TargetFilename matches "*.asp" OR TargetFilename matches "*.aspx" OR
      TargetFilename matches "*.php" OR TargetFilename matches "*.js" OR
      TargetFilename matches "*.css" OR TargetFilename matches "*.jsp" OR
      TargetFilename matches "*\\index.*" OR TargetFilename matches "*\\default.*"
    )
    AND NOT (
      Image matches "*\\svchost.exe" OR Image matches "*\\TrustedInstaller.exe" OR
      Image matches "*\\WaAppAgent.exe" OR Image matches "*\\msiexec.exe" OR
      Image matches "*\\WUDFHost.exe" OR Image matches "*\\MicrosoftEdgeUpdate.exe"
    )
  )
| eval DetectionType = if(EventCode = "1", "WebServerSpawnedShell", "WebFileModified")
| eval Severity = if(EventCode = "1", "Critical",
    if(
      Image matches "*\\cmd.exe" OR Image matches "*\\powershell.exe" OR
      Image matches "*\\pwsh.exe" OR Image matches "*\\wscript.exe" OR
      Image matches "*\\cscript.exe",
      "High", "Medium"
    )
  )
| fields _messageTime, Computer, User, TargetFilename, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, Severity
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic (Windows Sysmon collector) Sumo Logic Cloud SIEM Enterprise Sumo Logic Installed Collector with Windows Event Log source

Required Tables

Sysmon XML Windows Event Log (_sourceCategory matching *sysmon*)

False Positives

Web application deployment tools (Ansible playbooks, Puppet manifests, Chef recipes) that run under privileged accounts and write updated web content files to IIS or Apache web root directories during automated change windows
Apache mod_cgi or PHP-FPM processes that invoke shell scripts or interpreter processes as part of legitimate CGI request handling for dynamic content generation
WordPress, Drupal, or Joomla automatic update processes that rewrite core PHP files (including index.php) when performing minor version upgrades while the web server is running

Google Chronicle / SecOps

yaral

rule t1491_002_web_server_spawned_shell {
  meta:
    author = "Detection Engineering"
    description = "Detects T1491.002 External Defacement - web server process spawning a shell interpreter indicating RCE or active web shell exploitation"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.002"
    severity = "CRITICAL"
    confidence = "HIGH"
    version = "1.0"
    rule_type = "SINGLE_EVENT"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path,
      `(?i)(w3wp\.exe|httpd\.exe|nginx\.exe|php\-cgi\.exe|php\.exe|tomcat\.exe|java\.exe|apache\.exe)$`)
    re.regex($e.target.process.file.full_path,
      `(?i)(\\|/)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh|python\.exe|python3|perl\.exe)$`)

  condition:
    $e
}

rule t1491_002_web_root_file_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects T1491.002 External Defacement - non-standard process creating or modifying web content files in known web root directories"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.002"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    rule_type = "SINGLE_EVENT"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    re.regex($e.target.file.full_path,
      `(?i)(\\inetpub\\wwwroot\\|\\wwwroot\\|\\htdocs\\|\\public_html\\|\\webroot\\|/var/www/|/srv/www/|/srv/http/)`)
    re.regex($e.target.file.full_path,
      `(?i)\.(html|htm|asp|aspx|php|js|css|jsp)$|(\\|/)(index\.|default\.|home\.html)`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(svchost\.exe|TrustedInstaller\.exe|WaAppAgent\.exe|msiexec\.exe|WUDFHost\.exe|MicrosoftEdgeUpdate\.exe)$`)

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM (Unified Data Model) Endpoint telemetry forwarded to Chronicle via forwarder or ingestion APIs

Required Tables

UDM Events (event_type: PROCESS_LAUNCH, FILE_CREATION)

False Positives

Automated blue/green or rolling deployment systems running under web service accounts that use process execution or file copy operations to publish updated static site content to web root directories
Java enterprise application servers (WebSphere, JBoss EAP) that spawn operating system shell scripts during application lifecycle events such as startup, shutdown, or health checks configured in server.xml
System package managers (apt-get, yum, dnf) or web server package update scripts that overwrite web root index files or configuration files during OS-level patch application cycles

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2|PeFileWritten|NewScriptWritten|SuspiciousScriptWritten)$/

| IsWebServerShell := if(
    #event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
    AND ParentBaseFileName = /^(w3wp|httpd|nginx|php\-cgi|php|tomcat|java|apache)(\.exe)?$/i
    AND ImageFileName = /\\(cmd|powershell|pwsh|wscript|cscript|mshta|bash|sh|python|python3|perl)(\.exe)?$/i,
    true, false)

| IsWebFileModified := if(
    #event_simpleName in ("PeFileWritten", "NewScriptWritten", "SuspiciousScriptWritten")
    AND TargetFileName = /\\(wwwroot|inetpub|htdocs|public_html|webroot)\\/i
    AND TargetFileName = /\.(html|htm|asp|aspx|php|js|css|jsp)$/i
    AND NOT ImageFileName = /\\(svchost|TrustedInstaller|WaAppAgent|msiexec|WUDFHost|MicrosoftEdgeUpdate)(\.exe)?$/i,
    true, false)

| IsWebServerShell = true OR IsWebFileModified = true

| DetectionType := if(IsWebServerShell = true, "WebServerSpawnedShell", "WebFileModified")

| Severity := if(
    IsWebServerShell = true, "Critical",
    if(
      ImageFileName = /\\(cmd|powershell|pwsh|wscript|cscript)(\.exe)?$/i,
      "High", "Medium"
    )
  )

| table(
    [_time, ComputerName, UserName, ImageFileName, CommandLine,
     ParentBaseFileName, ParentCommandLine, TargetFileName, DetectionType, Severity]
  )
| sort(field=_time, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Platform CrowdStrike LogScale (NG-SIEM) Falcon sensor process and file telemetry

Required Tables

ProcessRollup2 SyntheticProcessRollup2 PeFileWritten NewScriptWritten SuspiciousScriptWritten

False Positives

Managed deployment pipelines (e.g., Octopus Deploy tentacle agents, Azure DevOps pipeline agents) executing under IIS application pool identities that invoke PowerShell or cmd.exe to perform file copy operations targeting web root directories
Tomcat or Jetty servlet containers that spawn OS-level processes (bash, sh) as part of JSP compilation, server-side include processing, or custom servlet hooks that interact with the host OS
Security assessment tools or vulnerability scanners (Nessus, Qualys) that are permitted to write temporary probe files to web-accessible directories to verify file write access as part of credentialed scan checks

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1491.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

External Defacement

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections