IR Playbook Web defacement

If you are working with CSS Security (Microsoft Customer Service and Support Security), they can assist with the data gathering and analysis described below.

Web defacement can be broken down into two categories.

  • Data on the file system was modified
    • WebDAV permissions issues
    • FrontPage Server Extensions (FPSE) permissions issues
    • Files modified via FTP
    • Files modified via SMB
    • Files modified interactively on the system by a logged-on user (local console, RDP or other interactive session)
  • Data in a database that sources the web site was modified
    • This is typically due to SQL injection in the web application that reads from and writes to that database

Data gathering

  • All event logs
  • All IIS logs (this includes the FTP logs and the logs for every web site within IIS, not just the defaced one)
  • A complete dump of the file system metadata, i.e. file names along with date created, date modified and date accessed
  • When was the defacement first seen?
  • Is this affecting a single web site or multiple web sites?
  • If multiple sites are affected, are they on the same system?
  • What are the characteristics of the defacement, i.e. was the whole page replaced, was a portion of the content on the page replaced, or was only content that is sourced from a backend database modified?
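Once the IIS logs and the file-system metadata dump are collected, the first analysis pass is to line up write-type requests in the logs (WebDAV methods, FPSE authoring posts) with the files whose modification time falls just before the defacement was first seen. The following Python script is an added example, not part of this playbook and not a Microsoft tool. The IIS W3C log excerpt and the metadata CSV are constructed for illustration; the CSV column layout (FullName, CreationTime, LastWriteTime, LastAccessTime), the webroot path, the first-seen time and the 24-hour look-back window are all assumed values.

```python
import csv
import io
from datetime import datetime, timedelta

# Request methods that change content through WebDAV, plus FPSE authoring,
# which is a POST to author.dll under /_vti_bin/. Assumed list, chosen to
# match the defacement vectors enumerated in the playbook.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK"}
FPSE_MARKER = "/_vti_bin/"

# Constructed IIS W3C extended log excerpt (not a real capture).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-12-01 02:14:07 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0 200 0 0
2013-12-01 02:15:31 10.0.0.5 OPTIONS / - 80 - 198.51.100.77 Microsoft-WebDAV-MiniRedir/6.1 200 0 0
2013-12-01 02:15:40 10.0.0.5 PROPFIND / - 80 - 198.51.100.77 Microsoft-WebDAV-MiniRedir/6.1 207 0 0
2013-12-01 02:16:02 10.0.0.5 PUT /index.html - 80 - 198.51.100.77 Microsoft-WebDAV-MiniRedir/6.1 201 0 0
2013-12-01 02:16:05 10.0.0.5 PUT /images/logo.gif - 80 - 198.51.100.77 Microsoft-WebDAV-MiniRedir/6.1 201 0 0
2013-12-01 02:20:13 10.0.0.5 POST /_vti_bin/_vti_aut/author.dll - 80 - 198.51.100.77 MSFrontPage/12.0 200 0 0
2013-12-01 02:41:55 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0 200 0 0
"""

# Constructed file-system metadata dump; the column layout is an assumption.
SAMPLE_FILE_METADATA = r"""
FullName,CreationTime,LastWriteTime,LastAccessTime
C:\inetpub\wwwroot\index.html,2013-06-10 09:12:00,2013-12-01 02:16:02,2013-12-01 02:41:55
C:\inetpub\wwwroot\images\logo.gif,2013-06-10 09:12:00,2013-12-01 02:16:05,2013-12-01 02:41:55
C:\inetpub\wwwroot\about.html,2013-06-10 09:12:00,2013-06-10 09:12:00,2013-11-28 11:00:00
C:\inetpub\wwwroot\web.config,2013-06-10 09:12:00,2013-09-02 15:30:00,2013-12-01 00:05:00
""".strip()

# Assumed values: when the defacement was first reported, and the site root.
FIRST_SEEN = datetime(2013, 12, 1, 2, 41, 0)
WEBROOT = r"C:\inetpub\wwwroot"


def parse_w3c_log(text):
    """Yield one dict per request, using the #Fields directive as column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))


def is_write_request(rec):
    """True for WebDAV write methods and for FPSE authoring posts."""
    method = rec["cs-method"].upper()
    if method in WRITE_METHODS:
        return True
    return method == "POST" and FPSE_MARKER in rec["cs-uri-stem"].lower()


def find_write_requests(log_text):
    return [r for r in parse_w3c_log(log_text) if is_write_request(r)]


def files_modified_in_window(csv_text, first_seen, lookback=timedelta(hours=24)):
    """Files whose LastWriteTime falls in the look-back window before first_seen."""
    start = first_seen - lookback
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        mtime = datetime.strptime(row["LastWriteTime"], "%Y-%m-%d %H:%M:%S")
        if start <= mtime <= first_seen:
            hits.append((row["FullName"], mtime))
    return sorted(hits, key=lambda h: h[1])


def correlate(log_text, csv_text, first_seen, webroot=WEBROOT, lookback=timedelta(hours=24)):
    """Map each recently modified file to the logged write requests that targeted it.

    An empty list for a file means no HTTP write was logged for it, which points
    at the non-HTTP vectors (FTP, SMB, interactive logon) and the FTP/event logs.
    """
    writes = find_write_requests(log_text)
    result = {}
    for path, _mtime in files_modified_in_window(csv_text, first_seen, lookback):
        rel = None
        if path.lower().startswith(webroot.lower()):
            rel = path[len(webroot):].replace("\\", "/")
        result[path] = [w for w in writes if rel and w["cs-uri-stem"].lower() == rel.lower()]
    return result


if __name__ == "__main__":
    for path, writes in correlate(SAMPLE_IIS_LOG, SAMPLE_FILE_METADATA, FIRST_SEEN).items():
        print(path)
        for w in writes:
            print("   ", w["date"], w["time"], w["cs-method"], w["cs-uri-stem"], "from", w["c-ip"])
        if not writes:
            print("    no HTTP write logged; check FTP logs, SMB and logon events")
```

Run against real data, replace the two constructed inputs with the exported IIS log files and the metadata CSV, and set the first-seen time from the report. A file that was modified in the window but has no matching write request is the cue to move to the FTP logs and to the event logs for SMB access and interactive logons; a defacement where no file under the webroot changed at all points to the database category.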

Data Analysis



  • Maheshkumar S Tiwari edited Revision 1. Comment: Added tags