Share via

IR Playbook Web defacement

  • Article

If you are working with CSS Security they can assist with data gathering and analysis

Web Defacement can be broken down into 2 categories.

  • Data on the file system was modified
    • WEBDAV permissions issues
    • FPSE permissions issues
    • Files modified via FTP
    • Files modified via SMB
    • Files modified interactively on the system either via local/RDP/Other logged on user
  • Data in a database that sources the web site was modified
    • This is typically due to SQL Injection

Data gathering

  • All Event Logs
  • All IIS logs (this includes FTP and logs for all Web Sites within IIS)
  • A complete dump of the file system metatadata ie file names along with date created/date modified/date accessed
  • When was the defacement first seen
  • Is this affecting a single web site or multiple web sites
  • If multiple sites are they on the same system
  • What are the characteristics of the defacement, i.e. was the whole page replaced, was a portion of content on the page replaced, was only content that is sourced from a backend database modified?

Data Analysis