Skip to content

DET0082 Internal Website and System Content Defacement via UI or Messaging Modifications

Item Value
ID DET0082
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1491.001 (Internal Defacement)

Analytics

Windows

AN0229

Adversary modifies internal UI messages (e.g., login banners, desktop wallpapers) or hosted intranet web pages by creating or altering content files using scripts or unauthorized access. Often preceded by privilege escalation or web shell deployment.

Log Sources
Data Component Name Channel
File Access (DC0055) WinEventLog:Security EventCode=4663, 4670, 4656
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
File Modification (DC0061) WinEventLog:Sysmon EventCode=2
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Mutable Elements
Field Description
FilePathPattern Location of web content or system UI config files that may vary across deployments (e.g., %SystemRoot%\Web, %APPDATA%\wallpaper.jpg)
TimeWindow Allowed hours for file/content modification events; defacement likely occurs during off-hours
UserContext System or domain accounts used to perform the modifications may be anomalous

Linux

AN0230

Adversary leverages root or sudo access to alter system banners, web content directories (e.g., /var/www/html), or login configurations (/etc/issue). File creation or overwrites may coincide with suspicious script execution or cron job activity.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL open/write/unlink
Process Creation (DC0032) auditd:SYSCALL execve
User Account Modification (DC0010) linux:syslog sudo or su access prior to content change
Mutable Elements
Field Description
TargetDirectories Paths like /var/www/html, /etc/issue, or /etc/motd may vary across distros
UserContext Non-web-admin users modifying site content or banners should be rare
TimeWindow Defacement often happens outside normal maintenance hours

macOS

AN0231

Modification of user desktop backgrounds, login screen messages, or system banners by adversaries using admin privileges or script execution. May coincide with tampering in /Library/Desktop Pictures/ or use of AppleScript.

Log Sources
Data Component Name Channel
File Modification (DC0061) macos:unifiedlog loginwindow or desktopservices modified settings or files
Script Execution (DC0029) macos:unifiedlog osascript or AppleScript invocation modifying UI
Mutable Elements
Field Description
ScriptNames Uncommon scripts like AppleScript variants or osascript for wallpaper changes
UserContext Normal users should not alter global visual settings

ESXi

AN0232

Adversary modifies ESXi host login banner or MOTD file (/etc/motd), either through SSH or host console access. May involve configuration file overwrite or API calls from compromised vSphere clients.

Log Sources
Data Component Name Channel
File Modification (DC0061) ESXiLogs:messages changes to /etc/motd or /etc/vmware/welcome
Command Execution (DC0064) esxi:hostd modification of config files or shell command execution
Mutable Elements
Field Description
LoginBannerFilePath Target file paths (e.g., /etc/motd) may be changed via symbolic link or override
AccessOrigin ESXi hostd vs. SSH-based defacement origin may affect visibility