Skip to content

T1491 Defacement

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.

Item Value
ID T1491
Sub-techniques T1491.001, T1491.002
Tactics TA0040
Platforms IaaS, Linux, Windows, macOS
Version 1.3
Created 08 April 2019
Last Modified 25 March 2022

Mitigations

ID Mitigation Description
M1053 Data Backup Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.1 Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

Detection

ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0022 File File Creation
DS0029 Network Traffic Network Traffic Content

References

  1. Ready.gov. (n.d.). IT Disaster Recovery Plan. Retrieved March 15, 2019.