Skip to content

T1491.002 External Defacement

An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.123 External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.4

Item Value
ID T1491.002
Sub-techniques T1491.001, T1491.002
Tactics TA0040
Platforms IaaS, Linux, Windows, macOS
Version 1.2
Created 20 February 2020
Last Modified 25 March 2022

Procedure Examples

ID Name Description
G0034 Sandworm Team Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.67


ID Mitigation Description
M1053 Data Backup Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.5 Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0022 File File Creation
DS0029 Network Traffic Network Traffic Content