An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1491.001 | Internal Defacement |
| AC-6 | Least Privilege | Protects | T1491.001 | Internal Defacement |
| CM-2 | Baseline Configuration | Protects | T1491.001 | Internal Defacement |
| CP-10 | System Recovery and Reconstitution | Protects | T1491.001 | Internal Defacement |
| CP-2 | Contingency Plan | Protects | T1491.001 | Internal Defacement |
| CP-7 | Alternate Processing Site | Protects | T1491.001 | Internal Defacement |
| CP-9 | System Backup | Protects | T1491.001 | Internal Defacement |
| SI-3 | Malicious Code Protection | Protects | T1491.001 | Internal Defacement |
| SI-4 | System Monitoring | Protects | T1491.001 | Internal Defacement |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1491.001 | Internal Defacement |
| attribute.availability.variety.Obscuration | Conversion or obscuration (ransomware) | related-to | T1491.001 | Defacement: Internal Defacement |
| attribute.integrity.variety.Defacement | Deface content | related-to | T1491.001 | Defacement: Internal Defacement |