T1491 Defacement Mappings

Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1491 | Defacement | |
| AC-6 | Least Privilege | Protects | T1491 | Defacement | |
| CM-2 | Baseline Configuration | Protects | T1491 | Defacement | |
| CP-10 | System Recovery and Reconstitution | Protects | T1491 | Defacement | |
| CP-2 | Contingency Plan | Protects | T1491 | Defacement | |
| CP-7 | Alternate Processing Site | Protects | T1491 | Defacement | |
| CP-9 | System Backup | Protects | T1491 | Defacement | |
| SI-3 | Malicious Code Protection | Protects | T1491 | Defacement | |
| SI-4 | System Monitoring | Protects | T1491 | Defacement | |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1491 | Defacement | |
| CVE-2012-0158 | n/a | uncategorized | T1491 | Defacement | |
| CVE-2020-9459 | n/a | uncategorized | T1491 | Defacement | |
| CVE-2018-15961 | ColdFusion | uncategorized | T1491 | Defacement | |
| attribute.integrity.variety.Defacement | Deface content | related-to | T1491 | Defacement | |
| aws_config | AWS Config | technique_scores | T1491 | Defacement | This control provides significant coverage for all of this technique's sub-techniques, resulting in an overall score of Significant. |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1491 | Defacement | GuardDuty provides multiple finding types that flag malicious activity against resources. These findings focus on API calls that look suspicious and although they do not flag events such as Defacement specifically, it can be inferred that these findings can result in mitigating this technique's negative impact. With this assumption the score is capped at Partial. |
| aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1491 | Defacement | AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. This mapping is given a score of Significant because it supports all of the sub-techniques (2 of 2). |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1491.002 | External Defacement | 15 |
| T1491.001 | Internal Defacement | 14 |