An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-3 | Access Enforcement | Protects | T1491.001 | Internal Defacement | |
AC-6 | Least Privilege | Protects | T1491.001 | Internal Defacement | |
CM-2 | Baseline Configuration | Protects | T1491.001 | Internal Defacement | |
CP-10 | System Recovery and Reconstitution | Protects | T1491.001 | Internal Defacement | |
CP-2 | Contingency Plan | Protects | T1491.001 | Internal Defacement | |
CP-7 | Alternate Processing Site | Protects | T1491.001 | Internal Defacement | |
CP-9 | System Backup | Protects | T1491.001 | Internal Defacement | |
SI-3 | Malicious Code Protection | Protects | T1491.001 | Internal Defacement | |
SI-4 | System Monitoring | Protects | T1491.001 | Internal Defacement | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1491.001 | Internal Defacement | |
attribute.integrity.variety.Defacement | Deface content | related-to | T1491.001 | Defacement: Internal Defacement | |
aws_config | AWS Config | technique_scores | T1491.001 | Internal Defacement | Score: Significant (see comments below) |
amazon_guardduty | Amazon GuardDuty | technique_scores | T1491.001 | Internal Defacement | See comments below |
aws_cloudendure_disaster_recovery | AWS CloudEndure Disaster Recovery | technique_scores | T1491.001 | Internal Defacement | Score: Significant (see comments below) |

Comments: aws_config (AWS Config)

The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement:

- "s3-bucket-blacklisted-actions-prohibited" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts;
- "s3-bucket-default-lock-enabled" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification;
- "s3-bucket-public-write-prohibited" checks whether a bucket is configured to allow public access and modification.

All of these controls are run on configuration changes.

The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place, which can mitigate the effects of malicious defacement:

- "aurora-mysql-backtracking-enabled" for data in Aurora MySQL;
- "db-instance-backup-enabled" and "rds-in-backup-plan" for Amazon Relational Database Service (RDS) data;
- "dynamodb-in-backup-plan" and "dynamodb-pitr-enabled" for Amazon DynamoDB table contents;
- "ebs-in-backup-plan" for Elastic Block Store (EBS) volumes;
- "efs-in-backup-plan" for Amazon Elastic File System (EFS) file systems;
- "elasticache-redis-cluster-automatic-backup-check" for Amazon ElastiCache Redis cluster data;
- "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" for Redshift;
- "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" for S3 storage;
- "cloudfront-origin-failover-enabled" for CloudFront.

Coverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.

Comments: amazon_guardduty (Amazon GuardDuty)

The following finding types can be used to detect behavior that can lead to the defacement of cloud resources:

- Impact:S3/MaliciousIPCaller
- Exfiltration:S3/MaliciousIPCaller
- Exfiltration:S3/ObjectRead.Unusual
- PenTest:S3/KaliLinux
- PenTest:S3/ParrotLinux
- PenTest:S3/PentooLinux
- UnauthorizedAccess:S3/MaliciousIPCaller.Custom
- UnauthorizedAccess:S3/TorIPCaller

Comments: aws_cloudendure_disaster_recovery (AWS CloudEndure Disaster Recovery)

AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
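The S3 write-protection and backup rules described in the aws_config comments above can be approximated locally so the weak and corrected bucket states can be compared side by side. The following is an added example (not code from this page and not AWS's own rule implementation) that evaluates a constructed bucket snapshot against four of those rules: s3-bucket-public-write-prohibited, s3-bucket-blacklisted-actions-prohibited, s3-bucket-default-lock-enabled and s3-bucket-versioning-enabled. The snapshot shape, the bucket name intranet-www, the account ids and the default blacklist patterns are assumptions, and the matching is a simplification of what the managed rules actually evaluate.

```python
# Added example (not AWS code, nor code from this page): local approximation of four AWS Config S3 rules over a constructed bucket snapshot.
from fnmatch import fnmatchcase
def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])
def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS") if isinstance(p, dict) else [])
def _account_of(principal):  # "arn:aws:iam::111122223333:root" -> "111122223333"; "*" stays "*"
    return principal.split(":")[4] if ":" in principal else principal

def _allows_public_write(bucket):
    # s3-bucket-public-write-prohibited: anonymous PutObject via policy or ACL not neutralised by Block Public Access
    bpa = bucket["block_public_access"]
    if not (bpa["BlockPublicPolicy"] or bpa["RestrictPublicBuckets"]):
        for s in bucket["policy"]["Statement"]:
            if (s["Effect"] == "Allow" and "*" in _principals(s) and "Condition" not in s
                    and any(fnmatchcase("s3:PutObject", a) for a in _as_list(s.get("Action")))):
                return True
    if not (bpa["BlockPublicAcls"] or bpa["IgnorePublicAcls"]):
        return any(g["grantee"] in ("AllUsers", "AuthenticatedUsers") and g["permission"] in ("WRITE", "FULL_CONTROL")
                   for g in bucket["acl_grants"])
    return False

def _cross_account_blacklisted(bucket, blacklist):
    # s3-bucket-blacklisted-actions-prohibited: Allow for a principal outside the owning account on a blacklisted action (either side may wildcard)
    for s in bucket["policy"]["Statement"]:
        foreign = [p for p in _principals(s) if _account_of(p) != bucket["owner_account"]]
        if s["Effect"] == "Allow" and foreign and any(fnmatchcase(a, b) or fnmatchcase(b, a)
                                                     for a in _as_list(s.get("Action")) for b in blacklist):
            return True
    return False

def evaluate(bucket, blacklist=("s3:PutBucketPolicy", "s3:PutEncryptionConfiguration", "s3:DeleteObject")):
    ok = {"s3-bucket-public-write-prohibited": not _allows_public_write(bucket),
          "s3-bucket-blacklisted-actions-prohibited": not _cross_account_blacklisted(bucket, blacklist),
          "s3-bucket-default-lock-enabled": bool(bucket["object_lock_enabled"]),
          "s3-bucket-versioning-enabled": bucket["versioning"] == "Enabled"}
    return {rule: "COMPLIANT" if good else "NON_COMPLIANT" for rule, good in ok.items()}

WEAK_BUCKET = {  # constructed intranet web root that fails every check
    "owner_account": "111122223333", "acl_grants": [], "versioning": "Suspended", "object_lock_enabled": False,
    "block_public_access": dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"), False),
    "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::intranet-www/*"},
                             {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
                              "Action": "s3:PutEncryptionConfiguration", "Resource": "arn:aws:s3:::intranet-www"}]}}
HARDENED_BUCKET = {**WEAK_BUCKET, "versioning": "Enabled", "object_lock_enabled": True,  # same bucket, corrected
    "block_public_access": dict.fromkeys(WEAK_BUCKET["block_public_access"], True),
    "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/publisher"},
                             "Action": "s3:PutObject", "Resource": "arn:aws:s3:::intranet-www/*"}]}}
```

evaluate(WEAK_BUCKET) reports all four rules NON_COMPLIANT and evaluate(HARDENED_BUCKET) reports all four COMPLIANT; a statement for Principal "*" that carries a Condition, or that is blocked by Block Public Access, is not counted as anonymous write.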