T1491.001 Internal Defacement Mappings

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-3 Access Enforcement Protects T1491.001 Internal Defacement
AC-6 Least Privilege Protects T1491.001 Internal Defacement
CM-2 Baseline Configuration Protects T1491.001 Internal Defacement
CP-10 System Recovery and Reconstitution Protects T1491.001 Internal Defacement
CP-2 Contingency Plan Protects T1491.001 Internal Defacement
CP-7 Alternate Processing Site Protects T1491.001 Internal Defacement
CP-9 System Backup Protects T1491.001 Internal Defacement
SI-3 Malicious Code Protection Protects T1491.001 Internal Defacement
SI-4 System Monitoring Protects T1491.001 Internal Defacement
SI-7 Software, Firmware, and Information Integrity Protects T1491.001 Internal Defacement
attribute.integrity.variety.Defacement Deface content related-to T1491.001 Defacement: Internal Defacement
aws_config AWS Config technique_scores T1491.001 Internal Defacement
Comments
The following AWS Config managed rules can identify configuration problems that should be fixed in order to prevent malicious write access to data within Amazon Simple Storage Service (S3) storage, which may include internal and/or external defacement: "s3-bucket-blacklisted-actions-prohibited" checks whether bucket policies prohibit disallowed actions (including encryption configuration changes) for principals from other AWS accounts, "s3-bucket-default-lock-enabled" checks whether a bucket that should be locked in write-once-read-many (WORM) mode is configured to prevent modification, and "s3-bucket-public-write-prohibited" checks whether a bucket is configured to allow public access and modification. All of these controls are run on configuration changes. The following AWS Config managed rules can identify configuration problems that should be fixed in order to ensure backups and redundancy are in place which can mitigate the effects of malicious defacement: "aurora-mysql-backtracking-enabled" for data in Aurora MySQL; "db-instance-backup-enabled" and "rds-in-backup-plan" for Amazon Relational Database Service (RDS) data; "dynamodb-in-backup-plan" and "dynamodb-pitr-enabled" for Amazon DynamoDB table contents; "ebs-in-backup-plan" for Elastic Block Store (EBS) volumes; "efs-in-backup-plan" for Amazon Elastic File System (EFS) file systems; "elasticache-redis-cluster-automatic-backup-check" for Amazon ElastiCache Redis cluster data; "redshift-backup-enabled" and "redshift-cluster-maintenancesettings-check" for Redshift; "s3-bucket-replication-enabled" and "s3-bucket-versioning-enabled" for S3 storage; and "cloudfront-origin-failover-enabled" for CloudFront. Coverage factor is significant for these rules, since they cover a wide range of services used to host content for websites within AWS, resulting in an overall score of Significant.
References
    amazon_guardduty Amazon GuardDuty technique_scores T1491.001 Internal Defacement
    Comments
    The following finding types can be used to detect behavior that can lead to the defacement of cloud resources: Impact:S3/MaliciousIPCaller Exfiltration:S3/MaliciousIPCaller Exfiltration:S3/ObjectRead.Unusual PenTest:S3/KaliLinux PenTest:S3/ParrotLinux PenTest:S3/PentooLinux UnauthorizedAccess:S3/MaliciousIPCaller.Custom UnauthorizedAccess:S3/TorIPCaller
    References
      aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1491.001 Internal Defacement
      Comments
      AWS CloudEndure Disaster Recovery enables the replication and recovery of servers into AWS Cloud. In the event that servers are defaced, AWS CloudEndure can be used to provision an instance of the server from a previous point in time within minutes. As a result, this mapping is given a score of Significant.
      References