T1491 Defacement Mappings

Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1491 Defacement
AC-6 Least Privilege Protects T1491 Defacement
CM-2 Baseline Configuration Protects T1491 Defacement
CP-10 System Recovery and Reconstitution Protects T1491 Defacement
CP-2 Contingency Plan Protects T1491 Defacement
CP-7 Alternate Processing Site Protects T1491 Defacement
CP-9 System Backup Protects T1491 Defacement
SI-3 Malicious Code Protection Protects T1491 Defacement
SI-4 System Monitoring Protects T1491 Defacement
SI-7 Software, Firmware, and Information Integrity Protects T1491 Defacement
CVE-2012-0158 n/a uncategorized T1491 Defacement
CVE-2020-9459 n/a uncategorized T1491 Defacement
CVE-2018-15961 ColdFusion uncategorized T1491 Defacement
attribute.integrity.variety.Defacement Deface content related-to T1491 Defacement
aws_config AWS Config technique_scores T1491 Defacement
amazon_guardduty Amazon GuardDuty technique_scores T1491 Defacement
aws_cloudendure_disaster_recovery AWS CloudEndure Disaster Recovery technique_scores T1491 Defacement

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1491.002 External Defacement 15
T1491.001 Internal Defacement 14