T1491 - Defacement

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.

Atomic Tests:

Currently, no tests are available for this technique.

Detection

Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.

Shield Active Defense

System Activity Monitoring

Collect system activity logs which can reveal adversary activity.

Capturing system logs can show logins, user and system events, etc. Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system.

Opportunity

There is an opportunity to detect an adversary who modifies website content (internally or externally) by monitoring for unauthorized changes to websites.

Use Case

A defender can monitor websites for unplanned content changes and generate alerts when activity is detected.

Procedures

Ensure that systems capture and retain common system level activity artifacts that might be produced. Monitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc.