Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.

ID: T1491
Sub-techniques:  T1491.001, T1491.002
Tactic: Impact
Platforms: IaaS, Linux, Windows, macOS
Impact Type: Integrity
Version: 1.2
Created: 08 April 2019
Last Modified: 08 March 2021
Provided by LAYER 8


ID Mitigation Description
M1053 Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[1] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.


ID Data Source Data Component
DS0015 Application Log Application Log Content
DS0022 File File Creation
File Modification
DS0029 Network Traffic Network Traffic Content

Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.