T1491.001: Internal Defacement
| View on MITRE ATT&CK | T1491.001 |
|---|---|
| Tactic(s) | Impact |
Data from MITRE ATT&CK®:
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
#StopRansomware: LockBit 3.0
This #StopRansomware Cybersecurity Advisory from CISA and partners describes the operations associated with LockBit 3.0 which operates as a ...
Mitigations for this technique
MITRE ATT&CK Mitigations
How to detect this technique
MITRE ATT&CK Data Components
Network Traffic Content (Network Traffic)
Logged network traffic data showing both protocol header and body values (ex: PCAP)Application Log Content (Application Log)
Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)File Modification (File)
Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)File Creation (File)
Initial construction of a new file (ex: Sysmon EID 11)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Replace Desktop Wallpaper by Powershell
Potentially Suspicious Desktop Background Change Using Reg.EXE
Potentially Suspicious Desktop Background Change Via Registry
Potential Ransomware Activity Using LegalNotice Message
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.