{ "type": "bundle", "id": "bundle--3baabc4b-746a-452d-bf27-6146a667be97", "spec_version": "2.0", "objects": [ { "x_mitre_platforms": [ "Windows", "IaaS", "Linux", "macOS" ], "x_mitre_domains": [ "enterprise-attack" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "id": "attack-pattern--0cfe31a7-81fc-472c-bc45-e2808d1066a3", "type": "attack-pattern", "created": "2020-02-20T14:34:08.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", "external_id": "T1491.002", "url": "https://attack.mitre.org/techniques/T1491/002" }, { "source_name": "FireEye Cyber Threats to Media Industries", "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf", "description": "FireEye. (n.d.). Retrieved April 19, 2019." }, { "source_name": "Kevin Mandia Statement to US Senate Committee on Intelligence", "url": "https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf", "description": "Kevin Mandia. (2017, March 30). Prepared Statement of Kevin Mandia, CEO of FireEye, Inc. before the United States Senate Select Committee on Intelligence. Retrieved April 19, 2019." }, { "source_name": "Anonymous Hackers Deface Russian Govt Site", "url": "https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/", "description": "Andy. (2018, May 12). \u2018Anonymous\u2019 Hackers Deface Russian Govt. Site to Protest Web-Blocking (NSFW). Retrieved April 19, 2019." }, { "source_name": "Trend Micro Deep Dive Into Defacement", "url": "https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf", "description": "Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo Ciancaglini, Roel Reyes, Akira Urano. (n.d.). A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks. Retrieved April 19, 2019." 
} ], "modified": "2022-03-25T19:34:37.539Z", "name": "External Defacement", "description": "An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. [External Defacement](https://attack.mitre.org/techniques/T1491/002) may ultimately cause users to distrust the systems and to question/discredit the system\u2019s integrity. Externally-facing websites are a common victim of defacement, often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup for, or a precursor to, future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "impact" } ], "x_mitre_detection": "Monitor external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", "x_mitre_is_subtechnique": true, "x_mitre_version": "1.2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_data_sources": [ "Network Traffic: Network Traffic Content", "File: File Creation", "Application Log: Application Log Content", "File: File Modification" ], "x_mitre_impact_type": [ "Integrity" ] } ] }