Defacement

Sub-techniques (2)

Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.

Detection

Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.
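
One way to implement the first check above, monitoring pages for unplanned content changes, is shown here as an added example that is not part of the ATT&CK entry. It fingerprints only what a visitor sees (text and image sources), so per-request script values do not raise alerts; the function names, URLs and sample HTML are assumptions constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser

class VisibleContent(HTMLParser):
    """Collects what a visitor sees: text nodes and image sources."""
    SKIP = {"script", "style", "noscript", "template"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.items, self._skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
        elif tag == "img":
            self.items.append("img:" + (dict(attrs).get("src") or ""))

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())  # collapse whitespace-only differences
        if text and not self._skip_depth:
            self.items.append("text:" + text)

def fingerprint(html):
    """SHA-256 over the ordered visible items of one page."""
    parser = VisibleContent()
    parser.feed(html)
    parser.close()
    return hashlib.sha256("\n".join(parser.items).encode()).hexdigest()

def unplanned_changes(baseline, current):
    """baseline: {url: approved fingerprint}; current: {url: fetched html}."""
    findings = {}
    for url, approved in baseline.items():
        if url not in current:
            findings[url] = "missing"
        elif fingerprint(current[url]) != approved:
            findings[url] = "visible content changed"
    for url in current.keys() - baseline.keys():
        findings[url] = "not in baseline"
    return findings

# Constructed sample pages (not real sites).
APPROVED = '<html><body><h1>Welcome</h1><img src="/logo.png"><script>var n="a1";</script></body></html>'
NONCE_ONLY = APPROVED.replace('"a1"', '"b2"')   # only a script value differs
DEFACED = APPROVED.replace("Welcome", "Changed headline").replace("/logo.png", "/x.png")
```

The caller is assumed to supply the fetched page bodies and to regenerate the baseline with each approved release. Changes made purely through CSS, such as background images, are not covered by this fingerprint.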

Technique Information

ID: T1491
Aliases: T1491
Sub-techniques:
Tactics:
  • Impact
Platforms:
  • Windows
  • IaaS
  • Linux
  • macOS
  • Amazon Web Services (AWS)
Created: 08 Apr 2019
Last Modified: 03 Jun 2025