Detect External Defacement in Google Chronicle
Adversaries may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question or discredit the system's integrity. Externally-facing websites are a common victim of defacement, often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. Notable examples include Ember Bear's defacement of Ukrainian organization websites and Sandworm Team's defacement of approximately 15,000 Georgian government and private sector websites in 2019.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1491 Defacement
- Sub-technique: T1491.002 External Defacement
- Canonical reference: https://attack.mitre.org/techniques/T1491/002/
YARA-L Detection Query
    rule t1491_002_web_server_spawned_shell {
      meta:
        author = "Detection Engineering"
        description = "Detects T1491.002 External Defacement - web server process spawning a shell interpreter indicating RCE or active web shell exploitation"
        mitre_attack_tactic = "Impact"
        mitre_attack_technique = "T1491.002"
        severity = "CRITICAL"
        confidence = "HIGH"
        version = "1.0"
        rule_type = "SINGLE_EVENT"

      events:
        $e.metadata.event_type = "PROCESS_LAUNCH"
        re.regex($e.principal.process.file.full_path,
                 `(?i)(w3wp\.exe|httpd\.exe|nginx\.exe|php\-cgi\.exe|php\.exe|tomcat\.exe|java\.exe|apache\.exe)$`)
        re.regex($e.target.process.file.full_path,
                 `(?i)(\\|/)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh|python\.exe|python3|perl\.exe)$`)

      condition:
        $e
    }

    rule t1491_002_web_root_file_modification {
      meta:
        author = "Detection Engineering"
        description = "Detects T1491.002 External Defacement - non-standard process creating or modifying web content files in known web root directories"
        mitre_attack_tactic = "Impact"
        mitre_attack_technique = "T1491.002"
        severity = "HIGH"
        confidence = "MEDIUM"
        version = "1.0"
        rule_type = "SINGLE_EVENT"

      events:
        $e.metadata.event_type = "FILE_CREATION"
        re.regex($e.target.file.full_path,
                 `(?i)(\\inetpub\\wwwroot\\|\\wwwroot\\|\\htdocs\\|\\public_html\\|\\webroot\\|/var/www/|/srv/www/|/srv/http/)`)
        re.regex($e.target.file.full_path,
                 `(?i)\.(html|htm|asp|aspx|php|js|css|jsp)$|(\\|/)(index\.|default\.|home\.html)`)
        not re.regex($e.principal.process.file.full_path,
                 `(?i)(svchost\.exe|TrustedInstaller\.exe|WaAppAgent\.exe|msiexec\.exe|WUDFHost\.exe|MicrosoftEdgeUpdate\.exe)$`)

      condition:
        $e
    }

Two Chronicle YARA-L 2.0 rules detecting T1491.002 External Defacement using the UDM event model. Rule 1 (CRITICAL) fires on PROCESS_LAUNCH events where the principal process is a known web server binary and the target spawned process is a shell interpreter, a strong indicator of post-exploitation RCE via a web shell. Rule 2 (HIGH) fires on FILE_CREATION events where web content files are written to standard web root paths by non-system processes on both Windows and Linux endpoints. Note that re.regex() in YARA-L is a substring match, so the patterns rely on their own anchors ($ and the leading path separator) to avoid matching on partial names.
False Positives & Tuning
- Automated blue/green or rolling deployment systems running under web service accounts that use process execution or file copy operations to publish updated static site content to web root directories
- Java enterprise application servers (WebSphere, JBoss EAP) that spawn operating system shell scripts during application lifecycle events such as startup, shutdown, or health checks configured in server.xml
- System package managers (apt-get, yum, dnf) or web server package update scripts that overwrite web root index files or configuration files during OS-level patch application cycles
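To see how the two rules above classify events, and how the false-positive sources listed here can be tuned out without weakening the rule, the following Python script (an added example, not part of this detection package or of Chronicle's tooling) re-implements both rules' regex logic over constructed UDM-shaped events. The regexes are copied from the rules; the udm_get, process_launch, file_creation and run_rules helpers, the event ids, the sample paths and the deploy_accounts allowlist keyed on principal.user.userid are assumptions made for the example.

```python
import re

# Regexes transcribed from the two YARA-L rules above. Chronicle's re.regex() is a
# substring match, which re.search() reproduces; these RE2 patterns are also valid Python.
WEB_SERVER_RE = re.compile(r"(?i)(w3wp\.exe|httpd\.exe|nginx\.exe|php\-cgi\.exe|php\.exe|tomcat\.exe|java\.exe|apache\.exe)$")
SHELL_RE = re.compile(r"(?i)(\\|/)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|bash|sh|python\.exe|python3|perl\.exe)$")
WEB_ROOT_RE = re.compile(r"(?i)(\\inetpub\\wwwroot\\|\\wwwroot\\|\\htdocs\\|\\public_html\\|\\webroot\\|/var/www/|/srv/www/|/srv/http/)")
WEB_CONTENT_RE = re.compile(r"(?i)\.(html|htm|asp|aspx|php|js|css|jsp)$|(\\|/)(index\.|default\.|home\.html)")
SYSTEM_PROC_RE = re.compile(r"(?i)(svchost\.exe|TrustedInstaller\.exe|WaAppAgent\.exe|msiexec\.exe|WUDFHost\.exe|MicrosoftEdgeUpdate\.exe)$")


def udm_get(event, *keys):
    """Walk a nested UDM-style dict; a missing field yields '' so the regex simply fails."""
    node = event
    for key in keys:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, str) else ""


def process_launch(event_id, parent, child):
    """Constructed PROCESS_LAUNCH event in the UDM field layout the rules query (assumed shape)."""
    return {"id": event_id, "metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"process": {"file": {"full_path": parent}}},
            "target": {"process": {"file": {"full_path": child}}}}


def file_creation(event_id, proc, path, userid):
    """Constructed FILE_CREATION event; principal.user.userid carries the acting account."""
    return {"id": event_id, "metadata": {"event_type": "FILE_CREATION"},
            "principal": {"process": {"file": {"full_path": proc}}, "user": {"userid": userid}},
            "target": {"file": {"full_path": path}}}


def rule_web_server_spawned_shell(event):
    """Rule 1: a web server binary spawning a shell interpreter."""
    if udm_get(event, "metadata", "event_type") != "PROCESS_LAUNCH":
        return False
    parent = udm_get(event, "principal", "process", "file", "full_path")
    child = udm_get(event, "target", "process", "file", "full_path")
    return bool(WEB_SERVER_RE.search(parent) and SHELL_RE.search(child))


def rule_web_root_file_modification(event, deploy_accounts=frozenset()):
    """Rule 2 plus an assumed tuning step: web content written under a web root by a
    non-system process, unless the acting account is an allowlisted deployment identity."""
    if udm_get(event, "metadata", "event_type") != "FILE_CREATION":
        return False
    path = udm_get(event, "target", "file", "full_path")
    proc = udm_get(event, "principal", "process", "file", "full_path")
    user = udm_get(event, "principal", "user", "userid")
    if not (WEB_ROOT_RE.search(path) and WEB_CONTENT_RE.search(path)):
        return False
    if SYSTEM_PROC_RE.search(proc):              # the rule's built-in exclusions
        return False
    return user.lower() not in deploy_accounts   # tuning: known deployment service accounts


def run_rules(events, deploy_accounts=frozenset()):
    """Return {event id: [names of the rules that fired]} for a batch of events."""
    fired = {}
    for ev in events:
        hits = []
        if rule_web_server_spawned_shell(ev):
            hits.append("t1491_002_web_server_spawned_shell")
        if rule_web_root_file_modification(ev, deploy_accounts):
            hits.append("t1491_002_web_root_file_modification")
        fired[ev["id"]] = hits
    return fired


# Constructed sample events mirroring the Testing Methodology and False Positives sections.
SAMPLE_EVENTS = [
    process_launch("iis-webshell", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe"),
    process_launch("jboss-lifecycle", r"C:\JBoss\jdk\bin\java.exe", r"C:\Windows\System32\cmd.exe"),
    process_launch("iis-worker-child", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\inetsrv\w3wp.exe"),
    file_creation("iis-deface", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\inetpub\wwwroot\iisstart.htm", "CORP\\webadmin"),
    file_creation("msi-patch", r"C:\Windows\System32\msiexec.exe", r"C:\inetpub\wwwroot\default.aspx", "NT AUTHORITY\\SYSTEM"),
    file_creation("apache-deface", "/usr/bin/tee", "/var/www/html/index.html", "root"),
    file_creation("cicd-publish", "/usr/bin/rsync", "/var/www/html/index.html", "deploysvc"),
    file_creation("temp-dir-test", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Temp\argus-webroot-test\page1.html", "CORP\\analyst"),
]

if __name__ == "__main__":
    for event_id, hits in run_rules(SAMPLE_EVENTS, deploy_accounts={"deploysvc"}).items():
        print(f"{event_id:18} -> {hits or ['-']}")
```

The allowlist models the first tuning item above: rather than excluding the deployment process binary (which would also hide an attacker who happens to use the same binary), it excludes the deployment identity, which is the narrower condition. The jboss-lifecycle event shows the second item: a Java application server spawning cmd.exe is indistinguishable from a web shell at the process-tree level, so that server's command lines or lifecycle scripts are what a tuning exclusion should key on. The temp-dir-test event shows why Test 4 below only reaches the path filters once its working directory is moved under wwwroot.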
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Replace IIS Default Web Page with Defacement Content
  Expected signal: Sysmon Event ID 11: File Create event with TargetFilename=C:\inetpub\wwwroot\iisstart.htm (or index.html), Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. DeviceFileEvents: ActionType=FileModified, FolderPath=C:\inetpub\wwwroot\, InitiatingProcessFileName=powershell.exe. Security Event ID 4663 if SACL object access auditing is enabled on the inetpub directory.
- Test 2: Simulate Web Shell Spawning Shell Process on IIS
  Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\cmd.exe, ParentImage=C:\Windows\System32\taskeng.exe or svchost.exe (Task Scheduler host). CommandLine contains whoami and output redirection. Security Event ID 4688: cmd.exe process creation with full command line (if command line auditing enabled). Security Event ID 4698: Scheduled task created. Note: A real web shell test on a configured IIS server would show ParentImage=C:\Windows\System32\inetsrv\w3wp.exe, the highest-fidelity telemetry for this technique.
- Test 3: Deface Apache Web Root on Linux
  Expected signal: Linux auditd (if configured with -w /var/www/html -p wa -k webroot-write): syscall audit record for open/write on /var/www/html/index.html with uid of executing user. Sysmon for Linux (if deployed): File creation/modification event for /var/www/html/index.html with process image=/usr/bin/tee and parent=/bin/bash. Syslog entries from sudo invocation in /var/log/auth.log. File metadata change visible via: stat /var/www/html/index.html showing updated Modify and Change timestamps.
- Test 4: Mass Page Replacement Simulating Automated Hacktivist Defacement
  Expected signal: Sysmon Event ID 11: 8 consecutive File Create events in C:\Temp\argus-webroot-test\ for *.html files with Image=powershell.exe, all within a few seconds. DeviceFileEvents: 8 events ActionType=FileCreated in FolderPath=C:\Temp\argus-webroot-test\. Note: The test uses C:\Temp to avoid requiring IIS installation; for highest-fidelity results, modify testWebRoot to C:\inetpub\wwwroot\argus-test\ to trigger both path-based filters and bulk modification threshold.
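Test 4 refers to a bulk modification threshold that the single-event rule above does not implement. The following Python script is an added example, not part of this page's detection package, showing one way to add that threshold: a sliding window over Sysmon Event ID 11 style records that counts distinct web files written by the same process on the same host. The records are constructed for the example, and the threshold, window_seconds and (Computer, Image) grouping key are assumptions; the YARA-L counterpart would be a multi-event rule with a match window and a count condition rather than the single-event form shown above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sysmon_file_create(utc_time, computer, image, target):
    """Constructed record carrying only the Sysmon Event ID 11 fields the detection needs."""
    return {"EventID": 11, "UtcTime": utc_time, "Computer": computer,
            "Image": image, "TargetFilename": target}


def bulk_write_alerts(records, threshold=8, window_seconds=60):
    """Sliding-window threshold: for each (host, process) key, count the distinct files
    written inside any window_seconds-long span and alert once when the count reaches
    threshold. Distinct paths, not events, are counted so that a process rewriting one
    file repeatedly (log rotation, a CMS cache) does not look like a mass defacement."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # key -> deque of (timestamp, path) still inside the window
    alerted = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r["UtcTime"]):
        key = (rec["Computer"], rec["Image"].lower())
        ts = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        q = recent[key]
        q.append((ts, rec["TargetFilename"].lower()))
        while ts - q[0][0] > window:        # drop entries that fell out of the window
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": key[0], "process": key[1], "files": len(distinct),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WEBROOT = r"C:\inetpub\wwwroot\argus-test"   # the path Test 4 suggests for a high-fidelity run

# Constructed sample: a Test 4 style burst of eight pages in under two seconds, a normal
# editing session spread over ten minutes, and one file rewritten ten times in ten seconds.
# All paths are assumed to have already passed the web-root and content-type filters.
FILE_CREATES = (
    [sysmon_file_create(f"2024-05-01 12:00:{i // 4:02d}.{(i % 4) * 250:03d}", "WEB01", PS,
                        rf"{WEBROOT}\page{i}.html") for i in range(8)]
    + [sysmon_file_create(f"2024-05-01 12:{5 * i:02d}:00.000", "WEB02",
                          r"C:\Program Files\Microsoft VS Code\Code.exe",
                          rf"C:\inetpub\wwwroot\about{i}.html") for i in range(3)]
    + [sysmon_file_create(f"2024-05-01 12:00:{i:02d}.000", "WEB03", PS,
                          r"C:\inetpub\wwwroot\index.html") for i in range(10)]
)

if __name__ == "__main__":
    for alert in bulk_write_alerts(FILE_CREATES):
        print(alert)
```

With the defaults only the WEB01 burst alerts; widening the window to fifteen minutes and lowering the threshold to three also catches the WEB02 editing session, which is the trade-off the deployment-system false positive above forces you to make explicitly.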
References
- https://attack.mitre.org/techniques/T1491/002/
- https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf
- https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf
- https://web.archive.org/web/20210719110553/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf
- https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.002/T1491.002.md
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Cookie_Attributes