Detect External Defacement in Elastic Security
Adversaries may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. Notable examples include Ember Bear's defacement of Ukrainian organization websites and Sandworm Team's defacement of approximately 15,000 Georgian government and private sector websites in 2019.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1491 Defacement
- Sub-technique: T1491.002 External Defacement
- Canonical reference: https://attack.mitre.org/techniques/T1491/002/
Elastic Detection Query

```eql
any where (
  (
    event.category == "process" and event.type == "start" and
    process.parent.name like~ ("w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "php.exe", "tomcat.exe", "java.exe", "apache.exe") and
    process.name like~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash", "sh", "python.exe", "python3", "perl.exe", "mshta.exe")
  )
  or
  (
    event.category == "file" and event.type in ("creation", "change") and
    (
      file.path like~ "*\\inetpub\\wwwroot\\*" or file.path like~ "*\\wwwroot\\*" or
      file.path like~ "*\\htdocs\\*" or file.path like~ "*\\public_html\\*" or
      file.path like~ "*\\webroot\\*" or file.path like~ "*/var/www/*" or
      file.path like~ "*/srv/www/*" or file.path like~ "*/srv/http/*"
    ) and
    (
      file.extension like~ ("html", "htm", "asp", "aspx", "php", "js", "css", "jsp") or
      file.name like~ ("index.html", "index.php", "index.asp", "index.aspx",
                       "default.htm", "default.asp", "default.aspx", "home.html")
    ) and
    not process.name like~ ("svchost.exe", "TrustedInstaller.exe", "WaAppAgent.exe",
                            "msiexec.exe", "WUDFHost.exe", "MicrosoftEdgeUpdate.exe")
  )
)
```

Detects T1491.002 External Defacement with two branches in a single Elastic EQL query (`any where`, so it is evaluated against every event category). Branch 1 matches a web server process (IIS w3wp.exe, Apache, Nginx, PHP, Tomcat/Java) starting a shell or script interpreter, the parent/child pattern produced by RCE exploitation or web shell execution. Branch 2 matches creation or modification of web content files (HTML, PHP, ASP, JS, CSS, JSP, or a well-known index/default page) under known web root paths on Windows and Linux hosts, excluding a short list of known-benign Windows system updaters. `like~` is a case-insensitive wildcard match, so mixed-case process or file names still match the lists. One caveat when reading the rule: the parent list in Branch 1 contains only Windows binary names (`httpd.exe`, `nginx.exe`, `java.exe`), so on Linux hosts, where the server runs as `httpd`, `apache2`, `nginx`, `php-fpm` or `java`, only Branch 2 can fire; add the Linux names to the parent list if Linux web servers are in scope.
False Positives & Tuning
- CI/CD deployment agents (Jenkins, GitLab Runner, Octopus Deploy) executing under web server service accounts that write updated HTML or PHP files to web root directories during scheduled release pipelines
- Java-based application servers (Tomcat, JBoss, WildFly) that legitimately spawn bash or sh helper scripts as part of startup sequences, health checks, or server-side CGI processing
- CMS auto-update mechanisms (WordPress, Drupal, Joomla) that modify index.php or core web files during automated plugin or core version upgrades executed by the web server process itself
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see, together with whether the query as shown would alert on it. Executable commands and cleanup steps are available with Pro.
- Test 1: Replace IIS Default Web Page with Defacement Content
Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=C:\inetpub\wwwroot\iisstart.htm (or index.html) and Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. DeviceFileEvents: ActionType=FileModified, FolderPath=C:\inetpub\wwwroot\, InitiatingProcessFileName=powershell.exe. Security Event ID 4663 if SACL object access auditing is enabled on the inetpub directory. This satisfies Branch 2 (path under \inetpub\wwwroot\, extension htm, writer not on the exclusion list).
- Test 2: Simulate Web Shell Spawning Shell Process on IIS
Expected signal: Sysmon Event ID 1 (Process Create) with Image=C:\Windows\System32\cmd.exe and ParentImage=C:\Windows\System32\taskeng.exe or svchost.exe (Task Scheduler host); CommandLine contains whoami and output redirection. Security Event ID 4688: cmd.exe process creation with full command line (if command line auditing is enabled). Security Event ID 4698: scheduled task created. Note: the scheduled-task parent does not satisfy Branch 1 of the query, so this simulation exercises the process telemetry without raising the alert. A real web shell test on a configured IIS server would show ParentImage=C:\Windows\System32\inetsrv\w3wp.exe, which is both the highest-fidelity telemetry for this technique and the parent name Branch 1 keys on.
- Test 3: Deface Apache Web Root on Linux
Expected signal: Linux auditd (if configured with -w /var/www/html -p wa -k webroot-write): a syscall audit record for open/write on /var/www/html/index.html with the uid of the executing user. Sysmon for Linux (if deployed): a file creation/modification event for /var/www/html/index.html with process image=/usr/bin/tee and parent=/bin/bash. Syslog entries from the sudo invocation in /var/log/auth.log. The file metadata change is visible via stat /var/www/html/index.html, which shows updated Modify and Change timestamps. This satisfies Branch 2 (path under /var/www/, extension html).
- Test 4: Mass Page Replacement Simulating Automated Hacktivist Defacement
Expected signal: Sysmon Event ID 11: 8 consecutive File Create events in C:\Temp\argus-webroot-test\ for *.html files with Image=powershell.exe, all within a few seconds. DeviceFileEvents: 8 events with ActionType=FileCreated in FolderPath=C:\Temp\argus-webroot-test\. Note: the test writes to C:\Temp to avoid requiring an IIS installation, but that path matches none of the web root patterns in Branch 2, so the query as shown will not alert on it. Point testWebRoot at C:\inetpub\wwwroot\argus-test\ to exercise the path filter. The query contains no bulk-modification count threshold; if you want to alert specifically on mass replacement, that needs a separate sequence or threshold rule.
References
- https://attack.mitre.org/techniques/T1491/002/
- https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf
- https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf
- https://web.archive.org/web/20210719110553/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf
- https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.002/T1491.002.md
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Cookie_Attributes