T1491.002 CrowdStrike LogScale · LogScale

Detect External Defacement in CrowdStrike LogScale

Adversaries may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. Notable examples include Ember Bear's defacement of Ukrainian organization websites and Sandworm Team's defacement of approximately 15,000 Georgian government and private sector websites in 2019.

MITRE ATT&CK

Tactic: Impact
Technique: T1491 Defacement
Sub-technique: T1491.002 External Defacement
Canonical reference: https://attack.mitre.org/techniques/T1491/002/

LogScale Detection Query

Query language: CrowdStrike LogScale (CQL)
#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2|PeFileWritten|NewScriptWritten|SuspiciousScriptWritten)$/

| IsWebServerShell := if(
    #event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
    AND ParentBaseFileName = /^(w3wp|httpd|nginx|php\-cgi|php|tomcat|java|apache)(\.exe)?$/i
    AND ImageFileName = /\\(cmd|powershell|pwsh|wscript|cscript|mshta|bash|sh|python|python3|perl)(\.exe)?$/i,
    true, false)

| IsWebFileModified := if(
    #event_simpleName in ("PeFileWritten", "NewScriptWritten", "SuspiciousScriptWritten")
    AND TargetFileName = /\\(wwwroot|inetpub|htdocs|public_html|webroot)\\/i
    AND TargetFileName = /\.(html|htm|asp|aspx|php|js|css|jsp)$/i
    AND NOT ImageFileName = /\\(svchost|TrustedInstaller|WaAppAgent|msiexec|WUDFHost|MicrosoftEdgeUpdate)(\.exe)?$/i,
    true, false)

| IsWebServerShell = true OR IsWebFileModified = true

| DetectionType := if(IsWebServerShell = true, "WebServerSpawnedShell", "WebFileModified")

| Severity := if(
    IsWebServerShell = true, "Critical",
    if(
      ImageFileName = /\\(cmd|powershell|pwsh|wscript|cscript)(\.exe)?$/i,
      "High", "Medium"
    )
  )

| table(
    [_time, ComputerName, UserName, ImageFileName, CommandLine,
     ParentBaseFileName, ParentCommandLine, TargetFileName, DetectionType, Severity]
  )
| sort(field=_time, order=desc)
Severity: Critical · Confidence: High

CrowdStrike LogScale (Falcon NG-SIEM) query detecting T1491.002 External Defacement using native Falcon sensor telemetry. Branch 1 uses ProcessRollup2 and SyntheticProcessRollup2 events to identify web server binaries spawning shell interpreters, which is characteristic of RCE via web shell exploitation. Branch 2 uses PeFileWritten, NewScriptWritten, and SuspiciousScriptWritten events to flag non-system processes writing web content files to known Windows IIS and Apache web root paths. Severity is assigned dynamically: shell spawns are Critical, while file writes are High when the writing process is a scripting host (cmd.exe, PowerShell, pwsh, wscript, cscript) and Medium otherwise.
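To show which events the two branches admit and reject, here is an added Python re-implementation of the query's logic run over constructed sample events; it is not part of the page or of CrowdStrike's tooling, the field names follow the query, and the sample events are invented. It also exposes a caveat of the query as written: the path regexes anchor on a backslash separator, so Linux telemetry such as the Apache case in Test 3 does not match.

```python
import re

# Patterns copied from the two branches of the LogScale query above.
WEB_SERVER_PARENT = re.compile(r"^(w3wp|httpd|nginx|php\-cgi|php|tomcat|java|apache)(\.exe)?$", re.I)
SHELL_IMAGE = re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript|mshta|bash|sh|python|python3|perl)(\.exe)?$", re.I)
WEB_ROOT = re.compile(r"\\(wwwroot|inetpub|htdocs|public_html|webroot)\\", re.I)
WEB_CONTENT_EXT = re.compile(r"\.(html|htm|asp|aspx|php|js|css|jsp)$", re.I)
SYSTEM_WRITER = re.compile(r"\\(svchost|TrustedInstaller|WaAppAgent|msiexec|WUDFHost|MicrosoftEdgeUpdate)(\.exe)?$", re.I)
HIGH_SEVERITY_IMAGE = re.compile(r"\\(cmd|powershell|pwsh|wscript|cscript)(\.exe)?$", re.I)

PROCESS_EVENTS = {"ProcessRollup2", "SyntheticProcessRollup2"}
FILE_EVENTS = {"PeFileWritten", "NewScriptWritten", "SuspiciousScriptWritten"}


def classify(event):
    """Apply the query's logic to one Falcon-style event dict (keys as in the query).
    Returns (DetectionType, Severity) when the query would emit the event, else None."""
    name = event.get("event_simpleName", "")
    image = event.get("ImageFileName", "")
    if name in PROCESS_EVENTS:
        # Branch 1: a web server process spawning a shell interpreter.
        if WEB_SERVER_PARENT.search(event.get("ParentBaseFileName", "")) and SHELL_IMAGE.search(image):
            return ("WebServerSpawnedShell", "Critical")
    elif name in FILE_EVENTS:
        # Branch 2: a non-system process writing web content into a web root.
        target = event.get("TargetFileName", "")
        if WEB_ROOT.search(target) and WEB_CONTENT_EXT.search(target) and not SYSTEM_WRITER.search(image):
            severity = "High" if HIGH_SEVERITY_IMAGE.search(image) else "Medium"
            return ("WebFileModified", severity)
    return None


# Constructed sample events (invented for this example, not real telemetry).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "ParentBaseFileName": "w3wp.exe",
     "ImageFileName": r"\Windows\System32\cmd.exe"},
    {"event_simpleName": "NewScriptWritten", "ImageFileName": r"\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFileName": r"C:\inetpub\wwwroot\index.html"},
    {"event_simpleName": "PeFileWritten", "ImageFileName": r"\Windows\System32\svchost.exe",
     "TargetFileName": r"C:\inetpub\wwwroot\default.aspx"},  # excluded system writer
    # Linux Apache shell spawn: the regexes require a backslash path separator, so it is missed.
    {"event_simpleName": "ProcessRollup2", "ParentBaseFileName": "httpd", "ImageFileName": "/usr/bin/bash"},
]


def run(events=SAMPLE_EVENTS):
    """Classify every event; the list position matches SAMPLE_EVENTS."""
    return [classify(e) for e in events]
```

Against the samples, run() returns Critical for the w3wp-spawned cmd.exe, High for the PowerShell write to wwwroot, and None for both the svchost write and the Linux httpd event; covering Linux hosts would need a forward-slash variant of the path regexes.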

Data Sources

  • CrowdStrike Falcon Endpoint Protection Platform
  • CrowdStrike LogScale (NG-SIEM)
  • Falcon sensor process and file telemetry

Required Tables

  • ProcessRollup2
  • SyntheticProcessRollup2
  • PeFileWritten
  • NewScriptWritten
  • SuspiciousScriptWritten

False Positives & Tuning

  • Managed deployment pipelines (e.g., Octopus Deploy tentacle agents, Azure DevOps pipeline agents) executing under IIS application pool identities that invoke PowerShell or cmd.exe to perform file copy operations targeting web root directories
  • Tomcat or Jetty servlet containers that spawn OS-level processes (bash, sh) as part of JSP compilation, server-side include processing, or custom servlet hooks that interact with the host OS
  • Security assessment tools or vulnerability scanners (Nessus, Qualys) that are permitted to write temporary probe files to web-accessible directories to verify file write access as part of credentialed scan checks
Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Replace IIS Default Web Page with Defacement Content

    Expected signal: Sysmon Event ID 11: File Create event with TargetFilename=C:\inetpub\wwwroot\iisstart.htm (or index.html), Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. DeviceFileEvents: ActionType=FileModified, FolderPath=C:\inetpub\wwwroot\, InitiatingProcessFileName=powershell.exe. Security Event ID 4663 if SACL object access auditing is enabled on the inetpub directory.

  2. Test 2: Simulate Web Shell Spawning Shell Process on IIS

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\cmd.exe, ParentImage=C:\Windows\System32\taskeng.exe or svchost.exe (Task Scheduler host). CommandLine contains whoami and output redirection. Security Event ID 4688: cmd.exe process creation with full command line (if command line auditing enabled). Security Event ID 4698: Scheduled task created. Note: A real web shell test on a configured IIS server would show ParentImage=C:\Windows\System32\inetsrv\w3wp.exe — the highest-fidelity telemetry for this technique.

  3. Test 3: Deface Apache Web Root on Linux

    Expected signal: Linux auditd (if configured with -w /var/www/html -p wa -k webroot-write): syscall audit record for open/write on /var/www/html/index.html with uid of executing user. Sysmon for Linux (if deployed): File creation/modification event for /var/www/html/index.html with process image=/usr/bin/tee and parent=/bin/bash. Syslog entries from sudo invocation in /var/log/auth.log. File metadata change visible via: stat /var/www/html/index.html showing updated Modify and Change timestamps.

  4. Test 4: Mass Page Replacement Simulating Automated Hacktivist Defacement

    Expected signal: Sysmon Event ID 11: 8 consecutive File Create events in C:\Temp\argus-webroot-test\ for *.html files with Image=powershell.exe, all within a few seconds. DeviceFileEvents: 8 events ActionType=FileCreated in FolderPath=C:\Temp\argus-webroot-test\. Note: The test uses C:\Temp to avoid requiring IIS installation; for highest-fidelity results, modify testWebRoot to C:\inetpub\wwwroot\argus-test\ to trigger both path-based filters and bulk modification threshold.
