T1491.002 IBM QRadar · QRadar

Detect External Defacement in IBM QRadar

Adversaries may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. Notable examples include Ember Bear's defacement of Ukrainian organization websites and Sandworm Team's defacement of approximately 15,000 Georgian government and private sector websites in 2019.

MITRE ATT&CK

Tactic
Impact
Technique
T1491 Defacement
Sub-technique
T1491.002 External Defacement
Canonical reference
https://attack.mitre.org/techniques/T1491/002/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  CATEGORYNAME(category) AS Category,
  username AS User,
  "Image",
  "CommandLine",
  "ParentImage",
  "ParentCommandLine",
  "TargetFilename",
  CASE
    WHEN QIDNAME(qid) ILIKE '%Process Create%'
      AND (
        "ParentImage" ILIKE '%\\w3wp.exe' OR "ParentImage" ILIKE '%\\httpd.exe' OR
        "ParentImage" ILIKE '%\\nginx.exe' OR "ParentImage" ILIKE '%\\php-cgi.exe' OR
        "ParentImage" ILIKE '%\\php.exe' OR "ParentImage" ILIKE '%\\apache%.exe' OR
        "ParentImage" ILIKE '%\\tomcat%.exe'
      )
    THEN 'WebServerSpawnedShell'
    WHEN QIDNAME(qid) ILIKE '%File Create%'
      AND (
        "TargetFilename" ILIKE '%\\wwwroot\\%' OR "TargetFilename" ILIKE '%\\inetpub\\%' OR
        "TargetFilename" ILIKE '%\\htdocs\\%' OR "TargetFilename" ILIKE '%\\public_html\\%' OR
        "TargetFilename" ILIKE '%\\webroot\\%'
      )
    THEN 'WebFileModified'
    ELSE 'Unknown'
  END AS DetectionType,
  CASE
    WHEN QIDNAME(qid) ILIKE '%Process Create%'
      AND (
        "Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\pwsh.exe'
      )
    THEN 'Critical'
    WHEN QIDNAME(qid) ILIKE '%Process Create%'
      AND (
        "Image" ILIKE '%\\wscript.exe' OR "Image" ILIKE '%\\cscript.exe' OR "Image" ILIKE '%\\mshta.exe'
      )
    THEN 'High'
    WHEN QIDNAME(qid) ILIKE '%File Create%'
      AND (
        "Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\pwsh.exe'
      )
    THEN 'High'
    ELSE 'Medium'
  END AS Severity
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) ILIKE '%Sysmon%'
  AND starttime > NOW() - 86400000
  AND (
    (
      QIDNAME(qid) ILIKE '%Process Create%'
      AND (
        "ParentImage" ILIKE '%\\w3wp.exe' OR "ParentImage" ILIKE '%\\httpd.exe' OR
        "ParentImage" ILIKE '%\\nginx.exe' OR "ParentImage" ILIKE '%\\php-cgi.exe' OR
        "ParentImage" ILIKE '%\\php.exe' OR "ParentImage" ILIKE '%\\apache%.exe' OR
        "ParentImage" ILIKE '%\\tomcat%.exe'
      )
      AND (
        "Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\powershell.exe' OR
        "Image" ILIKE '%\\pwsh.exe' OR "Image" ILIKE '%\\wscript.exe' OR
        "Image" ILIKE '%\\cscript.exe' OR "Image" ILIKE '%\\mshta.exe' OR
        "Image" ILIKE '%\\bash.exe' OR "Image" ILIKE '%\\sh.exe' OR
        "Image" ILIKE '%\\python.exe' OR "Image" ILIKE '%\\perl.exe'
      )
    )
    OR (
      QIDNAME(qid) ILIKE '%File Create%'
      AND (
        "TargetFilename" ILIKE '%\\wwwroot\\%' OR "TargetFilename" ILIKE '%\\inetpub\\%' OR
        "TargetFilename" ILIKE '%\\htdocs\\%' OR "TargetFilename" ILIKE '%\\public_html\\%' OR
        "TargetFilename" ILIKE '%\\webroot\\%'
      )
      AND (
        "TargetFilename" ILIKE '%.html' OR "TargetFilename" ILIKE '%.htm' OR
        "TargetFilename" ILIKE '%.asp' OR "TargetFilename" ILIKE '%.aspx' OR
        "TargetFilename" ILIKE '%.php' OR "TargetFilename" ILIKE '%.js' OR
        "TargetFilename" ILIKE '%.css' OR "TargetFilename" ILIKE '%.jsp' OR
        "TargetFilename" ILIKE '%\\index.%' OR "TargetFilename" ILIKE '%\\default.%'
      )
      AND NOT (
        "Image" ILIKE '%\\svchost.exe' OR "Image" ILIKE '%\\TrustedInstaller.exe' OR
        "Image" ILIKE '%\\WaAppAgent.exe' OR "Image" ILIKE '%\\msiexec.exe' OR
        "Image" ILIKE '%\\WUDFHost.exe'
      )
    )
  )
ORDER BY starttime DESC
Severity: critical · Confidence: high

IBM QRadar AQL query detecting T1491.002 External Defacement against Sysmon log sources. It combines two detections in one query: Sysmon Process Create (Event ID 1) events in which a known web server parent process (w3wp, httpd, nginx, php-cgi, php, apache*, tomcat*) spawns a shell or script interpreter, and Sysmon File Create (Event ID 11) events in which a process outside a short allow-list of system components writes web content files (.html, .htm, .asp, .aspx, .php, .js, .css, .jsp, index.*, default.*) into standard web root directories. Results are limited to the last 24 hours (86400000 ms). Severity is computed from the event type and the spawned or writing process: cmd.exe, powershell.exe and pwsh.exe spawned by a web server are Critical, the Windows script hosts are High, a shell writing web content is High, and everything else is Medium.
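The same WHERE and CASE logic as plain Python, added here as an example (it is not part of the QRadar rule or the product) so the classification and severity can be unit-tested against sample Sysmon events before the AQL is deployed or tuned. It assumes Sysmon fields arrive as plain strings under the same property names the query references; the sample events are constructed from the expected signals listed under Testing Methodology.

```python
import re

def ilike(value: str, pattern: str) -> bool:
    """Emulate AQL ILIKE: '%' matches any run, '_' one character, case-insensitive."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def any_like(value: str, patterns) -> bool:
    return any(ilike(value, p) for p in patterns)

# Pattern lists copied from the AQL; one backslash here equals the doubled '\\' in the query literal.
WEB_SERVER_PARENTS = [r"%\w3wp.exe", r"%\httpd.exe", r"%\nginx.exe", r"%\php-cgi.exe",
                      r"%\php.exe", r"%\apache%.exe", r"%\tomcat%.exe"]
SHELL_IMAGES = [r"%\cmd.exe", r"%\powershell.exe", r"%\pwsh.exe", r"%\wscript.exe", r"%\cscript.exe",
                r"%\mshta.exe", r"%\bash.exe", r"%\sh.exe", r"%\python.exe", r"%\perl.exe"]
CRITICAL_SHELLS, HIGH_SHELLS = SHELL_IMAGES[:3], SHELL_IMAGES[3:6]  # cmd/powershell/pwsh; wscript/cscript/mshta
WEB_ROOTS = [r"%\wwwroot\%", r"%\inetpub\%", r"%\htdocs\%", r"%\public_html\%", r"%\webroot\%"]
WEB_CONTENT = [r"%.html", r"%.htm", r"%.asp", r"%.aspx", r"%.php", r"%.js", r"%.css", r"%.jsp",
               r"%\index.%", r"%\default.%"]
BENIGN_WRITERS = [r"%\svchost.exe", r"%\TrustedInstaller.exe", r"%\WaAppAgent.exe",
                  r"%\msiexec.exe", r"%\WUDFHost.exe"]

def classify(event: dict):
    """Mirror the query's WHERE and CASE logic: (DetectionType, Severity), or None if it stays silent."""
    eid, image = event.get("EventID"), event.get("Image", "")
    if eid == 1 and any_like(event.get("ParentImage", ""), WEB_SERVER_PARENTS) and any_like(image, SHELL_IMAGES):
        if any_like(image, CRITICAL_SHELLS):
            return "WebServerSpawnedShell", "Critical"
        return "WebServerSpawnedShell", "High" if any_like(image, HIGH_SHELLS) else "Medium"
    if eid == 11:
        target = event.get("TargetFilename", "")
        if any_like(target, WEB_ROOTS) and any_like(target, WEB_CONTENT) and not any_like(image, BENIGN_WRITERS):
            return "WebFileModified", "High" if any_like(image, CRITICAL_SHELLS) else "Medium"
    return None

# Constructed sample events modelled on the expected signals under Testing Methodology (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},           # web server spawned shell: Critical
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\iisstart.htm"},             # Test 1: High
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\index.html"},               # allow-listed writer: silent
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\taskeng.exe"},                # Test 2 as shipped: silent
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["Image"].rsplit("\\", 1)[-1], "->", classify(e))
```

Running it shows that Test 2 in its scheduled-task form does not trigger the process branch, which is why the methodology notes that a real web shell under w3wp.exe is the higher-fidelity signal.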

Data Sources

IBM QRadar SIEM
Microsoft Sysmon via QRadar Windows DSM
QRadar Universal DSM for Sysmon XML

Required Tables

events

False Positives & Tuning

  • Automated software deployment pipelines (TeamCity, GitLab CI, Bamboo) that invoke PowerShell or cmd.exe under the context of IIS application pool accounts to stage updated web content
  • Web server CGI or FastCGI handlers that spawn Python, Perl, or shell interpreters as child processes to process legitimate HTTP requests
  • IT asset management or remote monitoring agents (e.g., Tanium, BigFix) that are whitelisted at the process level but interact with web root directories during compliance scans
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Replace IIS Default Web Page with Defacement Content

    Expected signal: Sysmon Event ID 11: File Create event with TargetFilename=C:\inetpub\wwwroot\iisstart.htm (or index.html), Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. DeviceFileEvents: ActionType=FileModified, FolderPath=C:\inetpub\wwwroot\, InitiatingProcessFileName=powershell.exe. Security Event ID 4663 if SACL object access auditing is enabled on the inetpub directory.

  2. Test 2: Simulate Web Shell Spawning Shell Process on IIS

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\cmd.exe, ParentImage=C:\Windows\System32\taskeng.exe or svchost.exe (Task Scheduler host). CommandLine contains whoami and output redirection. Security Event ID 4688: cmd.exe process creation with full command line (if command line auditing enabled). Security Event ID 4698: Scheduled task created. Note: A real web shell test on a configured IIS server would show ParentImage=C:\Windows\System32\inetsrv\w3wp.exe — the highest-fidelity telemetry for this technique.

  3. Test 3: Deface Apache Web Root on Linux

    Expected signal: Linux auditd (if configured with -w /var/www/html -p wa -k webroot-write): syscall audit record for open/write on /var/www/html/index.html with uid of executing user. Sysmon for Linux (if deployed): File creation/modification event for /var/www/html/index.html with process image=/usr/bin/tee and parent=/bin/bash. Syslog entries from sudo invocation in /var/log/auth.log. File metadata change visible via: stat /var/www/html/index.html showing updated Modify and Change timestamps.

  4. Test 4: Mass Page Replacement Simulating Automated Hacktivist Defacement

    Expected signal: Sysmon Event ID 11: 8 consecutive File Create events in C:\Temp\argus-webroot-test\ for *.html files with Image=powershell.exe, all within a few seconds. DeviceFileEvents: 8 events ActionType=FileCreated in FolderPath=C:\Temp\argus-webroot-test\. Note: The test uses C:\Temp to avoid requiring IIS installation; for highest-fidelity results, modify testWebRoot to C:\inetpub\wwwroot\argus-test\ to trigger both path-based filters and bulk modification threshold.
