Detect External Defacement in Microsoft Sentinel
Adversaries may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. Notable examples include Ember Bear's defacement of Ukrainian organization websites and Sandworm Team's defacement of approximately 15,000 Georgian government and private sector websites in 2019.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1491 Defacement
- Sub-technique
- T1491.002 External Defacement
- Canonical reference
- https://attack.mitre.org/techniques/T1491/002/
KQL Detection Query
// Names are matched with has_any (term match), so the Linux binaries listed alongside the Windows ones match unchanged on Defender for Endpoint for Linux
let WebServerProcesses = dynamic(["w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "php.exe", "tomcat.exe", "java.exe", "apache.exe", "httpd", "apache2", "nginx", "php-fpm"]);
let ShellProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash", "sh", "python.exe", "python3", "perl.exe", "mshta.exe"]);
let WebRootPaths = dynamic(["\\inetpub\\wwwroot\\", "\\wwwroot\\", "\\htdocs\\", "\\public_html\\", "\\web\\", "\\webroot\\", "/var/www/", "/usr/share/nginx/html/"]);
let WebFileExtensions = dynamic([".html", ".htm", ".asp", ".aspx", ".php", ".js", ".css", ".jsp"]);
// Branch 1: a web server worker process spawning a shell interpreter (RCE, malicious upload or a web shell being driven)
let WebShellBranch = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (WebServerProcesses)
| where FileName has_any (ShellProcesses)
| extend DetectionType = "WebServerSpawnedShell"
| extend Severity = "Critical"
// FolderPath here is the location of the spawned interpreter; it is kept so both branches share one schema for the union
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
    ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionType, Severity;
// Branch 2: processes other than Windows servicing components creating or modifying content files under a web root
let FileModBranch = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebFileExtensions)
    or FileName in~ ("index.html", "index.php", "index.asp", "index.aspx",
        "default.htm", "default.asp", "default.aspx", "home.html")
// Short allowlist of Windows servicing processes; add your deployment agents and CMS updaters here (see False Positives & Tuning)
| where InitiatingProcessFileName !in~ ("svchost.exe", "TrustedInstaller.exe",
    "WaAppAgent.exe", "msiexec.exe", "WUDFHost.exe", "MicrosoftEdgeUpdate.exe")
| extend DetectionType = "WebFileModified"
// A write performed by a shell interpreter is more suspicious than one by an arbitrary process
| extend Severity = iff(InitiatingProcessFileName has_any (ShellProcesses), "High", "Medium")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
    FileName, FolderPath, ProcessCommandLine = InitiatingProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    DetectionType, Severity;
WebShellBranch
| union FileModBranch
| sort by Timestamp desc
Detects external defacement activity using two complementary branches over Microsoft Defender for Endpoint telemetry. Branch 1 returns Critical-severity rows when a web server worker process (IIS w3wp.exe, Apache httpd, Nginx, PHP-CGI, or the Linux equivalents) spawns a shell interpreter, a strong indicator that an attacker has exploited a web vulnerability (RCE, unrestricted file upload, web shell) and is executing commands on the host. Branch 2 returns creations and modifications of HTML, ASP, PHP and other served file types under a web root by any process other than a short allowlist of Windows servicing processes, at High severity when the writer is itself a shell interpreter and Medium otherwise. Neither branch inspects file content, so the rule flags the write rather than the message. The union covers both the exploitation path and the defacement artifact; the allowlist in Branch 2 is deliberately minimal and must be extended with your own deployment tooling (see False Positives & Tuning) before the rule is scheduled.
Data Sources
- Microsoft Defender for Endpoint process and file telemetry, ingested into Microsoft Sentinel through the Microsoft Defender XDR connector
Required Tables
- DeviceProcessEvents (Branch 1)
- DeviceFileEvents (Branch 2)
False Positives & Tuning
- CI/CD deployment agents (Jenkins agents, GitHub Actions runners, Azure DevOps build agents) writing updated web content to wwwroot as part of legitimate deployments; none of these are in the Branch 2 exclusion list, so every deployment is returned at Medium severity until they are allowlisted
- CMS auto-update processes: WordPress, Drupal and Joomla rewrite PHP and HTML files during plugin, theme or core updates, often via the same httpd, php-cgi or php-fpm worker that serves requests, so by process name alone the writes look like a web shell drop and need a path-based exception
- Web developers editing files directly on development or staging servers over SSH, FTP or a mounted network share, where the modifying process is an editor (code.exe, notepad++.exe) that the query does not exclude
- Application warm-up code triggered by the IIS Application Initialization module, or custom health-check handlers, that shell out from w3wp.exe to cmd.exe during startup and therefore satisfy Branch 1
- Monitoring and observability agents (Datadog agent, New Relic, Dynatrace OneAgent) that instrument web server processes and may launch helper processes from w3wp.exe or httpd; these match Branch 1 only when the helper is one of the listed shell interpreters
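One way to suppress the first three sources above without switching Branch 2 off, added here as an example rather than code from the original detection package. The agent names, install paths and the staging-host naming convention are assumptions; replace them with your own inventory, which is normally kept in a Sentinel watchlist and read with _GetWatchlist().

```kql
// Added tuning example for the false-positive sources listed above; not part of the original rule.
// Agent names, install paths and the host-naming pattern are assumptions for illustration.
let WebRootPaths = dynamic(["\\inetpub\\wwwroot\\", "\\wwwroot\\", "\\htdocs\\", "\\public_html\\", "\\webroot\\"]);
let WebFileExtensions = dynamic([".html", ".htm", ".asp", ".aspx", ".php", ".js", ".css", ".jsp"]);
let ShellProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash", "sh", "python.exe", "python3", "perl.exe", "mshta.exe"]);
// Deployment agents are exempted only when they run from their expected install folder,
// so a renamed binary dropped into wwwroot does not inherit the exemption. (Assumed paths.)
let DeploymentAgents = datatable(ProcName:string, InstallPrefix:string) [
    "agent.worker.exe",  @"C:\agent\",           // Azure DevOps build agent
    "runner.worker.exe", @"C:\actions-runner\",  // GitHub Actions runner
    "java.exe",          @"C:\jenkins\"          // Jenkins agent JVM
];
// CMS self-update folders that the worker process legitimately rewrites.
// wp-content\uploads is deliberately absent: it is where dropped web shells usually land.
let CmsUpdatePaths = dynamic(["\\wp-content\\plugins\\", "\\wp-content\\themes\\", "\\wp-content\\upgrade\\", "\\wp-admin\\", "\\wp-includes\\"]);
let CmsWorkers = dynamic(["w3wp.exe", "php-cgi.exe", "php.exe", "httpd.exe"]);
// Hosts where developers edit content in place; their writes are downgraded, not dropped.
let StagingHostPattern = @"^(dev|stg|uat)-";
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebFileExtensions)
| extend ProcName = tolower(InitiatingProcessFileName)
| join kind=leftouter (DeploymentAgents) on ProcName
| where isempty(InstallPrefix)                                      // not a known agent: keep
    or not(InitiatingProcessFolderPath startswith InstallPrefix)    // agent name, wrong location: keep
| where not(ProcName in (CmsWorkers) and FolderPath has_any (CmsUpdatePaths))
| extend Severity = case(
    ProcName has_any (ShellProcesses), "High",
    DeviceName matches regex StagingHostPattern, "Low",
    "Medium")
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FileName, FolderPath,
    InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, Severity
| sort by Timestamp desc
```

The location check is the point: exempting by process name alone would let an attacker name a dropper Runner.Worker.exe and write to the web root unobserved. The CMS exception is scoped to update folders for the same reason, and the editor case is handled by severity rather than exclusion so a defacement on a staging host is still recorded.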
Other platforms for T1491.002
Testing Methodology
Validate this detection against four test cases from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Replace IIS Default Web Page with Defacement Content
Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=C:\inetpub\wwwroot\iisstart.htm (or index.html) and Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. DeviceFileEvents: ActionType=FileModified, FolderPath=C:\inetpub\wwwroot\, InitiatingProcessFileName=powershell.exe. Security Event ID 4663 if SACL object access auditing is enabled on the inetpub directory. In the query above this lands in Branch 2 at High severity: the folder matches \inetpub\wwwroot\, the .htm extension is in WebFileExtensions, and powershell.exe is in ShellProcesses.
- Test 2: Simulate Web Shell Spawning Shell Process on IIS
Expected signal: Sysmon Event ID 1 (Process Create) with Image=C:\Windows\System32\cmd.exe and ParentImage=C:\Windows\System32\taskeng.exe or svchost.exe (Task Scheduler host); CommandLine contains whoami and output redirection. Security Event ID 4688: cmd.exe process creation with full command line (if command line auditing is enabled). Security Event ID 4698: scheduled task created. Note: a real web shell on a configured IIS server would show ParentImage=C:\Windows\System32\inetsrv\w3wp.exe, the highest-fidelity telemetry for this technique. Branch 1 of the query does not fire on the simulated variant, because InitiatingProcessFileName is the Task Scheduler host rather than a web server process; only the w3wp.exe parent satisfies it.
- Test 3: Deface Apache Web Root on Linux
Expected signal: Linux auditd (if configured with -w /var/www/html -p wa -k webroot-write): syscall audit record for open/write on /var/www/html/index.html with the uid of the executing user. Sysmon for Linux (if deployed): file creation/modification event for /var/www/html/index.html with process image=/usr/bin/tee and parent=/bin/bash. Syslog entries from the sudo invocation in /var/log/auth.log. File metadata change visible via stat /var/www/html/index.html, showing updated Modify and Change timestamps. Branch 2 returns this write only if the device reports DeviceFileEvents through Defender for Endpoint on Linux and a Linux web root such as /var/www/ is present in WebRootPaths; because the writing process is tee rather than the shell, the row is Medium severity.
- Test 4: Mass Page Replacement Simulating Automated Hacktivist Defacement
Expected signal: Sysmon Event ID 11: 8 consecutive File Create events in C:\Temp\argus-webroot-test\ for *.html files with Image=powershell.exe, all within a few seconds. DeviceFileEvents: 8 events with ActionType=FileCreated in FolderPath=C:\Temp\argus-webroot-test\. Note: the test uses C:\Temp to avoid requiring an IIS installation, so Branch 2 does not match it as written; for highest-fidelity results, set testWebRoot to C:\inetpub\wwwroot\argus-test\ so the path filter matches. The query has no per-window count threshold: each write is returned as its own row, so expect eight High-severity rows rather than one aggregated alert.
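A count-based companion for the mass-replacement case in Test 4, added here as an example and not part of the original rule: it aggregates Branch 2's web-root writes per device and writing process into fixed windows and returns only bursts above a threshold, which is what an automated defacement script produces and a developer saving one page does not. The threshold, the window length and the web-root list are assumed starting values to tune.

```kql
// Added hunting query for bulk web-root replacement; not part of the original rule,
// which returns one row per file. BulkThreshold and Window are assumed starting values.
let WebRootPaths = dynamic(["\\inetpub\\wwwroot\\", "\\wwwroot\\", "\\htdocs\\", "\\public_html\\", "\\webroot\\", "/var/www/"]);
let WebFileExtensions = dynamic([".html", ".htm", ".asp", ".aspx", ".php", ".js", ".css", ".jsp"]);
let BulkThreshold = 5;   // distinct web files one process must touch within one window
let Window = 5m;
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebFileExtensions)
// Composite key so repeated writes to the same file count once; "|" avoids assuming a path separator
| extend FileKey = tolower(strcat(FolderPath, "|", FileName))
| summarize FilesTouched = dcount(FileKey),
            FirstWrite = min(Timestamp), LastWrite = max(Timestamp),
            SampleFiles = make_set(FileName, 10),
            Folders = make_set(FolderPath, 5)
    by DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName,
       InitiatingProcessCommandLine, WindowStart = bin(Timestamp, Window)
| where FilesTouched >= BulkThreshold
// Seconds between the first and last write in the burst; a script produces a short span
| extend BurstSeconds = datetime_diff("second", LastWrite, FirstWrite)
| sort by FilesTouched desc, WindowStart desc
```

Fixed bins can split a burst that straddles a boundary across two windows; if that matters, lower BulkThreshold or build a sliding window with row_window_session(). When this runs as a scheduled rule, set the lookback to at least Window so the summarize sees the whole burst, and keep the per-file rule alongside it, since a single index page swap never reaches the threshold.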
References (10)
- https://attack.mitre.org/techniques/T1491/002/
- https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf
- https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf
- https://web.archive.org/web/20210719110553/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf
- https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.002/T1491.002.md
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Cookie_Attributes