Detect External Defacement in Splunk
Adversaries may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question or discredit the system's integrity. Externally facing websites are a common victim of defacement, often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. Notable examples include Ember Bear's defacement of Ukrainian organization websites and Sandworm Team's defacement of approximately 15,000 Georgian government and private sector websites in 2019.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1491 Defacement
- Sub-technique: T1491.002 External Defacement
- Canonical reference: https://attack.mitre.org/techniques/T1491/002/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=11)
| eval IsWebServerShell=if(
EventCode=1
AND (like(ParentImage, "%\\w3wp.exe") OR like(ParentImage, "%\\httpd.exe") OR like(ParentImage, "%\\nginx.exe") OR like(ParentImage, "%\\php-cgi.exe") OR like(ParentImage, "%\\php.exe") OR like(ParentImage, "%\\apache%.exe") OR like(ParentImage, "%\\tomcat%.exe"))
AND (like(Image, "%\\cmd.exe") OR like(Image, "%\\powershell.exe") OR like(Image, "%\\pwsh.exe") OR like(Image, "%\\wscript.exe") OR like(Image, "%\\cscript.exe") OR like(Image, "%\\mshta.exe") OR like(Image, "%\\bash.exe") OR like(Image, "%\\sh.exe")),
1, 0)
| eval IsWebFileModified=if(
EventCode=11
AND (like(TargetFilename, "%\\wwwroot\\%") OR like(TargetFilename, "%\\inetpub\\%") OR like(TargetFilename, "%\\htdocs\\%") OR like(TargetFilename, "%\\public_html\\%") OR like(TargetFilename, "%\\webroot\\%"))
AND (like(TargetFilename, "%.html") OR like(TargetFilename, "%.htm") OR like(TargetFilename, "%.asp") OR like(TargetFilename, "%.aspx") OR like(TargetFilename, "%.php") OR like(TargetFilename, "%.js") OR like(TargetFilename, "%index.%") OR like(TargetFilename, "%default.%"))
AND NOT (like(Image, "%\\svchost.exe") OR like(Image, "%\\TrustedInstaller.exe") OR like(Image, "%\\WaAppAgent.exe") OR like(Image, "%\\msiexec.exe") OR like(Image, "%\\WUDFHost.exe")),
1, 0)
| where IsWebServerShell=1 OR IsWebFileModified=1
| eval DetectionType=case(IsWebServerShell=1, "WebServerSpawnedShell", IsWebFileModified=1, "WebFileModified", true(), "Unknown")
| eval Severity=case(
IsWebServerShell=1, "Critical",
IsWebFileModified=1 AND (like(Image, "%\\cmd.exe") OR like(Image, "%\\powershell.exe") OR like(Image, "%\\pwsh.exe") OR like(Image, "%\\wscript.exe") OR like(Image, "%\\cscript.exe")), "High",
true(), "Medium")
| eval AffectedFile=coalesce(TargetFilename, "")
| table _time, host, User, AffectedFile, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, Severity
| sort - _time
The query detects external defacement using Sysmon Event ID 1 (Process Create) and Event ID 11 (File Create) in a single search with eval-based filtering. IsWebServerShell=1 fires at Critical severity when a web server process spawns an interactive shell, indicating active exploitation. IsWebFileModified=1 fires on unauthorized writes of HTML/PHP/ASP content files to web root directories, escalated to High severity when the modifying process is itself a shell interpreter. The eval+where approach keeps the boolean scoping of both detection branches explicit, avoiding SPL operator-precedence ambiguity.
False Positives & Tuning
- CI/CD pipeline deployment agents writing HTML/PHP content to web root directories as part of scheduled deployments
- CMS platforms (WordPress, Drupal, Joomla) auto-updating core files or plugins via their internal HTTP-based updaters, which trigger the web server process to write files
- Web developers editing files directly on development servers using editors (code.exe, notepad++.exe) that should be added to the Image exclusion list
- IIS application pool recycle events or custom startup executables configured in IIS that may appear as cmd.exe children of w3wp.exe
- Content syndication or CDN origin pull agents that write cached or translated content files to the web root on a schedule
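To show what the two branches of the SPL query above flag, and how the process exclusion list from the tuning notes is applied, here is an added Python re-implementation of the same logic run over constructed Sysmon events (example code, not part of the original detection package). Field names mirror Sysmon's; the extra_exclusions allowlist, the deployagent.exe process name and the sample file paths are assumptions for illustration.

```python
import fnmatch
# Name patterns lifted from the like() clauses of the SPL query, matched on the basename.
WEB_SERVERS = ("w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "php.exe", "apache*.exe", "tomcat*.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "bash.exe", "sh.exe")
WEB_ROOTS = ("\\wwwroot\\", "\\inetpub\\", "\\htdocs\\", "\\public_html\\", "\\webroot\\")
WEB_EXTS = (".html", ".htm", ".asp", ".aspx", ".php", ".js")
BENIGN_WRITERS = ("svchost.exe", "TrustedInstaller.exe", "WaAppAgent.exe", "msiexec.exe", "WUDFHost.exe")
INTERACTIVE = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def matches(path, patterns):
    # Case-insensitive equivalent of the chained like(Image, "%\\name.exe") tests.
    return any(fnmatch.fnmatchcase(basename(path), p.lower()) for p in patterns)

def classify(event, extra_exclusions=()):
    """Return (DetectionType, Severity) for one Sysmon event, or None if nothing fires.
    extra_exclusions is an assumed tuning hook for the benign writers listed above."""
    code, image, parent = event["EventCode"], event["Image"], event.get("ParentImage", "")
    target = event.get("TargetFilename", "").lower()
    # Branch 1 (IsWebServerShell): a web server process spawned a shell interpreter.
    web_shell = code == 1 and matches(parent, WEB_SERVERS) and matches(image, SHELLS)
    # Branch 2 (IsWebFileModified): content file written under a web root by a non-excluded process.
    in_root = any(root in target for root in WEB_ROOTS)
    web_ext = target.endswith(WEB_EXTS) or "index." in target or "default." in target
    excluded = matches(image, BENIGN_WRITERS + tuple(extra_exclusions))
    if web_shell:
        return "WebServerSpawnedShell", "Critical"
    if code == 11 and in_root and web_ext and not excluded:
        return "WebFileModified", "High" if matches(image, INTERACTIVE) else "Medium"
    return None

def run(events, extra_exclusions=()):
    # (process basename, DetectionType, Severity) for every event that fires, in input order.
    return [(basename(e["Image"]),) + v for e in events
            if (v := classify(e, extra_exclusions)) is not None]

# Constructed events modelled on the expected signals of Tests 1 and 2, plus two benign writers.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"},
    {"EventCode": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\iisstart.htm"},
    {"EventCode": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",  # built-in exclusion
     "TargetFilename": "C:\\inetpub\\wwwroot\\app\\index.html"},
    {"EventCode": 11, "Image": "C:\\Deploy\\deployagent.exe",  # assumed CI/CD agent: allowlist it
     "TargetFilename": "D:\\sites\\htdocs\\index.php"},
]
```

Calling run(SAMPLE_EVENTS) yields a Critical, a High and a Medium hit; passing extra_exclusions=("deployagent.exe",) drops the Medium one, which is the effect of adding a known deployment agent to the Image exclusion list in the SPL.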
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Replace IIS Default Web Page with Defacement Content
Expected signal: Sysmon Event ID 11: File Create event with TargetFilename=C:\inetpub\wwwroot\iisstart.htm (or index.html), Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. DeviceFileEvents: ActionType=FileModified, FolderPath=C:\inetpub\wwwroot\, InitiatingProcessFileName=powershell.exe. Security Event ID 4663 if SACL object access auditing is enabled on the inetpub directory.
- Test 2: Simulate Web Shell Spawning Shell Process on IIS
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\cmd.exe, ParentImage=C:\Windows\System32\taskeng.exe or svchost.exe (Task Scheduler host). CommandLine contains whoami and output redirection. Security Event ID 4688: cmd.exe process creation with full command line (if command line auditing enabled). Security Event ID 4698: Scheduled task created. Note: A real web shell test on a configured IIS server would show ParentImage=C:\Windows\System32\inetsrv\w3wp.exe — the highest-fidelity telemetry for this technique.
- Test 3: Deface Apache Web Root on Linux
Expected signal: Linux auditd (if configured with -w /var/www/html -p wa -k webroot-write): syscall audit record for open/write on /var/www/html/index.html with uid of executing user. Sysmon for Linux (if deployed): File creation/modification event for /var/www/html/index.html with process image=/usr/bin/tee and parent=/bin/bash. Syslog entries from sudo invocation in /var/log/auth.log. File metadata change visible via: stat /var/www/html/index.html showing updated Modify and Change timestamps.
- Test 4: Mass Page Replacement Simulating Automated Hacktivist Defacement
Expected signal: Sysmon Event ID 11: 8 consecutive File Create events in C:\Temp\argus-webroot-test\ for *.html files with Image=powershell.exe, all within a few seconds. DeviceFileEvents: 8 events ActionType=FileCreated in FolderPath=C:\Temp\argus-webroot-test\. Note: The test uses C:\Temp to avoid requiring IIS installation; for highest-fidelity results, modify testWebRoot to C:\inetpub\wwwroot\argus-test\ to trigger both path-based filters and bulk modification threshold.
References (10)
- https://attack.mitre.org/techniques/T1491/002/
- https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf
- https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf
- https://web.archive.org/web/20210719110553/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf
- https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.002/T1491.002.md
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/01-Testing_for_Cookie_Attributes