T1491.002 Sumo Logic CSE · Sumo

Detect External Defacement in Sumo Logic CSE

Adversaries may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. Notable examples include Ember Bear's defacement of Ukrainian organization websites and Sandworm Team's defacement of approximately 15,000 Georgian government and private sector websites in 2019.

MITRE ATT&CK

Tactic
Impact
Technique
T1491 Defacement
Sub-technique
T1491.002 External Defacement
Canonical reference
https://attack.mitre.org/techniques/T1491/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| parse regex "<EventID>(?<EventCode>\d+)<\/EventID>" nodrop
| parse regex "<Data Name='Image'>(?<Image>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='CommandLine'>(?<CommandLine>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='ParentImage'>(?<ParentImage>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='ParentCommandLine'>(?<ParentCommandLine>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='TargetFilename'>(?<TargetFilename>[^<]+)<\/Data>" nodrop
| parse regex "<Data Name='User'>(?<User>[^<]+)<\/Data>" nodrop
// Computer is a <System> element in Sysmon XML, not a <Data Name='Computer'> element
| parse regex "<Computer>(?<Computer>[^<]+)<\/Computer>" nodrop
| where EventCode in ("1", "11")
| where (
    // Branch 1 (Process Create): a web server process spawned a shell or interpreter
    EventCode = "1"
    AND (
      ParentImage matches "*\\w3wp.exe" OR ParentImage matches "*\\httpd.exe" OR
      ParentImage matches "*\\nginx.exe" OR ParentImage matches "*\\php-cgi.exe" OR
      ParentImage matches "*\\php.exe" OR ParentImage matches "*\\apache*.exe" OR
      ParentImage matches "*\\tomcat*.exe" OR ParentImage matches "*\\java.exe"
    )
    AND (
      Image matches "*\\cmd.exe" OR Image matches "*\\powershell.exe" OR
      Image matches "*\\pwsh.exe" OR Image matches "*\\wscript.exe" OR
      Image matches "*\\cscript.exe" OR Image matches "*\\mshta.exe" OR
      Image matches "*\\bash.exe" OR Image matches "*\\sh.exe" OR
      Image matches "*\\python.exe" OR Image matches "*\\perl.exe"
    )
  )
  OR (
    // Branch 2 (File Create): web content written under a web root by a non-platform process
    EventCode = "11"
    AND (
      TargetFilename matches "*\\wwwroot\\*" OR TargetFilename matches "*\\inetpub\\*" OR
      TargetFilename matches "*\\htdocs\\*" OR TargetFilename matches "*\\public_html\\*" OR
      TargetFilename matches "*\\webroot\\*"
    )
    AND (
      TargetFilename matches "*.html" OR TargetFilename matches "*.htm" OR
      TargetFilename matches "*.asp" OR TargetFilename matches "*.aspx" OR
      TargetFilename matches "*.php" OR TargetFilename matches "*.js" OR
      TargetFilename matches "*.css" OR TargetFilename matches "*.jsp" OR
      TargetFilename matches "*\\index.*" OR TargetFilename matches "*\\default.*"
    )
    AND NOT (
      Image matches "*\\svchost.exe" OR Image matches "*\\TrustedInstaller.exe" OR
      Image matches "*\\WaAppAgent.exe" OR Image matches "*\\msiexec.exe" OR
      Image matches "*\\WUDFHost.exe" OR Image matches "*\\MicrosoftEdgeUpdate.exe"
    )
  )
// Sumo Logic has no eval operator; derived fields use if(...) as <field>
| if(EventCode = "1", "WebServerSpawnedShell", "WebFileModified") as DetectionType
| if(EventCode = "1", "Critical",
    if(
      Image matches "*\\cmd.exe" OR Image matches "*\\powershell.exe" OR
      Image matches "*\\pwsh.exe" OR Image matches "*\\wscript.exe" OR
      Image matches "*\\cscript.exe",
      "High", "Medium"
    )
  ) as Severity
| fields _messageTime, Computer, User, TargetFilename, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, Severity
| sort by _messageTime desc

Severity: critical · Confidence: high

Sumo Logic query detecting T1491.002 External Defacement by parsing Sysmon XML event data ingested via Sumo Logic collectors. It uses parse regex operators to extract process and file fields from Sysmon EventCode 1 (Process Create) and EventCode 11 (File Create) XML records, then flags two behaviours: a web server process spawning a shell or interpreter, and web content files being created or modified under a web root by a process that is not a known platform component. Severity is assigned dynamically from the spawning or writing process: any web-server-spawned shell is Critical, a web root write by a shell or script host is High, and any other web root write is Medium.
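To check the query's decision logic offline before deploying it, the following Python script re-implements the same two branches, the same wildcard lists and the same severity assignment over constructed Sysmon XML events. This is an added example and not code from the page or from Sumo Logic; it assumes Sysmon events in their raw XML form (Computer in the <System> element, process and file fields as <Data> elements) and approximates the Sumo matches operator with a case-insensitive "*" wildcard match. The sample events and the hostnames, users and paths in them are constructed for the demonstration.

```python
import re
from fnmatch import fnmatchcase

# Field extraction mirroring the query's "parse regex ... nodrop" lines.
# Computer lives in the <System> block of Sysmon XML, not in a <Data> element.
FIELD_PATTERNS = {
    "EventCode": re.compile(r"<EventID>(\d+)</EventID>"),
    "Computer": re.compile(r"<Computer>([^<]+)</Computer>"),
    "Image": re.compile(r"<Data Name='Image'>([^<]+)</Data>"),
    "CommandLine": re.compile(r"<Data Name='CommandLine'>([^<]+)</Data>"),
    "ParentImage": re.compile(r"<Data Name='ParentImage'>([^<]+)</Data>"),
    "ParentCommandLine": re.compile(r"<Data Name='ParentCommandLine'>([^<]+)</Data>"),
    "TargetFilename": re.compile(r"<Data Name='TargetFilename'>([^<]+)</Data>"),
    "User": re.compile(r"<Data Name='User'>([^<]+)</Data>"),
}

# Wildcard lists copied from the query's where clause ("*" is the Sumo wildcard).
WEB_SERVER_PARENTS = ["*\\w3wp.exe", "*\\httpd.exe", "*\\nginx.exe", "*\\php-cgi.exe",
                      "*\\php.exe", "*\\apache*.exe", "*\\tomcat*.exe", "*\\java.exe"]
SHELL_IMAGES = ["*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe",
                "*\\cscript.exe", "*\\mshta.exe", "*\\bash.exe", "*\\sh.exe",
                "*\\python.exe", "*\\perl.exe"]
WEB_ROOTS = ["*\\wwwroot\\*", "*\\inetpub\\*", "*\\htdocs\\*", "*\\public_html\\*", "*\\webroot\\*"]
WEB_CONTENT = ["*.html", "*.htm", "*.asp", "*.aspx", "*.php", "*.js", "*.css", "*.jsp",
               "*\\index.*", "*\\default.*"]
BENIGN_WRITERS = ["*\\svchost.exe", "*\\TrustedInstaller.exe", "*\\WaAppAgent.exe",
                  "*\\msiexec.exe", "*\\WUDFHost.exe", "*\\MicrosoftEdgeUpdate.exe"]
HIGH_SEVERITY_WRITERS = ["*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe",
                         "*\\wscript.exe", "*\\cscript.exe"]


def matches_any(value, patterns):
    """Case-insensitive '*' wildcard match standing in for Sumo's matches operator (assumption)."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def extract_fields(event_xml):
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(event_xml)
        fields[name] = m.group(1) if m else ""  # nodrop: an absent field stays empty
    return fields


def detect(event_xml):
    """Apply the query's where clause and severity logic to one Sysmon XML event.

    Returns the extracted fields plus DetectionType and Severity, or None when
    the event satisfies neither branch.
    """
    f = extract_fields(event_xml)
    if f["EventCode"] == "1":
        # Branch 1: a web server process spawned a shell or interpreter.
        if not (matches_any(f["ParentImage"], WEB_SERVER_PARENTS)
                and matches_any(f["Image"], SHELL_IMAGES)):
            return None
        f["DetectionType"], f["Severity"] = "WebServerSpawnedShell", "Critical"
    elif f["EventCode"] == "11":
        # Branch 2: web content written under a web root by a non-platform process.
        tf = f["TargetFilename"]
        if not (matches_any(tf, WEB_ROOTS) and matches_any(tf, WEB_CONTENT)):
            return None
        if matches_any(f["Image"], BENIGN_WRITERS):
            return None
        f["DetectionType"] = "WebFileModified"
        f["Severity"] = "High" if matches_any(f["Image"], HIGH_SEVERITY_WRITERS) else "Medium"
    else:
        return None
    return f


def scan(events):
    """Run detect() over a batch of events and return only the hits."""
    return [hit for hit in (detect(e) for e in events) if hit]


# Constructed sample events (not real telemetry), one per decision path.
def _event(event_id, computer, data):
    body = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event><System><EventID>{event_id}</EventID><Computer>{computer}</Computer>"
            f"</System><EventData>{body}</EventData></Event>")

SAMPLE_EVENTS = [
    _event(1, "WEB01", {"Image": "C:\\Windows\\System32\\cmd.exe",
                        "CommandLine": "cmd.exe /c whoami",
                        "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
                        "User": "IIS APPPOOL\\DefaultAppPool"}),          # Critical
    _event(11, "WEB01", {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                         "TargetFilename": "C:\\inetpub\\wwwroot\\index.html",
                         "User": "WEB01\\Administrator"}),                 # High
    _event(11, "WEB01", {"Image": "C:\\Program Files\\IIS\\Microsoft Web Deploy V3\\msdeploy.exe",
                         "TargetFilename": "C:\\inetpub\\wwwroot\\default.aspx",
                         "User": "NT AUTHORITY\\SYSTEM"}),                 # Medium
    _event(11, "WEB01", {"Image": "C:\\Windows\\System32\\svchost.exe",
                         "TargetFilename": "C:\\inetpub\\wwwroot\\site.css",
                         "User": "NT AUTHORITY\\SYSTEM"}),                 # excluded writer
    _event(11, "WS01", {"Image": "C:\\Windows\\System32\\notepad.exe",
                        "TargetFilename": "C:\\Users\\alice\\notes.html",
                        "User": "WS01\\alice"}),                           # outside web root
    _event(1, "WS01", {"Image": "C:\\Windows\\System32\\cmd.exe",
                       "ParentImage": "C:\\Windows\\explorer.exe",
                       "User": "WS01\\alice"}),                            # not a web server parent
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["Computer"], hit["DetectionType"], hit["Severity"], hit["Image"])
```

Running the script yields three hits out of six events: the w3wp.exe-spawned cmd.exe (Critical), the PowerShell write to index.html (High) and the Web Deploy write to default.aspx (Medium); the svchost.exe write, the write outside a web root and the explorer-spawned shell are dropped, exactly as the query's AND NOT and branch conditions would drop them. The Medium hit from a deployment tool is the case the tuning list below describes, and extending BENIGN_WRITERS (or the query's AND NOT block) with the organisation's approved deployment tools is the corresponding tuning step.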

Data Sources

  • Sumo Logic (Windows Sysmon collector)
  • Sumo Logic Cloud SIEM Enterprise
  • Sumo Logic Installed Collector with Windows Event Log source

Required Tables

Sysmon XML Windows Event Log (_sourceCategory matching *sysmon*)

False Positives & Tuning

  • Web application deployment tools (Ansible playbooks, Puppet manifests, Chef recipes) that run under privileged accounts and write updated web content files to IIS or Apache web root directories during automated change windows
  • Apache mod_cgi or PHP-FPM processes that invoke shell scripts or interpreter processes as part of legitimate CGI request handling for dynamic content generation
  • WordPress, Drupal, or Joomla automatic update processes that rewrite core PHP files (including index.php) when performing minor version upgrades while the web server is running

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Replace IIS Default Web Page with Defacement Content

    Expected signal: Sysmon Event ID 11: File Create event with TargetFilename=C:\inetpub\wwwroot\iisstart.htm (or index.html), Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. DeviceFileEvents: ActionType=FileModified, FolderPath=C:\inetpub\wwwroot\, InitiatingProcessFileName=powershell.exe. Security Event ID 4663 if SACL object access auditing is enabled on the inetpub directory.

  2. Test 2: Simulate Web Shell Spawning Shell Process on IIS

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Windows\System32\cmd.exe, ParentImage=C:\Windows\System32\taskeng.exe or svchost.exe (Task Scheduler host). CommandLine contains whoami and output redirection. Security Event ID 4688: cmd.exe process creation with full command line (if command line auditing enabled). Security Event ID 4698: Scheduled task created. Note: A real web shell test on a configured IIS server would show ParentImage=C:\Windows\System32\inetsrv\w3wp.exe — the highest-fidelity telemetry for this technique.

  3. Test 3: Deface Apache Web Root on Linux

    Expected signal: Linux auditd (if configured with -w /var/www/html -p wa -k webroot-write): syscall audit record for open/write on /var/www/html/index.html with uid of executing user. Sysmon for Linux (if deployed): File creation/modification event for /var/www/html/index.html with process image=/usr/bin/tee and parent=/bin/bash. Syslog entries from sudo invocation in /var/log/auth.log. File metadata change visible via: stat /var/www/html/index.html showing updated Modify and Change timestamps.

  4. Test 4: Mass Page Replacement Simulating Automated Hacktivist Defacement

    Expected signal: Sysmon Event ID 11: 8 consecutive File Create events in C:\Temp\argus-webroot-test\ for *.html files with Image=powershell.exe, all within a few seconds. DeviceFileEvents: 8 events ActionType=FileCreated in FolderPath=C:\Temp\argus-webroot-test\. Note: The test uses C:\Temp to avoid requiring IIS installation; for highest-fidelity results, modify testWebRoot to C:\inetpub\wwwroot\argus-test\ to trigger both path-based filters and bulk modification threshold.
