title: External Defacement (T1491.002)
id: df00tech-t1491-002
status: experimental
description: "Adversaries may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system's integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise. Notable examples include Ember Bear's defacement of Ukrainian organization websites and Sandworm Team's defacement of approximately 15,000 Georgian government and private sector websites in 2019."
references:
  - https://attack.mitre.org/techniques/T1491/002/
  - https://df00tech.com/detections/T1491.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1491.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "CI/CD deployment agents (Jenkins agents, GitHub Actions runners, Azure DevOps build agents) writing updated web content to wwwroot as part of legitimate deployments"
  - "CMS auto-update processes — WordPress, Drupal, and Joomla modify PHP and HTML files during plugin, theme, or core updates, often via the same httpd or php-fpm worker process"
  - "Web developers directly editing files on development or staging servers via SSH, FTP, or mounted network shares, where the modifying process is an editor (code.exe, notepad++.exe) that is excluded"
  - "IIS Application Initialization Module or health-check handlers causing w3wp.exe to spawn cmd.exe for application warmup or custom startup scripts"
  - "Monitoring and observability agents (Datadog agent, New Relic, Dynatrace OneAgent) that instrument web server processes and may appear as unexpected child processes of w3wp.exe or httpd"
level: high
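The detection block above is a placeholder, so here is an added illustration (not df00tech's KQL/SPL query) of the heuristic the falsepositives section implies: a web server worker spawning a shell, or a write into the web root by anything other than deployment tooling or an editor. The allowlisted agent and editor image names, the web root paths and the sample events are all constructed assumptions to be tuned per environment.

```python
"""Added illustration, not df00tech's own KQL/SPL query: score constructed
Sysmon-style events against a simple defacement heuristic and then apply the
false-positive exclusions listed in this rule."""
import posixpath

# Processes that serve web content; a shell child or a write to the web
# root from one of these is the signal the rule is after.
WEB_WORKERS = {"w3wp.exe", "httpd", "php-fpm", "nginx"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}
# Assumed allowlists (environment specific): deployment tooling and editors
# named in the false-positives list; monitoring agents would be added here too.
DEPLOY_AGENTS = {"jenkins-agent.exe", "runner.worker", "agent.worker"}
EDITORS = {"code.exe", "notepad++.exe"}
WEB_ROOTS = ("c:/inetpub/wwwroot/", "/var/www/html/")

def _name(path):
    """Basename of a Windows or POSIX path, lower-cased."""
    return posixpath.basename(path.replace("\\", "/")).lower()

def _in_webroot(path):
    return path.replace("\\", "/").lower().startswith(WEB_ROOTS)

def evaluate(event):
    """Return a finding label, or None when the event is benign or excluded."""
    image = _name(event["Image"])
    if event["category"] == "process_creation":
        if _name(event["ParentImage"]) in WEB_WORKERS and image in SHELLS:
            # IIS warm-up scripts look the same; see falsepositives above.
            return "web worker spawned a shell"
    elif event["category"] == "file_event":
        # CMS self-updates by httpd/php-fpm also land here (falsepositives).
        if _in_webroot(event["TargetFilename"]) and image not in DEPLOY_AGENTS | EDITORS:
            return "web content modified outside deployment tooling"
    return None

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"category": "process_creation", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"category": "file_event", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\index.html"},
    {"category": "file_event", "Image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\index.html"},
    {"category": "process_creation", "ParentImage": "/usr/sbin/httpd",
     "Image": "/usr/sbin/php-fpm"},
]

def findings(events=SAMPLE_EVENTS):
    """Findings for every event that is not excluded, in input order."""
    return [f for f in map(evaluate, events) if f]
```

Running `findings()` on the sample set flags only the first two events; the editor write and the httpd-to-php-fpm spawn are suppressed by the exclusions.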
