title: Defacement (T1491)
id: df00tech-t1491
status: experimental
description: "Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images)."
references:
  - https://attack.mitre.org/techniques/T1491/
  - https://df00tech.com/detections/T1491
author: df00tech
date: 2026/04/13
tags:
  - attack.t1491
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder only: the df00tech KQL/SPL query could not be auto-translated to Sigma.
  # 'EventID: *' matches EVERY process_creation event, so this rule must not be enabled
  # at level high as-is. Replace the selection with logic scoped to the behaviours listed
  # under falsepositives (shells/scripting engines writing into web roots, reg.exe or
  # PowerShell changes to wallpaper or logon-banner settings) before deploying it.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate web application deployments via CI/CD pipelines or deployment tools (Octopus Deploy, Jenkins) that write directly to web roots"
  - "System administrators using PowerShell or cmd.exe to manually update web content or static assets during maintenance windows"
  - "Content management system (CMS) plugins or update processes that use scripting engines to modify HTML/CSS/JS files"
  - "IT policy tools (SCCM, Intune, GPO) legitimately modifying logon banners or desktop wallpaper for compliance branding"
  - "Web application frameworks that spawn shells for legitimate tasks (asset compilation, template rendering)"
level: high
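The placeholder selection above fires on every process_creation event, and the falsepositives list hints at what a scoped selection would look like. The following is an added illustration, not the df00tech rule or its KQL/SPL query: a minimal evaluator for Sigma-style selections (wildcards, `contains`, `endswith`, `all`, and a `not filter` condition) run over constructed Windows process_creation events. The selections `SELECTION_WEBROOT`, `SELECTION_BRANDING`, the Octopus `Tentacle.exe` parent filter, the registry value names and the sample events are all assumptions chosen to match the behaviours named in the falsepositives section, not telemetry or logic from the original page.

```python
"""Added example (not the df00tech rule): evaluate Sigma-style selections over
constructed process_creation events to show why the placeholder 'EventID: *'
matches everything and how a scoped selection plus a deployment-tool filter behaves."""
import fnmatch

# Constructed sample events (assumption: not real telemetry). Field names follow
# Sigma's process_creation taxonomy (Image, CommandLine, ParentImage).
EVENTS = [
    {  # shell writes a page into the IIS web root: external defacement candidate
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -c Set-Content C:\inetpub\wwwroot\index.html 'HACKED'",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # reg.exe swaps the wallpaper: internal defacement candidate
        "EventID": 1,
        "Image": r"C:\Windows\System32\reg.exe",
        "CommandLine": r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\owned.jpg /f',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {  # same web-root write, but spawned by an Octopus Deploy tentacle (expected false positive)
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -File deploy.ps1 -Dest C:\inetpub\wwwroot",
        "ParentImage": r"C:\Octopus\Tentacle.exe",
    },
    {  # benign noise
        "EventID": 1,
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# The auto-derived placeholder from the rule body: a bare wildcard on EventID.
SELECTION_PLACEHOLDER = {"EventID": "*"}

# Assumed scoped selections (illustrative, not the df00tech query).
SELECTION_WEBROOT = {
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe", "\\cmd.exe", "\\wscript.exe", "\\cscript.exe"],
    "CommandLine|contains": ["\\inetpub\\wwwroot", "\\htdocs"],
}
SELECTION_BRANDING = {
    "Image|endswith": "\\reg.exe",
    # Wallpaper lives under HKCU\Control Panel\Desktop; demonstrates the |all modifier.
    "CommandLine|contains|all": ["Control Panel\\Desktop", "Wallpaper"],
}
# Assumed allow-list for the CI/CD false positive named in the rule.
FILTER_DEPLOY = {"ParentImage|endswith": "\\Tentacle.exe"}


def _match_one(value, pattern, mods):
    """Case-insensitive Sigma-style match of one value against one pattern."""
    text, pat = str(value).lower(), pattern.lower()
    if "contains" in mods:
        pat = "*" + pat + "*"
    elif "endswith" in mods:
        pat = "*" + pat
    elif "startswith" in mods:
        pat = pat + "*"
    # fnmatch treats backslash as a literal, so Windows paths need no escaping.
    return fnmatch.fnmatchcase(text, pat)


def field_matches(event, key, patterns):
    """Evaluate one 'field|modifier...' entry; a list is OR unless |all is present."""
    name, *mods = key.split("|")
    if name not in event:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    hits = [_match_one(event[name], p, mods) for p in patterns]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event, selection):
    """All fields in a Sigma selection map are ANDed."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def run_rule(events, selections, filters=()):
    """condition: (sel_1 or sel_2 ...) and not (filter_1 or ...). Returns matching events."""
    return [
        e for e in events
        if any(selection_matches(e, s) for s in selections)
        and not any(selection_matches(e, f) for f in filters)
    ]


def placeholder_hits(events=EVENTS):
    """How many events the auto-derived 'EventID: *' selection fires on."""
    return len(run_rule(events, [SELECTION_PLACEHOLDER]))


def scoped_hits(events=EVENTS):
    """Events matched by the assumed scoped selections minus the deployment-tool filter."""
    return run_rule(events, [SELECTION_WEBROOT, SELECTION_BRANDING], [FILTER_DEPLOY])


if __name__ == "__main__":
    print("placeholder matched", placeholder_hits(), "of", len(EVENTS), "events")
    for hit in scoped_hits():
        print("scoped match:", hit["Image"], "|", hit["CommandLine"])
```

On the four constructed events the placeholder matches all four, while the scoped pair of selections matches only the interactive web-root write and the wallpaper change; the Octopus-spawned deployment is removed by the filter. Any real allow-list should key on a signed, fully qualified parent image rather than the file name alone, since a file named `Tentacle.exe` is trivial for an attacker to plant.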
