T1491 is web-asset defacement, often as a hacktivism statement or as the visible part of a broader compromise. In cloud environments this typically manifests as replacement of objects in static-hosting buckets or tampering with CDN behavior. DCV's T1491 mapping is S3-centric (six GuardDuty Impact/Exfiltration findings) plus GCP EXFILTRATION_TO_CLOUD_STORAGE; the remediation template calls out S3 Object Lock in GOVERNANCE mode as the preventive control that survives elevated permissions.
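A detection pass over constructed CloudTrail records for the object-replacement case described above, paired with a check of the bucket's Object Lock retention mode; this is an added example, not DCV's or CloudSigma's code, and the bucket names, account id and principal ARNs are made up.

```python
# Constructed CloudTrail records (sample data, not captured telemetry).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/deploy-ci/run-42"},
     "requestParameters": {"bucketName": "www-example-site", "key": "index.html"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"bucketName": "www-example-site", "key": "index.html"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketWebsite",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"bucketName": "www-example-site"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"bucketName": "www-example-site", "key": "index.html"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"bucketName": "build-logs", "key": "run-42.txt"}},
]
# S3 calls that can change what a static-hosting bucket serves.
CONTENT_CHANGING = {"PutObject", "CopyObject", "DeleteObject", "PutBucketWebsite", "PutBucketPolicy"}

def flag_defacement_writes(events, hosting_bucket, allowed_principal_prefixes):
    """(eventName, principal ARN, key) for content-changing S3 calls against the
    hosting bucket made by a principal outside the deploy allow-list."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in CONTENT_CHANGING:
            continue
        params = ev.get("requestParameters") or {}
        if params.get("bucketName") != hosting_bucket:
            continue
        arn = (ev.get("userIdentity") or {}).get("arn", "")
        if not any(arn.startswith(p) for p in allowed_principal_prefixes):
            alerts.append((ev["eventName"], arn, params.get("key")))
    return alerts

def locked_versions_survive(lock_config, principal_can_bypass_governance):
    """True when the bucket's default Object Lock retention (shape as returned by
    GetObjectLockConfiguration) stops this principal from removing or shortening
    retention on existing versions. COMPLIANCE cannot be overridden by anyone;
    GOVERNANCE yields to a principal holding s3:BypassGovernanceRetention. Neither
    mode blocks a PutObject that adds a new current version, so the write
    detection above is still needed to catch the defacement itself."""
    default = lock_config.get("ObjectLockConfiguration", {}).get("Rule", {}).get("DefaultRetention", {})
    mode = default.get("Mode")
    if mode == "COMPLIANCE":
        return True
    if mode == "GOVERNANCE":
        return not principal_can_bypass_governance
    return False  # no default retention: versions can be deleted with ordinary permissions
```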
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Platforms: Windows, IaaS, Linux, macOS, ESXi.
DCV maps 25 detections across 2 cloud providers to T1491. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 16 | 0.80 |
| AWS GuardDuty | AWS | 8 | 0.85 |
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma has coverage metadata for 25 T1491 rules across 3 platforms. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.
CloudSigma has coverage metadata for T1491, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
DCV maps 25 cloud-native detections to T1491 across 2 cloud providers, drawn from AWS Config Rules, AWS GuardDuty and GCP Chronicle.
T1491 is part of MITRE ATT&CK tactic TA0040 (Impact), which covers how adversaries disrupt or destroy systems and data.
CloudSigma ships 3 validated Sigma rules for T1491 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.