Last reviewed:
T1491.002 covers defacement of public-facing content: a replaced homepage, a vandalised S3-hosted static site, an altered CDN origin. The damage is reputational and immediate even when nothing else is touched. DCV approaches it through GuardDuty's S3 finding families: UnauthorizedAccess:S3/MaliciousIPCaller.Custom and TorIPCaller for writes arriving from hostile infrastructure, and the PenTest:S3 series for offensive tooling fingerprints. Most real defacement incidents trace back to a leaked access key holding s3:PutObject on the web bucket.
An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. External Defacement may ultimately cause users to distrust the systems and to question/discredit the system’s integrity. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda. External Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.
Platforms: Windows, IaaS, Linux, macOS.
DCV maps 8 detections across 1 cloud provider to T1491.002. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS GuardDuty | AWS | 8 | 0.85 |
CloudSigma has coverage metadata for 8 T1491.002 rules across 3 platforms. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.
CloudSigma has coverage metadata for T1491.002, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
T1491.002 covers defacement of public-facing content: a replaced homepage, a vandalised S3-hosted static site, an altered CDN origin. The damage is reputational and immediate even when nothing else is touched. DCV approaches it through GuardDuty's S3 finding families: UnauthorizedAccess:S3/MaliciousIPCaller.Custom and TorIPCaller for writes arriving from hostile infrastructure, and the PenTest:S3 series for offensive tooling fingerprints. Most real defacement incidents trace back to a leaked access key holding s3:PutObject on the web bucket.
DCV maps 8 cloud-native detections to T1491.002 across 1 cloud providers, drawn from AWS GuardDuty.
T1491.002 is part of MITRE ATT&CK TA0040 Impact: How adversaries disrupt or destroy systems and data.
CloudSigma ships 3 validated Sigma rules for T1491.002 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.