Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Impact
  4. >ATTACK-T1491.001
ATTACK-T1491.001Active

Internal Defacement

Statement

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

Location

Tactic
Impact

Technique Details

Identifier
ATTACK-T1491.001
Parent Technique
ATTACK-T1491
ATT&CK Page
View on MITRE

Tactics

Impact

Platforms

ESXiLinuxmacOSWindows

Detection

Internal Website and System Content Defacement via UI or Messaging Modifications

Mitigations

Data Backup: Data Backup involves taking and securely storing backups of data from end-user systems and critical servers. It ensures that data remains available in the event of system compromise, ransomware attacks, or other disruptions. Backup processes should include hardening backup systems, implementing secure storage solutions, and keeping backups isolated from the corporate network to prevent compromise during active incidents. This mitigation can be implemented through the following measures:

Regular Backup Scheduling:

  • Use Case: Ensure timely and consistent backups of critical data.
  • Implementation: Schedule daily incremental backups and weekly full backups for all critical servers and systems.

Immutable Backups:

  • Use Case: Protect backups from modification or deletion, even by attackers.
  • Implementation: Use write-once-read-many (WORM) storage for backups, preventing ransomware from encrypting or deleting backup files.

Backup Encryption:

  • Use Case: Protect data integrity and confidentiality during transit and storage.
  • Implementation: Encrypt backups using strong encryption protocols (e.g., AES-256) before storing them in local, cloud, or remote locations.

Offsite Backup Storage:

  • Use Case: Ensure data availability during physical disasters or onsite breaches.
  • Implementation: Use cloud-based solutions like AWS S3, Azure Backup, or physical offsite storage to maintain a copy of critical data.

Backup Testing:

  • Use Case: Validate backup integrity and ensure recoverability.
  • Implementation: Regularly test data restoration processes to ensure that backups are not corrupted and can be recovered quickly.
SP 800-53
SP800-53-AC-3relatedvia ctid-attack-to-sp800-53
SP800-53-AC-6relatedvia ctid-attack-to-sp800-53
SP800-53-CM-2relatedvia ctid-attack-to-sp800-53
SP800-53-CP-10relatedvia ctid-attack-to-sp800-53
SP800-53-CP-2relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Impact
Impact33 controls
ATTACK-T1485Data DestructionATTACK-T1485.001Lifecycle-Triggered DeletionATTACK-T1486Data Encrypted for ImpactATTACK-T1489Service StopATTACK-T1490Inhibit System RecoveryATTACK-T1491DefacementATTACK-T1491.001Internal DefacementATTACK-T1491.002External DefacementATTACK-T1495Firmware CorruptionATTACK-T1496Resource HijackingATTACK-T1496.001Compute HijackingATTACK-T1496.002Bandwidth HijackingATTACK-T1496.003SMS PumpingATTACK-T1496.004Cloud Service HijackingATTACK-T1498Network Denial of ServiceATTACK-T1498.001Direct Network FloodATTACK-T1498.002Reflection AmplificationATTACK-T1499Endpoint Denial of ServiceATTACK-T1499.001OS Exhaustion FloodATTACK-T1499.002Service Exhaustion FloodATTACK-T1499.003Application Exhaustion FloodATTACK-T1499.004Application or System ExploitationATTACK-T1529System Shutdown/RebootATTACK-T1531Account Access RemovalATTACK-T1561Disk WipeATTACK-T1561.001Disk Content WipeATTACK-T1561.002Disk Structure WipeATTACK-T1565Data ManipulationATTACK-T1565.001Stored Data ManipulationATTACK-T1565.002Transmitted Data ManipulationATTACK-T1565.003Runtime Data ManipulationATTACK-T1657Financial TheftATTACK-T1667Email Bombing