Defacement: Internal Defacement

ID Name
T1491.001 Internal Defacement
T1491.002 External Defacement

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.[1] Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.[2]

ID: T1491.001
Sub-technique of:  T1491
Tactic: Impact
Platforms: Linux, Windows, macOS
Impact Type: Integrity
Version: 1.1
Created: 20 February 2020
Last Modified: 28 July 2022

Procedure Examples

ID Name Description
S1070 Black Basta

Black Basta has set the desktop wallpaper on victims' machines to display a ransom note.[3][4][5][6][7][8][9][10][11]

S1068 BlackCat

BlackCat can change the desktop wallpaper on compromised hosts.[12][13]

S0659 Diavol

After encryption, Diavol will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text "All your files are encrypted! For more information see "README-FOR-DECRYPT.txt".[14]

G0047 Gamaredon Group

Gamaredon Group has left taunting images and messages on the victims' desktops as proof of system access.[15]

G0032 Lazarus Group

Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe.[2]

S0688 Meteor

Meteor can change both the desktop wallpaper and the lock screen image to a custom image.[16]


ID Mitigation Description
M1053 Data Backup

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.[17] Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.


ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems internal to an organization in an attempt to intimidate or mislead users.

DS0022 File File Creation

Monitor for newly constructed files that may deface systems internal to an organization in an attempt to intimidate or mislead users.

File Modification

Monitor internal and websites for unplanned content changes.

DS0029 Network Traffic Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).