毁损

对手可能会修改企业网络内部或外部可用的视觉内容。毁损的原因包括传递消息，恐吓或要求入侵（可能是虚假的）信用。

Defacement

Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion.

内部

攻击者可能破坏组织内部的系统，以恐吓或误导用户。这可以采取对内部网站进行修改的形式，或者直接对用户系统进行修改（替换桌面墙纸）的形式。破坏性图像或冒犯性图像可能会被用作“毁损”的一部分，以使用户感到不适或迫使其遵守随附的消息。尽管内部破坏系统暴露了对手的存在，但它通常是在实现其他入侵目标之后进行的

Internal

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.[1] Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. While internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.

外部

网站是毁损的常见受害者，通常是敌人和黑客主义者团体的目标，目的是发布政治信息或传播宣传。损坏可被用作触发事件的催化剂，或作为对组织或政府采取的行动的回应。类似地，网站毁损还可以用作设置或先驱，以应对未来的攻击。

External

Websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.[3][4][5] Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as Drive-by Compromise.[6]

标签

编号： T1491

策略： 影响

平台： Linux，macOS，Windows

数据源： 数据包捕获，Web应用程序防火墙日志，Web日志，数据包捕获

影响类型： 完整性

缓解措施

缓解	描述
数据备份	考虑实施IT灾难恢复计划，其中包含用于进行可用于还原组织数据的常规数据备份的过程。确保备份存储在系统之外，并且免受攻击者可能用来获取访问权限并破坏备份以防止恢复的常见方法的攻击。

Mitigation	Description
Data Backup	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

检测

检测内部和外部网站上计划外的内容更改。检测应用程序日志中是否有异常行为，这些异常行为可能表明尝试或成功利用。使用深度数据包检查来查找常见漏洞利用流量的工件，例如SQL注入。Web应用程序防火墙可能会检测到试图利用的不正确输入。

Monitor internal and external websites for unplanned content changes. Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.

- 译者: 林妙倩、戴亦仑 . source:cve.scap.org.cn