T1491.001: T1491.001

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 20/02/2020 15:31 · Modified 14/04/2026 16:20

Essential information

MITRE technique ID: T1491.001
Confidence: 100/100
Revoked: No
Published: 20/02/2020 15:31
Modified: 14/04/2026 16:20
Author / Source: The MITRE Corporation

Aliases

Internal Defacement

Platforms

windows macos linux ESXi

Description

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

Kill chain phases

Kill chain	Phase
mitre-attack	impact

Marking (TLP)

External references

mitre-attack (T1491.001)
Novetta Blockbuster Destructive Malware
Varonis
Novetta Blockbuster

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (9)

ANTONIO EDUARDO FREDERICO uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
BlackByte uses Hecamede

The MITRE Corporation Confidence 100

[BlackByte](https://attack.mitre.org/groups/G1043) is a ransomware threat actor operating since at least 2021. [BlackByte](https://attack.mitre.org/groups/G1043) is associated with several versions of ransomware also labeled [BlackByte Ransomware](https://attack.mitre.org/software/S1180). [BlackByte](https://attack.mitre.org/groups/G1043) ransomware operations initially used…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon Group uses IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
interlock uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
lynx uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lazarus Group uses HIDDEN COBRAGuardians of Peace

The MITRE Corporation Confidence 100

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). (Citation: US-CERT HIDDEN COBRA June 2017) (Citation: Treasury North Korean Cyber…

First seen 01/01/1970 · Last seen 16/11/5138 ·
akira uses GOLD SAHARAPUNK SPIDER

The MITRE Corporation Confidence 100

The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group.<br> <br> It's worth…

First seen 01/01/1970 · Last seen 16/11/5138 ·
play uses

The MITRE Corporation Confidence 100

Initially observed in June 2022, the Play ransomware (a.k.a PlayCrypt) operates through double extortion, targeting numerous organizations in Latin America. Its Initial Access method is quite similar to…

First seen 01/01/1970 · Last seen 16/11/5138 ·

Malware (27)

COROXY uses

Family
Brave Prince - S0252 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Qilin uses

Family
Akira uses

Family
BlackCat uses
Goodgame uses
AnyDesk uses

Family
SystemBC uses

Family
RansomHub uses

Family
Interlock uses

Family
Black Basta uses

Family The MITRE Corporation Confidence 100

[Black Basta](https://attack.mitre.org/software/S1070) is ransomware written in C++ that has been offered within the ransomware-as-a-service (RaaS) model since at least April 2022; there are variants that target Windows and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Diavol uses

← Previous

Page / 3

1–12 of 27

Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
59 Victims, Zero Authentication: A ClickFix Campaign Force-Installs … related

20 MITREs 2 Malwares 12 Observables 1 APT
Inside a Multi-Stage Windows Malware Campaign related

26 MITREs 11 Observables
Ransomware Roundup – Lynx related

15 MITREs 2 Malwares 9 Observables 1 APT
Ransomware Roundup - Interlock related

11 MITREs 1 Malware 5 Observables 1 APT
Threat Brief: Understanding Akira Ransomware related

4 CVEs 15 MITREs 1 Malware 3 Observables 1 APT
Unmasking Cronus: How Fake PayPal Documents Execute Fileless … related

11 MITREs 2 Malwares 8 Observables
New Play Ransomware Linux Variant Targets ESXi Shows … related

11 MITREs 1 Malware 2 Observables 1 APT

Vulnerabilities (CVE) (4)

CVE-2019-6693 KEV targets

Fortinet FortiOS contains a use of hard-coded credentials vulnerability that could allow an attacker to cipher sensitive data in FortiOS configuration backup …

Published: 25/06/2025
Modified: 21/12/2025

CVE-2023-20269 KEV targets

5.0 Medium

Cisco Adaptive Security Appliance and Firepower Threat Defense contain an unauthorized access vulnerability that could allow an unauthenticated, remote attacker to conduct …

Attack vector: Network
Published: 13/09/2023
Modified: 21/12/2025

CVE-2021-21972 KEV targets

VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2022-40684 KEV targets

9.8 Critical

Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative …

Attack vector: Network
Published: 11/10/2022
Modified: 14/01/2026

Attack patterns (MITRE) (1)

T1491 subtechnique-of

Defacement MITRE

Tool (1)

Remcos uses

The MITRE Corporation Confidence 100

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in…

Course Of Action (1)

Data Backup mitigates

Contact About Legal notice Privacy policy Terms of use