MITRE ATT&CK Technique
Description
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-20T14:31:34.778Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'An adversary may deface systems internal to an organization '
'in an attempt to intimidate or mislead users, thus '
'discrediting the integrity of the systems. This may take the '
'form of modifications to internal websites or server login '
'messages, or directly to user systems with the replacement of '
'the desktop wallpaper.(Citation: Novetta '
'Blockbuster)(Citation: Varonis) Disturbing or offensive '
'images may be used as a part of [Internal '
'Defacement](https://attack.mitre.org/techniques/T1491/001) in '
'order to cause user discomfort, or to pressure compliance '
'with accompanying messages. Since internally defacing systems '
"exposes an adversary's presence, it often takes place after "
'other intrusion goals have been accomplished.(Citation: '
'Novetta Blockbuster Destructive Malware)',
'external_references': [{'external_id': 'T1491.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1491/001'},
{'description': 'Jason Hill. (2023, February 8). '
'VMware ESXi in the Line of '
'Ransomware Fire. Retrieved March 26, '
'2025.',
'source_name': 'Varonis',
'url': 'https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire'},
{'description': 'Novetta Threat Research Group. '
'(2016, February 24). Operation '
'Blockbuster: Destructive Malware '
'Report. Retrieved November 17, 2024.',
'source_name': 'Novetta Blockbuster Destructive '
'Malware',
'url': 'https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf'},
{'description': 'Novetta Threat Research Group. '
'(2016, February 24). Operation '
'Blockbuster: Unraveling the Long '
'Thread of the Sony Attack. Retrieved '
'February 25, 2016.',
'source_name': 'Novetta Blockbuster',
'url': 'https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf'}],
'id': 'attack-pattern--8c41090b-aa47-4331-986b-8c9a51a91103',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'impact'}],
'modified': '2025-10-24T17:49:05.030Z',
'name': 'Internal Defacement',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_impact_type': ['Integrity'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['ESXi', 'Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.2'}