Replacement

In the Impact phase, attackers may deface a website or application through content replacement: the unauthorized modification or substitution of legitimate web content with attacker-controlled material. This sub-technique of Defacement occurs when adversaries gain sufficient write permissions to overwrite existing files on web servers, manipulate content management systems, or compromise deployment pipelines. Unlike injection-based defacement, which adds malicious content while preserving original structures, replacement completely substitutes original files, directories, or entire websites with alternative content that often contains propaganda, political messages, or demonstrations of the attacker's capabilities. The severity varies from cosmetic changes to complete loss of service, particularly when critical application files are replaced with non-functional alternatives. Attackers typically leverage previously established unauthorized access, obtained through credential theft, exploitation of web vulnerabilities, or compromise of the software supply chain, to execute replacements that can affect brand reputation and user trust and potentially disrupt business operations.
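The distinction between replacement and injection can be checked by measuring how much of a known-good file survives in the deployed copy. The following is an added example, not part of the original page: it compares a deployed web root to a baseline and labels each file. The sample file contents, the 0.8 threshold and all function names are constructed assumptions.

```python
import difflib
import hashlib
from typing import Dict, Optional

def classify(original: bytes, current: Optional[bytes], threshold: float = 0.8) -> str:
    """Label one file by how much of the known-good original survives."""
    if current is None:
        return "missing"
    if hashlib.sha256(original).digest() == hashlib.sha256(current).digest():
        return "unchanged"
    orig = original.decode("utf-8", "replace").splitlines()
    cur = current.decode("utf-8", "replace").splitlines()
    matcher = difflib.SequenceMatcher(None, orig, cur, autojunk=False)
    kept = sum(block.size for block in matcher.get_matching_blocks())
    retained = kept / len(orig) if orig else 0.0
    # Injection keeps the original structure; replacement discards most of it.
    return "injected" if retained >= threshold else "replaced"

def audit(baseline: Dict[str, bytes], deployed: Dict[str, bytes],
          threshold: float = 0.8) -> Dict[str, str]:
    """Compare a deployed tree (path -> bytes) to a trusted baseline."""
    report = {path: classify(data, deployed.get(path), threshold)
              for path, data in baseline.items()}
    for path in deployed.keys() - baseline.keys():
        report[path] = "unexpected"  # file that was never part of the release
    return report

# Constructed sample data: a known-good release and the tree found on the server.
BASELINE = {
    "index.html": b"<html>\n<head><title>Example Shop</title></head>\n<body>\n"
                  b"<h1>Welcome</h1>\n<p>Our products</p>\n</body>\n</html>\n",
    "app.js": b"function init() {\n  render();\n}\ninit();\n",
    "about.html": b"<html>\n<body>\n<h1>About</h1>\n</body>\n</html>\n",
    "robots.txt": b"User-agent: *\nDisallow: /admin\n",
}
DEPLOYED = {
    "index.html": b"<html>\n<body>\n<h1>constructed replacement page</h1>\n"
                  b"</body>\n</html>\n",
    "app.js": BASELINE["app.js"] + b"/* constructed injected line */\n",
    "robots.txt": BASELINE["robots.txt"],
    "notice.html": b"constructed file absent from the baseline\n",
}

if __name__ == "__main__":
    for path, label in sorted(audit(BASELINE, DEPLOYED).items()):
        if label != "unchanged":
            print(f"{label:10} {path}")
```

In practice the baseline would come from the release artifact or version control rather than from the server being checked, since a server-side copy can be overwritten along with the content.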