T1491

Defacement

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images).

Microsoft Sentinel / Defender

kusto

let WebRootPaths = dynamic([
  "\\inetpub\\wwwroot\\", "\\htdocs\\", "\\www\\", "\\public_html\\",
  "\\nginx\\html\\", "\\apache2\\htdocs\\", "/var/www/", "/srv/http/",
  "/usr/share/nginx/", "/home/www/"
]);
let WebFileExtensions = dynamic([
  ".html", ".htm", ".php", ".asp", ".aspx", ".jsp",
  ".js", ".css", ".png", ".jpg", ".gif", ".svg", ".ico"
]);
let SuspiciousWriterProcesses = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe",
  "python.exe", "python3", "perl.exe", "ruby.exe", "bash", "sh"
]);
let RegistryDefacementKeys = dynamic([
  "Wallpaper", "ScreenSaveActive", "SCRNSAVE.EXE",
  "legalnoticecaption", "legalnoticetext"
]);
// Branch 1: Web content file modifications in web root directories
let WebFileDefacement = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebFileExtensions)
| where InitiatingProcessFileName has_any (SuspiciousWriterProcesses)
  or InitiatingProcessParentFileName has_any (SuspiciousWriterProcesses)
| extend DefacementType = "WebContentModification"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DefacementType;
// Branch 2: Registry modifications for internal defacement (wallpaper, logon banner)
let RegistryDefacement = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (
    "\\Control Panel\\Desktop",
    "SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization"
  )
| where RegistryValueName has_any (RegistryDefacementKeys)
| where InitiatingProcessFileName has_any (SuspiciousWriterProcesses)
  or InitiatingProcessAccountName !in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| extend DefacementType = "RegistryWallpaperChange"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         FileName=RegistryValueName, FolderPath=RegistryKey,
         ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DefacementType;
// Branch 3: Web server process writing unexpected files (index.html replacement)
let WebServerSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("w3wp.exe", "nginx.exe", "httpd.exe", "apache2", "tomcat")
| where FileName in~ (SuspiciousWriterProcesses)
| extend DefacementType = "WebServerChildProcess"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath="",
         ActionType="ProcessSpawn", InitiatingProcessFileName,
         InitiatingProcessCommandLine=ProcessCommandLine,
         InitiatingProcessParentFileName, DefacementType;
union WebFileDefacement, RegistryDefacement, WebServerSpawn
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Modification File: File Creation Process: Process Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents DeviceProcessEvents

False Positives

Legitimate web application deployments via CI/CD pipelines or deployment tools (Octopus Deploy, Jenkins) that write directly to web roots
System administrators using PowerShell or cmd.exe to manually update web content or static assets during maintenance windows
Content management system (CMS) plugins or update processes that use scripting engines to modify HTML/CSS/JS files
IT policy tools (SCCM, Intune, GPO) legitimately modifying logon banners or desktop wallpaper for compliance branding
Web application frameworks that spawn shells for legitimate tasks (asset compilation, template rendering)

Splunk

spl

| union
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    | eval FolderPath=lower(TargetFilename)
    | where match(FolderPath, "(\\\\inetpub\\\\wwwroot|\\\\htdocs|\\\\public_html|\\\\nginx\\\\html|\/var\/www\/|\/srv\/http\/|\/usr\/share\/nginx)")
    | where match(FolderPath, "\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$")
    | eval InitProc=lower(Image)
    | where match(InitProc, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe|certutil\.exe|python\.exe|bash|sh)")
    | eval DefacementType="WebFileModification"
    | eval User=coalesce(User, "unknown")
    | table _time, host, User, Image, CommandLine, TargetFilename, DefacementType ],
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 13, 14)
    | eval RegPath=lower(TargetObject)
    | where match(RegPath, "(\\\\control panel\\\\desktop|\\\\terminal server\\\\winlogon|\\\\windows nt\\\\currentversion\\\\winlogon|\\\\policies\\\\microsoft\\\\windows\\\\personalization)")
    | where match(RegPath, "(wallpaper|screensaveactive|scrnsave\.exe|legalnoticecaption|legalnoticetext)")
    | eval InitProc=lower(Image)
    | where match(InitProc, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python\.exe|bash|sh)")
    | eval DefacementType="RegistryWallpaperChange"
    | eval User=coalesce(User, "unknown")
    | table _time, host, User, Image, CommandLine, TargetObject, Details, DefacementType ],
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | eval ParentProc=lower(ParentImage)
    | eval ChildProc=lower(Image)
    | where match(ParentProc, "(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat)")
    | where match(ChildProc, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|bash|sh|python\.exe)")
    | eval DefacementType="WebServerShellSpawn"
    | eval User=coalesce(User, "unknown")
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DefacementType ]
| eval SeverityScore=case(
    DefacementType="WebServerShellSpawn", 3,
    DefacementType="WebFileModification", 2,
    DefacementType="RegistryWallpaperChange", 1,
    true(), 1)
| sort - SeverityScore, - _time

high severity medium confidence

Data Sources

File: File Creation Windows Registry: Windows Registry Key Modification Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 12/13/14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

CI/CD deployment pipelines using shell commands to deploy web content updates to web root directories
Administrative scripts updating default IIS or Apache landing pages during server provisioning
Centralized IT management tools modifying corporate wallpaper and logon banners via Group Policy or Intune
Web application frameworks (Django, Rails, Node.js) spawning shell processes for asset compilation or task runners
Security scanning tools or web application firewalls writing logs or configuration files to web directories

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [file where event.action in ("creation", "overwrite", "rename") and
   (
     file.path : ("*\\inetpub\\wwwroot\\*", "*\\htdocs\\*", "*\\public_html\\*", "*\\nginx\\html\\*", "/var/www/*", "/srv/http/*", "/usr/share/nginx/*") or
     file.path : ("/home/www/*")
   ) and
   file.extension in ("html", "htm", "php", "asp", "aspx", "jsp", "js", "css", "png", "jpg", "gif", "svg", "ico") and
   process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "python.exe", "python3", "perl.exe", "ruby.exe", "bash", "sh")]
OR
any where event.category == "registry" and event.action in ("modification", "creation") and
  registry.path : ("*\\Control Panel\\Desktop\\Wallpaper", "*\\Control Panel\\Desktop\\ScreenSaveActive", "*\\Winlogon\\legalnoticecaption", "*\\Winlogon\\legalnoticetext", "*\\Personalization\\NoChangingWallPaper") and
  process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "bash", "sh")
OR
sequence by host.name with maxspan=30s
  [process where event.type == "start" and
   process.parent.name in~ ("w3wp.exe", "nginx.exe", "httpd.exe", "apache2", "tomcat") and
   process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash", "sh", "python.exe", "python3")]

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with auditd Windows Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.registry-* logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate web developers or deployment pipelines (CI/CD) writing files to web root directories using curl, wget, or PowerShell
System administrators changing desktop wallpaper or logon banners via GPO scripts running as SYSTEM or a service account
Web application frameworks (e.g., WordPress, Drupal auto-update) that invoke PHP or shell scripts to update their own web content
Configuration management tools like Ansible or Chef invoking bash/sh to deploy web assets
Developer workstations running local web servers (XAMPP, WAMP) where developers edit files directly

IBM QRadar (AQL)

sql

-- Branch 1: Web file modifications by suspicious processes
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "FILE_PATH" AS file_path,
  "PROCESS_NAME" AS initiating_process,
  QIDNAME(qid) AS event_name,
  'WebFileModification' AS defacement_type,
  logsourceid,
  logSourceName(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID = 12 -- Sysmon
  AND CATEGORYNAME(category) LIKE '%File%'
  AND (
    "FILE_PATH" ILIKE '%\inetpub\wwwroot%'
    OR "FILE_PATH" ILIKE '%\htdocs%'
    OR "FILE_PATH" ILIKE '%\public_html%'
    OR "FILE_PATH" ILIKE '%/var/www/%'
    OR "FILE_PATH" ILIKE '%/srv/http/%'
    OR "FILE_PATH" ILIKE '%/usr/share/nginx/%'
  )
  AND (
    "FILE_PATH" ILIKE '%.html'
    OR "FILE_PATH" ILIKE '%.htm'
    OR "FILE_PATH" ILIKE '%.php'
    OR "FILE_PATH" ILIKE '%.asp'
    OR "FILE_PATH" ILIKE '%.aspx'
    OR "FILE_PATH" ILIKE '%.jsp'
  )
  AND (
    LOWER("PROCESS_NAME") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','curl.exe','wget.exe','certutil.exe','python.exe','bash','sh')
  )
  AND starttime > NOW() - 24 HOURS
UNION ALL
-- Branch 2: Registry defacement (wallpaper / logon banner)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "REGISTRY_KEY" AS file_path,
  "PROCESS_NAME" AS initiating_process,
  QIDNAME(qid) AS event_name,
  'RegistryWallpaperChange' AS defacement_type,
  logsourceid,
  logSourceName(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND CATEGORYNAME(category) LIKE '%Registry%'
  AND (
    LOWER("REGISTRY_KEY") LIKE '%control panel\desktop%'
    OR LOWER("REGISTRY_KEY") LIKE '%winlogon%legalnotice%'
    OR LOWER("REGISTRY_KEY") LIKE '%personalization%'
  )
  AND (
    LOWER("REGISTRY_VALUE_NAME") IN ('wallpaper','screensaveactive','scrnsave.exe','legalnoticecaption','legalnoticetext')
  )
  AND LOWER("PROCESS_NAME") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','python.exe','bash','sh')
  AND starttime > NOW() - 24 HOURS
UNION ALL
-- Branch 3: Web server spawning shell/script child process
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "PARENT_PROCESS_NAME" AS file_path,
  "PROCESS_NAME" AS initiating_process,
  QIDNAME(qid) AS event_name,
  'WebServerShellSpawn' AS defacement_type,
  logsourceid,
  logSourceName(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND CATEGORYNAME(category) LIKE '%Process%'
  AND LOWER("PARENT_PROCESS_NAME") IN ('w3wp.exe','nginx.exe','httpd.exe','apache2','tomcat')
  AND LOWER("PROCESS_NAME") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','bash','sh','python.exe')
  AND starttime > NOW() - 24 HOURS
ORDER BY event_time DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon logs forwarded to QRadar Windows Security Event logs

Required Tables

events

False Positives

Automated deployment scripts using PowerShell or curl writing updated web content as part of a CI/CD pipeline
GPO scripts modifying desktop wallpaper or logon notice text during domain policy refresh cycles
Legitimate web server maintenance where httpd/nginx processes invoke shell scripts to rotate logs or update configurations
Security scanning tools that enumerate web server processes and may appear as child processes of web services
Web application self-update mechanisms (WordPress auto-update) that spawn PHP subprocesses to patch files in place

Sumo Logic CSE

sql

// Branch 1: Web file write by suspicious process
(_sourceCategory=*sysmon* OR _sourceCategory=*windows*)
| where EventID = "11"
| parse field=TargetFilename "*" as file_path nodrop
| where TargetFilename matches "*\\inetpub\\wwwroot*"
  OR TargetFilename matches "*\\htdocs*"
  OR TargetFilename matches "*\\public_html*"
  OR TargetFilename matches "*\\nginx\\html*"
  OR TargetFilename matches "*/var/www/*"
  OR TargetFilename matches "*/srv/http/*"
  OR TargetFilename matches "*/usr/share/nginx/*"
| where TargetFilename matches "*.html"
  OR TargetFilename matches "*.htm"
  OR TargetFilename matches "*.php"
  OR TargetFilename matches "*.asp"
  OR TargetFilename matches "*.aspx"
  OR TargetFilename matches "*.jsp"
  OR TargetFilename matches "*.js"
  OR TargetFilename matches "*.css"
| where Image matches "*cmd.exe"
  OR Image matches "*powershell.exe"
  OR Image matches "*pwsh.exe"
  OR Image matches "*wscript.exe"
  OR Image matches "*cscript.exe"
  OR Image matches "*mshta.exe"
  OR Image matches "*curl.exe"
  OR Image matches "*wget.exe"
  OR Image matches "*certutil.exe"
  OR Image matches "*python.exe"
  OR Image matches "*bash"
  OR Image matches "*sh"
| eval defacement_type="WebFileModification"
| eval severity_score=2
| fields _messageTime, Computer, User, Image, CommandLine, TargetFilename, defacement_type, severity_score

// Run separately for Branch 2: Registry defacement
// (_sourceCategory=*sysmon*)
// | where EventID in ("12","13","14")
// | where TargetObject matches "*Control Panel\\Desktop*"
//   OR TargetObject matches "*Winlogon*legalnotice*"
//   OR TargetObject matches "*Personalization*"
// | where TargetObject matches "*Wallpaper*"
//   OR TargetObject matches "*ScreenSaveActive*"
//   OR TargetObject matches "*legalnoticecaption*"
//   OR TargetObject matches "*legalnoticetext*"
// | where Image matches "*cmd.exe" OR Image matches "*powershell.exe" OR Image matches "*python.exe" OR Image matches "*bash"
// | eval defacement_type="RegistryWallpaperChange", severity_score=1
// | fields _messageTime, Computer, User, Image, CommandLine, TargetObject, Details, defacement_type, severity_score

// Run separately for Branch 3: Web server child shell
// (_sourceCategory=*sysmon*)
// | where EventID = "1"
// | where ParentImage matches "*w3wp.exe" OR ParentImage matches "*nginx.exe" OR ParentImage matches "*httpd.exe" OR ParentImage matches "*apache2" OR ParentImage matches "*tomcat"
// | where Image matches "*cmd.exe" OR Image matches "*powershell.exe" OR Image matches "*bash" OR Image matches "*sh" OR Image matches "*python.exe"
// | eval defacement_type="WebServerShellSpawn", severity_score=3
// | fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, defacement_type, severity_score

| sort by severity_score desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon logs via Sumo Logic Installed Collector Windows Event Logs

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*windows*

False Positives

Web deployment automation using curl or PowerShell to push new content to web server directories as part of regular release cycles
Group Policy applying wallpaper changes across the enterprise via logon scripts that run cmd.exe or PowerShell
IIS application pools (w3wp.exe) executing managed code that shells out to script interpreters for legitimate application logic
Content management systems that use background PHP or Python workers to process and write media files to the web root
Security tools performing scheduled web content integrity checks that read and temporarily modify web files

Google Chronicle / SecOps

yaral

rule t1491_defacement_web_file_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1491 Defacement - suspicious process writing web content files to web server directories"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491"
    severity = "HIGH"
    priority = "HIGH"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    (
      re.regex($e.target.file.full_path, `(?i)(\\inetpub\\wwwroot|\\htdocs|\\public_html|\\nginx\\html|/var/www/|/srv/http/|/usr/share/nginx/)`) or
      re.regex($e.target.file.full_path, `(?i)/home/www/`)
    )
    re.regex($e.target.file.full_path, `(?i)\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$`)
    re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe|certutil\.exe|bitsadmin\.exe|python[23]?\.exe|perl\.exe|ruby\.exe|/bash$|/sh$)`)

  condition:
    $e
}

rule t1491_defacement_registry_wallpaper {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1491 Internal Defacement - registry modifications targeting wallpaper, screensaver, and logon banner keys by suspicious processes"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.001"
    severity = "MEDIUM"
    priority = "MEDIUM"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)(\\Control Panel\\Desktop|\\Terminal Server\\Winlogon|\\Windows NT\\CurrentVersion\\Winlogon|\\Policies\\Microsoft\\Windows\\Personalization)`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(Wallpaper|ScreenSaveActive|SCRNSAVE\.EXE|legalnoticecaption|legalnoticetext)`)
    )
    re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|/bash$|/sh$)`)

  condition:
    $e
}

rule t1491_defacement_webserver_shell_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1491 Defacement - web server process spawning shell or script interpreter, indicating possible webshell execution"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.002"
    severity = "CRITICAL"
    priority = "CRITICAL"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path, `(?i)(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat)`)
    re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|/bash$|/sh$|python[23]?\.exe|perl\.exe)`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM ingestion from Windows Sysmon Chronicle UDM ingestion from CrowdStrike Falcon Chronicle UDM ingestion from Carbon Black

Required Tables

UDM Events (FILE_CREATION) UDM Events (REGISTRY_MODIFICATION) UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate automated deployments by CI/CD systems writing HTML, PHP, or asset files to web roots using curl or PowerShell scripts
Enterprise desktop policy enforcement scripts that set wallpaper images or logon banners as part of onboarding or compliance workflows
Web servers (Apache, Nginx) that legitimately invoke shell scripts as CGI handlers or maintenance hooks
Content management systems with auto-update capabilities that write PHP or JS files as part of plugin or theme updates
Penetration testing or red team exercises targeting web infrastructure with explicit change management approval

CrowdStrike LogScale (CQL)

cql

// Branch 1: Web file write by suspicious process (Sysmon-style via Falcon file events)
#event_simpleName=WriteFile
| ComputerName=*
| TargetFileName=/(?i)(\\inetpub\\wwwroot|\\htdocs|\\public_html|\\nginx\\html|\/var\/www\/|\/srv\/http\/|\/usr\/share\/nginx\/)/
| TargetFileName=/(?i)\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$/
| ImageFileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe|certutil\.exe|bitsadmin\.exe|python[23]?\.exe|perl\.exe|ruby\.exe|\/bash$|\/sh$)/
| eval DefacementType="WebFileModification"
| eval SeverityScore=2
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, DefacementType, SeverityScore])

// Branch 2: Web server spawning shell child process
// #event_simpleName=ProcessRollup2
// | ParentBaseFileName=/(?i)(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat)/
// | ImageFileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|\/bash$|\/sh$|python[23]?\.exe|perl\.exe)/
// | eval DefacementType="WebServerShellSpawn"
// | eval SeverityScore=3
// | table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DefacementType, SeverityScore])

// Branch 3: Registry wallpaper / logon banner modification
// #event_simpleName=RegGenericValueUpdate
// | RegObjectName=/(?i)(\\Control Panel\\Desktop|\\Winlogon|\\Personalization)/
// | RegValueName=/(?i)(Wallpaper|ScreenSaveActive|SCRNSAVE\.EXE|legalnoticecaption|legalnoticetext)/
// | ImageFileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|\/bash$|\/sh$)/
// | eval DefacementType="RegistryWallpaperChange"
// | eval SeverityScore=1
// | table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, RegObjectName, RegValueName, DefacementType, SeverityScore])

| sort(SeverityScore, order=desc)
| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon Insight XDR

Required Tables

WriteFile events (#event_simpleName=WriteFile) ProcessRollup2 events (#event_simpleName=ProcessRollup2) RegGenericValueUpdate events (#event_simpleName=RegGenericValueUpdate)

False Positives

Automated software deployment pipelines using PowerShell or curl to update web application files in IIS or Apache web roots
CrowdStrike sensor itself or other endpoint agents that write files to monitored directories as part of update or scan operations
Web application frameworks performing self-update routines that invoke scripting engines to patch web content files in place
System administrators remotely deploying web content using WinRM or SSH sessions that invoke PowerShell or bash
WordPress, Drupal, or Joomla auto-update mechanisms that download and write plugin or theme files directly to the web root

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1491 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Defacement

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Impact

Popular Detections