Which SIEM platforms have a T1491 detection rule?

df00tech provides T1491 (Defacement) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1491 detection?

The T1491 detection is rated high severity with medium confidence.

What are common false positives for T1491?

Common false positives for T1491 include: Legitimate web application deployments via CI/CD pipelines or deployment tools (Octopus Deploy, Jenkins) that write directly to web roots; System administrators using PowerShell or cmd.exe to manually update web content or static assets during maintenance windows; Content management system (CMS) plugins or update processes that use scripting engines to modify HTML/CSS/JS files.

T1491

Defacement

Q: What data sources are required to detect Defacement (T1491)?

Detecting Defacement requires the following data sources: File: File Modification, File: File Creation, Process: Process Creation, Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint.

Impact Last updated: April 13, 2026

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images).

What is T1491 Defacement?

Defacement (T1491) maps to the Impact tactic — the adversary is trying to manipulate, interrupt, or destroy your systems and data in MITRE ATT&CK.

This page provides production-ready detection logic for Defacement, covering the data sources and telemetry it touches: File: File Modification, File: File Creation, Process: Process Creation, Windows Registry: Windows Registry Key Modification, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Impact
Technique: T1491 Defacement
Canonical reference: https://attack.mitre.org/techniques/T1491/

Microsoft Sentinel / Defender

kusto

let WebRootPaths = dynamic([
  "\\inetpub\\wwwroot\\", "\\htdocs\\", "\\www\\", "\\public_html\\",
  "\\nginx\\html\\", "\\apache2\\htdocs\\", "/var/www/", "/srv/http/",
  "/usr/share/nginx/", "/home/www/"
]);
let WebFileExtensions = dynamic([
  ".html", ".htm", ".php", ".asp", ".aspx", ".jsp",
  ".js", ".css", ".png", ".jpg", ".gif", ".svg", ".ico"
]);
let SuspiciousWriterProcesses = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe",
  "python.exe", "python3", "perl.exe", "ruby.exe", "bash", "sh"
]);
let RegistryDefacementKeys = dynamic([
  "Wallpaper", "ScreenSaveActive", "SCRNSAVE.EXE",
  "legalnoticecaption", "legalnoticetext"
]);
// Branch 1: Web content file modifications in web root directories
let WebFileDefacement = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebFileExtensions)
| where InitiatingProcessFileName has_any (SuspiciousWriterProcesses)
  or InitiatingProcessParentFileName has_any (SuspiciousWriterProcesses)
| extend DefacementType = "WebContentModification"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DefacementType;
// Branch 2: Registry modifications for internal defacement (wallpaper, logon banner)
let RegistryDefacement = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (
    "\\Control Panel\\Desktop",
    "SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization"
  )
| where RegistryValueName has_any (RegistryDefacementKeys)
| where InitiatingProcessFileName has_any (SuspiciousWriterProcesses)
  or InitiatingProcessAccountName !in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| extend DefacementType = "RegistryWallpaperChange"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
         FileName=RegistryValueName, FolderPath=RegistryKey,
         ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessParentFileName, DefacementType;
// Branch 3: Web server process writing unexpected files (index.html replacement)
let WebServerSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("w3wp.exe", "nginx.exe", "httpd.exe", "apache2", "tomcat")
| where FileName in~ (SuspiciousWriterProcesses)
| extend DefacementType = "WebServerChildProcess"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath="",
         ActionType="ProcessSpawn", InitiatingProcessFileName,
         InitiatingProcessCommandLine=ProcessCommandLine,
         InitiatingProcessParentFileName, DefacementType;
union WebFileDefacement, RegistryDefacement, WebServerSpawn
| sort by Timestamp desc

Detects web content defacement and internal defacement activity across three signal branches. Branch 1 monitors file creation/modification events in web root directories (IIS wwwroot, Apache htdocs, nginx html, PHP public_html) initiated by shells or scripting engines rather than legitimate web processes. Branch 2 detects registry modifications to wallpaper, screensaver, and Windows logon notice keys initiated by suspicious processes — a pattern used in internal defacement campaigns. Branch 3 identifies web server worker processes (IIS w3wp.exe, nginx, Apache httpd) spawning command shells or scripting engines, indicating web shell execution that may precede or constitute defacement. Uses DeviceFileEvents, DeviceRegistryEvents, and DeviceProcessEvents from Microsoft Defender for Endpoint.

high severity medium confidence

Data Sources

File: File Modification File: File Creation Process: Process Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceRegistryEvents DeviceProcessEvents

False Positives

Legitimate web application deployments via CI/CD pipelines or deployment tools (Octopus Deploy, Jenkins) that write directly to web roots
System administrators using PowerShell or cmd.exe to manually update web content or static assets during maintenance windows
Content management system (CMS) plugins or update processes that use scripting engines to modify HTML/CSS/JS files
IT policy tools (SCCM, Intune, GPO) legitimately modifying logon banners or desktop wallpaper for compliance branding
Web application frameworks that spawn shells for legitimate tasks (asset compilation, template rendering)

Splunk

spl

| union
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    | eval FolderPath=lower(TargetFilename)
    | where match(FolderPath, "(\\\\inetpub\\\\wwwroot|\\\\htdocs|\\\\public_html|\\\\nginx\\\\html|\/var\/www\/|\/srv\/http\/|\/usr\/share\/nginx)")
    | where match(FolderPath, "\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$")
    | eval InitProc=lower(Image)
    | where match(InitProc, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe|certutil\.exe|python\.exe|bash|sh)")
    | eval DefacementType="WebFileModification"
    | eval User=coalesce(User, "unknown")
    | table _time, host, User, Image, CommandLine, TargetFilename, DefacementType ],
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 13, 14)
    | eval RegPath=lower(TargetObject)
    | where match(RegPath, "(\\\\control panel\\\\desktop|\\\\terminal server\\\\winlogon|\\\\windows nt\\\\currentversion\\\\winlogon|\\\\policies\\\\microsoft\\\\windows\\\\personalization)")
    | where match(RegPath, "(wallpaper|screensaveactive|scrnsave\.exe|legalnoticecaption|legalnoticetext)")
    | eval InitProc=lower(Image)
    | where match(InitProc, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python\.exe|bash|sh)")
    | eval DefacementType="RegistryWallpaperChange"
    | eval User=coalesce(User, "unknown")
    | table _time, host, User, Image, CommandLine, TargetObject, Details, DefacementType ],
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | eval ParentProc=lower(ParentImage)
    | eval ChildProc=lower(Image)
    | where match(ParentProc, "(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat)")
    | where match(ChildProc, "(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|bash|sh|python\.exe)")
    | eval DefacementType="WebServerShellSpawn"
    | eval User=coalesce(User, "unknown")
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DefacementType ]
| eval SeverityScore=case(
    DefacementType="WebServerShellSpawn", 3,
    DefacementType="WebFileModification", 2,
    DefacementType="RegistryWallpaperChange", 1,
    true(), 1)
| sort - SeverityScore, - _time

Detects defacement activity across three branches using Sysmon operational logs. Branch 1 uses Event ID 11 (FileCreate) to catch shells and scripting engines writing web content files (HTML, PHP, ASP, JSP, CSS) directly into web root directories. Branch 2 uses Event IDs 12/13/14 (Registry create/set/delete) to identify suspicious modification of Windows wallpaper and logon banner registry keys used in internal defacement. Branch 3 uses Event ID 1 (Process Create) to detect web server processes (IIS w3wp, nginx, Apache) spawning command shells — a strong indicator of web shell execution that often precedes or constitutes defacement. Results are ranked by a SeverityScore with web shell spawns rated highest.

high severity medium confidence

Data Sources

File: File Creation Windows Registry: Windows Registry Key Modification Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11 Sysmon Event ID 12/13/14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

CI/CD deployment pipelines using shell commands to deploy web content updates to web root directories
Administrative scripts updating default IIS or Apache landing pages during server provisioning
Centralized IT management tools modifying corporate wallpaper and logon banners via Group Policy or Intune
Web application frameworks (Django, Rails, Node.js) spawning shell processes for asset compilation or task runners
Security scanning tools or web application firewalls writing logs or configuration files to web directories

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [file where event.action in ("creation", "overwrite", "rename") and
   (
     file.path : ("*\\inetpub\\wwwroot\\*", "*\\htdocs\\*", "*\\public_html\\*", "*\\nginx\\html\\*", "/var/www/*", "/srv/http/*", "/usr/share/nginx/*") or
     file.path : ("/home/www/*")
   ) and
   file.extension in ("html", "htm", "php", "asp", "aspx", "jsp", "js", "css", "png", "jpg", "gif", "svg", "ico") and
   process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "python.exe", "python3", "perl.exe", "ruby.exe", "bash", "sh")]
OR
any where event.category == "registry" and event.action in ("modification", "creation") and
  registry.path : ("*\\Control Panel\\Desktop\\Wallpaper", "*\\Control Panel\\Desktop\\ScreenSaveActive", "*\\Winlogon\\legalnoticecaption", "*\\Winlogon\\legalnoticetext", "*\\Personalization\\NoChangingWallPaper") and
  process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "bash", "sh")
OR
sequence by host.name with maxspan=30s
  [process where event.type == "start" and
   process.parent.name in~ ("w3wp.exe", "nginx.exe", "httpd.exe", "apache2", "tomcat") and
   process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash", "sh", "python.exe", "python3")]

Detects T1491 Defacement via three branches: (1) web content files written by suspicious processes in web root directories, (2) registry modifications targeting wallpaper and logon banner keys, (3) web server processes spawning shell/script interpreters as child processes indicating potential webshell execution or active compromise.

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent with auditd Windows Sysmon via Elastic Agent

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.registry-* logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate web developers or deployment pipelines (CI/CD) writing files to web root directories using curl, wget, or PowerShell
System administrators changing desktop wallpaper or logon banners via GPO scripts running as SYSTEM or a service account
Web application frameworks (e.g., WordPress, Drupal auto-update) that invoke PHP or shell scripts to update their own web content
Configuration management tools like Ansible or Chef invoking bash/sh to deploy web assets
Developer workstations running local web servers (XAMPP, WAMP) where developers edit files directly

IBM QRadar (AQL)

sql

-- Branch 1: Web file modifications by suspicious processes
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "FILE_PATH" AS file_path,
  "PROCESS_NAME" AS initiating_process,
  QIDNAME(qid) AS event_name,
  'WebFileModification' AS defacement_type,
  logsourceid,
  logSourceName(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID = 12 -- Sysmon
  AND CATEGORYNAME(category) LIKE '%File%'
  AND (
    "FILE_PATH" ILIKE '%\inetpub\wwwroot%'
    OR "FILE_PATH" ILIKE '%\htdocs%'
    OR "FILE_PATH" ILIKE '%\public_html%'
    OR "FILE_PATH" ILIKE '%/var/www/%'
    OR "FILE_PATH" ILIKE '%/srv/http/%'
    OR "FILE_PATH" ILIKE '%/usr/share/nginx/%'
  )
  AND (
    "FILE_PATH" ILIKE '%.html'
    OR "FILE_PATH" ILIKE '%.htm'
    OR "FILE_PATH" ILIKE '%.php'
    OR "FILE_PATH" ILIKE '%.asp'
    OR "FILE_PATH" ILIKE '%.aspx'
    OR "FILE_PATH" ILIKE '%.jsp'
  )
  AND (
    LOWER("PROCESS_NAME") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','curl.exe','wget.exe','certutil.exe','python.exe','bash','sh')
  )
  AND starttime > NOW() - 24 HOURS
UNION ALL
-- Branch 2: Registry defacement (wallpaper / logon banner)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "REGISTRY_KEY" AS file_path,
  "PROCESS_NAME" AS initiating_process,
  QIDNAME(qid) AS event_name,
  'RegistryWallpaperChange' AS defacement_type,
  logsourceid,
  logSourceName(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND CATEGORYNAME(category) LIKE '%Registry%'
  AND (
    LOWER("REGISTRY_KEY") LIKE '%control panel\desktop%'
    OR LOWER("REGISTRY_KEY") LIKE '%winlogon%legalnotice%'
    OR LOWER("REGISTRY_KEY") LIKE '%personalization%'
  )
  AND (
    LOWER("REGISTRY_VALUE_NAME") IN ('wallpaper','screensaveactive','scrnsave.exe','legalnoticecaption','legalnoticetext')
  )
  AND LOWER("PROCESS_NAME") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','python.exe','bash','sh')
  AND starttime > NOW() - 24 HOURS
UNION ALL
-- Branch 3: Web server spawning shell/script child process
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "PARENT_PROCESS_NAME" AS file_path,
  "PROCESS_NAME" AS initiating_process,
  QIDNAME(qid) AS event_name,
  'WebServerShellSpawn' AS defacement_type,
  logsourceid,
  logSourceName(logsourceid) AS log_source
FROM events
WHERE
  LOGSOURCETYPEID = 12
  AND CATEGORYNAME(category) LIKE '%Process%'
  AND LOWER("PARENT_PROCESS_NAME") IN ('w3wp.exe','nginx.exe','httpd.exe','apache2','tomcat')
  AND LOWER("PROCESS_NAME") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','bash','sh','python.exe')
  AND starttime > NOW() - 24 HOURS
ORDER BY event_time DESC

QRadar AQL detection for T1491 Defacement covering three branches: suspicious process writing web files to web root directories, registry modifications for wallpaper and logon banners, and web server processes spawning interactive shells. Uses LOGSOURCETYPEID 12 for Sysmon log sources and AQL UNION to combine all three detection branches into a single result set ordered by time.

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon logs forwarded to QRadar Windows Security Event logs

Required Tables

events

False Positives

Automated deployment scripts using PowerShell or curl writing updated web content as part of a CI/CD pipeline
GPO scripts modifying desktop wallpaper or logon notice text during domain policy refresh cycles
Legitimate web server maintenance where httpd/nginx processes invoke shell scripts to rotate logs or update configurations
Security scanning tools that enumerate web server processes and may appear as child processes of web services
Web application self-update mechanisms (WordPress auto-update) that spawn PHP subprocesses to patch files in place

Sumo Logic CSE

sql

// Branch 1: Web file write by suspicious process
(_sourceCategory=*sysmon* OR _sourceCategory=*windows*)
| where EventID = "11"
| parse field=TargetFilename "*" as file_path nodrop
| where TargetFilename matches "*\\inetpub\\wwwroot*"
  OR TargetFilename matches "*\\htdocs*"
  OR TargetFilename matches "*\\public_html*"
  OR TargetFilename matches "*\\nginx\\html*"
  OR TargetFilename matches "*/var/www/*"
  OR TargetFilename matches "*/srv/http/*"
  OR TargetFilename matches "*/usr/share/nginx/*"
| where TargetFilename matches "*.html"
  OR TargetFilename matches "*.htm"
  OR TargetFilename matches "*.php"
  OR TargetFilename matches "*.asp"
  OR TargetFilename matches "*.aspx"
  OR TargetFilename matches "*.jsp"
  OR TargetFilename matches "*.js"
  OR TargetFilename matches "*.css"
| where Image matches "*cmd.exe"
  OR Image matches "*powershell.exe"
  OR Image matches "*pwsh.exe"
  OR Image matches "*wscript.exe"
  OR Image matches "*cscript.exe"
  OR Image matches "*mshta.exe"
  OR Image matches "*curl.exe"
  OR Image matches "*wget.exe"
  OR Image matches "*certutil.exe"
  OR Image matches "*python.exe"
  OR Image matches "*bash"
  OR Image matches "*sh"
| eval defacement_type="WebFileModification"
| eval severity_score=2
| fields _messageTime, Computer, User, Image, CommandLine, TargetFilename, defacement_type, severity_score

// Run separately for Branch 2: Registry defacement
// (_sourceCategory=*sysmon*)
// | where EventID in ("12","13","14")
// | where TargetObject matches "*Control Panel\\Desktop*"
//   OR TargetObject matches "*Winlogon*legalnotice*"
//   OR TargetObject matches "*Personalization*"
// | where TargetObject matches "*Wallpaper*"
//   OR TargetObject matches "*ScreenSaveActive*"
//   OR TargetObject matches "*legalnoticecaption*"
//   OR TargetObject matches "*legalnoticetext*"
// | where Image matches "*cmd.exe" OR Image matches "*powershell.exe" OR Image matches "*python.exe" OR Image matches "*bash"
// | eval defacement_type="RegistryWallpaperChange", severity_score=1
// | fields _messageTime, Computer, User, Image, CommandLine, TargetObject, Details, defacement_type, severity_score

// Run separately for Branch 3: Web server child shell
// (_sourceCategory=*sysmon*)
// | where EventID = "1"
// | where ParentImage matches "*w3wp.exe" OR ParentImage matches "*nginx.exe" OR ParentImage matches "*httpd.exe" OR ParentImage matches "*apache2" OR ParentImage matches "*tomcat"
// | where Image matches "*cmd.exe" OR Image matches "*powershell.exe" OR Image matches "*bash" OR Image matches "*sh" OR Image matches "*python.exe"
// | eval defacement_type="WebServerShellSpawn", severity_score=3
// | fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, defacement_type, severity_score

| sort by severity_score desc, _messageTime desc

Sumo Logic CSE detection for T1491 Defacement. Branch 1 shown inline — uses Sysmon EventID 11 (File Create) to find web content files written to web root paths by suspicious script/shell processes. Branches 2 (registry wallpaper/logon banner changes) and 3 (web server spawning shells) are provided as commented queries to run separately due to Sumo Logic query language limitations with multi-branch union searches. All branches use real Sysmon source categories and field names.

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon logs via Sumo Logic Installed Collector Windows Event Logs

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*windows*

False Positives

Web deployment automation using curl or PowerShell to push new content to web server directories as part of regular release cycles
Group Policy applying wallpaper changes across the enterprise via logon scripts that run cmd.exe or PowerShell
IIS application pools (w3wp.exe) executing managed code that shells out to script interpreters for legitimate application logic
Content management systems that use background PHP or Python workers to process and write media files to the web root
Security tools performing scheduled web content integrity checks that read and temporarily modify web files

Google Chronicle / SecOps

yaral

rule t1491_defacement_web_file_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1491 Defacement - suspicious process writing web content files to web server directories"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491"
    severity = "HIGH"
    priority = "HIGH"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    (
      re.regex($e.target.file.full_path, `(?i)(\\inetpub\\wwwroot|\\htdocs|\\public_html|\\nginx\\html|/var/www/|/srv/http/|/usr/share/nginx/)`) or
      re.regex($e.target.file.full_path, `(?i)/home/www/`)
    )
    re.regex($e.target.file.full_path, `(?i)\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$`)
    re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe|certutil\.exe|bitsadmin\.exe|python[23]?\.exe|perl\.exe|ruby\.exe|/bash$|/sh$)`)

  condition:
    $e
}

rule t1491_defacement_registry_wallpaper {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1491 Internal Defacement - registry modifications targeting wallpaper, screensaver, and logon banner keys by suspicious processes"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.001"
    severity = "MEDIUM"
    priority = "MEDIUM"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    (
      re.regex($e.target.registry.registry_key, `(?i)(\\Control Panel\\Desktop|\\Terminal Server\\Winlogon|\\Windows NT\\CurrentVersion\\Winlogon|\\Policies\\Microsoft\\Windows\\Personalization)`) and
      re.regex($e.target.registry.registry_value_name, `(?i)(Wallpaper|ScreenSaveActive|SCRNSAVE\.EXE|legalnoticecaption|legalnoticetext)`)
    )
    re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|/bash$|/sh$)`)

  condition:
    $e
}

rule t1491_defacement_webserver_shell_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1491 Defacement - web server process spawning shell or script interpreter, indicating possible webshell execution"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.002"
    severity = "CRITICAL"
    priority = "CRITICAL"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path, `(?i)(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat)`)
    re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|/bash$|/sh$|python[23]?\.exe|perl\.exe)`)

  condition:
    $e
}

Three Chronicle YARA-L 2.0 rules covering all T1491 Defacement branches: (1) suspicious processes writing web content files to web root paths, (2) registry wallpaper and logon banner key modifications by scripting tools, (3) web server processes spawning shell or interpreter children indicating webshell compromise. Uses UDM event types FILE_CREATION, REGISTRY_MODIFICATION, and PROCESS_LAUNCH with regex matching on full paths and process names via ECS-compatible UDM field model.

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle UDM ingestion from Windows Sysmon Chronicle UDM ingestion from CrowdStrike Falcon Chronicle UDM ingestion from Carbon Black

Required Tables

UDM Events (FILE_CREATION) UDM Events (REGISTRY_MODIFICATION) UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate automated deployments by CI/CD systems writing HTML, PHP, or asset files to web roots using curl or PowerShell scripts
Enterprise desktop policy enforcement scripts that set wallpaper images or logon banners as part of onboarding or compliance workflows
Web servers (Apache, Nginx) that legitimately invoke shell scripts as CGI handlers or maintenance hooks
Content management systems with auto-update capabilities that write PHP or JS files as part of plugin or theme updates
Penetration testing or red team exercises targeting web infrastructure with explicit change management approval

CrowdStrike LogScale (CQL)

cql

// Branch 1: Web file write by suspicious process (Sysmon-style via Falcon file events)
#event_simpleName=WriteFile
| ComputerName=*
| TargetFileName=/(?i)(\\inetpub\\wwwroot|\\htdocs|\\public_html|\\nginx\\html|\/var\/www\/|\/srv\/http\/|\/usr\/share\/nginx\/)/
| TargetFileName=/(?i)\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$/
| ImageFileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe|certutil\.exe|bitsadmin\.exe|python[23]?\.exe|perl\.exe|ruby\.exe|\/bash$|\/sh$)/
| eval DefacementType="WebFileModification"
| eval SeverityScore=2
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, DefacementType, SeverityScore])

// Branch 2: Web server spawning shell child process
// #event_simpleName=ProcessRollup2
// | ParentBaseFileName=/(?i)(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat)/
// | ImageFileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|\/bash$|\/sh$|python[23]?\.exe|perl\.exe)/
// | eval DefacementType="WebServerShellSpawn"
// | eval SeverityScore=3
// | table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DefacementType, SeverityScore])

// Branch 3: Registry wallpaper / logon banner modification
// #event_simpleName=RegGenericValueUpdate
// | RegObjectName=/(?i)(\\Control Panel\\Desktop|\\Winlogon|\\Personalization)/
// | RegValueName=/(?i)(Wallpaper|ScreenSaveActive|SCRNSAVE\.EXE|legalnoticecaption|legalnoticetext)/
// | ImageFileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|\/bash$|\/sh$)/
// | eval DefacementType="RegistryWallpaperChange"
// | eval SeverityScore=1
// | table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, RegObjectName, RegValueName, DefacementType, SeverityScore])

| sort(SeverityScore, order=desc)
| sort(@timestamp, order=desc)

CrowdStrike LogScale (Falcon) detection for T1491 Defacement using Falcon telemetry event types. Branch 1 (active) uses WriteFile events to detect suspicious processes writing web content files to web root paths. Branches 2 and 3 are provided as commented queries using ProcessRollup2 (web server shell spawn) and RegGenericValueUpdate (registry wallpaper/logon banner changes). All branches use real LogScale CQL syntax with regex matching on Falcon ECS-compatible field names including #event_simpleName, ImageFileName, TargetFileName, and ParentBaseFileName.

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike LogScale (Humio) Falcon Insight XDR

Required Tables

WriteFile events (#event_simpleName=WriteFile) ProcessRollup2 events (#event_simpleName=ProcessRollup2) RegGenericValueUpdate events (#event_simpleName=RegGenericValueUpdate)

False Positives

Automated software deployment pipelines using PowerShell or curl to update web application files in IIS or Apache web roots
CrowdStrike sensor itself or other endpoint agents that write files to monitored directories as part of update or scan operations
Web application frameworks performing self-update routines that invoke scripting engines to patch web content files in place
System administrators remotely deploying web content using WinRM or SSH sessions that invoke PowerShell or bash
WordPress, Drupal, or Joomla auto-update mechanisms that download and write plugin or theme files directly to the web root

Sigma rule & cross-platform mapping

The detection logic for Defacement (T1491) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1491 Sigma rules on detection.fyi

Platform-specific guides for T1491

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (6)

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Replace Web Server Default Page (Windows IIS)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\index.html, Image=cmd.exe. DeviceFileEvents: ActionType=FileModified, FolderPath contains \wwwroot\, InitiatingProcessFileName=cmd.exe. Security Event ID 4663 (if object access auditing enabled on wwwroot directory).
Test 2Internal Defacement via Wallpaper Registry Modification
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=C:\Windows\Temp\defaced_wallpaper.jpg, Image=powershell.exe. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains Control Panel\Desktop, RegistryValueName=Wallpaper, InitiatingProcessFileName=powershell.exe.
Test 3Web Shell Simulation — Web Server Spawning Command Shell
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. DeviceProcessEvents: FileName=cmd.exe, InitiatingProcessFileName=powershell.exe. File creation event for webshell-test.txt.
Test 4Linux Web Root File Replacement via Bash
Expected signal: Linux auditd: syscall=openat with path=/var/www/html/index.html and WRITE flag, uid/euid of calling user. Sysmon for Linux Event ID 11: FileCreate with TargetFilename=/var/www/html/index.html, Image=/usr/bin/bash. Linux file integrity monitoring (FIM) alert on /var/www/html/ if configured.
Test 5Mass Internal Defacement via Logon Banner Registry Modification
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and LegalNoticeText, Image=reg.exe. Security Event ID 4657 (Registry value modified) if object access auditing is enabled on the Winlogon key. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryValueName=LegalNoticeCaption/LegalNoticeText.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1491 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Defacement

What is T1491 Defacement?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1491

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Impact

Popular Detections

What is T1491 Defacement?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1491

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (2)

Related Techniques

Same Tactic: Impact

Popular Detections

Get new detections in your inbox