T1491.001

Internal Defacement

Adversaries may deface systems internal to an organization in an attempt to intimidate or mislead users, discrediting the integrity of those systems. This manifests most commonly as ransomware operators setting desktop wallpaper to display ransom notes (Black Basta, BlackCat, Qilin, INC Ransomware, Diavol, RansomHub), dropping ransom note text or HTML files across the filesystem, modifying Windows logon legal notice messages, renaming disk volume labels to attacker contact information (ShrinkLocker), or changing lock screen images. Destructive APT groups such as Lazarus Group and Gamaredon have also used desktop wallpaper replacement to display threatening messages after rendering systems inoperable. Internal defacement occurs late in the attack lifecycle — after primary objectives such as data exfiltration or file encryption have been completed — because it reveals adversary presence and marks the point of no return for the victim.

Microsoft Sentinel / Defender

kusto

let LegitWallpaperProcs = dynamic(["explorer.exe", "SystemSettings.exe", "SystemSettingsBroker.exe", "dllhost.exe", "winlogon.exe"]);
let RansomNoteKeywords = dynamic(["README", "DECRYPT", "HOW_TO", "RESTORE_FILES", "YOUR_FILES", "RANSOM", "HELP_DECRYPT", "HOW-TO-DECRYPT", "FILES_ENCRYPTED", "RECOVER_FILES", "IMPORTANT_READ", "!!!READ", "RECOVERY_KEY", "LOCKED"]);
// Branch 1: Desktop wallpaper, lock screen, and logon message registry changes from non-standard processes
let WallpaperRegistryChanges = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where (RegistryKey has "Control Panel\\Desktop" and RegistryValueName =~ "Wallpaper")
    or (RegistryKey has "PersonalizationCSP" and RegistryValueName in~ ("DesktopImagePath", "LockScreenImagePath", "DesktopImageStatus", "LockScreenImageStatus"))
    or (RegistryKey has "Winlogon" and RegistryValueName in~ ("LegalNoticeText", "LegalNoticeCaption"))
| where InitiatingProcessFileName !in~ (LegitWallpaperProcs)
| extend DefacementType = case(
    RegistryValueName =~ "Wallpaper" or RegistryValueName has "DesktopImage", "WallpaperChange",
    RegistryValueName has "LockScreen", "LockScreenChange",
    RegistryValueName in~ ("LegalNoticeText", "LegalNoticeCaption"), "LogonMessageChange",
    "RegistryDefacement"
  )
| extend IndicatorDetail = strcat("Key: ", RegistryKey, " | Value: ", RegistryValueName, " | Data: ", RegistryValueData)
| project Timestamp, DeviceName, InitiatingProcessAccountName, DefacementType, IndicatorDetail,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 2: Ransom note and defacement file creation
let RansomNoteCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName has_any (RansomNoteKeywords)
| where FileName endswith ".txt" or FileName endswith ".html" or FileName endswith ".hta"
    or FileName endswith ".bmp" or FileName endswith ".jpg" or FileName endswith ".png"
| extend DefacementType = "RansomNoteDropped"
| extend IndicatorDetail = strcat("File: ", FolderPath, "\\", FileName)
| project Timestamp, DeviceName, InitiatingProcessAccountName, DefacementType, IndicatorDetail,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 3: Disk volume label modification (ShrinkLocker ransomware pattern)
let DiskLabelChanges = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmd.exe"
| where ProcessCommandLine matches regex @"(?i)\blabel\s+[a-zA-Z]:"
| extend DefacementType = "DiskLabelModified"
| extend IndicatorDetail = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, DefacementType, IndicatorDetail,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 4: PowerShell-based wallpaper change via SystemParametersInfo API
let PSWallpaperSet = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("SystemParametersInfo", "SPI_SETDESKWALLPAPER", "SetWallpaper", "DesktopWallpaper")
    or (ProcessCommandLine has "0x14" and ProcessCommandLine has "SystemParametersInfo")
| extend DefacementType = "PSWallpaperSet"
| extend IndicatorDetail = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, DefacementType, IndicatorDetail,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
union WallpaperRegistryChanges, RansomNoteCreation, DiskLabelChanges, PSWallpaperSet
| sort by Timestamp desc

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceRegistryEvents DeviceFileEvents DeviceProcessEvents

False Positives

Group Policy or Microsoft Intune/MDM solutions deploying corporate desktop wallpaper or compliance logon banners — these originate from gpsvc.exe, deviceenrollmentactivity.exe, or MDM management agents rather than ransomware processes, and occur in batches across many devices simultaneously
IT administrators manually configuring Windows logon legal notice text via reg.exe or PowerShell for CIS Benchmark, NIST, or STIG compliance requirements — review change tickets and originating workstation (should be a PAW or jump server)
Disk management during system provisioning, OS imaging, or storage configuration scripts that include volume labeling as part of build automation
Security or deployment tooling that drops README or documentation files during software installation — these typically originate from msiexec.exe or a known installer process and target software installation directories

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
  (EventCode=13
    (TargetObject="*\\Control Panel\\Desktop\\Wallpaper"
     OR TargetObject="*\\PersonalizationCSP\\DesktopImagePath"
     OR TargetObject="*\\PersonalizationCSP\\LockScreenImagePath"
     OR TargetObject="*\\PersonalizationCSP\\DesktopImageStatus"
     OR TargetObject="*\\Winlogon\\LegalNoticeText"
     OR TargetObject="*\\Winlogon\\LegalNoticeCaption"))
  OR
  (EventCode=11
    (TargetFilename="*README*" OR TargetFilename="*DECRYPT*" OR TargetFilename="*HOW_TO*"
     OR TargetFilename="*RESTORE_FILES*" OR TargetFilename="*YOUR_FILES*"
     OR TargetFilename="*RANSOM*" OR TargetFilename="*RECOVER_FILES*"
     OR TargetFilename="*FILES_ENCRYPTED*" OR TargetFilename="*HELP_DECRYPT*"
     OR TargetFilename="*HOW-TO-DECRYPT*" OR TargetFilename="*IMPORTANT_READ*")
    (TargetFilename="*.txt" OR TargetFilename="*.html" OR TargetFilename="*.hta"
     OR TargetFilename="*.bmp" OR TargetFilename="*.jpg" OR TargetFilename="*.png"))
  OR
  (EventCode=1
    (Image="*\\cmd.exe")
    CommandLine="*label *:*")
  OR
  (EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
    (CommandLine="*SystemParametersInfo*" OR CommandLine="*SPI_SETDESKWALLPAPER*"
     OR CommandLine="*SetWallpaper*" OR CommandLine="*DesktopWallpaper*"))
)
| eval DefacementType=case(
    EventCode=13 AND match(TargetObject, "(?i)(Wallpaper|DesktopImagePath|DesktopImageStatus)"), "WallpaperChange",
    EventCode=13 AND match(TargetObject, "(?i)(LockScreen)"), "LockScreenChange",
    EventCode=13 AND match(TargetObject, "(?i)(LegalNotice)"), "LogonMessageChange",
    EventCode=11, "RansomNoteDropped",
    EventCode=1 AND match(CommandLine, "(?i)label\s+[a-zA-Z]:"), "DiskLabelModified",
    EventCode=1 AND (match(Image, "(?i)(powershell|pwsh)") OR match(CommandLine, "(?i)(SystemParametersInfo|SetWallpaper|DesktopWallpaper)")), "PSWallpaperSet",
    true(), "Defacement"
  )
| eval IndicatorValue=coalesce(TargetObject, TargetFilename, CommandLine, "-")
| eval InitiatingProcess=coalesce(Image, "-")
| eval NotLegitProc=if(match(Image, "(?i)(explorer|SystemSettings|SystemSettingsBroker|dllhost|winlogon)"), 0, 1)
| where DefacementType != "Defacement"
| where EventCode != 13 OR NotLegitProc=1
| table _time, host, User, DefacementType, IndicatorValue, InitiatingProcess, CommandLine
| sort - _time

high severity high confidence

Data Sources

Windows Registry: Registry Key Modification File: File Creation Process: Process Creation Sysmon Event ID 1, 11, 13

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Group Policy applying corporate wallpaper or logon banners via gpsvc.exe — registry changes appear from SYSTEM context and match affected policy registry paths; correlate with Event ID 5136 in Security log for authorized GPO changes
IT administrators setting LegalNoticeText/Caption for compliance baselines using reg.exe or PowerShell from a known administrative workstation — review against change management records
Software installers creating README or documentation files during package installation — typically originate from msiexec.exe, setup.exe, or a known installer image path targeting program directory subdirectories
Disk provisioning or storage automation scripts labeling volumes during system build — should be traceable to an approved provisioning account and imaging workflow timeframe

Elastic Security (EQL)

eql

any where
(
  (
    event.category == "registry" and event.type == "change" and
    (
      registry.path like "*\\Control Panel\\Desktop\\Wallpaper" or
      registry.path like "*\\PersonalizationCSP\\DesktopImagePath" or
      registry.path like "*\\PersonalizationCSP\\LockScreenImagePath" or
      registry.path like "*\\PersonalizationCSP\\DesktopImageStatus" or
      registry.path like "*\\PersonalizationCSP\\LockScreenImageStatus" or
      registry.path like "*\\Winlogon\\LegalNoticeText" or
      registry.path like "*\\Winlogon\\LegalNoticeCaption"
    ) and
    not process.name in~ ("explorer.exe", "SystemSettings.exe", "SystemSettingsBroker.exe", "dllhost.exe", "winlogon.exe")
  ) or
  (
    event.category == "file" and event.type == "creation" and
    (
      file.name like~ "*README*" or file.name like~ "*DECRYPT*" or
      file.name like~ "*HOW_TO*" or file.name like~ "*RESTORE_FILES*" or
      file.name like~ "*YOUR_FILES*" or file.name like~ "*RANSOM*" or
      file.name like~ "*RECOVER_FILES*" or file.name like~ "*FILES_ENCRYPTED*" or
      file.name like~ "*HELP_DECRYPT*" or file.name like~ "*HOW-TO-DECRYPT*" or
      file.name like~ "*IMPORTANT_READ*" or file.name like~ "*!!!READ*" or
      file.name like~ "*RECOVERY_KEY*" or file.name like~ "*LOCKED*"
    ) and
    file.extension in~ ("txt", "html", "hta", "bmp", "jpg", "png")
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.name like~ "cmd.exe" and
    process.command_line like~ "*label *:*"
  ) or
  (
    event.category == "process" and event.type == "start" and
    process.name in~ ("powershell.exe", "pwsh.exe") and
    (
      process.command_line like~ "*SystemParametersInfo*" or
      process.command_line like~ "*SPI_SETDESKWALLPAPER*" or
      process.command_line like~ "*SetWallpaper*" or
      process.command_line like~ "*DesktopWallpaper*"
    )
  )
)

critical severity high confidence

Data Sources

Elastic Endpoint Security (elastic-agent) Winlogbeat with Sysmon (Microsoft-Windows-Sysmon/Operational)

Required Tables

logs-endpoint.events.registry-* logs-endpoint.events.file-* logs-endpoint.events.process-* winlogbeat-*

False Positives

Enterprise desktop management tools such as SCCM or Microsoft Intune applying GPO-enforced corporate wallpapers or legal notice banners via PersonalizationCSP or Winlogon registry keys using service or deployment agent processes not in the exclusion list
IT helpdesk or remote management agents (ConnectWise, Kaseya, NinjaRMM) running PowerShell provisioning scripts that set branded wallpapers using SystemParametersInfo as part of onboarding automation
Security awareness training platforms or authorized red team exercises using ransomware simulation toolkits that create files named README_DECRYPT or HOW_TO_RESTORE as benign test artifacts

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  devicename AS HostName,
  username AS User,
  CASE
    WHEN eventid = 13 AND ("TargetObject" LIKE '%\\Control Panel\\Desktop\\Wallpaper'
      OR "TargetObject" LIKE '%PersonalizationCSP\\DesktopImagePath'
      OR "TargetObject" LIKE '%PersonalizationCSP\\DesktopImageStatus') THEN 'WallpaperChange'
    WHEN eventid = 13 AND "TargetObject" LIKE '%PersonalizationCSP\\LockScreen%' THEN 'LockScreenChange'
    WHEN eventid = 13 AND "TargetObject" LIKE '%Winlogon\\LegalNotice%' THEN 'LogonMessageChange'
    WHEN eventid = 11 THEN 'RansomNoteDropped'
    WHEN eventid = 1 AND "CommandLine" LIKE '%label %:%' THEN 'DiskLabelModified'
    WHEN eventid = 1 AND ("Image" LIKE '%\\powershell.exe' OR "Image" LIKE '%\\pwsh.exe') THEN 'PSWallpaperSet'
    ELSE 'UnknownDefacement'
  END AS DefacementType,
  "TargetObject" AS RegistryTarget,
  "TargetFilename" AS DroppedFile,
  "CommandLine" AS CommandLine,
  "Image" AS InitiatingProcess
FROM events
WHERE LOGSOURCETYPENAME(devicetype) LIKE '%Windows%'
  AND (
    (
      eventid = 13
      AND (
        "TargetObject" LIKE '%\\Control Panel\\Desktop\\Wallpaper'
        OR "TargetObject" LIKE '%PersonalizationCSP\\DesktopImagePath'
        OR "TargetObject" LIKE '%PersonalizationCSP\\LockScreenImagePath'
        OR "TargetObject" LIKE '%PersonalizationCSP\\DesktopImageStatus'
        OR "TargetObject" LIKE '%PersonalizationCSP\\LockScreenImageStatus'
        OR "TargetObject" LIKE '%Winlogon\\LegalNoticeText'
        OR "TargetObject" LIKE '%Winlogon\\LegalNoticeCaption'
      )
      AND "Image" NOT LIKE '%\\explorer.exe'
      AND "Image" NOT LIKE '%\\SystemSettings.exe'
      AND "Image" NOT LIKE '%\\SystemSettingsBroker.exe'
      AND "Image" NOT LIKE '%\\dllhost.exe'
      AND "Image" NOT LIKE '%\\winlogon.exe'
    )
    OR (
      eventid = 11
      AND (
        "TargetFilename" LIKE '%README%'
        OR "TargetFilename" LIKE '%DECRYPT%'
        OR "TargetFilename" LIKE '%HOW_TO%'
        OR "TargetFilename" LIKE '%RESTORE_FILES%'
        OR "TargetFilename" LIKE '%YOUR_FILES%'
        OR "TargetFilename" LIKE '%RANSOM%'
        OR "TargetFilename" LIKE '%RECOVER_FILES%'
        OR "TargetFilename" LIKE '%FILES_ENCRYPTED%'
        OR "TargetFilename" LIKE '%HELP_DECRYPT%'
        OR "TargetFilename" LIKE '%HOW-TO-DECRYPT%'
        OR "TargetFilename" LIKE '%IMPORTANT_READ%'
      )
      AND (
        "TargetFilename" LIKE '%.txt'
        OR "TargetFilename" LIKE '%.html'
        OR "TargetFilename" LIKE '%.hta'
        OR "TargetFilename" LIKE '%.bmp'
        OR "TargetFilename" LIKE '%.jpg'
        OR "TargetFilename" LIKE '%.png'
      )
    )
    OR (
      eventid = 1
      AND "Image" LIKE '%\\cmd.exe'
      AND "CommandLine" LIKE '%label %:%'
    )
    OR (
      eventid = 1
      AND ("Image" LIKE '%\\powershell.exe' OR "Image" LIKE '%\\pwsh.exe')
      AND (
        "CommandLine" LIKE '%SystemParametersInfo%'
        OR "CommandLine" LIKE '%SPI_SETDESKWALLPAPER%'
        OR "CommandLine" LIKE '%SetWallpaper%'
        OR "CommandLine" LIKE '%DesktopWallpaper%'
      )
    )
  )
LAST 24 HOURS

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Sysmon via Windows Event Log forwarding to QRadar

Required Tables

events

False Positives

Group Policy enforcement applying Winlogon LegalNoticeText or LegalNoticeCaption banner updates via gpupdate.exe or the Group Policy Client service (gpsvc.dll) hosted in svchost.exe, which may not appear in the exclusion list
Software deployment agents (Intune Management Extension, SCCM client) modifying PersonalizationCSP registry keys as part of device compliance enforcement, running under trusted but non-excluded process contexts
Corporate IT provisioning scripts run under service accounts that set wallpaper registry keys during device imaging — especially common in VDI environments using non-standard provisioning frameworks

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| parse regex "<EventID>(?P<EventID>\d+)<" nodrop
| parse regex "<TargetObject>(?P<TargetObject>[^<]+)<" nodrop
| parse regex "<TargetFilename>(?P<TargetFilename>[^<]+)<" nodrop
| parse regex "<CommandLine>(?P<CommandLine>[^<]+)<" nodrop
| parse regex "<Image>(?P<Image>[^<]+)<" nodrop
| parse regex "<User>(?P<User>[^<]+)<" nodrop
| parse regex "<Computer>(?P<Computer>[^<]+)<" nodrop
| where (
    (
      EventID = "13"
      AND (
        TargetObject matches "*\\Control Panel\\Desktop\\Wallpaper*"
        OR TargetObject matches "*PersonalizationCSP\\DesktopImagePath*"
        OR TargetObject matches "*PersonalizationCSP\\LockScreenImagePath*"
        OR TargetObject matches "*PersonalizationCSP\\DesktopImageStatus*"
        OR TargetObject matches "*PersonalizationCSP\\LockScreenImageStatus*"
        OR TargetObject matches "*Winlogon\\LegalNoticeText*"
        OR TargetObject matches "*Winlogon\\LegalNoticeCaption*"
      )
      AND NOT (
        Image matches "*\\explorer.exe"
        OR Image matches "*\\SystemSettings.exe"
        OR Image matches "*\\SystemSettingsBroker.exe"
        OR Image matches "*\\dllhost.exe"
        OR Image matches "*\\winlogon.exe"
      )
    )
    OR (
      EventID = "11"
      AND (
        TargetFilename matches "*README*"
        OR TargetFilename matches "*DECRYPT*"
        OR TargetFilename matches "*HOW_TO*"
        OR TargetFilename matches "*RESTORE_FILES*"
        OR TargetFilename matches "*YOUR_FILES*"
        OR TargetFilename matches "*RANSOM*"
        OR TargetFilename matches "*RECOVER_FILES*"
        OR TargetFilename matches "*FILES_ENCRYPTED*"
        OR TargetFilename matches "*HELP_DECRYPT*"
        OR TargetFilename matches "*HOW-TO-DECRYPT*"
        OR TargetFilename matches "*IMPORTANT_READ*"
        OR TargetFilename matches "*RECOVERY_KEY*"
        OR TargetFilename matches "*LOCKED*"
      )
      AND (
        TargetFilename matches "*.txt"
        OR TargetFilename matches "*.html"
        OR TargetFilename matches "*.hta"
        OR TargetFilename matches "*.bmp"
        OR TargetFilename matches "*.jpg"
        OR TargetFilename matches "*.png"
      )
    )
    OR (
      EventID = "1"
      AND Image matches "*\\cmd.exe"
      AND CommandLine matches "*label *:*"
    )
    OR (
      EventID = "1"
      AND (Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe")
      AND (
        CommandLine matches "*SystemParametersInfo*"
        OR CommandLine matches "*SPI_SETDESKWALLPAPER*"
        OR CommandLine matches "*SetWallpaper*"
        OR CommandLine matches "*DesktopWallpaper*"
      )
    )
  )
| if (EventID = "13" AND (TargetObject matches "*Wallpaper*" OR TargetObject matches "*DesktopImage*"), "WallpaperChange",
    if (EventID = "13" AND TargetObject matches "*LockScreen*", "LockScreenChange",
      if (EventID = "13" AND TargetObject matches "*LegalNotice*", "LogonMessageChange",
        if (EventID = "11", "RansomNoteDropped",
          if (EventID = "1" AND Image matches "*\\cmd.exe", "DiskLabelModified", "PSWallpaperSet")
        )
      )
    )
  ) as DefacementType
| table _messagetime, Computer, User, DefacementType, TargetObject, TargetFilename, CommandLine, Image
| sort - _messagetime

critical severity high confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (WinEventLog:Microsoft-Windows-Sysmon/Operational) Winlogbeat forwarding to Sumo Logic HTTP Source

Required Tables

Sumo Logic partitions matching _sourceCategory=*windows* or *sysmon*

False Positives

Automated endpoint provisioning workflows run by non-standard service accounts that create files named README.txt or RESTORE_FILES.html as part of recovery documentation bundled with legitimate backup software installers
Desktop management scripts deployed via RMM tools running under SYSTEM or service account context that set PersonalizationCSP wallpaper keys during device enrollment, where the initiating process binary is not in the exclusion list
Security awareness content management systems that programmatically swap desktop wallpapers as part of simulated phishing campaigns or policy enforcement drills, executing via scheduled tasks or scripting hosts

Google Chronicle / SecOps

yaral

rule internal_defacement_t1491_001 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1491.001 Internal Defacement: registry tampering of wallpaper/lock screen/logon keys from non-standard processes, ransom note file drops, disk volume label changes, and PowerShell SystemParametersInfo wallpaper API calls"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.001"
    mitre_attack_technique_id = "T1491.001"
    severity = "CRITICAL"
    priority = "HIGH"
    false_positives = "GPO/MDM wallpaper policy enforcement, enterprise desktop management tools, IT provisioning scripts using non-standard process contexts"
    version = "1.0"

  events:
    (
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and (
          re.regex($e.target.registry.registry_key, `(?i)Control Panel\\Desktop\\Wallpaper$`)
          or re.regex($e.target.registry.registry_key, `(?i)PersonalizationCSP\\(DesktopImagePath|LockScreenImagePath|DesktopImageStatus|LockScreenImageStatus)$`)
          or re.regex($e.target.registry.registry_key, `(?i)Winlogon\\(LegalNoticeText|LegalNoticeCaption)$`)
        )
        and not re.regex($e.principal.process.file.full_path, `(?i)(explorer|SystemSettings|SystemSettingsBroker|dllhost|winlogon)\.exe$`)
      )
      or
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)(README|DECRYPT|HOW_TO|RESTORE_FILES|YOUR_FILES|RANSOM|RECOVER_FILES|FILES_ENCRYPTED|HELP_DECRYPT|HOW-TO-DECRYPT|IMPORTANT_READ|!!!READ|RECOVERY_KEY|LOCKED)`)
        and re.regex($e.target.file.full_path, `(?i)\.(txt|html|hta|bmp|jpg|png)$`)
      )
      or
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)\blabel\s+[a-zA-Z]:`)
      )
      or
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(SystemParametersInfo|SPI_SETDESKWALLPAPER|SetWallpaper|DesktopWallpaper)`)
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle UDM via Windows Sysmon forwarder Microsoft Defender for Endpoint via Chronicle integration Chronicle Ingestion API with Windows event normalization

Required Tables

UDM Events: REGISTRY_MODIFICATION, FILE_CREATION, PROCESS_LAUNCH

False Positives

MDM solutions (Microsoft Intune, Workspace ONE) applying corporate wallpaper compliance policies trigger REGISTRY_MODIFICATION on PersonalizationCSP keys via svchost.exe or management agent processes not present in the process exclusion regex
GPO-enforced logon banners applied by the Group Policy Client (gpsvc) modifying Winlogon\LegalNoticeText under svchost.exe context, which the exclusion pattern does not cover
Automated backup and recovery suites that store encryption key references in files named RECOVERY_KEY.txt as part of legitimate key escrow or disaster recovery documentation workflows

CrowdStrike LogScale (CQL)

cql

// T1491.001 Internal Defacement - CrowdStrike LogScale
// Select all relevant Falcon event types upfront for efficiency
#event_simpleName in ["RegGenericValueSet", "RegKeyValueSet", "ProcessRollup2", "SyntheticProcessRollup2", "NewExecutableWritten", "ScriptFileWritten"]
| case {
    // Branch 1: Registry defacement - wallpaper, lock screen, logon message keys
    #event_simpleName in ["RegGenericValueSet", "RegKeyValueSet"]
    | TargetPath = /(?i)(Control Panel\\Desktop\\Wallpaper|PersonalizationCSP\\(DesktopImagePath|LockScreenImagePath|DesktopImageStatus|LockScreenImageStatus)|Winlogon\\(LegalNoticeText|LegalNoticeCaption))/
    | ImageFileName != /(?i)(explorer|SystemSettings|SystemSettingsBroker|dllhost|winlogon)\.exe$/
    | DefacementType := "WallpaperOrLogonRegistryChange" ;

    // Branch 2: Ransom note / defacement file creation (script and executable files visible to Falcon)
    #event_simpleName in ["NewExecutableWritten", "ScriptFileWritten"]
    | TargetFileName = /(?i)(README|DECRYPT|HOW_TO|RESTORE_FILES|YOUR_FILES|RANSOM|RECOVER_FILES|FILES_ENCRYPTED|HELP_DECRYPT|HOW-TO-DECRYPT|IMPORTANT_READ|RECOVERY_KEY|LOCKED)/
    | DefacementType := "RansomNoteDropped" ;

    // Branch 3: Disk volume label modification via cmd.exe
    #event_simpleName in ["ProcessRollup2", "SyntheticProcessRollup2"]
    | ImageFileName = /(?i)\\cmd\.exe$/
    | CommandLine = /(?i)\blabel\s+[a-zA-Z]:/
    | DefacementType := "DiskLabelModified" ;

    // Branch 4: PowerShell wallpaper change via SystemParametersInfo Win32 API
    #event_simpleName in ["ProcessRollup2", "SyntheticProcessRollup2"]
    | ImageFileName = /(?i)\\(powershell|pwsh)\.exe$/
    | CommandLine = /(?i)(SystemParametersInfo|SPI_SETDESKWALLPAPER|SetWallpaper|DesktopWallpaper)/
    | DefacementType := "PSWallpaperSet" ;

    // Drop events that match no defacement branch
    * | DefacementType := ""
  }
| DefacementType != ""
| table([_timeparsed, ComputerName, UserName, DefacementType, TargetPath, TargetFileName, CommandLine, ImageFileName, ParentBaseFileName])
| sort(field=_timeparsed, order=desc)

critical severity medium confidence

Data Sources

CrowdStrike Falcon Data Replicator (FDR) via LogScale S3 ingestion or streaming API CrowdStrike LogScale (formerly Humio) with Falcon sensor events

Required Tables

Falcon event types: RegGenericValueSet, RegKeyValueSet, ProcessRollup2, SyntheticProcessRollup2, NewExecutableWritten, ScriptFileWritten

False Positives

Enterprise endpoint management tools (BigFix, Tanium, Kaseya) modifying wallpaper registry keys under their own agent process context will trigger the registry branch when those agent binaries are not excluded
PowerShell-based device provisioning runbooks executing SystemParametersInfo as part of new hire workstation setup or VDI golden image preparation in authorized change windows
Authorized red team or breach-and-attack simulation exercises (AttackIQ, SafeBreach, Cymulate) executing T1491.001 atomic tests against endpoints — cross-reference DefacementType=PSWallpaperSet events against approved change request tickets and pentest scope documentation

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1491.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Internal Defacement

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Impact

Popular Detections