T1491.001 Google Chronicle · YARA-L

Detect Internal Defacement in Google Chronicle

Adversaries may deface systems internal to an organization in an attempt to intimidate or mislead users, discrediting the integrity of those systems. This manifests most commonly as ransomware operators setting desktop wallpaper to display ransom notes (Black Basta, BlackCat, Qilin, INC Ransomware, Diavol, RansomHub), dropping ransom note text or HTML files across the filesystem, modifying Windows logon legal notice messages, renaming disk volume labels to attacker contact information (ShrinkLocker), or changing lock screen images. Destructive APT groups such as Lazarus Group and Gamaredon have also used desktop wallpaper replacement to display threatening messages after rendering systems inoperable. Internal defacement occurs late in the attack lifecycle — after primary objectives such as data exfiltration or file encryption have been completed — because it reveals adversary presence and marks the point of no return for the victim.

MITRE ATT&CK

Tactic
Impact
Technique
T1491 Defacement
Sub-technique
T1491.001 Internal Defacement
Canonical reference
https://attack.mitre.org/techniques/T1491/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule internal_defacement_t1491_001 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1491.001 Internal Defacement: registry tampering of wallpaper/lock screen/logon keys from non-standard processes, ransom note file drops, disk volume label changes, and PowerShell SystemParametersInfo wallpaper API calls"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.001"
    mitre_attack_technique_id = "T1491.001"
    severity = "CRITICAL"
    priority = "HIGH"
    false_positives = "GPO/MDM wallpaper policy enforcement, enterprise desktop management tools, IT provisioning scripts using non-standard process contexts"
    version = "1.0"

  events:
    (
      (
        $e.metadata.event_type = "REGISTRY_MODIFICATION"
        and (
          re.regex($e.target.registry.registry_key, `(?i)Control Panel\\Desktop\\Wallpaper$`)
          or re.regex($e.target.registry.registry_key, `(?i)PersonalizationCSP\\(DesktopImagePath|LockScreenImagePath|DesktopImageStatus|LockScreenImageStatus)$`)
          or re.regex($e.target.registry.registry_key, `(?i)Winlogon\\(LegalNoticeText|LegalNoticeCaption)$`)
        )
        and not re.regex($e.principal.process.file.full_path, `(?i)(explorer|SystemSettings|SystemSettingsBroker|dllhost|winlogon)\.exe$`)
      )
      or
      (
        $e.metadata.event_type = "FILE_CREATION"
        and re.regex($e.target.file.full_path, `(?i)(README|DECRYPT|HOW_TO|RESTORE_FILES|YOUR_FILES|RANSOM|RECOVER_FILES|FILES_ENCRYPTED|HELP_DECRYPT|HOW-TO-DECRYPT|IMPORTANT_READ|!!!READ|RECOVERY_KEY|LOCKED)`)
        and re.regex($e.target.file.full_path, `(?i)\.(txt|html|hta|bmp|jpg|png)$`)
      )
      or
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)\blabel\s+[a-zA-Z]:`)
      )
      or
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(SystemParametersInfo|SPI_SETDESKWALLPAPER|SetWallpaper|DesktopWallpaper)`)
      )
    )

  condition:
    $e
}
critical severity high confidence

Chronicle YARA-L 2.0 detection rule for T1491.001 Internal Defacement using UDM event types. REGISTRY_MODIFICATION branch detects wallpaper, lock screen, and logon legal notice key changes from non-standard initiating processes. FILE_CREATION branch detects ransom note drops matching known ransomware filename patterns with document/image extensions. Two PROCESS_LAUNCH branches catch cmd.exe disk label modification and PowerShell SystemParametersInfo wallpaper API calls. All regex patterns use case-insensitive matching via the (?i) flag on YARA-L re.regex() calls.

Data Sources

Google Chronicle UDM via Windows Sysmon forwarderMicrosoft Defender for Endpoint via Chronicle integrationChronicle Ingestion API with Windows event normalization

Required Tables

UDM Events: REGISTRY_MODIFICATION, FILE_CREATION, PROCESS_LAUNCH

False Positives & Tuning

  • MDM solutions (Microsoft Intune, Workspace ONE) applying corporate wallpaper compliance policies trigger REGISTRY_MODIFICATION on PersonalizationCSP keys via svchost.exe or management agent processes not present in the process exclusion regex
  • GPO-enforced logon banners applied by the Group Policy Client (gpsvc) modifying Winlogon\LegalNoticeText under svchost.exe context, which the exclusion pattern does not cover
  • Automated backup and recovery suites that store encryption key references in files named RECOVERY_KEY.txt as part of legitimate key escrow or disaster recovery documentation workflows
Download portable Sigma rule (.yml)

Other platforms for T1491.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Set Desktop Wallpaper via Registry to Simulate Ransom Note Display

    Expected signal: Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=%TEMP%\ransom_wallpaper.txt, Image=reg.exe. Sysmon EventCode 1: Process Create for reg.exe with CommandLine containing 'Control Panel\Desktop' and '/v Wallpaper'. MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Control Panel\Desktop', RegistryValueName=Wallpaper, InitiatingProcessFileName=reg.exe.

  2. Test 2Set Desktop Wallpaper via PowerShell SystemParametersInfo API

    Expected signal: Sysmon EventCode 1: Process Create for powershell.exe with CommandLine containing 'SystemParametersInfo'. Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper with Details pointing to the test file (SystemParametersInfo updates this registry key). MDE DeviceProcessEvents: ProcessCommandLine contains 'SystemParametersInfo', FileName=powershell.exe.

  3. Test 3Modify Windows Logon Legal Notice to Simulate Ransom Demand at Login

    Expected signal: Sysmon EventCode 13 (two events): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and \LegalNoticeText, Image=reg.exe, User=[current user]. Requires elevation (HKLM write). MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Winlogon', RegistryValueName in (LegalNoticeCaption, LegalNoticeText), InitiatingProcessFileName=reg.exe.

  4. Test 4Drop Ransom Note Files Across Multiple Directories

    Expected signal: Sysmon EventCode 11 (six events): TargetFilename for each README_DECRYPT.txt file created across the six directories, Image=cmd.exe. MDE DeviceFileEvents: ActionType=FileCreated, FileName=README_DECRYPT.txt, InitiatingProcessFileName=cmd.exe, FolderPath showing six different directories. The hunting query (UniqueDirectories > 5) will trigger on this test.

  5. Test 5Rename Disk Volume Label via CMD (ShrinkLocker Technique)

    Expected signal: Sysmon EventCode 1: Process Create for cmd.exe or label.exe (label is a built-in cmd command that may appear as cmd.exe /c label). CommandLine contains 'label C:' and 'ArgusDefacementTest'. MDE DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine matches regex for 'label [drive]:'. Security Event ID 4688 if process creation auditing is enabled.

Last updated: 2026-04-13 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1491.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1491Defacement

Related Sub-techniques

T1491.002External Defacement

Related Techniques

T1491DefacementT1491.002External DefacementT1486Data Encrypted for ImpactT1490Inhibit System RecoveryT1489Service StopT1485.001Lifecycle-Triggered DeletionT1561Disk WipeT1561.002Disk Structure WipeT1484.001Group Policy ModificationT1059.001PowerShellT1112Modify Registry

Same Tactic: Impact

Popular Detections