Detect Internal Defacement in Elastic Security
Adversaries may deface systems internal to an organization in an attempt to intimidate or mislead users, discrediting the integrity of those systems. This manifests most commonly as ransomware operators setting desktop wallpaper to display ransom notes (Black Basta, BlackCat, Qilin, INC Ransomware, Diavol, RansomHub), dropping ransom note text or HTML files across the filesystem, modifying Windows logon legal notice messages, renaming disk volume labels to attacker contact information (ShrinkLocker), or changing lock screen images. Destructive APT groups such as Lazarus Group and Gamaredon have also used desktop wallpaper replacement to display threatening messages after rendering systems inoperable. Internal defacement occurs late in the attack lifecycle — after primary objectives such as data exfiltration or file encryption have been completed — because it reveals adversary presence and marks the point of no return for the victim.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1491 Defacement
- Sub-technique
- T1491.001 Internal Defacement
- Canonical reference
- https://attack.mitre.org/techniques/T1491/001/
Elastic Detection Query
any where
(
(
event.category == "registry" and event.type == "change" and
(
registry.path like "*\\Control Panel\\Desktop\\Wallpaper" or
registry.path like "*\\PersonalizationCSP\\DesktopImagePath" or
registry.path like "*\\PersonalizationCSP\\LockScreenImagePath" or
registry.path like "*\\PersonalizationCSP\\DesktopImageStatus" or
registry.path like "*\\PersonalizationCSP\\LockScreenImageStatus" or
registry.path like "*\\Winlogon\\LegalNoticeText" or
registry.path like "*\\Winlogon\\LegalNoticeCaption"
) and
not process.name in~ ("explorer.exe", "SystemSettings.exe", "SystemSettingsBroker.exe", "dllhost.exe", "winlogon.exe")
) or
(
event.category == "file" and event.type == "creation" and
(
file.name like~ "*README*" or file.name like~ "*DECRYPT*" or
file.name like~ "*HOW_TO*" or file.name like~ "*RESTORE_FILES*" or
file.name like~ "*YOUR_FILES*" or file.name like~ "*RANSOM*" or
file.name like~ "*RECOVER_FILES*" or file.name like~ "*FILES_ENCRYPTED*" or
file.name like~ "*HELP_DECRYPT*" or file.name like~ "*HOW-TO-DECRYPT*" or
file.name like~ "*IMPORTANT_READ*" or file.name like~ "*!!!READ*" or
file.name like~ "*RECOVERY_KEY*" or file.name like~ "*LOCKED*"
) and
file.extension in~ ("txt", "html", "hta", "bmp", "jpg", "png")
) or
(
event.category == "process" and event.type == "start" and
process.name like~ "cmd.exe" and
process.command_line like~ "*label *:*"
) or
(
event.category == "process" and event.type == "start" and
process.name in~ ("powershell.exe", "pwsh.exe") and
(
process.command_line like~ "*SystemParametersInfo*" or
process.command_line like~ "*SPI_SETDESKWALLPAPER*" or
process.command_line like~ "*SetWallpaper*" or
process.command_line like~ "*DesktopWallpaper*"
)
)
)Detects T1491.001 Internal Defacement across four behavioral branches using Elastic ECS fields: (1) registry modifications to wallpaper, lock screen, or Windows logon legal notice keys from non-standard initiating processes; (2) ransom note or defacement file creation matching ransomware naming conventions with targeted extensions; (3) disk volume label modification via cmd.exe label command; (4) PowerShell-based wallpaper change via SystemParametersInfo Win32 API. Requires Elastic Endpoint Security or Winlogbeat with Sysmon forwarding.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise desktop management tools such as SCCM or Microsoft Intune applying GPO-enforced corporate wallpapers or legal notice banners via PersonalizationCSP or Winlogon registry keys using service or deployment agent processes not in the exclusion list
- IT helpdesk or remote management agents (ConnectWise, Kaseya, NinjaRMM) running PowerShell provisioning scripts that set branded wallpapers using SystemParametersInfo as part of onboarding automation
- Security awareness training platforms or authorized red team exercises using ransomware simulation toolkits that create files named README_DECRYPT or HOW_TO_RESTORE as benign test artifacts
Other platforms for T1491.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set Desktop Wallpaper via Registry to Simulate Ransom Note Display
Expected signal: Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=%TEMP%\ransom_wallpaper.txt, Image=reg.exe. Sysmon EventCode 1: Process Create for reg.exe with CommandLine containing 'Control Panel\Desktop' and '/v Wallpaper'. MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Control Panel\Desktop', RegistryValueName=Wallpaper, InitiatingProcessFileName=reg.exe.
- Test 2Set Desktop Wallpaper via PowerShell SystemParametersInfo API
Expected signal: Sysmon EventCode 1: Process Create for powershell.exe with CommandLine containing 'SystemParametersInfo'. Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper with Details pointing to the test file (SystemParametersInfo updates this registry key). MDE DeviceProcessEvents: ProcessCommandLine contains 'SystemParametersInfo', FileName=powershell.exe.
- Test 3Modify Windows Logon Legal Notice to Simulate Ransom Demand at Login
Expected signal: Sysmon EventCode 13 (two events): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and \LegalNoticeText, Image=reg.exe, User=[current user]. Requires elevation (HKLM write). MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Winlogon', RegistryValueName in (LegalNoticeCaption, LegalNoticeText), InitiatingProcessFileName=reg.exe.
- Test 4Drop Ransom Note Files Across Multiple Directories
Expected signal: Sysmon EventCode 11 (six events): TargetFilename for each README_DECRYPT.txt file created across the six directories, Image=cmd.exe. MDE DeviceFileEvents: ActionType=FileCreated, FileName=README_DECRYPT.txt, InitiatingProcessFileName=cmd.exe, FolderPath showing six different directories. The hunting query (UniqueDirectories > 5) will trigger on this test.
- Test 5Rename Disk Volume Label via CMD (ShrinkLocker Technique)
Expected signal: Sysmon EventCode 1: Process Create for cmd.exe or label.exe (label is a built-in cmd command that may appear as cmd.exe /c label). CommandLine contains 'label C:' and 'ArgusDefacementTest'. MDE DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine matches regex for 'label [drive]:'. Security Event ID 4688 if process creation auditing is enabled.
References (13)
- https://attack.mitre.org/techniques/T1491/001/
- https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire
- https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
- https://www.minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/
- https://blogs.blackberry.com/en/2022/05/black-basta-rebrand-of-conti-or-something-new
- https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- https://securelist.com/shrinklocker-ransomware-tools-and-targets/113108/
- https://www.splunk.com/en_us/blog/security/shrinklocker-ransomware-detection-on-the-radar.html
- https://www.cybereason.com/blog/threat-analysis-inc-ransomware
- https://www.secureworks.com/research/gold-ionic
- https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/
- https://cert.ee/en/2021/01/gamaredon-group-malware-distributed-in-ukraine/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md
Unlock Pro Content
Get the full detection package for T1491.001 including response playbook, investigation guide, and atomic red team tests.