Detect Internal Defacement in CrowdStrike LogScale
Adversaries may deface systems internal to an organization in an attempt to intimidate or mislead users, discrediting the integrity of those systems. This manifests most commonly as ransomware operators setting desktop wallpaper to display ransom notes (Black Basta, BlackCat, Qilin, INC Ransomware, Diavol, RansomHub), dropping ransom note text or HTML files across the filesystem, modifying Windows logon legal notice messages, renaming disk volume labels to attacker contact information (ShrinkLocker), or changing lock screen images. Destructive APT groups such as Lazarus Group and Gamaredon have also used desktop wallpaper replacement to display threatening messages after rendering systems inoperable. Internal defacement occurs late in the attack lifecycle — after primary objectives such as data exfiltration or file encryption have been completed — because it reveals adversary presence and marks the point of no return for the victim.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1491 Defacement
- Sub-technique
- T1491.001 Internal Defacement
- Canonical reference
- https://attack.mitre.org/techniques/T1491/001/
LogScale Detection Query
// T1491.001 Internal Defacement - CrowdStrike LogScale
// Select all relevant Falcon event types upfront for efficiency
#event_simpleName in ["RegGenericValueSet", "RegKeyValueSet", "ProcessRollup2", "SyntheticProcessRollup2", "NewExecutableWritten", "ScriptFileWritten"]
| case {
// Branch 1: Registry defacement - wallpaper, lock screen, logon message keys
#event_simpleName in ["RegGenericValueSet", "RegKeyValueSet"]
| TargetPath = /(?i)(Control Panel\\Desktop\\Wallpaper|PersonalizationCSP\\(DesktopImagePath|LockScreenImagePath|DesktopImageStatus|LockScreenImageStatus)|Winlogon\\(LegalNoticeText|LegalNoticeCaption))/
| ImageFileName != /(?i)(explorer|SystemSettings|SystemSettingsBroker|dllhost|winlogon)\.exe$/
| DefacementType := "WallpaperOrLogonRegistryChange" ;
// Branch 2: Ransom note / defacement file creation (script and executable files visible to Falcon)
#event_simpleName in ["NewExecutableWritten", "ScriptFileWritten"]
| TargetFileName = /(?i)(README|DECRYPT|HOW_TO|RESTORE_FILES|YOUR_FILES|RANSOM|RECOVER_FILES|FILES_ENCRYPTED|HELP_DECRYPT|HOW-TO-DECRYPT|IMPORTANT_READ|RECOVERY_KEY|LOCKED)/
| DefacementType := "RansomNoteDropped" ;
// Branch 3: Disk volume label modification via cmd.exe
#event_simpleName in ["ProcessRollup2", "SyntheticProcessRollup2"]
| ImageFileName = /(?i)\\cmd\.exe$/
| CommandLine = /(?i)\blabel\s+[a-zA-Z]:/
| DefacementType := "DiskLabelModified" ;
// Branch 4: PowerShell wallpaper change via SystemParametersInfo Win32 API
#event_simpleName in ["ProcessRollup2", "SyntheticProcessRollup2"]
| ImageFileName = /(?i)\\(powershell|pwsh)\.exe$/
| CommandLine = /(?i)(SystemParametersInfo|SPI_SETDESKWALLPAPER|SetWallpaper|DesktopWallpaper)/
| DefacementType := "PSWallpaperSet" ;
// Drop events that match no defacement branch
* | DefacementType := ""
}
| DefacementType != ""
| table([_timeparsed, ComputerName, UserName, DefacementType, TargetPath, TargetFileName, CommandLine, ImageFileName, ParentBaseFileName])
| sort(field=_timeparsed, order=desc)CrowdStrike LogScale (Humio) detection query for T1491.001 Internal Defacement using Falcon Data Replicator (FDR) event types. RegGenericValueSet/RegKeyValueSet cover registry-based wallpaper and logon message tampering. NewExecutableWritten/ScriptFileWritten cover ransom notes for script and executable file types. ProcessRollup2/SyntheticProcessRollup2 cover both disk label modification via cmd.exe and PowerShell wallpaper API calls. IMPORTANT COVERAGE GAP: Falcon sensor does not natively emit file creation events for non-executable document or image files (txt, html, bmp, jpg, png); deploy Sysmon alongside Falcon and forward logs to LogScale for complete ransom note coverage of those file types.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise endpoint management tools (BigFix, Tanium, Kaseya) modifying wallpaper registry keys under their own agent process context will trigger the registry branch when those agent binaries are not excluded
- PowerShell-based device provisioning runbooks executing SystemParametersInfo as part of new hire workstation setup or VDI golden image preparation in authorized change windows
- Authorized red team or breach-and-attack simulation exercises (AttackIQ, SafeBreach, Cymulate) executing T1491.001 atomic tests against endpoints — cross-reference DefacementType=PSWallpaperSet events against approved change request tickets and pentest scope documentation
Other platforms for T1491.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set Desktop Wallpaper via Registry to Simulate Ransom Note Display
Expected signal: Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=%TEMP%\ransom_wallpaper.txt, Image=reg.exe. Sysmon EventCode 1: Process Create for reg.exe with CommandLine containing 'Control Panel\Desktop' and '/v Wallpaper'. MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Control Panel\Desktop', RegistryValueName=Wallpaper, InitiatingProcessFileName=reg.exe.
- Test 2Set Desktop Wallpaper via PowerShell SystemParametersInfo API
Expected signal: Sysmon EventCode 1: Process Create for powershell.exe with CommandLine containing 'SystemParametersInfo'. Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper with Details pointing to the test file (SystemParametersInfo updates this registry key). MDE DeviceProcessEvents: ProcessCommandLine contains 'SystemParametersInfo', FileName=powershell.exe.
- Test 3Modify Windows Logon Legal Notice to Simulate Ransom Demand at Login
Expected signal: Sysmon EventCode 13 (two events): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and \LegalNoticeText, Image=reg.exe, User=[current user]. Requires elevation (HKLM write). MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Winlogon', RegistryValueName in (LegalNoticeCaption, LegalNoticeText), InitiatingProcessFileName=reg.exe.
- Test 4Drop Ransom Note Files Across Multiple Directories
Expected signal: Sysmon EventCode 11 (six events): TargetFilename for each README_DECRYPT.txt file created across the six directories, Image=cmd.exe. MDE DeviceFileEvents: ActionType=FileCreated, FileName=README_DECRYPT.txt, InitiatingProcessFileName=cmd.exe, FolderPath showing six different directories. The hunting query (UniqueDirectories > 5) will trigger on this test.
- Test 5Rename Disk Volume Label via CMD (ShrinkLocker Technique)
Expected signal: Sysmon EventCode 1: Process Create for cmd.exe or label.exe (label is a built-in cmd command that may appear as cmd.exe /c label). CommandLine contains 'label C:' and 'ArgusDefacementTest'. MDE DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine matches regex for 'label [drive]:'. Security Event ID 4688 if process creation auditing is enabled.
References (13)
- https://attack.mitre.org/techniques/T1491/001/
- https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire
- https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
- https://www.minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/
- https://blogs.blackberry.com/en/2022/05/black-basta-rebrand-of-conti-or-something-new
- https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- https://securelist.com/shrinklocker-ransomware-tools-and-targets/113108/
- https://www.splunk.com/en_us/blog/security/shrinklocker-ransomware-detection-on-the-radar.html
- https://www.cybereason.com/blog/threat-analysis-inc-ransomware
- https://www.secureworks.com/research/gold-ionic
- https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/
- https://cert.ee/en/2021/01/gamaredon-group-malware-distributed-in-ukraine/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md
Unlock Pro Content
Get the full detection package for T1491.001 including response playbook, investigation guide, and atomic red team tests.