T1491.001 IBM QRadar · QRadar

Detect Internal Defacement in IBM QRadar

Adversaries may deface systems internal to an organization in an attempt to intimidate or mislead users, discrediting the integrity of those systems. This manifests most commonly as ransomware operators setting desktop wallpaper to display ransom notes (Black Basta, BlackCat, Qilin, INC Ransomware, Diavol, RansomHub), dropping ransom note text or HTML files across the filesystem, modifying Windows logon legal notice messages, renaming disk volume labels to attacker contact information (ShrinkLocker), or changing lock screen images. Destructive APT groups such as Lazarus Group and Gamaredon have also used desktop wallpaper replacement to display threatening messages after rendering systems inoperable. Internal defacement occurs late in the attack lifecycle — after primary objectives such as data exfiltration or file encryption have been completed — because it reveals adversary presence and marks the point of no return for the victim.

MITRE ATT&CK

Tactic: Impact
Technique: T1491 Defacement
Sub-technique: T1491.001 Internal Defacement
Canonical reference: https://attack.mitre.org/techniques/T1491/001/

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  devicename AS HostName,
  username AS User,
  CASE
    WHEN eventid = 13 AND ("TargetObject" LIKE '%\\Control Panel\\Desktop\\Wallpaper'
      OR "TargetObject" LIKE '%PersonalizationCSP\\DesktopImagePath'
      OR "TargetObject" LIKE '%PersonalizationCSP\\DesktopImageStatus') THEN 'WallpaperChange'
    WHEN eventid = 13 AND "TargetObject" LIKE '%PersonalizationCSP\\LockScreen%' THEN 'LockScreenChange'
    WHEN eventid = 13 AND "TargetObject" LIKE '%Winlogon\\LegalNotice%' THEN 'LogonMessageChange'
    WHEN eventid = 11 THEN 'RansomNoteDropped'
    WHEN eventid = 1 AND "CommandLine" LIKE '%label %:%' THEN 'DiskLabelModified'
    WHEN eventid = 1 AND ("Image" LIKE '%\\powershell.exe' OR "Image" LIKE '%\\pwsh.exe') THEN 'PSWallpaperSet'
    ELSE 'UnknownDefacement'
  END AS DefacementType,
  "TargetObject" AS RegistryTarget,
  "TargetFilename" AS DroppedFile,
  "CommandLine" AS CommandLine,
  "Image" AS InitiatingProcess
FROM events
WHERE LOGSOURCETYPENAME(devicetype) LIKE '%Windows%'
  AND (
    (
      eventid = 13
      AND (
        "TargetObject" LIKE '%\\Control Panel\\Desktop\\Wallpaper'
        OR "TargetObject" LIKE '%PersonalizationCSP\\DesktopImagePath'
        OR "TargetObject" LIKE '%PersonalizationCSP\\LockScreenImagePath'
        OR "TargetObject" LIKE '%PersonalizationCSP\\DesktopImageStatus'
        OR "TargetObject" LIKE '%PersonalizationCSP\\LockScreenImageStatus'
        OR "TargetObject" LIKE '%Winlogon\\LegalNoticeText'
        OR "TargetObject" LIKE '%Winlogon\\LegalNoticeCaption'
      )
      AND "Image" NOT LIKE '%\\explorer.exe'
      AND "Image" NOT LIKE '%\\SystemSettings.exe'
      AND "Image" NOT LIKE '%\\SystemSettingsBroker.exe'
      AND "Image" NOT LIKE '%\\dllhost.exe'
      AND "Image" NOT LIKE '%\\winlogon.exe'
    )
    OR (
      eventid = 11
      AND (
        "TargetFilename" LIKE '%README%'
        OR "TargetFilename" LIKE '%DECRYPT%'
        OR "TargetFilename" LIKE '%HOW_TO%'
        OR "TargetFilename" LIKE '%RESTORE_FILES%'
        OR "TargetFilename" LIKE '%YOUR_FILES%'
        OR "TargetFilename" LIKE '%RANSOM%'
        OR "TargetFilename" LIKE '%RECOVER_FILES%'
        OR "TargetFilename" LIKE '%FILES_ENCRYPTED%'
        OR "TargetFilename" LIKE '%HELP_DECRYPT%'
        OR "TargetFilename" LIKE '%HOW-TO-DECRYPT%'
        OR "TargetFilename" LIKE '%IMPORTANT_READ%'
      )
      AND (
        "TargetFilename" LIKE '%.txt'
        OR "TargetFilename" LIKE '%.html'
        OR "TargetFilename" LIKE '%.hta'
        OR "TargetFilename" LIKE '%.bmp'
        OR "TargetFilename" LIKE '%.jpg'
        OR "TargetFilename" LIKE '%.png'
      )
    )
    OR (
      eventid = 1
      AND "Image" LIKE '%\\cmd.exe'
      AND "CommandLine" LIKE '%label %:%'
    )
    OR (
      eventid = 1
      AND ("Image" LIKE '%\\powershell.exe' OR "Image" LIKE '%\\pwsh.exe')
      AND (
        "CommandLine" LIKE '%SystemParametersInfo%'
        OR "CommandLine" LIKE '%SPI_SETDESKWALLPAPER%'
        OR "CommandLine" LIKE '%SetWallpaper%'
        OR "CommandLine" LIKE '%DesktopWallpaper%'
      )
    )
  )
LAST 24 HOURS
Severity: critical. Confidence: high.

QRadar AQL query detecting T1491.001 Internal Defacement via Windows Sysmon events. It covers Sysmon EventID 13 (registry value set) for wallpaper, lock screen and logon message tampering, EventID 11 (file create) for ransom note drops, and EventID 1 (process create) for disk label modification and PowerShell wallpaper API calls. It requires the Sysmon DSM, or the Windows Security DSM receiving forwarded Sysmon events, with the custom properties TargetObject, TargetFilename, Image, and CommandLine defined in the QRadar DSM editor and mapped to the corresponding Sysmon XML payload nodes; without those properties the predicates have nothing to match against.

Data Sources

  • Microsoft Windows Security Event Log (QRadar DSM)
  • Sysmon via Windows Event Log forwarding to QRadar

Required Tables

events

False Positives & Tuning

  • Group Policy enforcement applying Winlogon LegalNoticeText or LegalNoticeCaption banner updates via gpupdate.exe or the Group Policy Client service (gpsvc.dll) hosted in svchost.exe, which may not appear in the exclusion list
  • Software deployment agents (Intune Management Extension, SCCM client) modifying PersonalizationCSP registry keys as part of device compliance enforcement, running under trusted but non-excluded process contexts
  • Corporate IT provisioning scripts run under service accounts that set wallpaper registry keys during device imaging — especially common in VDI environments using non-standard provisioning frameworks
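To check the query's predicate logic and the tuning list above without a QRadar instance, here is an added Python model (our own example, not QRadar, Sysmon or this page's code). It parses constructed Sysmon event XML payloads into the four fields the custom properties must carry, applies the same EventID, TargetObject, TargetFilename, Image and CommandLine conditions as the AQL WHERE and CASE clauses, and tries the tuning section's extra process exclusions as a second allowlist. The Intune and SCCM agent image names, the sample host names and paths, and the UniqueDirectories aggregation are assumptions labelled in the code.

```python
"""Offline model of the page's QRadar AQL defacement query (a constructed example,
not QRadar code): parse Sysmon event XML into the four custom-property fields,
apply the AQL WHERE/CASE predicates, and try the tuning section's extra exclusions."""
import ntpath
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event XML

def parse_sysmon(xml_text):
    """EventID, Computer and every EventData field from one Sysmon payload."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS)),
          "Computer": root.findtext("e:System/e:Computer", default="", namespaces=NS)}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev

def like(value, pattern):
    """SQL LIKE with '%' wildcards; case-sensitive as AQL LIKE is (ILIKE is the
    case-insensitive form). Patterns below use single backslashes."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value or "", re.DOTALL) is not None

REG_PATTERNS = [  # registry targets from the query, in CASE order (first match wins)
    ("WallpaperChange", [r"%\Control Panel\Desktop\Wallpaper",
                         r"%PersonalizationCSP\DesktopImagePath",
                         r"%PersonalizationCSP\DesktopImageStatus"]),
    ("LockScreenChange", [r"%PersonalizationCSP\LockScreenImagePath",
                          r"%PersonalizationCSP\LockScreenImageStatus"]),
    ("LogonMessageChange", [r"%Winlogon\LegalNoticeText", r"%Winlogon\LegalNoticeCaption"]),
]
NOTE_NAMES = ["%README%", "%DECRYPT%", "%HOW_TO%", "%RESTORE_FILES%", "%YOUR_FILES%",
              "%RANSOM%", "%RECOVER_FILES%", "%FILES_ENCRYPTED%", "%HELP_DECRYPT%",
              "%HOW-TO-DECRYPT%", "%IMPORTANT_READ%"]
NOTE_EXTS = ["%.txt", "%.html", "%.hta", "%.bmp", "%.jpg", "%.png"]
PS_MARKERS = ["%SystemParametersInfo%", "%SPI_SETDESKWALLPAPER%", "%SetWallpaper%", "%DesktopWallpaper%"]
PAGE_ALLOWLIST = [r"%\explorer.exe", r"%\SystemSettings.exe", r"%\SystemSettingsBroker.exe",
                  r"%\dllhost.exe", r"%\winlogon.exe"]  # the query's own NOT LIKE exclusions
# Tuning-section additions. Intune/SCCM agent image names are assumptions; verify them in
# your telemetry. svchost.exe is a coarse entry, since EventID 13 carries no service name.
TUNED_ALLOWLIST = PAGE_ALLOWLIST + [r"%\gpupdate.exe", r"%\svchost.exe", r"%\CcmExec.exe",
                                    r"%\Microsoft.Management.Services.IntuneWindowsAgent.exe"]

def classify(ev, allowlist=PAGE_ALLOWLIST):
    """DefacementType the AQL CASE would emit, or None if the WHERE clause drops it."""
    eid, image, cmd = ev["EventID"], ev.get("Image", ""), ev.get("CommandLine", "")
    if eid == 13 and not any(like(image, p) for p in allowlist):
        for label, pats in REG_PATTERNS:
            if any(like(ev.get("TargetObject", ""), p) for p in pats):
                return label
    elif eid == 11:
        name = ev.get("TargetFilename", "")
        if any(like(name, p) for p in NOTE_NAMES) and any(like(name, p) for p in NOTE_EXTS):
            return "RansomNoteDropped"
    elif eid == 1:
        if like(image, r"%\cmd.exe") and like(cmd, "%label %:%"):
            return "DiskLabelModified"
        if (like(image, r"%\powershell.exe") or like(image, r"%\pwsh.exe")) and any(
                like(cmd, p) for p in PS_MARKERS):
            return "PSWallpaperSet"
    return None

def note_spread(events, threshold=5):
    """Hosts whose ransom-note creates span more than `threshold` directories. The page
    only says its hunting query fires on UniqueDirectories > 5; this is our reconstruction."""
    dirs = defaultdict(set)
    for ev in events:
        if classify(ev) == "RansomNoteDropped":
            dirs[ev["Computer"]].add(ntpath.dirname(ev["TargetFilename"]))
    return sorted(host for host, d in dirs.items() if len(d) > threshold)

def sysmon_xml(event_id, computer, **data):
    """Build a minimal Sysmon payload (constructed sample data, not captured logs)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{body}</EventData></Event>')

S32 = r"C:\Windows\System32"
SAMPLE = [  # constructed events mirroring the page's Atomic tests, plus benign noise
    sysmon_xml(13, "WS01", Image=S32 + r"\reg.exe",
               TargetObject=r"HKU\S-1-5-21-1-1001\Control Panel\Desktop\Wallpaper"),
    sysmon_xml(13, "WS01", Image=r"C:\Windows\explorer.exe",  # user picked a wallpaper
               TargetObject=r"HKU\S-1-5-21-1-1001\Control Panel\Desktop\Wallpaper"),
    sysmon_xml(13, "WS02", Image=S32 + r"\svchost.exe",  # GPO logon banner via gpsvc
               TargetObject=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText"),
    sysmon_xml(1, "WS01", Image=S32 + r"\cmd.exe", CommandLine="cmd.exe /c label C: ArgusDefacementTest"),
    sysmon_xml(1, "WS01", Image=S32 + r"\WindowsPowerShell\v1.0\powershell.exe",
               CommandLine="powershell.exe -c [Wallpaper]::SystemParametersInfo(...)"),
] + [sysmon_xml(11, "WS01", Image=S32 + r"\cmd.exe",
                TargetFilename=ntpath.join(r"C:\Users\a", d, "README_DECRYPT.txt"))
     for d in ("Desktop", "Documents", "Downloads", "Pictures", "Music", "Videos")]

def run(payloads=SAMPLE, allowlist=PAGE_ALLOWLIST):
    """(Computer, DefacementType) for each reported event, plus note_spread() hosts."""
    events = [parse_sysmon(x) for x in payloads]
    hits = [(ev["Computer"], classify(ev, allowlist)) for ev in events]
    return [h for h in hits if h[1] is not None], note_spread(events)
```

Running `run()` reports the reg.exe wallpaper write, the svchost.exe logon banner write, the label and PowerShell process creates and the six ransom-note creates, while the explorer.exe wallpaper write is dropped by the query's exclusions; `run(allowlist=TUNED_ALLOWLIST)` additionally drops the svchost.exe event, which is the Group Policy false positive the tuning list describes. Because `like` is case-sensitive, as AQL LIKE is, a note named `readme_decrypt.txt` would slip past the name patterns; switching the AQL to ILIKE closes that gap.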

Testing Methodology

Validate this detection against the 5 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Set Desktop Wallpaper via Registry to Simulate Ransom Note Display

    Expected signal: Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=%TEMP%\ransom_wallpaper.txt, Image=reg.exe. Sysmon EventCode 1: Process Create for reg.exe with CommandLine containing 'Control Panel\Desktop' and '/v Wallpaper'. MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Control Panel\Desktop', RegistryValueName=Wallpaper, InitiatingProcessFileName=reg.exe.

  2. Test 2: Set Desktop Wallpaper via PowerShell SystemParametersInfo API

    Expected signal: Sysmon EventCode 1: Process Create for powershell.exe with CommandLine containing 'SystemParametersInfo'. Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper with Details pointing to the test file (SystemParametersInfo updates this registry key). MDE DeviceProcessEvents: ProcessCommandLine contains 'SystemParametersInfo', FileName=powershell.exe.

  3. Test 3: Modify Windows Logon Legal Notice to Simulate Ransom Demand at Login

    Expected signal: Sysmon EventCode 13 (two events): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and \LegalNoticeText, Image=reg.exe, User=[current user]. Requires elevation (HKLM write). MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Winlogon', RegistryValueName in (LegalNoticeCaption, LegalNoticeText), InitiatingProcessFileName=reg.exe.

  4. Test 4: Drop Ransom Note Files Across Multiple Directories

    Expected signal: Sysmon EventCode 11 (six events): TargetFilename for each README_DECRYPT.txt file created across the six directories, Image=cmd.exe. MDE DeviceFileEvents: ActionType=FileCreated, FileName=README_DECRYPT.txt, InitiatingProcessFileName=cmd.exe, FolderPath showing six different directories. The hunting query (UniqueDirectories > 5) will trigger on this test.

  5. Test 5: Rename Disk Volume Label via CMD (ShrinkLocker Technique)

    Expected signal: Sysmon EventCode 1: Process Create for cmd.exe or label.exe (label is a built-in cmd command that may appear as cmd.exe /c label). CommandLine contains 'label C:' and 'ArgusDefacementTest'. MDE DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine matches regex for 'label [drive]:'. Security Event ID 4688 if process creation auditing is enabled.
