Detect Internal Defacement in Microsoft Sentinel
Adversaries may deface systems internal to an organization in an attempt to intimidate or mislead users, discrediting the integrity of those systems. This manifests most commonly as ransomware operators setting desktop wallpaper to display ransom notes (Black Basta, BlackCat, Qilin, INC Ransomware, Diavol, RansomHub), dropping ransom note text or HTML files across the filesystem, modifying Windows logon legal notice messages, renaming disk volume labels to attacker contact information (ShrinkLocker), or changing lock screen images. Destructive APT groups such as Lazarus Group and Gamaredon have also used desktop wallpaper replacement to display threatening messages after rendering systems inoperable. Internal defacement occurs late in the attack lifecycle — after primary objectives such as data exfiltration or file encryption have been completed — because it reveals adversary presence and marks the point of no return for the victim.
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1491 Defacement
- Sub-technique
- T1491.001 Internal Defacement
- Canonical reference
- https://attack.mitre.org/techniques/T1491/001/
KQL Detection Query
let LegitWallpaperProcs = dynamic(["explorer.exe", "SystemSettings.exe", "SystemSettingsBroker.exe", "dllhost.exe", "winlogon.exe"]);
let RansomNoteKeywords = dynamic(["README", "DECRYPT", "HOW_TO", "RESTORE_FILES", "YOUR_FILES", "RANSOM", "HELP_DECRYPT", "HOW-TO-DECRYPT", "FILES_ENCRYPTED", "RECOVER_FILES", "IMPORTANT_READ", "!!!READ", "RECOVERY_KEY", "LOCKED"]);
// Branch 1: Desktop wallpaper, lock screen, and logon message registry changes from non-standard processes
let WallpaperRegistryChanges = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType == "RegistryValueSet"
| where (RegistryKey has "Control Panel\\Desktop" and RegistryValueName =~ "Wallpaper")
or (RegistryKey has "PersonalizationCSP" and RegistryValueName in~ ("DesktopImagePath", "LockScreenImagePath", "DesktopImageStatus", "LockScreenImageStatus"))
or (RegistryKey has "Winlogon" and RegistryValueName in~ ("LegalNoticeText", "LegalNoticeCaption"))
| where InitiatingProcessFileName !in~ (LegitWallpaperProcs)
| extend DefacementType = case(
RegistryValueName =~ "Wallpaper" or RegistryValueName has "DesktopImage", "WallpaperChange",
RegistryValueName has "LockScreen", "LockScreenChange",
RegistryValueName in~ ("LegalNoticeText", "LegalNoticeCaption"), "LogonMessageChange",
"RegistryDefacement"
)
| extend IndicatorDetail = strcat("Key: ", RegistryKey, " | Value: ", RegistryValueName, " | Data: ", RegistryValueData)
| project Timestamp, DeviceName, InitiatingProcessAccountName, DefacementType, IndicatorDetail,
InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 2: Ransom note and defacement file creation
let RansomNoteCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName has_any (RansomNoteKeywords)
| where FileName endswith ".txt" or FileName endswith ".html" or FileName endswith ".hta"
or FileName endswith ".bmp" or FileName endswith ".jpg" or FileName endswith ".png"
| extend DefacementType = "RansomNoteDropped"
| extend IndicatorDetail = strcat("File: ", FolderPath, "\\", FileName)
| project Timestamp, DeviceName, InitiatingProcessAccountName, DefacementType, IndicatorDetail,
InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 3: Disk volume label modification (ShrinkLocker ransomware pattern)
let DiskLabelChanges = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmd.exe"
| where ProcessCommandLine matches regex @"(?i)\blabel\s+[a-zA-Z]:"
| extend DefacementType = "DiskLabelModified"
| extend IndicatorDetail = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, DefacementType, IndicatorDetail,
InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 4: PowerShell-based wallpaper change via SystemParametersInfo API
let PSWallpaperSet = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("SystemParametersInfo", "SPI_SETDESKWALLPAPER", "SetWallpaper", "DesktopWallpaper")
or (ProcessCommandLine has "0x14" and ProcessCommandLine has "SystemParametersInfo")
| extend DefacementType = "PSWallpaperSet"
| extend IndicatorDetail = ProcessCommandLine
| project Timestamp, DeviceName, AccountName, DefacementType, IndicatorDetail,
InitiatingProcessFileName, InitiatingProcessCommandLine;
union WallpaperRegistryChanges, RansomNoteCreation, DiskLabelChanges, PSWallpaperSet
| sort by Timestamp descMulti-branch detection covering the four primary internal defacement vectors used by ransomware families and destructive APT groups: (1) Registry modifications to desktop wallpaper, lock screen image, and Windows logon legal notice paths from non-standard initiating processes — targeting HKCU\Control Panel\Desktop\Wallpaper, PersonalizationCSP enterprise policy paths, and Winlogon LegalNoticeText/Caption used to display ransom messages at login; (2) Ransom note file creation matching naming conventions of major ransomware families (README, DECRYPT, HOW_TO, RESTORE_FILES, FILES_ENCRYPTED); (3) Disk volume label modification via cmd.exe label command matching the ShrinkLocker technique of setting volume labels to attacker contact email; (4) PowerShell-based wallpaper manipulation via Windows SystemParametersInfo API calls. Each detection branch tags events with a DefacementType field to enable analyst prioritization.
Data Sources
Required Tables
False Positives & Tuning
- Group Policy or Microsoft Intune/MDM solutions deploying corporate desktop wallpaper or compliance logon banners — these originate from gpsvc.exe, deviceenrollmentactivity.exe, or MDM management agents rather than ransomware processes, and occur in batches across many devices simultaneously
- IT administrators manually configuring Windows logon legal notice text via reg.exe or PowerShell for CIS Benchmark, NIST, or STIG compliance requirements — review change tickets and originating workstation (should be a PAW or jump server)
- Disk management during system provisioning, OS imaging, or storage configuration scripts that include volume labeling as part of build automation
- Security or deployment tooling that drops README or documentation files during software installation — these typically originate from msiexec.exe or a known installer process and target software installation directories
Other platforms for T1491.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Set Desktop Wallpaper via Registry to Simulate Ransom Note Display
Expected signal: Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=%TEMP%\ransom_wallpaper.txt, Image=reg.exe. Sysmon EventCode 1: Process Create for reg.exe with CommandLine containing 'Control Panel\Desktop' and '/v Wallpaper'. MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Control Panel\Desktop', RegistryValueName=Wallpaper, InitiatingProcessFileName=reg.exe.
- Test 2Set Desktop Wallpaper via PowerShell SystemParametersInfo API
Expected signal: Sysmon EventCode 1: Process Create for powershell.exe with CommandLine containing 'SystemParametersInfo'. Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper with Details pointing to the test file (SystemParametersInfo updates this registry key). MDE DeviceProcessEvents: ProcessCommandLine contains 'SystemParametersInfo', FileName=powershell.exe.
- Test 3Modify Windows Logon Legal Notice to Simulate Ransom Demand at Login
Expected signal: Sysmon EventCode 13 (two events): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and \LegalNoticeText, Image=reg.exe, User=[current user]. Requires elevation (HKLM write). MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Winlogon', RegistryValueName in (LegalNoticeCaption, LegalNoticeText), InitiatingProcessFileName=reg.exe.
- Test 4Drop Ransom Note Files Across Multiple Directories
Expected signal: Sysmon EventCode 11 (six events): TargetFilename for each README_DECRYPT.txt file created across the six directories, Image=cmd.exe. MDE DeviceFileEvents: ActionType=FileCreated, FileName=README_DECRYPT.txt, InitiatingProcessFileName=cmd.exe, FolderPath showing six different directories. The hunting query (UniqueDirectories > 5) will trigger on this test.
- Test 5Rename Disk Volume Label via CMD (ShrinkLocker Technique)
Expected signal: Sysmon EventCode 1: Process Create for cmd.exe or label.exe (label is a built-in cmd command that may appear as cmd.exe /c label). CommandLine contains 'label C:' and 'ArgusDefacementTest'. MDE DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine matches regex for 'label [drive]:'. Security Event ID 4688 if process creation auditing is enabled.
References (13)
- https://attack.mitre.org/techniques/T1491/001/
- https://www.varonis.com/blog/vmware-esxi-in-the-line-of-ransomware-fire
- https://web.archive.org/web/20160303200515/https:/operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
- https://www.minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/
- https://blogs.blackberry.com/en/2022/05/black-basta-rebrand-of-conti-or-something-new
- https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- https://securelist.com/shrinklocker-ransomware-tools-and-targets/113108/
- https://www.splunk.com/en_us/blog/security/shrinklocker-ransomware-detection-on-the-radar.html
- https://www.cybereason.com/blog/threat-analysis-inc-ransomware
- https://www.secureworks.com/research/gold-ionic
- https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/
- https://cert.ee/en/2021/01/gamaredon-group-malware-distributed-in-ukraine/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md
Unlock Pro Content
Get the full detection package for T1491.001 including response playbook, investigation guide, and atomic red team tests.