Detect Internal Defacement in Splunk
Adversaries may deface systems internal to an organization in an attempt to intimidate or mislead users, discrediting the integrity of those systems. This manifests most commonly as ransomware operators setting desktop wallpaper to display ransom notes (Black Basta, BlackCat, Qilin, INC Ransomware, Diavol, RansomHub), dropping ransom note text or HTML files across the filesystem, modifying Windows logon legal notice messages, renaming disk volume labels to attacker contact information (ShrinkLocker), or changing lock screen images. Destructive APT groups such as Lazarus Group and Gamaredon have also used desktop wallpaper replacement to display threatening messages after rendering systems inoperable. Internal defacement occurs late in the attack lifecycle — after primary objectives such as data exfiltration or file encryption have been completed — because it reveals adversary presence and marks the point of no return for the victim.
MITRE ATT&CK
- Tactic: Impact
- Technique: T1491 Defacement
- Sub-technique: T1491.001 Internal Defacement
- Canonical reference: https://attack.mitre.org/techniques/T1491/001/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
(
(EventCode=13
(TargetObject="*\\Control Panel\\Desktop\\Wallpaper"
OR TargetObject="*\\PersonalizationCSP\\DesktopImagePath"
OR TargetObject="*\\PersonalizationCSP\\LockScreenImagePath"
OR TargetObject="*\\PersonalizationCSP\\DesktopImageStatus"
OR TargetObject="*\\Winlogon\\LegalNoticeText"
OR TargetObject="*\\Winlogon\\LegalNoticeCaption"))
OR
(EventCode=11
(TargetFilename="*README*" OR TargetFilename="*DECRYPT*" OR TargetFilename="*HOW_TO*"
OR TargetFilename="*RESTORE_FILES*" OR TargetFilename="*YOUR_FILES*"
OR TargetFilename="*RANSOM*" OR TargetFilename="*RECOVER_FILES*"
OR TargetFilename="*FILES_ENCRYPTED*" OR TargetFilename="*HELP_DECRYPT*"
OR TargetFilename="*HOW-TO-DECRYPT*" OR TargetFilename="*IMPORTANT_READ*")
(TargetFilename="*.txt" OR TargetFilename="*.html" OR TargetFilename="*.hta"
OR TargetFilename="*.bmp" OR TargetFilename="*.jpg" OR TargetFilename="*.png"))
OR
(EventCode=1
(Image="*\\cmd.exe")
CommandLine="*label *:*")
OR
(EventCode=1
(Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
(CommandLine="*SystemParametersInfo*" OR CommandLine="*SPI_SETDESKWALLPAPER*"
OR CommandLine="*SetWallpaper*" OR CommandLine="*DesktopWallpaper*"))
)
| eval DefacementType=case(
EventCode=13 AND match(TargetObject, "(?i)(Wallpaper|DesktopImagePath|DesktopImageStatus)"), "WallpaperChange",
EventCode=13 AND match(TargetObject, "(?i)(LockScreen)"), "LockScreenChange",
EventCode=13 AND match(TargetObject, "(?i)(LegalNotice)"), "LogonMessageChange",
EventCode=11, "RansomNoteDropped",
EventCode=1 AND match(CommandLine, "(?i)label\s+[a-zA-Z]:"), "DiskLabelModified",
EventCode=1 AND (match(Image, "(?i)(powershell|pwsh)") OR match(CommandLine, "(?i)(SystemParametersInfo|SetWallpaper|DesktopWallpaper)")), "PSWallpaperSet",
true(), "Defacement"
)
| eval IndicatorValue=coalesce(TargetObject, TargetFilename, CommandLine, "-")
| eval InitiatingProcess=coalesce(Image, "-")
| eval NotLegitProc=if(match(Image, "(?i)(explorer|SystemSettings|SystemSettingsBroker|dllhost|winlogon)"), 0, 1)
| where DefacementType != "Defacement"
| where EventCode != 13 OR NotLegitProc=1
| table _time, host, User, DefacementType, IndicatorValue, InitiatingProcess, CommandLine
| sort - _time
Multi-vector internal defacement detection using Sysmon event logs covering three primary signals: (1) Registry value set events (EventCode 13) monitoring wallpaper, lock screen, and Windows logon message registry keys — the mechanism used by Black Basta, BlackCat, Qilin, INC Ransomware, and Diavol to display ransom notes; (2) File creation events (EventCode 11) matching ransom note naming patterns (README, DECRYPT, HOW_TO, RESTORE_FILES) with common text and image extensions used by ransomware to leave payment instructions in every directory; (3) Process creation events (EventCode 1) for disk volume label commands (ShrinkLocker email-labeling technique) and PowerShell-based wallpaper changes via the SystemParametersInfo API. Registry changes are filtered to exclude standard Windows wallpaper-setting processes to reduce false positives from legitimate personalization.
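As an added example (not part of the original detection content), the query's classification and tuning logic re-implemented in Python and run over constructed Sysmon events, so you can see which events survive the search terms, the case() branches and the NotLegitProc filter; field names mirror the SPL, and every path, user and value is made up.

```python
import re

REG_TARGETS = re.compile(r"\\(Control Panel\\Desktop\\Wallpaper|PersonalizationCSP\\(DesktopImagePath|"
                         r"LockScreenImagePath|DesktopImageStatus)|Winlogon\\LegalNotice(Text|Caption))$", re.I)
NOTE_NAMES = re.compile(r"README|DECRYPT|HOW_TO|RESTORE_FILES|YOUR_FILES|RANSOM|RECOVER_FILES|"
                        r"FILES_ENCRYPTED|HELP_DECRYPT|HOW-TO-DECRYPT|IMPORTANT_READ", re.I)
NOTE_EXTS = re.compile(r"\.(txt|html|hta|bmp|jpg|png)$", re.I)
PS_WALLPAPER = re.compile(r"SystemParametersInfo|SPI_SETDESKWALLPAPER|SetWallpaper|DesktopWallpaper", re.I)
LEGIT_PROCS = re.compile(r"explorer|SystemSettings|SystemSettingsBroker|dllhost|winlogon", re.I)  # NotLegitProc=0

def classify(ev):
    """DefacementType the query assigns to one Sysmon event, or None if its search terms or filters drop it."""
    code, image = ev.get("EventCode"), ev.get("Image", "")
    if code == 13:
        target = ev.get("TargetObject", "")
        # Only the listed registry values count, and the built-in personalization processes are tuned out.
        if not REG_TARGETS.search(target) or LEGIT_PROCS.search(image):
            return None
        if re.search(r"Wallpaper|DesktopImagePath|DesktopImageStatus", target, re.I):
            return "WallpaperChange"
        return "LockScreenChange" if re.search(r"LockScreen", target, re.I) else "LogonMessageChange"
    if code == 11:  # no process filter on file creates: any matching name plus extension is flagged
        name = ev.get("TargetFilename", "")
        return "RansomNoteDropped" if NOTE_NAMES.search(name) and NOTE_EXTS.search(name) else None
    if code == 1:
        cmd = ev.get("CommandLine", "")
        # The search wildcard "*label *:*" is looser than this regex; a line matching only the wildcard becomes "Defacement" and is dropped.
        if image.lower().endswith("\\cmd.exe") and re.search(r"label\s+[a-zA-Z]:", cmd, re.I):
            return "DiskLabelModified"
        if re.search(r"\\(powershell|pwsh)\.exe$", image, re.I) and PS_WALLPAPER.search(cmd):
            return "PSWallpaperSet"
    return None

def run_detection(events):
    """Rows the query's table would emit: (DefacementType, IndicatorValue, InitiatingProcess) per surviving event."""
    return [(kind, ev.get("TargetObject") or ev.get("TargetFilename") or ev.get("CommandLine") or "-", ev["Image"])
            for ev in events if (kind := classify(ev))]

# Constructed Sysmon events (made-up paths and values): one per case() branch plus two tuning cases.
REG, CMD, EXPLORER = r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventCode": 13, "Image": REG, "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper"},
    {"EventCode": 13, "Image": EXPLORER, "TargetObject": r"HKU\S-1-5-21-1\Control Panel\Desktop\Wallpaper"},  # tuned out
    {"EventCode": 13, "Image": REG, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText"},
    {"EventCode": 11, "Image": CMD, "TargetFilename": r"C:\Users\alice\Documents\README_DECRYPT.txt"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\msiexec.exe", "TargetFilename": r"C:\Program Files\ExampleTool\README.txt"},  # FP
    {"EventCode": 1, "Image": CMD, "CommandLine": "cmd.exe /c label C: DEFACE_TEST"},
    {"EventCode": 1, "Image": PS, "CommandLine": "powershell.exe -Command <snipped> SystemParametersInfo <snipped>"},
]
```

Like the SPL's match(Image, ...), LEGIT_PROCS tests the full image path rather than the file name; anchoring it to the executable name (for example `\\(explorer|dllhost|winlogon)\.exe$`) makes the tuning stricter.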
False Positives & Tuning
- Group Policy applying corporate wallpaper or logon banners via gpsvc.exe — registry changes appear from SYSTEM context and match affected policy registry paths; correlate with Event ID 5136 in Security log for authorized GPO changes
- IT administrators setting LegalNoticeText/Caption for compliance baselines using reg.exe or PowerShell from a known administrative workstation — review against change management records
- Software installers creating README or documentation files during package installation — typically originate from msiexec.exe, setup.exe, or a known installer image path targeting program directory subdirectories
- Disk provisioning or storage automation scripts labeling volumes during system build — should be traceable to an approved provisioning account and imaging workflow timeframe
Testing Methodology
Validate this detection with 5 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Set Desktop Wallpaper via Registry to Simulate Ransom Note Display
  Expected signal: Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=%TEMP%\ransom_wallpaper.txt, Image=reg.exe. Sysmon EventCode 1: Process Create for reg.exe with CommandLine containing 'Control Panel\Desktop' and '/v Wallpaper'. MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Control Panel\Desktop', RegistryValueName=Wallpaper, InitiatingProcessFileName=reg.exe.
- Test 2: Set Desktop Wallpaper via PowerShell SystemParametersInfo API
  Expected signal: Sysmon EventCode 1: Process Create for powershell.exe with CommandLine containing 'SystemParametersInfo'. Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper with Details pointing to the test file (SystemParametersInfo updates this registry key). MDE DeviceProcessEvents: ProcessCommandLine contains 'SystemParametersInfo', FileName=powershell.exe.
- Test 3: Modify Windows Logon Legal Notice to Simulate Ransom Demand at Login
  Expected signal: Sysmon EventCode 13 (two events): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and \LegalNoticeText, Image=reg.exe, User=[current user]. Requires elevation (HKLM write). MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Winlogon', RegistryValueName in (LegalNoticeCaption, LegalNoticeText), InitiatingProcessFileName=reg.exe.
- Test 4: Drop Ransom Note Files Across Multiple Directories
  Expected signal: Sysmon EventCode 11 (six events): TargetFilename for each README_DECRYPT.txt file created across the six directories, Image=cmd.exe. MDE DeviceFileEvents: ActionType=FileCreated, FileName=README_DECRYPT.txt, InitiatingProcessFileName=cmd.exe, FolderPath showing six different directories. The hunting query (UniqueDirectories > 5) will trigger on this test.
- Test 5: Rename Disk Volume Label via CMD (ShrinkLocker Technique)
  Expected signal: Sysmon EventCode 1: Process Create for cmd.exe or label.exe (label is a built-in cmd command that may appear as cmd.exe /c label). CommandLine contains 'label C:' and 'ArgusDefacementTest'. MDE DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine matches regex for 'label [drive]:'. Security Event ID 4688 if process creation auditing is enabled.