T1491.001 Sumo Logic CSE · Sumo

Detect Internal Defacement in Sumo Logic CSE

Adversaries may deface systems internal to an organization in an attempt to intimidate or mislead users, discrediting the integrity of those systems. This manifests most commonly as ransomware operators setting desktop wallpaper to display ransom notes (Black Basta, BlackCat, Qilin, INC Ransomware, Diavol, RansomHub), dropping ransom note text or HTML files across the filesystem, modifying Windows logon legal notice messages, renaming disk volume labels to attacker contact information (ShrinkLocker), or changing lock screen images. Destructive APT groups such as Lazarus Group and Gamaredon have also used desktop wallpaper replacement to display threatening messages after rendering systems inoperable. Internal defacement occurs late in the attack lifecycle — after primary objectives such as data exfiltration or file encryption have been completed — because it reveals adversary presence and marks the point of no return for the victim.

MITRE ATT&CK

Tactic
Impact
Technique
T1491 Defacement
Sub-technique
T1491.001 Internal Defacement
Canonical reference
https://attack.mitre.org/techniques/T1491/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| parse regex "<EventID>(?P<EventID>\d+)<" nodrop
| parse regex "<TargetObject>(?P<TargetObject>[^<]+)<" nodrop
| parse regex "<TargetFilename>(?P<TargetFilename>[^<]+)<" nodrop
| parse regex "<CommandLine>(?P<CommandLine>[^<]+)<" nodrop
| parse regex "<Image>(?P<Image>[^<]+)<" nodrop
| parse regex "<User>(?P<User>[^<]+)<" nodrop
| parse regex "<Computer>(?P<Computer>[^<]+)<" nodrop
| where (
    (
      EventID = "13"
      AND (
        TargetObject matches "*\\Control Panel\\Desktop\\Wallpaper*"
        OR TargetObject matches "*PersonalizationCSP\\DesktopImagePath*"
        OR TargetObject matches "*PersonalizationCSP\\LockScreenImagePath*"
        OR TargetObject matches "*PersonalizationCSP\\DesktopImageStatus*"
        OR TargetObject matches "*PersonalizationCSP\\LockScreenImageStatus*"
        OR TargetObject matches "*Winlogon\\LegalNoticeText*"
        OR TargetObject matches "*Winlogon\\LegalNoticeCaption*"
      )
      AND NOT (
        Image matches "*\\explorer.exe"
        OR Image matches "*\\SystemSettings.exe"
        OR Image matches "*\\SystemSettingsBroker.exe"
        OR Image matches "*\\dllhost.exe"
        OR Image matches "*\\winlogon.exe"
      )
    )
    OR (
      EventID = "11"
      AND (
        TargetFilename matches "*README*"
        OR TargetFilename matches "*DECRYPT*"
        OR TargetFilename matches "*HOW_TO*"
        OR TargetFilename matches "*RESTORE_FILES*"
        OR TargetFilename matches "*YOUR_FILES*"
        OR TargetFilename matches "*RANSOM*"
        OR TargetFilename matches "*RECOVER_FILES*"
        OR TargetFilename matches "*FILES_ENCRYPTED*"
        OR TargetFilename matches "*HELP_DECRYPT*"
        OR TargetFilename matches "*HOW-TO-DECRYPT*"
        OR TargetFilename matches "*IMPORTANT_READ*"
        OR TargetFilename matches "*RECOVERY_KEY*"
        OR TargetFilename matches "*LOCKED*"
      )
      AND (
        TargetFilename matches "*.txt"
        OR TargetFilename matches "*.html"
        OR TargetFilename matches "*.hta"
        OR TargetFilename matches "*.bmp"
        OR TargetFilename matches "*.jpg"
        OR TargetFilename matches "*.png"
      )
    )
    OR (
      EventID = "1"
      AND Image matches "*\\cmd.exe"
      AND CommandLine matches "*label *:*"
    )
    OR (
      EventID = "1"
      AND (Image matches "*\\powershell.exe" OR Image matches "*\\pwsh.exe")
      AND (
        CommandLine matches "*SystemParametersInfo*"
        OR CommandLine matches "*SPI_SETDESKWALLPAPER*"
        OR CommandLine matches "*SetWallpaper*"
        OR CommandLine matches "*DesktopWallpaper*"
      )
    )
  )
| if (EventID = "13" AND (TargetObject matches "*Wallpaper*" OR TargetObject matches "*DesktopImage*"), "WallpaperChange",
    if (EventID = "13" AND TargetObject matches "*LockScreen*", "LockScreenChange",
      if (EventID = "13" AND TargetObject matches "*LegalNotice*", "LogonMessageChange",
        if (EventID = "11", "RansomNoteDropped",
          if (EventID = "1" AND Image matches "*\\cmd.exe", "DiskLabelModified", "PSWallpaperSet")
        )
      )
    )
  ) as DefacementType
| table _messagetime, Computer, User, DefacementType, TargetObject, TargetFilename, CommandLine, Image
| sort - _messagetime
critical severity high confidence

Sumo Logic query detecting T1491.001 Internal Defacement by parsing Windows Sysmon XML events from raw log ingestion. Regex-extracts Sysmon fields from the XML payload (EventID, TargetObject, TargetFilename, Image, CommandLine, User, Computer) and applies behavioral filters across all four defacement branches: registry tampering (EventID 13), file drops (EventID 11), disk label changes and PowerShell API calls (EventID 1). The DefacementType classification field aids triage and dashboard aggregation.

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (WinEventLog:Microsoft-Windows-Sysmon/Operational)Winlogbeat forwarding to Sumo Logic HTTP Source

Required Tables

Sumo Logic partitions matching _sourceCategory=*windows* or *sysmon*

False Positives & Tuning

  • Automated endpoint provisioning workflows run by non-standard service accounts that create files named README.txt or RESTORE_FILES.html as part of recovery documentation bundled with legitimate backup software installers
  • Desktop management scripts deployed via RMM tools running under SYSTEM or service account context that set PersonalizationCSP wallpaper keys during device enrollment, where the initiating process binary is not in the exclusion list
  • Security awareness content management systems that programmatically swap desktop wallpapers as part of simulated phishing campaigns or policy enforcement drills, executing via scheduled tasks or scripting hosts
Download portable Sigma rule (.yml)

Other platforms for T1491.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Set Desktop Wallpaper via Registry to Simulate Ransom Note Display

    Expected signal: Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=%TEMP%\ransom_wallpaper.txt, Image=reg.exe. Sysmon EventCode 1: Process Create for reg.exe with CommandLine containing 'Control Panel\Desktop' and '/v Wallpaper'. MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Control Panel\Desktop', RegistryValueName=Wallpaper, InitiatingProcessFileName=reg.exe.

  2. Test 2Set Desktop Wallpaper via PowerShell SystemParametersInfo API

    Expected signal: Sysmon EventCode 1: Process Create for powershell.exe with CommandLine containing 'SystemParametersInfo'. Sysmon EventCode 13: TargetObject=HKCU\Control Panel\Desktop\Wallpaper with Details pointing to the test file (SystemParametersInfo updates this registry key). MDE DeviceProcessEvents: ProcessCommandLine contains 'SystemParametersInfo', FileName=powershell.exe.

  3. Test 3Modify Windows Logon Legal Notice to Simulate Ransom Demand at Login

    Expected signal: Sysmon EventCode 13 (two events): TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and \LegalNoticeText, Image=reg.exe, User=[current user]. Requires elevation (HKLM write). MDE DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains 'Winlogon', RegistryValueName in (LegalNoticeCaption, LegalNoticeText), InitiatingProcessFileName=reg.exe.

  4. Test 4Drop Ransom Note Files Across Multiple Directories

    Expected signal: Sysmon EventCode 11 (six events): TargetFilename for each README_DECRYPT.txt file created across the six directories, Image=cmd.exe. MDE DeviceFileEvents: ActionType=FileCreated, FileName=README_DECRYPT.txt, InitiatingProcessFileName=cmd.exe, FolderPath showing six different directories. The hunting query (UniqueDirectories > 5) will trigger on this test.

  5. Test 5Rename Disk Volume Label via CMD (ShrinkLocker Technique)

    Expected signal: Sysmon EventCode 1: Process Create for cmd.exe or label.exe (label is a built-in cmd command that may appear as cmd.exe /c label). CommandLine contains 'label C:' and 'ArgusDefacementTest'. MDE DeviceProcessEvents: FileName=cmd.exe, ProcessCommandLine matches regex for 'label [drive]:'. Security Event ID 4688 if process creation auditing is enabled.

Last updated: 2026-04-13 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1491.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1491Defacement

Related Sub-techniques

T1491.002External Defacement

Related Techniques

T1491DefacementT1491.002External DefacementT1486Data Encrypted for ImpactT1490Inhibit System RecoveryT1489Service StopT1485.001Lifecycle-Triggered DeletionT1561Disk WipeT1561.002Disk Structure WipeT1484.001Group Policy ModificationT1059.001PowerShellT1112Modify Registry

Same Tactic: Impact

Popular Detections