T1491 Google Chronicle · YARA-L

Detect Defacement in Google Chronicle

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images).

MITRE ATT&CK

Tactic
Impact
Technique
T1491 Defacement
Canonical reference
https://attack.mitre.org/techniques/T1491/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1491_defacement_web_file_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1491 Defacement - suspicious process writing web content files to web server directories"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491"
    severity = "HIGH"
    priority = "HIGH"
    created = "2026-04-13"

  events:
    // Overwriting an existing index.html arrives as FILE_MODIFICATION from most EDR parsers,
    // while Sysmon Event ID 11 reports an overwrite as FileCreate. Accept both.
    (
      $e.metadata.event_type = "FILE_CREATION" or
      $e.metadata.event_type = "FILE_MODIFICATION"
    )
    // Web roots for IIS, Apache/XAMPP, shared-hosting layouts, nginx and common Linux paths
    re.regex($e.target.file.full_path, `(?i)(\\inetpub\\wwwroot|\\htdocs|\\public_html|\\nginx\\html|/var/www/|/srv/http/|/usr/share/nginx/|/home/www/)`)
    // Served content types only; logs, locks and temp files written by the server itself are ignored
    re.regex($e.target.file.full_path, `(?i)\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$`)
    // The writer is a shell, script interpreter or download utility rather than the CMS or web server
    re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe|certutil\.exe|bitsadmin\.exe|python[23]?\.exe|perl\.exe|ruby\.exe|/bash$|/sh$)`)

  condition:
    $e
}

rule t1491_defacement_registry_wallpaper {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1491 Internal Defacement - registry modifications targeting wallpaper, screensaver, and logon banner keys by suspicious processes"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.001"
    severity = "MEDIUM"
    priority = "MEDIUM"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "REGISTRY_MODIFICATION"
    // Wallpaper/screensaver keys plus both places Windows reads the logon banner from:
    // the Winlogon key and the policy key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    re.regex($e.target.registry.registry_key, `(?i)(\\Control Panel\\Desktop|\\Terminal Server\\Winlogon|\\Windows NT\\CurrentVersion\\Winlogon|\\Policies\\Microsoft\\Windows\\Personalization|\\Policies\\System)`)
    re.regex($e.target.registry.registry_value_name, `(?i)(Wallpaper|ScreenSaveActive|SCRNSAVE\.EXE|legalnoticecaption|legalnoticetext)`)
    // reg.exe is included so a plain "reg add" (Test 5 below) is caught alongside scripted writes
    re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|reg\.exe|python[23]?\.exe|/bash$|/sh$)`)

  condition:
    $e
}

rule t1491_defacement_webserver_shell_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1491 Defacement - web server process spawning shell or script interpreter, indicating possible webshell execution"
    mitre_attack_tactic = "Impact"
    mitre_attack_technique = "T1491.002"
    severity = "CRITICAL"
    priority = "CRITICAL"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    // principal.process is the parent. Tomcat runs as java, so "tomcat" only matches when the
    // Java binary lives under a path containing that string; php-fpm covers PHP webshells behind nginx.
    re.regex($e.principal.process.file.full_path, `(?i)(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat|php-fpm)`)
    // target.process is the child that was launched
    re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|/bash$|/sh$|python[23]?\.exe|perl\.exe)`)

  condition:
    $e
}
```

Three Chronicle YARA-L 2.0 rules covering both T1491 sub-techniques: (1) shells, interpreters and download utilities writing served content types into web root paths (external defacement), (2) wallpaper, screensaver and logon banner registry values changed by scripting tools (internal defacement), (3) a web server worker process spawning a shell or interpreter, the usual precursor when a webshell is used to overwrite pages. Each rule is a single-event match on UDM file, registry and process-launch event types, using re.regex over the UDM path and process fields; there is no correlation or time window, so tuning comes down to narrowing the process and path regexes or excluding known principals.

Data Sources

  • Google Chronicle SIEM
  • Chronicle UDM ingestion from Windows Sysmon
  • Chronicle UDM ingestion from CrowdStrike Falcon
  • Chronicle UDM ingestion from Carbon Black

Required Tables

  • UDM Events (FILE_CREATION)
  • UDM Events (REGISTRY_MODIFICATION)
  • UDM Events (PROCESS_LAUNCH)

False Positives & Tuning

  • Legitimate automated deployments by CI/CD systems writing HTML, PHP, or asset files to web roots using curl or PowerShell scripts; exclude the deployment agent's service account (principal.user.userid) or host (principal.hostname) rather than dropping curl or PowerShell from the writer regex
  • Enterprise desktop policy enforcement scripts that set wallpaper images or logon banners as part of onboarding or compliance workflows; exclude the known management script path or the account it runs as
  • Web servers (Apache, Nginx) that legitimately invoke shell scripts as CGI handlers or maintenance hooks; baseline the child command lines (target.process.command_line) and exclude the documented hooks only
  • Content management systems with auto-update capabilities that write PHP or JS files as part of plugin or theme updates; these writes come from the PHP or IIS worker itself, which the writer regex does not match, so residual noise is from admin scripts wrapping the updater
  • Penetration testing or red team exercises targeting web infrastructure with explicit change management approval; suppress by source host and engagement window rather than editing the rule

Testing Methodology

Validate this detection against the five Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Replace Web Server Default Page (Windows IIS)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\index.html, Image=cmd.exe (Sysmon reports an overwrite of an existing file as FileCreate). DeviceFileEvents: ActionType=FileModified, FolderPath contains \wwwroot\, InitiatingProcessFileName=cmd.exe; in UDM this arrives as FILE_MODIFICATION rather than FILE_CREATION, so confirm the file rule's event_type filter accepts both before relying on EDR-sourced telemetry. Security Event ID 4663 (if object access auditing is enabled on the wwwroot directory).

  2. Test 2: Internal Defacement via Wallpaper Registry Modification

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=C:\Windows\Temp\defaced_wallpaper.jpg, Image=powershell.exe. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains Control Panel\Desktop, RegistryValueName=Wallpaper, InitiatingProcessFileName=powershell.exe.

  3. Test 3: Web Shell Simulation (Web Server Spawning Command Shell)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. DeviceProcessEvents: FileName=cmd.exe, InitiatingProcessFileName=powershell.exe. File creation event for webshell-test.txt. Note that with ParentImage=powershell.exe this launch does not satisfy the third rule, whose principal.process must be the web server worker (w3wp.exe, httpd.exe, nginx.exe, apache2); as described it validates the process telemetry only. For the rule itself to fire, cmd.exe must be a direct child of the web server worker process.

  4. Test 4: Linux Web Root File Replacement via Bash

    Expected signal: Linux auditd: syscall=openat with path=/var/www/html/index.html and WRITE flag, uid/euid of calling user. Sysmon for Linux Event ID 11: FileCreate with TargetFilename=/var/www/html/index.html, Image=/usr/bin/bash. Linux file integrity monitoring (FIM) alert on /var/www/html/ if configured.

  5. Test 5: Mass Internal Defacement via Logon Banner Registry Modification

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and LegalNoticeText, Image=reg.exe. Security Event ID 4657 (Registry value modified) if object access auditing is enabled on the Winlogon key. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryValueName=LegalNoticeCaption/LegalNoticeText. The second rule only fires if reg.exe is in its process regex; check that before treating a silent run as a telemetry problem. The same two values are also written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System when a banner is set through Group Policy, so that key should be covered as well.
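The match logic of the three rules can be exercised offline before anything is pushed to Chronicle. The following is an added example and is not part of this page's detection package or of any Chronicle tooling: a Python emulation of the rules' predicates, run over hand-constructed UDM-shaped events that mirror the five tests above (every path and event dict is constructed; nothing here is real telemetry). It goes slightly beyond the rules as printed, and each extension is marked as an assumption in the code: the file rule also accepts FILE_MODIFICATION, the registry rule also accepts reg.exe as the writer and the Policies\System banner key, and php-fpm counts as a web server parent. Events e3 and e7 show two silent cases worth knowing: a benign rsync deploy into the web root, and Test 3 as described, where the parent is powershell.exe rather than the web server worker.

```python
import re

# Constructed UDM-shaped events and a plain-Python emulation of the page's YARA-L rules.
# YARA-L's re.regex is an unanchored RE2 search; Python's re.search reproduces it for these patterns.

WEB_ROOT = re.compile(r"(?i)(\\inetpub\\wwwroot|\\htdocs|\\public_html|\\nginx\\html"
                      r"|/var/www/|/srv/http/|/usr/share/nginx/|/home/www/)")
WEB_CONTENT = re.compile(r"(?i)\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$")
SUSPICIOUS_WRITER = re.compile(
    r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe"
    r"|wget\.exe|certutil\.exe|bitsadmin\.exe|python[23]?\.exe|perl\.exe|ruby\.exe|/bash$|/sh$)")
DEFACEMENT_KEY = re.compile(r"(?i)(\\Control Panel\\Desktop|\\Terminal Server\\Winlogon"
                            r"|\\Windows NT\\CurrentVersion\\Winlogon"
                            r"|\\Policies\\Microsoft\\Windows\\Personalization"
                            r"|\\Policies\\System)")  # Policies\System added here (assumption)
DEFACEMENT_VALUE = re.compile(r"(?i)(Wallpaper|ScreenSaveActive|SCRNSAVE\.EXE|legalnoticecaption|legalnoticetext)")
REGISTRY_WRITER = re.compile(r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe"
                             r"|mshta\.exe|reg\.exe|python[23]?\.exe|/bash$|/sh$)")  # reg.exe added (assumption)
WEB_SERVER = re.compile(r"(?i)(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat|php-fpm)")  # php-fpm added (assumption)
INTERPRETER = re.compile(r"(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe"
                         r"|mshta\.exe|/bash$|/sh$|python[23]?\.exe|perl\.exe)")


def field(event, path):
    """Resolve a dotted UDM field path; an absent field yields "" and therefore never matches."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return node if isinstance(node, str) else ""


def web_file_write(e):
    """t1491_defacement_web_file_modification; FILE_MODIFICATION accepted in addition (assumption)."""
    return (field(e, "metadata.event_type") in ("FILE_CREATION", "FILE_MODIFICATION")
            and bool(WEB_ROOT.search(field(e, "target.file.full_path")))
            and bool(WEB_CONTENT.search(field(e, "target.file.full_path")))
            and bool(SUSPICIOUS_WRITER.search(field(e, "principal.process.file.full_path"))))


def registry_defacement(e):
    """t1491_defacement_registry_wallpaper: wallpaper/screensaver/banner value set by a scripting tool."""
    return (field(e, "metadata.event_type") == "REGISTRY_MODIFICATION"
            and bool(DEFACEMENT_KEY.search(field(e, "target.registry.registry_key")))
            and bool(DEFACEMENT_VALUE.search(field(e, "target.registry.registry_value_name")))
            and bool(REGISTRY_WRITER.search(field(e, "principal.process.file.full_path"))))


def webserver_shell_spawn(e):
    """t1491_defacement_webserver_shell_spawn: web server worker (principal) launches an interpreter (target)."""
    return (field(e, "metadata.event_type") == "PROCESS_LAUNCH"
            and bool(WEB_SERVER.search(field(e, "principal.process.file.full_path")))
            and bool(INTERPRETER.search(field(e, "target.process.file.full_path"))))


RULES = {
    "t1491_defacement_web_file_modification": web_file_write,
    "t1491_defacement_registry_wallpaper": registry_defacement,
    "t1491_defacement_webserver_shell_spawn": webserver_shell_spawn,
}


def evaluate(events):
    """Map each event id to the names of the rules whose predicates it satisfies."""
    return {e["id"]: [name for name, pred in RULES.items() if pred(e)] for e in events}


def udm(event_id, event_type, fields):
    """Build a nested UDM-shaped dict from dotted field names (constructed test data, not real telemetry)."""
    event = {"id": event_id, "metadata": {"event_type": event_type}}
    for path, value in fields.items():
        node = event
        *parents, leaf = path.split(".")
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return event


SAMPLE_EVENTS = [  # all hypothetical
    # Test 1: cmd.exe overwrites the IIS default page (Sysmon reports this as FileCreate)
    udm("e1", "FILE_CREATION", {"target.file.full_path": r"C:\inetpub\wwwroot\index.html",
                                "principal.process.file.full_path": r"C:\Windows\System32\cmd.exe"}),
    # Test 4 as an EDR would report it: bash overwriting an existing file is a modification
    udm("e2", "FILE_MODIFICATION", {"target.file.full_path": "/var/www/html/index.html",
                                    "principal.process.file.full_path": "/usr/bin/bash"}),
    # Benign CI deploy: same root and extension, but rsync is not in the writer list
    udm("e3", "FILE_CREATION", {"target.file.full_path": "/var/www/html/app.js",
                                "principal.process.file.full_path": "/usr/bin/rsync"}),
    # Test 2: PowerShell sets the wallpaper value
    udm("e4", "REGISTRY_MODIFICATION", {"target.registry.registry_key": r"HKEY_CURRENT_USER\Control Panel\Desktop",
                                        "target.registry.registry_value_name": "Wallpaper",
                                        "principal.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    # Test 5: reg.exe writes the logon banner caption
    udm("e5", "REGISTRY_MODIFICATION", {"target.registry.registry_key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
                                        "target.registry.registry_value_name": "LegalNoticeCaption",
                                        "principal.process.file.full_path": r"C:\Windows\System32\reg.exe"}),
    # Webshell: the IIS worker spawns cmd.exe
    udm("e6", "PROCESS_LAUNCH", {"principal.process.file.full_path": r"C:\Windows\System32\inetsrv\w3wp.exe",
                                 "target.process.file.full_path": r"C:\Windows\System32\cmd.exe"}),
    # Test 3 as written: parent is powershell.exe, not a web server worker, so the third rule stays silent
    udm("e7", "PROCESS_LAUNCH", {"principal.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                                 "target.process.file.full_path": r"C:\Windows\System32\cmd.exe"}),
]

if __name__ == "__main__":
    for event_id, hits in evaluate(SAMPLE_EVENTS).items():
        print(event_id, hits or "-")
```

Run it as a script to print the per-event hits. When a regex is tuned in Chronicle, change the corresponding compiled pattern here and re-run, so the expected hits for the five tests stay aligned with the rule text rather than drifting apart silently.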
