Detect Defacement in Elastic Security
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images).
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1491 Defacement
- Canonical reference
- https://attack.mitre.org/techniques/T1491/
Elastic Detection Query
sequence by host.name with maxspan=5m
[file where event.action in ("creation", "overwrite", "rename") and
(
file.path : ("*\\inetpub\\wwwroot\\*", "*\\htdocs\\*", "*\\public_html\\*", "*\\nginx\\html\\*", "/var/www/*", "/srv/http/*", "/usr/share/nginx/*") or
file.path : ("/home/www/*")
) and
file.extension in ("html", "htm", "php", "asp", "aspx", "jsp", "js", "css", "png", "jpg", "gif", "svg", "ico") and
process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "python.exe", "python3", "perl.exe", "ruby.exe", "bash", "sh")]
OR
any where event.category == "registry" and event.action in ("modification", "creation") and
registry.path : ("*\\Control Panel\\Desktop\\Wallpaper", "*\\Control Panel\\Desktop\\ScreenSaveActive", "*\\Winlogon\\legalnoticecaption", "*\\Winlogon\\legalnoticetext", "*\\Personalization\\NoChangingWallPaper") and
process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "python.exe", "bash", "sh")
OR
sequence by host.name with maxspan=30s
[process where event.type == "start" and
process.parent.name in~ ("w3wp.exe", "nginx.exe", "httpd.exe", "apache2", "tomcat") and
process.name in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "bash", "sh", "python.exe", "python3")]Detects T1491 Defacement via three branches: (1) web content files written by suspicious processes in web root directories, (2) registry modifications targeting wallpaper and logon banner keys, (3) web server processes spawning shell/script interpreters as child processes indicating potential webshell execution or active compromise.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate web developers or deployment pipelines (CI/CD) writing files to web root directories using curl, wget, or PowerShell
- System administrators changing desktop wallpaper or logon banners via GPO scripts running as SYSTEM or a service account
- Web application frameworks (e.g., WordPress, Drupal auto-update) that invoke PHP or shell scripts to update their own web content
- Configuration management tools like Ansible or Chef invoking bash/sh to deploy web assets
- Developer workstations running local web servers (XAMPP, WAMP) where developers edit files directly
Other platforms for T1491
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Replace Web Server Default Page (Windows IIS)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\index.html, Image=cmd.exe. DeviceFileEvents: ActionType=FileModified, FolderPath contains \wwwroot\, InitiatingProcessFileName=cmd.exe. Security Event ID 4663 (if object access auditing enabled on wwwroot directory).
- Test 2Internal Defacement via Wallpaper Registry Modification
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=C:\Windows\Temp\defaced_wallpaper.jpg, Image=powershell.exe. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains Control Panel\Desktop, RegistryValueName=Wallpaper, InitiatingProcessFileName=powershell.exe.
- Test 3Web Shell Simulation — Web Server Spawning Command Shell
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. DeviceProcessEvents: FileName=cmd.exe, InitiatingProcessFileName=powershell.exe. File creation event for webshell-test.txt.
- Test 4Linux Web Root File Replacement via Bash
Expected signal: Linux auditd: syscall=openat with path=/var/www/html/index.html and WRITE flag, uid/euid of calling user. Sysmon for Linux Event ID 11: FileCreate with TargetFilename=/var/www/html/index.html, Image=/usr/bin/bash. Linux file integrity monitoring (FIM) alert on /var/www/html/ if configured.
- Test 5Mass Internal Defacement via Logon Banner Registry Modification
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and LegalNoticeText, Image=reg.exe. Security Event ID 4657 (Registry value modified) if object access auditing is enabled on the Winlogon key. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryValueName=LegalNoticeCaption/LegalNoticeText.
References (10)
- https://attack.mitre.org/techniques/T1491/
- https://attack.mitre.org/techniques/T1491/001/
- https://attack.mitre.org/techniques/T1491/002/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a
- https://www.sans.org/white-papers/web-application-defacement-detection/
Unlock Pro Content
Get the full detection package for T1491 including response playbook, investigation guide, and atomic red team tests.