Detect Defacement in CrowdStrike LogScale
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images).
MITRE ATT&CK
- Tactic: Impact
- Technique: T1491 Defacement
- Canonical reference: https://attack.mitre.org/techniques/T1491/
LogScale Detection Query
// Branch 1: Web file write by suspicious process (Sysmon-style via Falcon file events)
#event_simpleName=WriteFile
| ComputerName=*
| TargetFileName=/(?i)(\\inetpub\\wwwroot|\\htdocs|\\public_html|\\nginx\\html|\/var\/www\/|\/srv\/http\/|\/usr\/share\/nginx\/)/
| TargetFileName=/(?i)\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$/
| ImageFileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe|certutil\.exe|bitsadmin\.exe|python[23]?\.exe|perl\.exe|ruby\.exe|\/bash$|\/sh$)/
| DefacementType := "WebFileModification"
| SeverityScore := 2
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, DefacementType, SeverityScore])
// Branch 2: Web server spawning shell child process
// #event_simpleName=ProcessRollup2
// | ParentBaseFileName=/(?i)(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat)/
// | ImageFileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|\/bash$|\/sh$|python[23]?\.exe|perl\.exe)/
// | DefacementType := "WebServerShellSpawn"
// | SeverityScore := 3
// | table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DefacementType, SeverityScore])
// Branch 3: Registry wallpaper / logon banner modification
// #event_simpleName=RegGenericValueUpdate
// | RegObjectName=/(?i)(\\Control Panel\\Desktop|\\Winlogon|\\Personalization)/
// | RegValueName=/(?i)(Wallpaper|ScreenSaveActive|SCRNSAVE\.EXE|legalnoticecaption|legalnoticetext)/
// | ImageFileName=/(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|python[23]?\.exe|\/bash$|\/sh$)/
// | DefacementType := "RegistryWallpaperChange"
// | SeverityScore := 1
// | table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, RegObjectName, RegValueName, DefacementType, SeverityScore])
// A single sort on both keys: a second sort() call would re-order by its own key alone and discard the severity ordering.
| sort([SeverityScore, @timestamp], order=desc)

CrowdStrike LogScale (Falcon) detection for T1491 Defacement using Falcon telemetry event types. Branch 1 (active) uses WriteFile events to detect suspicious scripting or download utilities writing web content files to web root paths. Branches 2 and 3 are provided as commented queries using ProcessRollup2 (web server spawning a shell) and RegGenericValueUpdate (registry wallpaper and logon banner changes); each is a stand-alone query and should be run separately rather than uncommented inside Branch 1's pipeline. All branches use LogScale CQL syntax with regex matching on Falcon ECS-compatible field names including #event_simpleName, ImageFileName, TargetFileName, and ParentBaseFileName.
False Positives & Tuning
- Automated software deployment pipelines using PowerShell or curl to update web application files in IIS or Apache web roots
- CrowdStrike sensor itself or other endpoint agents that write files to monitored directories as part of update or scan operations
- Web application frameworks performing self-update routines that invoke scripting engines to patch web content files in place
- System administrators remotely deploying web content using WinRM or SSH sessions that invoke PowerShell or bash
- WordPress, Drupal, or Joomla auto-update mechanisms that download and write plugin or theme files directly to the web root
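As an added example (not part of this page's detection package), the Branch 1 logic from the query above and the deployment-pipeline tuning from the false-positive list, expressed as Python so the rule can be unit-tested offline against constructed Falcon-style WriteFile events. The allowlisted account svc_webdeploy and host BUILD01 are hypothetical placeholders, and the sample events are constructed, not real telemetry.

```python
import re

# Regexes copied from Branch 1 of the LogScale query above; re.I mirrors the (?i) flag.
WEB_ROOT_RE = re.compile(
    r"(\\inetpub\\wwwroot|\\htdocs|\\public_html|\\nginx\\html|/var/www/|/srv/http/|/usr/share/nginx/)", re.I)
WEB_FILE_RE = re.compile(r"\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$", re.I)
SCRIPT_HOST_RE = re.compile(
    r"(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe"
    r"|certutil\.exe|bitsadmin\.exe|python[23]?\.exe|perl\.exe|ruby\.exe|/bash$|/sh$)", re.I)

# Tuning allowlist for the deployment-pipeline false positives listed on this page.
# Hypothetical placeholder values; populate from your own CI/CD service accounts and build hosts.
ALLOWED_USERS = {"svc_webdeploy"}
ALLOWED_HOSTS = {"BUILD01"}

def classify(event):
    """Apply Branch 1 to one Falcon-style event dict; return (DefacementType, SeverityScore) or None."""
    if event.get("#event_simpleName") != "WriteFile":
        return None
    path = event.get("TargetFileName", "")
    if not (WEB_ROOT_RE.search(path) and WEB_FILE_RE.search(path)):
        return None
    if not SCRIPT_HOST_RE.search(event.get("ImageFileName", "")):
        return None
    # Suppress known-good deployment activity rather than loosening the path/process regexes.
    if event.get("UserName") in ALLOWED_USERS or event.get("ComputerName") in ALLOWED_HOSTS:
        return None
    return ("WebFileModification", 2)

def detect(events):
    """Enrich matching events with DefacementType/SeverityScore; highest severity first, newest first within it."""
    hits = [{**ev, "DefacementType": r[0], "SeverityScore": r[1]}
            for ev in events if (r := classify(ev))]
    return sorted(hits, key=lambda h: (h["SeverityScore"], h["@timestamp"]), reverse=True)

# Constructed sample telemetry (not real Falcon data).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "#event_simpleName": "WriteFile", "ComputerName": "WEB01",
     "UserName": "IIS APPPOOL\\DefaultAppPool", "ImageFileName": "C:\\Windows\\System32\\cmd.exe",
     "TargetFileName": "C:\\inetpub\\wwwroot\\index.html"},                 # hit
    {"@timestamp": "2024-05-01T10:01:00Z", "#event_simpleName": "WriteFile", "ComputerName": "WEB01",
     "UserName": "IIS APPPOOL\\DefaultAppPool", "ImageFileName": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "TargetFileName": "C:\\inetpub\\wwwroot\\app.log"},                   # no shell, non-web extension
    {"@timestamp": "2024-05-01T10:02:00Z", "#event_simpleName": "WriteFile", "ComputerName": "BUILD01",
     "UserName": "svc_webdeploy", "ImageFileName": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "TargetFileName": "C:\\inetpub\\wwwroot\\site.css"},                  # allowlisted pipeline
    {"@timestamp": "2024-05-01T10:03:00Z", "#event_simpleName": "WriteFile", "ComputerName": "LNX-WEB02",
     "UserName": "www-data", "ImageFileName": "/usr/bin/bash",
     "TargetFileName": "/var/www/html/index.php"},                         # hit
]
```

Running detect(SAMPLE_EVENTS) yields the Linux and IIS hits in that order and drops the log write and the allowlisted pipeline write, which is the behaviour to confirm before changing any regex in the live query.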
Testing Methodology
Validate this detection against 5 Atomic Red Team tests for T1491. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Replace Web Server Default Page (Windows IIS)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\index.html, Image=cmd.exe. DeviceFileEvents: ActionType=FileModified, FolderPath contains \wwwroot\, InitiatingProcessFileName=cmd.exe. Security Event ID 4663 (if object access auditing enabled on wwwroot directory).
- Test 2: Internal Defacement via Wallpaper Registry Modification
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=C:\Windows\Temp\defaced_wallpaper.jpg, Image=powershell.exe. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains Control Panel\Desktop, RegistryValueName=Wallpaper, InitiatingProcessFileName=powershell.exe.
- Test 3: Web Shell Simulation, Web Server Spawning Command Shell
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. DeviceProcessEvents: FileName=cmd.exe, InitiatingProcessFileName=powershell.exe. File creation event for webshell-test.txt.
- Test 4: Linux Web Root File Replacement via Bash
Expected signal: Linux auditd: syscall=openat with path=/var/www/html/index.html and WRITE flag, uid/euid of calling user. Sysmon for Linux Event ID 11: FileCreate with TargetFilename=/var/www/html/index.html, Image=/usr/bin/bash. Linux file integrity monitoring (FIM) alert on /var/www/html/ if configured.
- Test 5: Mass Internal Defacement via Logon Banner Registry Modification
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and LegalNoticeText, Image=reg.exe. Security Event ID 4657 (Registry value modified) if object access auditing is enabled on the Winlogon key. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryValueName=LegalNoticeCaption/LegalNoticeText.
References
- https://attack.mitre.org/techniques/T1491/
- https://attack.mitre.org/techniques/T1491/001/
- https://attack.mitre.org/techniques/T1491/002/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a
- https://www.sans.org/white-papers/web-application-defacement-detection/