T1491 IBM QRadar · QRadar

Detect Defacement in IBM QRadar

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images).

MITRE ATT&CK

Tactic
Impact
Technique
T1491 Defacement
Canonical reference
https://attack.mitre.org/techniques/T1491/

QRadar Detection Query

IBM QRadar (QRadar)
-- Assumptions: the custom event properties FILE_PATH, PROCESS_NAME, PARENT_PROCESS_NAME,
-- REGISTRY_KEY and REGISTRY_VALUE_NAME are defined for the Sysmon log source. Sysmon's
-- Image and ParentImage fields carry the full path, so PROCESS_NAME and PARENT_PROCESS_NAME
-- must extract the file name only (e.g. w3wp.exe, bash), or the IN (...) lists never match.
-- REGISTRY_KEY is expected to hold the full Sysmon TargetObject and REGISTRY_VALUE_NAME its
-- last path component. devicetype is the AQL column holding the log source type ID; confirm
-- the ID assigned to your Sysmon log source before relying on the literal 12 used here.
-- If your QRadar release rejects UNION ALL, run each branch as its own saved search.
-- Branch 1: Web file modifications by suspicious processes
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "FILE_PATH" AS file_path,
  "PROCESS_NAME" AS initiating_process,
  QIDNAME(qid) AS event_name,
  'WebFileModification' AS defacement_type,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  devicetype = 12 -- Sysmon log source type ID
  AND CATEGORYNAME(category) LIKE '%File%'
  AND (
    "FILE_PATH" ILIKE '%\inetpub\wwwroot%'
    OR "FILE_PATH" ILIKE '%\htdocs%'
    OR "FILE_PATH" ILIKE '%\public_html%'
    OR "FILE_PATH" ILIKE '%/var/www/%'
    OR "FILE_PATH" ILIKE '%/srv/http/%'
    OR "FILE_PATH" ILIKE '%/usr/share/nginx/%'
  )
  AND (
    "FILE_PATH" ILIKE '%.html'
    OR "FILE_PATH" ILIKE '%.htm'
    OR "FILE_PATH" ILIKE '%.php'
    OR "FILE_PATH" ILIKE '%.asp'
    OR "FILE_PATH" ILIKE '%.aspx'
    OR "FILE_PATH" ILIKE '%.jsp'
  )
  AND LOWER("PROCESS_NAME") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','curl.exe','wget.exe','certutil.exe','python.exe','bash','sh')
  AND starttime > NOW() - 86400000 -- last 24 hours; NOW() and starttime are epoch milliseconds
UNION ALL
-- Branch 2: Registry defacement (wallpaper / screensaver / logon banner)
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "REGISTRY_KEY" AS file_path,
  "PROCESS_NAME" AS initiating_process,
  QIDNAME(qid) AS event_name,
  'RegistryWallpaperChange' AS defacement_type,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  devicetype = 12
  AND CATEGORYNAME(category) LIKE '%Registry%'
  AND (
    LOWER("REGISTRY_KEY") LIKE '%control panel\desktop%'
    OR LOWER("REGISTRY_KEY") LIKE '%winlogon%legalnotice%'
    OR LOWER("REGISTRY_KEY") LIKE '%personalization%'
  )
  AND LOWER("REGISTRY_VALUE_NAME") IN ('wallpaper','screensaveactive','scrnsave.exe','legalnoticecaption','legalnoticetext')
  -- reg.exe is included so that a plain "reg add" of the Winlogon banner values (Test 5) is caught
  AND LOWER("PROCESS_NAME") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','reg.exe','python.exe','bash','sh')
  AND starttime > NOW() - 86400000
UNION ALL
-- Branch 3: Web server spawning shell/script child process
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "PARENT_PROCESS_NAME" AS file_path,
  "PROCESS_NAME" AS initiating_process,
  QIDNAME(qid) AS event_name,
  'WebServerShellSpawn' AS defacement_type,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
  devicetype = 12
  AND CATEGORYNAME(category) LIKE '%Process%'
  -- Tomcat runs inside a JVM, so its parent image is normally java/java.exe; adjust if needed
  AND LOWER("PARENT_PROCESS_NAME") IN ('w3wp.exe','nginx.exe','httpd.exe','apache2','tomcat')
  AND LOWER("PROCESS_NAME") IN ('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','bash','sh','python.exe')
  AND starttime > NOW() - 86400000
ORDER BY event_time DESC
Severity
high
Confidence
medium

QRadar AQL detection for T1491 Defacement covering three branches: suspicious processes writing web content files under web root directories, registry modifications to wallpaper, screensaver and logon-banner values, and web server processes spawning interactive shells. Each branch filters on the Sysmon log source type ID (12 in this rule; confirm the value assigned in your deployment's log source configuration), and the branches are combined with UNION ALL into a single result set ordered by time. The query depends on custom event properties (FILE_PATH, PROCESS_NAME, PARENT_PROCESS_NAME, REGISTRY_KEY, REGISTRY_VALUE_NAME) that extract the Sysmon fields, with process names reduced to their base name. It is scoped to Sysmon events only: the Windows Security Event IDs 4663 and 4657 and the Linux auditd records referenced under Testing Methodology are not matched by this query as written.

Data Sources

  • IBM QRadar SIEM
  • Sysmon logs forwarded to QRadar
  • Windows Security Event logs

Required Tables

events

False Positives & Tuning

  • Automated deployment scripts using PowerShell or curl writing updated web content as part of a CI/CD pipeline
  • GPO scripts modifying desktop wallpaper or logon notice text during domain policy refresh cycles
  • Legitimate web server maintenance where httpd/nginx processes invoke shell scripts to rotate logs or update configurations
  • Security scanning tools that enumerate web server processes and may appear as child processes of web services
  • Web application self-update mechanisms (WordPress auto-update) that spawn PHP subprocesses to patch files in place
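The three branches of the query above, together with the allowlisting that the false-positive list calls for, as an added Python model that is not part of the page's AQL or of any QRadar component: it runs the same matching logic (web roots, content extensions, writer/parent/child process names, registry key and value names) over constructed Sysmon-style events so the rule can be sanity-checked offline before it is deployed. The event dictionaries, the CORP\svc-deploy account and DEPLOY_ALLOWLIST are constructed for the example; process names are reduced to their base name, which is what the AQL IN (...) lists require of the custom properties.

```python
"""Offline model of the three-branch T1491 detection (added example, not the page's AQL)."""
import re

# Constants mirror the literals in the three AQL branches.
WEB_ROOTS = (r"\inetpub\wwwroot", r"\htdocs", r"\public_html",
             "/var/www/", "/srv/http/", "/usr/share/nginx/")
WEB_EXTS = (".html", ".htm", ".php", ".asp", ".aspx", ".jsp")
WEB_WRITERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "curl.exe", "wget.exe", "certutil.exe", "python.exe", "bash", "sh"}
REG_WRITERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "reg.exe", "python.exe", "bash", "sh"}
REG_VALUES = {"wallpaper", "screensaveactive", "scrnsave.exe",
              "legalnoticecaption", "legalnoticetext"}
WEB_SERVERS = {"w3wp.exe", "nginx.exe", "httpd.exe", "apache2", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "bash", "sh", "python.exe"}


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased.

    Sysmon's Image/ParentImage/TargetObject carry full paths; the AQL IN (...) lists
    only work if the custom properties extract exactly this component."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_web_file(path):
    """Branch 1 path test: under a known web root AND a web content extension."""
    p = path.lower()
    return any(root.lower() in p for root in WEB_ROOTS) and p.endswith(WEB_EXTS)


def is_defacement_key(target_object):
    """Branch 2 key test, applied to the full Sysmon TargetObject."""
    k = target_object.lower()
    return ("control panel\\desktop" in k
            or re.search(r"winlogon.*legalnotice", k) is not None
            or "personalization" in k)


def classify(ev, allowlist=frozenset()):
    """Return the branch label for one Sysmon-style event, or None if nothing matches.

    allowlist holds (user, image basename) pairs for sanctioned writers such as a
    CI/CD deployment account (the tuning suggested in the false-positive list)."""
    image = basename(ev.get("Image", ""))
    if (ev.get("User", ""), image) in allowlist:
        return None
    eid = ev["EventID"]
    if eid == 11 and image in WEB_WRITERS and is_web_file(ev["TargetFilename"]):
        return "WebFileModification"
    if eid == 13 and image in REG_WRITERS:
        target = ev["TargetObject"]
        if is_defacement_key(target) and basename(target) in REG_VALUES:
            return "RegistryWallpaperChange"
    if eid == 1 and basename(ev.get("ParentImage", "")) in WEB_SERVERS and image in SHELLS:
        return "WebServerShellSpawn"
    return None


def run(events, allowlist=frozenset()):
    """Return (label, user) for every event that any branch matches."""
    hits = []
    for ev in events:
        label = classify(ev, allowlist)
        if label is not None:
            hits.append((label, ev.get("User", "")))
    return hits


# Constructed sample telemetry, one event per case worth checking (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 11, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\index.html"},            # Test 1: matches
    {"EventID": 11, "User": "CORP\\svc-deploy", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\index.html"},            # CI/CD writer: allowlisted
    {"EventID": 13, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNoticeText"},
    {"EventID": 1, "User": "IIS APPPOOL\\DefaultAppPool", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"},         # web shell pattern
    {"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},  # Test 3 as written: no match
    {"EventID": 11, "User": "www-data", "Image": "/usr/bin/bash",
     "TargetFilename": "/var/www/html/index.html"},                     # Test 4 via Sysmon for Linux
    {"EventID": 11, "User": "CORP\\bob", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\inetpub\\wwwroot\\logo.png"},              # wrong writer and extension
]
# Hypothetical sanctioned deployment account; tune to your own pipeline identities.
DEPLOY_ALLOWLIST = frozenset({("CORP\\svc-deploy", "pwsh.exe")})

if __name__ == "__main__":
    for label, user in run(SAMPLE_EVENTS, DEPLOY_ALLOWLIST):
        print(f"{label:24} {user}")
```

Running the block with the allowlist yields four hits; without it the svc-deploy write is a fifth, which is the noise the tuning list warns about. The powershell.exe-parented cmd.exe from Test 3 produces no hit, because Branch 3 keys on the web server binary as parent.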

Testing Methodology

Validate this detection against the five Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Replace Web Server Default Page (Windows IIS)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\index.html, Image=cmd.exe. DeviceFileEvents: ActionType=FileModified, FolderPath contains \wwwroot\, InitiatingProcessFileName=cmd.exe. Security Event ID 4663 (if object access auditing enabled on wwwroot directory).

  2. Test 2: Internal Defacement via Wallpaper Registry Modification

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=C:\Windows\Temp\defaced_wallpaper.jpg, Image=powershell.exe. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains Control Panel\Desktop, RegistryValueName=Wallpaper, InitiatingProcessFileName=powershell.exe.

  3. Test 3: Web Shell Simulation, Web Server Spawning Command Shell

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. DeviceProcessEvents: FileName=cmd.exe, InitiatingProcessFileName=powershell.exe. File creation event for webshell-test.txt. Note that with ParentImage=powershell.exe this simulation does not satisfy Branch 3, which requires the parent to be w3wp.exe, nginx.exe, httpd.exe, apache2 or tomcat; to exercise that branch, the shell must be launched from the web server process itself in a lab, or powershell.exe temporarily added to the parent list while testing.

  4. Test 4: Linux Web Root File Replacement via Bash

    Expected signal: Linux auditd: syscall=openat with path=/var/www/html/index.html and WRITE flag, uid/euid of calling user. Sysmon for Linux Event ID 11: FileCreate with TargetFilename=/var/www/html/index.html, Image=/usr/bin/bash. Linux file integrity monitoring (FIM) alert on /var/www/html/ if configured. Only the Sysmon for Linux event is matched by Branch 1, and only if the PROCESS_NAME property reduces /usr/bin/bash to bash; the auditd and FIM signals are confirmation sources outside this query.

  5. Test 5: Mass Internal Defacement via Logon Banner Registry Modification

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and LegalNoticeText, Image=reg.exe. Security Event ID 4657 (Registry value modified) if object access auditing is enabled on the Winlogon key. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryValueName=LegalNoticeCaption/LegalNoticeText.
