Detect Defacement in Microsoft Sentinel
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images).
MITRE ATT&CK
- Tactic
- Impact
- Technique
- T1491 Defacement
- Canonical reference
- https://attack.mitre.org/techniques/T1491/
KQL Detection Query
let WebRootPaths = dynamic([
"\\inetpub\\wwwroot\\", "\\htdocs\\", "\\www\\", "\\public_html\\",
"\\nginx\\html\\", "\\apache2\\htdocs\\", "/var/www/", "/srv/http/",
"/usr/share/nginx/", "/home/www/"
]);
let WebFileExtensions = dynamic([
".html", ".htm", ".php", ".asp", ".aspx", ".jsp",
".js", ".css", ".png", ".jpg", ".gif", ".svg", ".ico"
]);
let SuspiciousWriterProcesses = dynamic([
"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
"mshta.exe", "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe",
"python.exe", "python3", "perl.exe", "ruby.exe", "bash", "sh"
]);
let RegistryDefacementKeys = dynamic([
"Wallpaper", "ScreenSaveActive", "SCRNSAVE.EXE",
"legalnoticecaption", "legalnoticetext"
]);
// Branch 1: Web content file modifications in web root directories
let WebFileDefacement = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath has_any (WebRootPaths)
| where FileName has_any (WebFileExtensions)
| where InitiatingProcessFileName has_any (SuspiciousWriterProcesses)
or InitiatingProcessParentFileName has_any (SuspiciousWriterProcesses)
| extend DefacementType = "WebContentModification"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName, DefacementType;
// Branch 2: Registry modifications for internal defacement (wallpaper, logon banner)
let RegistryDefacement = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any (
"\\Control Panel\\Desktop",
"SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
"SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization"
)
| where RegistryValueName has_any (RegistryDefacementKeys)
| where InitiatingProcessFileName has_any (SuspiciousWriterProcesses)
or InitiatingProcessAccountName !in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| extend DefacementType = "RegistryWallpaperChange"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName,
FileName=RegistryValueName, FolderPath=RegistryKey,
ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessParentFileName, DefacementType;
// Branch 3: Web server process writing unexpected files (index.html replacement)
let WebServerSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("w3wp.exe", "nginx.exe", "httpd.exe", "apache2", "tomcat")
| where FileName in~ (SuspiciousWriterProcesses)
| extend DefacementType = "WebServerChildProcess"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath="",
ActionType="ProcessSpawn", InitiatingProcessFileName,
InitiatingProcessCommandLine=ProcessCommandLine,
InitiatingProcessParentFileName, DefacementType;
union WebFileDefacement, RegistryDefacement, WebServerSpawn
| sort by Timestamp descDetects web content defacement and internal defacement activity across three signal branches. Branch 1 monitors file creation/modification events in web root directories (IIS wwwroot, Apache htdocs, nginx html, PHP public_html) initiated by shells or scripting engines rather than legitimate web processes. Branch 2 detects registry modifications to wallpaper, screensaver, and Windows logon notice keys initiated by suspicious processes — a pattern used in internal defacement campaigns. Branch 3 identifies web server worker processes (IIS w3wp.exe, nginx, Apache httpd) spawning command shells or scripting engines, indicating web shell execution that may precede or constitute defacement. Uses DeviceFileEvents, DeviceRegistryEvents, and DeviceProcessEvents from Microsoft Defender for Endpoint.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate web application deployments via CI/CD pipelines or deployment tools (Octopus Deploy, Jenkins) that write directly to web roots
- System administrators using PowerShell or cmd.exe to manually update web content or static assets during maintenance windows
- Content management system (CMS) plugins or update processes that use scripting engines to modify HTML/CSS/JS files
- IT policy tools (SCCM, Intune, GPO) legitimately modifying logon banners or desktop wallpaper for compliance branding
- Web application frameworks that spawn shells for legitimate tasks (asset compilation, template rendering)
Other platforms for T1491
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Replace Web Server Default Page (Windows IIS)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\index.html, Image=cmd.exe. DeviceFileEvents: ActionType=FileModified, FolderPath contains \wwwroot\, InitiatingProcessFileName=cmd.exe. Security Event ID 4663 (if object access auditing enabled on wwwroot directory).
- Test 2Internal Defacement via Wallpaper Registry Modification
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=C:\Windows\Temp\defaced_wallpaper.jpg, Image=powershell.exe. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains Control Panel\Desktop, RegistryValueName=Wallpaper, InitiatingProcessFileName=powershell.exe.
- Test 3Web Shell Simulation — Web Server Spawning Command Shell
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. DeviceProcessEvents: FileName=cmd.exe, InitiatingProcessFileName=powershell.exe. File creation event for webshell-test.txt.
- Test 4Linux Web Root File Replacement via Bash
Expected signal: Linux auditd: syscall=openat with path=/var/www/html/index.html and WRITE flag, uid/euid of calling user. Sysmon for Linux Event ID 11: FileCreate with TargetFilename=/var/www/html/index.html, Image=/usr/bin/bash. Linux file integrity monitoring (FIM) alert on /var/www/html/ if configured.
- Test 5Mass Internal Defacement via Logon Banner Registry Modification
Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and LegalNoticeText, Image=reg.exe. Security Event ID 4657 (Registry value modified) if object access auditing is enabled on the Winlogon key. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryValueName=LegalNoticeCaption/LegalNoticeText.
References (10)
- https://attack.mitre.org/techniques/T1491/
- https://attack.mitre.org/techniques/T1491/001/
- https://attack.mitre.org/techniques/T1491/002/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceregistryevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a
- https://www.sans.org/white-papers/web-application-defacement-detection/
Unlock Pro Content
Get the full detection package for T1491 including response playbook, investigation guide, and atomic red team tests.