T1491 Splunk · SPL

Detect Defacement in Splunk

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images).

MITRE ATT&CK

Tactic
Impact
Technique
T1491 Defacement
Canonical reference
https://attack.mitre.org/techniques/T1491/

SPL Detection Query

Splunk (SPL)
| union
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
    | eval FolderPath=lower(TargetFilename)
    | where match(FolderPath, "(\\\\inetpub\\\\wwwroot|\\\\htdocs|\\\\public_html|\\\\nginx\\\\html|\/var\/www\/|\/srv\/http\/|\/usr\/share\/nginx)")
    | where match(FolderPath, "\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$")
    | eval InitProc=lower(Image)
    | where match(InitProc, "(^|[\\\\/])(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|curl\.exe|wget\.exe|certutil\.exe|python3?(\.exe)?|bash|sh|zsh|dash)$")
    | eval DefacementType="WebFileModification"
    | eval User=coalesce(User, "unknown")
    | table _time, host, User, Image, CommandLine, TargetFilename, DefacementType ],
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (12, 13, 14)
    | eval RegPath=lower(TargetObject)
    | where match(RegPath, "(\\\\control panel\\\\desktop|\\\\terminal server\\\\winlogon|\\\\windows nt\\\\currentversion\\\\winlogon|\\\\policies\\\\microsoft\\\\windows\\\\personalization)")
    | where match(RegPath, "(wallpaper|screensaveactive|scrnsave\.exe|legalnoticecaption|legalnoticetext)")
    | eval InitProc=lower(Image)
    | where match(InitProc, "(^|[\\\\/])(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|reg\.exe|regedit\.exe|python3?(\.exe)?|bash|sh|zsh|dash)$")
    | eval DefacementType="RegistryWallpaperChange"
    | eval User=coalesce(User, "unknown")
    | table _time, host, User, Image, CommandLine, TargetObject, Details, DefacementType ],
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | eval ParentProc=lower(ParentImage)
    | eval ChildProc=lower(Image)
    | where match(ParentProc, "(w3wp\.exe|nginx\.exe|httpd\.exe|apache2|tomcat)")
    | where match(ChildProc, "(^|[\\\\/])(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|bash|sh|zsh|dash|python3?(\.exe)?)$")
    | eval DefacementType="WebServerShellSpawn"
    | eval User=coalesce(User, "unknown")
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DefacementType ]
| eval SeverityScore=case(
    DefacementType="WebServerShellSpawn", 3,
    DefacementType="WebFileModification", 2,
    DefacementType="RegistryWallpaperChange", 1,
    true(), 1)
| sort - SeverityScore, - _time
Severity: high · Confidence: medium

Detects defacement activity across three branches using Sysmon operational logs. Branch 1 uses Event ID 11 (FileCreate, which Sysmon also raises when an existing file is overwritten) to catch shells and scripting engines writing web content files (HTML, PHP, ASP, JSP, JS, CSS and images) into web root directories. Branch 2 uses Event IDs 12/13/14 (registry key create/delete, value set, key or value rename) to identify modification of the wallpaper, screensaver and logon banner values used in internal defacement. Branch 3 uses Event ID 1 (Process Create) to detect web server processes (IIS w3wp, nginx, Apache httpd/apache2, Tomcat) spawning command shells, a strong indicator of web shell execution that often precedes or constitutes defacement. Results are ranked by a SeverityScore with web shell spawns rated highest. Two points to check when deploying: the process-name patterns must be anchored to the executable name at the end of the path (`(^|[\\/])name$`), because a bare `sh` substring matches any image path containing those letters (flash, powershell, ssh) and silently widens the filter; and reg.exe and regedit.exe belong in the branch 2 process list, since Test 5 below writes the logon banner values with reg.exe rather than through a shell. The Linux web root paths in branch 1 only return results if Sysmon for Linux events are indexed under a sourcetype the search includes; as written the search is restricted to the Windows sourcetype.
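The three branches and the severity ranking, re-implemented in Python over a handful of constructed Sysmon events so the logic can be exercised offline. This is an added example, not code from the page or from Splunk; the events, hostnames, users and the DEPLOY_ALLOWLIST tuning set are all made up for illustration. It also shows the two fixes discussed above: the executable name is compared as a whole (so `sh` does not match `flashupdater.exe`), and reg.exe is accepted as the writer of the registry values.

```python
import re

# Constructed sample events (not real telemetry). Field names follow the Sysmon XML extraction the
# SPL above searches; _time is an arbitrary epoch second used only for ordering.
SAMPLE_EVENTS = [
    {"_time": 1, "EventCode": 11, "host": "web01", "User": "CORP\\webadmin",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo HACKED > C:\\inetpub\\wwwroot\\index.html",
     "TargetFilename": "C:\\inetpub\\wwwroot\\index.html"},
    {"_time": 2, "EventCode": 11, "host": "web01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Program Files\\Vendor\\flashupdater.exe",  # contains "sh" but is no shell
     "CommandLine": "flashupdater.exe /quiet",
     "TargetFilename": "C:\\inetpub\\wwwroot\\assets\\logo.png"},
    {"_time": 3, "EventCode": 11, "host": "web01", "User": "CORP\\svc_deploy",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\deploy\\publish.ps1",
     "TargetFilename": "C:\\inetpub\\wwwroot\\index.html"},
    {"_time": 4, "EventCode": 13, "host": "ws07", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /v LegalNoticeCaption /d Owned /f",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNoticeCaption",
     "Details": "Owned"},
    {"_time": 5, "EventCode": 1, "host": "web01", "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "ParentCommandLine": "w3wp.exe -ap \"DefaultAppPool\""},
    {"_time": 6, "EventCode": 1, "host": "web01", "User": "IIS APPPOOL\\DefaultAppPool",
     "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "conhost.exe 0x4",
     "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "ParentCommandLine": "w3wp.exe -ap \"DefaultAppPool\""},
]

# Hypothetical tuning allowlist: (lowercased user, executable name) pairs of known deployment
# identities. In Splunk this would be a lookup rather than a literal.
DEPLOY_ALLOWLIST = {("corp\\svc_deploy", "powershell.exe")}

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
          "curl.exe", "wget.exe", "certutil.exe", "python.exe", "python", "python3",
          "bash", "sh", "zsh", "dash"}
REG_TOOLS = SHELLS | {"reg.exe", "regedit.exe"}  # Test 5 on this page writes the banner with reg.exe
WEB_SERVER_PREFIXES = ("w3wp", "nginx", "httpd", "apache2", "tomcat")
WEB_ROOT = re.compile(r"(\\inetpub\\wwwroot|\\htdocs|\\public_html|\\nginx\\html|/var/www/|/srv/http/|/usr/share/nginx)")
WEB_EXT = re.compile(r"\.(html|htm|php|asp|aspx|jsp|js|css|png|jpg|gif|svg|ico)$")
REG_KEY = re.compile(r"(\\control panel\\desktop|\\windows nt\\currentversion\\winlogon|\\policies\\microsoft\\windows\\personalization)")
REG_VALUE = re.compile(r"(wallpaper|screensaveactive|scrnsave\.exe|legalnoticecaption|legalnoticetext)")
SEVERITY = {"WebServerShellSpawn": 3, "WebFileModification": 2, "RegistryWallpaperChange": 1}


def basename(path):
    """Lowercased executable name only, so 'sh' is compared against 'flashupdater.exe', not found inside it."""
    return re.split(r"[\\/]", (path or "").lower())[-1]


def classify(ev):
    """Map one Sysmon event to a DefacementType (the three SPL branches), or None if no branch matches."""
    code, image = ev.get("EventCode"), basename(ev.get("Image"))
    if code == 11:  # FileCreate, also raised when an existing file is overwritten
        target = (ev.get("TargetFilename") or "").lower()
        if WEB_ROOT.search(target) and WEB_EXT.search(target) and image in SHELLS:
            return "WebFileModification"
    elif code in (12, 13, 14):  # registry key create/delete, value set, rename
        key = (ev.get("TargetObject") or "").lower()
        if REG_KEY.search(key) and REG_VALUE.search(key) and image in REG_TOOLS:
            return "RegistryWallpaperChange"
    elif code == 1:  # ProcessCreate: web server parent spawning a shell
        parent = basename(ev.get("ParentImage"))
        if parent.startswith(WEB_SERVER_PREFIXES) and image in SHELLS:
            return "WebServerShellSpawn"
    return None


def detect(events):
    """Run all branches, drop allowlisted deployment writes, rank by SeverityScore then recency."""
    hits = []
    for ev in events:
        dtype = classify(ev)
        if dtype is None:
            continue
        user = (ev.get("User") or "unknown").lower()
        if dtype == "WebFileModification" and (user, basename(ev.get("Image"))) in DEPLOY_ALLOWLIST:
            continue  # tuned out: known CI/CD identity publishing to the web root
        hits.append({**ev, "DefacementType": dtype, "SeverityScore": SEVERITY[dtype]})
    return sorted(hits, key=lambda h: (-h["SeverityScore"], -h["_time"]))


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(h["SeverityScore"], h["DefacementType"], h["host"], h["User"], h["CommandLine"])
```

Running it yields three hits in SPL order: the w3wp-spawned cmd.exe (score 3), the cmd.exe overwrite of index.html by CORP\webadmin (score 2) and the reg.exe banner change (score 1). The flashupdater.exe write and the conhost.exe child are dropped by the whole-name comparison, and the svc_deploy publish is suppressed by the allowlist, which is the same shape of tuning the False Positives section asks for.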

Data Sources

  • File: File Creation
  • Windows Registry: Windows Registry Key Modification
  • Process: Process Creation
  • Sysmon Event ID 1
  • Sysmon Event ID 11
  • Sysmon Event ID 12/13/14

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • CI/CD deployment pipelines using shell commands to deploy web content updates to web root directories
  • Administrative scripts updating default IIS or Apache landing pages during server provisioning
  • Centralized IT management tools modifying corporate wallpaper and logon banners via Group Policy or Intune
  • Web application frameworks (Django, Rails, Node.js) spawning shell processes for asset compilation or task runners
  • Security scanning tools or web application firewalls writing logs or configuration files to web directories

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Replace Web Server Default Page (Windows IIS)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\index.html, Image=cmd.exe. DeviceFileEvents: ActionType=FileModified, FolderPath contains \wwwroot\, InitiatingProcessFileName=cmd.exe. Security Event ID 4663 (if object access auditing enabled on wwwroot directory).

  2. Test 2: Internal Defacement via Wallpaper Registry Modification

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=C:\Windows\Temp\defaced_wallpaper.jpg, Image=powershell.exe. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains Control Panel\Desktop, RegistryValueName=Wallpaper, InitiatingProcessFileName=powershell.exe.

  3. Test 3: Web Shell Simulation, Web Server Spawning Command Shell

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. DeviceProcessEvents: FileName=cmd.exe, InitiatingProcessFileName=powershell.exe. File creation event for webshell-test.txt. Note that with powershell.exe as the parent this simulation does not satisfy branch 3 of the query, which requires a web server worker (w3wp, nginx, httpd, apache2, tomcat) as ParentImage; it validates that the process-creation telemetry arrives, not that the branch fires. To exercise the branch, the shell has to be spawned from the web server process itself.

  4. Test 4: Linux Web Root File Replacement via Bash

    Expected signal: Linux auditd: syscall=openat with path=/var/www/html/index.html and WRITE flag, uid/euid of calling user. Sysmon for Linux Event ID 11: FileCreate with TargetFilename=/var/www/html/index.html, Image=/usr/bin/bash. Linux file integrity monitoring (FIM) alert on /var/www/html/ if configured. Branch 1 of the query sees these events only if its sourcetype filter is widened to include the sourcetype your Sysmon for Linux add-on assigns; as written it is restricted to the Windows sourcetype, so the /var/www/ path pattern alone is not enough.

  5. Test 5: Mass Internal Defacement via Logon Banner Registry Modification

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and LegalNoticeText, Image=reg.exe. Security Event ID 4657 (Registry value modified) if object access auditing is enabled on the Winlogon key. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryValueName=LegalNoticeCaption/LegalNoticeText. Because Sysmon attributes the registry write to reg.exe, not to the shell that launched it, branch 2 fires on this test only if reg.exe is in its initiating-process list.

Unlock Pro Content

Get the full detection package for T1491 including response playbook, investigation guide, and atomic red team tests.
