T1491 Sumo Logic CSE · Sumo

Detect Defacement in Sumo Logic CSE

Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as part of defacement to cause user discomfort or to pressure compliance with accompanying messages. Internal defacement targets assets visible within an enterprise (desktop wallpapers, screensavers, logon banners), while external defacement targets publicly accessible web content (web server root files, CMS templates, hosted images).

MITRE ATT&CK

Tactic: Impact
Technique: T1491 Defacement
Canonical reference: https://attack.mitre.org/techniques/T1491/

Sumo Detection Query

Sumo Logic CSE (Sumo) query:

// Branch 1: Web file write by suspicious process
// Sysmon Event ID 11 = FileCreate; TargetFilename is the path that was written
(_sourceCategory=*sysmon* OR _sourceCategory=*windows*)
| where EventID = "11"
| parse field=TargetFilename "*" as file_path nodrop
| where TargetFilename matches "*\\inetpub\\wwwroot*"
  OR TargetFilename matches "*\\htdocs*"
  OR TargetFilename matches "*\\public_html*"
  OR TargetFilename matches "*\\nginx\\html*"
  OR TargetFilename matches "*/var/www/*"
  OR TargetFilename matches "*/srv/http/*"
  OR TargetFilename matches "*/usr/share/nginx/*"
| where TargetFilename matches "*.html"
  OR TargetFilename matches "*.htm"
  OR TargetFilename matches "*.php"
  OR TargetFilename matches "*.asp"
  OR TargetFilename matches "*.aspx"
  OR TargetFilename matches "*.jsp"
  OR TargetFilename matches "*.js"
  OR TargetFilename matches "*.css"
// "*sh" is a suffix glob: it also matches any binary whose name merely ends in "sh"
// (zsh, dash, or a deployment tool called "refresh"). Narrow it to "*/bash", "*/sh", "*/zsh" if noisy.
| where Image matches "*cmd.exe"
  OR Image matches "*powershell.exe"
  OR Image matches "*pwsh.exe"
  OR Image matches "*wscript.exe"
  OR Image matches "*cscript.exe"
  OR Image matches "*mshta.exe"
  OR Image matches "*curl.exe"
  OR Image matches "*wget.exe"
  OR Image matches "*certutil.exe"
  OR Image matches "*python.exe"
  OR Image matches "*bash"
  OR Image matches "*sh"
// Sumo's search language has no eval operator; constants are assigned with "<value> as <field>"
| "WebFileModification" as defacement_type
| 2 as severity_score
| fields _messageTime, Computer, User, Image, CommandLine, TargetFilename, defacement_type, severity_score

// Run separately for Branch 2: Registry defacement
// Sysmon Event IDs 12/13/14 = RegistryEvent (key/value create-delete, value set, key rename)
// (_sourceCategory=*sysmon*)
// | where EventID in ("12","13","14")
// | where TargetObject matches "*Control Panel\\Desktop*"
//   OR TargetObject matches "*Winlogon*legalnotice*"
//   OR TargetObject matches "*Personalization*"
// | where TargetObject matches "*Wallpaper*"
//   OR TargetObject matches "*ScreenSaveActive*"
//   OR TargetObject matches "*legalnoticecaption*"
//   OR TargetObject matches "*legalnoticetext*"
// | where Image matches "*cmd.exe" OR Image matches "*powershell.exe" OR Image matches "*python.exe" OR Image matches "*bash"
// | "RegistryWallpaperChange" as defacement_type
// | 1 as severity_score
// | fields _messageTime, Computer, User, Image, CommandLine, TargetObject, Details, defacement_type, severity_score

// Run separately for Branch 3: Web server child shell
// Sysmon Event ID 1 = ProcessCreate; ParentImage is the web server worker process
// (_sourceCategory=*sysmon*)
// | where EventID = "1"
// | where ParentImage matches "*w3wp.exe" OR ParentImage matches "*nginx.exe" OR ParentImage matches "*httpd.exe" OR ParentImage matches "*apache2" OR ParentImage matches "*tomcat"
// | where Image matches "*cmd.exe" OR Image matches "*powershell.exe" OR Image matches "*bash" OR Image matches "*sh" OR Image matches "*python.exe"
// | "WebServerShellSpawn" as defacement_type
// | 3 as severity_score
// | fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, defacement_type, severity_score

// sort operates on aggregated results; if it errors on raw messages, aggregate first
// (e.g. count by the listed fields) or drop the sort and rely on the default time ordering
| sort by severity_score desc, _messageTime desc

Severity: high. Confidence: medium.

Sumo Logic CSE detection for T1491 Defacement. Branch 1 is shown inline and uses Sysmon EventID 11 (File Create) to find web content files written to web root paths by suspicious script/shell processes. Branches 2 (registry wallpaper/logon banner changes) and 3 (web server spawning shells) are provided as commented queries to run separately, because the Sumo Logic query language does not support multi-branch union searches. All branches use real Sysmon source categories and field names.

Data Sources

  • Sumo Logic Cloud SIEM
  • Sysmon logs via Sumo Logic Installed Collector
  • Windows Event Logs

Required Tables

  • _sourceCategory=*sysmon*
  • _sourceCategory=*windows*

False Positives & Tuning

  • Web deployment automation using curl or PowerShell to push new content to web server directories as part of regular release cycles
  • Group Policy applying wallpaper changes across the enterprise via logon scripts that run cmd.exe or PowerShell
  • IIS application pools (w3wp.exe) executing managed code that shells out to script interpreters for legitimate application logic
  • Content management systems that use background PHP or Python workers to process and write media files to the web root
  • Security tools performing scheduled web content integrity checks that read and temporarily modify web files

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Replace Web Server Default Page (Windows IIS)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename=C:\inetpub\wwwroot\index.html, Image=cmd.exe. DeviceFileEvents: ActionType=FileModified, FolderPath contains \wwwroot\, InitiatingProcessFileName=cmd.exe. Security Event ID 4663 (if object access auditing enabled on wwwroot directory).

  2. Test 2: Internal Defacement via Wallpaper Registry Modification

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKCU\Control Panel\Desktop\Wallpaper, Details=C:\Windows\Temp\defaced_wallpaper.jpg, Image=powershell.exe. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryKey contains Control Panel\Desktop, RegistryValueName=Wallpaper, InitiatingProcessFileName=powershell.exe.

  3. Test 3: Web Shell Simulation — Web Server Spawning Command Shell

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, ParentImage=powershell.exe, CommandLine containing 'whoami'. DeviceProcessEvents: FileName=cmd.exe, InitiatingProcessFileName=powershell.exe. File creation event for webshell-test.txt.

  4. Test 4: Linux Web Root File Replacement via Bash

    Expected signal: Linux auditd: syscall=openat with path=/var/www/html/index.html and WRITE flag, uid/euid of calling user. Sysmon for Linux Event ID 11: FileCreate with TargetFilename=/var/www/html/index.html, Image=/usr/bin/bash. Linux file integrity monitoring (FIM) alert on /var/www/html/ if configured.

  5. Test 5: Mass Internal Defacement via Logon Banner Registry Modification

    Expected signal: Sysmon Event ID 13: RegistryValueSet with TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption and LegalNoticeText, Image=reg.exe. Security Event ID 4657 (Registry value modified) if object access auditing is enabled on the Winlogon key. DeviceRegistryEvents: ActionType=RegistryValueSet, RegistryValueName=LegalNoticeCaption/LegalNoticeText.
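To check which of the five Atomic tests the three branches actually catch before running them in Sumo, the following added example (not the page's query, nor Sumo Logic code) re-implements the branch logic offline in Python with the same globs, and runs it over constructed Sysmon-style events shaped like the expected signals above. Field names follow the Sysmon schema the query references; the hostnames, users and paths in the sample events are constructed, and treating Sumo's `matches` as a case-insensitive glob is an assumption of this example. The `DEPLOY_ALLOWLIST` tuning step is likewise an illustration of the false-positive guidance, not part of the rule.

```python
"""Offline re-implementation of the three T1491 branches over constructed Sysmon-style events.
Added example; the globs are copied from the Sumo query, everything else is hypothetical."""
from fnmatch import fnmatchcase

# Globs copied from the query. Sumo's `matches` is treated here as a case-insensitive
# glob (assumption), approximated by lower-casing both sides before fnmatchcase.
WEB_ROOTS = ["*\\inetpub\\wwwroot*", "*\\htdocs*", "*\\public_html*", "*\\nginx\\html*",
             "*/var/www/*", "*/srv/http/*", "*/usr/share/nginx/*"]
WEB_EXTS = ["*.html", "*.htm", "*.php", "*.asp", "*.aspx", "*.jsp", "*.js", "*.css"]
SCRIPT_IMAGES = ["*cmd.exe", "*powershell.exe", "*pwsh.exe", "*wscript.exe", "*cscript.exe",
                 "*mshta.exe", "*curl.exe", "*wget.exe", "*certutil.exe", "*python.exe",
                 "*bash", "*sh"]
REG_KEYS = ["*Control Panel\\Desktop*", "*Winlogon*legalnotice*", "*Personalization*"]
REG_VALUES = ["*Wallpaper*", "*ScreenSaveActive*", "*legalnoticecaption*", "*legalnoticetext*"]
REG_IMAGES = ["*cmd.exe", "*powershell.exe", "*python.exe", "*bash"]
WEB_PARENTS = ["*w3wp.exe", "*nginx.exe", "*httpd.exe", "*apache2", "*tomcat"]
SHELL_IMAGES = ["*cmd.exe", "*powershell.exe", "*bash", "*sh", "*python.exe"]


def matches_any(value, globs):
    """True if the (possibly missing) field value matches any glob, case-insensitively."""
    v = (value or "").lower()
    return any(fnmatchcase(v, g.lower()) for g in globs)


def branch1_web_file_write(ev):
    """Branch 1: Sysmon 11 FileCreate of web content under a web root by a script/shell image."""
    return (ev.get("EventID") == "11"
            and matches_any(ev.get("TargetFilename"), WEB_ROOTS)
            and matches_any(ev.get("TargetFilename"), WEB_EXTS)
            and matches_any(ev.get("Image"), SCRIPT_IMAGES))


def branch2_registry_defacement(ev):
    """Branch 2: Sysmon 12/13/14 on wallpaper / screensaver / logon banner values."""
    return (ev.get("EventID") in ("12", "13", "14")
            and matches_any(ev.get("TargetObject"), REG_KEYS)
            and matches_any(ev.get("TargetObject"), REG_VALUES)
            and matches_any(ev.get("Image"), REG_IMAGES))


def branch3_web_server_shell(ev):
    """Branch 3: Sysmon 1 ProcessCreate where a web server worker spawns a shell/interpreter."""
    return (ev.get("EventID") == "1"
            and matches_any(ev.get("ParentImage"), WEB_PARENTS)
            and matches_any(ev.get("Image"), SHELL_IMAGES))


BRANCHES = [("WebFileModification", 2, branch1_web_file_write),
            ("RegistryWallpaperChange", 1, branch2_registry_defacement),
            ("WebServerShellSpawn", 3, branch3_web_server_shell)]


def classify(events):
    """Tag each matching event with defacement_type/severity_score and order like the query's sort."""
    hits = [{"defacement_type": dtype, "severity_score": score, **ev}
            for ev in events for dtype, score, fn in BRANCHES if fn(ev)]
    hits.sort(key=lambda h: (h["severity_score"], h["_messageTime"]), reverse=True)
    return hits


# Constructed (Computer, User) pairs for release automation; illustrates the tuning guidance.
DEPLOY_ALLOWLIST = {("web02", "deploy")}


def tune(hits, allowlist=DEPLOY_ALLOWLIST):
    """Drop hits from known deployment automation identities."""
    return [h for h in hits if (h.get("Computer"), h.get("User")) not in allowlist]


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample events, one per Atomic test plus two edge cases (all values made up).
SAMPLE_EVENTS = [
    {"_messageTime": 1, "EventID": "11", "Computer": "web01", "User": "CORP\\svc-iis",          # Test 1
     "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\inetpub\\wwwroot\\index.html"},
    {"_messageTime": 2, "EventID": "13", "Computer": "ws07", "User": "CORP\\jdoe", "Image": PS,   # Test 2
     "TargetObject": "HKCU\\Control Panel\\Desktop\\Wallpaper", "Details": "C:\\Windows\\Temp\\defaced_wallpaper.jpg"},
    {"_messageTime": 3, "EventID": "1", "Computer": "web01", "User": "IIS APPPOOL\\DefaultAppPool",  # Test 3, real web parent
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe"},
    {"_messageTime": 4, "EventID": "11", "Computer": "web02", "User": "root",                   # Test 4
     "Image": "/usr/bin/bash", "TargetFilename": "/var/www/html/index.html"},
    {"_messageTime": 5, "EventID": "13", "Computer": "ws07", "User": "CORP\\admin",             # Test 5: reg.exe is not
     "Image": "C:\\Windows\\System32\\reg.exe",                                                 # in branch 2's Image list
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNoticeCaption"},
    {"_messageTime": 6, "EventID": "1", "Computer": "ws07", "User": "CORP\\jdoe",               # Test 3 as listed above:
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": PS},                             # parent is powershell, not w3wp
    {"_messageTime": 7, "EventID": "11", "Computer": "web02", "User": "deploy",                 # CMS worker named "refresh"
     "Image": "/opt/cms/bin/refresh", "TargetFilename": "/var/www/html/app.js"},               # is caught by the "*sh" glob
]


def run(events=SAMPLE_EVENTS):
    """Classify, then apply the deployment allowlist; returns the tuned hit list."""
    return tune(classify(events))


if __name__ == "__main__":
    for h in run():
        print(h["severity_score"], h["defacement_type"], h["Computer"], h["User"], h["Image"])
```

Running it shows two gaps worth knowing before validation: Test 5 (reg.exe editing LegalNoticeCaption) and Test 3 as described (cmd.exe spawned by powershell.exe rather than by w3wp.exe) produce no hits with the globs as written, while the "*sh" suffix glob fires on the constructed CMS worker `/opt/cms/bin/refresh`, which the allowlist then suppresses.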
