title: Internal Defacement (T1491.001)
id: df00tech-t1491-001
status: experimental
description: "Adversaries may deface systems internal to an organization in an attempt to intimidate or mislead users, discrediting the integrity of those systems. This manifests most commonly as ransomware operators setting desktop wallpaper to display ransom notes (Black Basta, BlackCat, Qilin, INC Ransomware, Diavol, RansomHub), dropping ransom note text or HTML files across the filesystem, modifying Windows logon legal notice messages, renaming disk volume labels to attacker contact information (ShrinkLocker), or changing lock screen images. Destructive APT groups such as Lazarus Group and Gamaredon have also used desktop wallpaper replacement to display threatening messages after rendering systems inoperable. Internal defacement occurs late in the attack lifecycle — after primary objectives such as data exfiltration or file encryption have been completed — because it reveals adversary presence and marks the point of no return for the victim."
references:
  - https://attack.mitre.org/techniques/T1491/001/
  - https://df00tech.com/detections/T1491.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1491.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Group Policy or Microsoft Intune/MDM solutions deploying corporate desktop wallpaper or compliance logon banners — these originate from gpsvc.exe, deviceenrollmentactivity.exe, or MDM management agents rather than ransomware processes, and occur in batches across many devices simultaneously"
  - "IT administrators manually configuring Windows logon legal notice text via reg.exe or PowerShell for CIS Benchmark, NIST, or STIG compliance requirements — review change tickets and originating workstation (should be a PAW or jump server)"
  - "Disk management during system provisioning, OS imaging, or storage configuration scripts that include volume labeling as part of build automation"
  - "Security or deployment tooling that drops README or documentation files during software installation — these typically originate from msiexec.exe or a known installer process and target software installation directories"
level: high
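As an added example that is not part of this rule or of df00tech's KQL/SPL query, the Python sketch below runs the indicators named in the description (wallpaper, logon legal notice and lock screen registry values, ransom notes dropped across many directories, volume relabelling) over constructed Sysmon-style events and applies the process exclusions listed under falsepositives. The registry paths are real Windows locations; the file-name and command-line patterns, the Sysmon field names and the sample events are assumptions to tune against your own telemetry.

```python
"""Added T1491.001 detection sketch over constructed Sysmon-style event dicts
(Event ID 13 registry value set, 11 file create, 1 process create)."""
import re
from collections import defaultdict

# Registry values behind the wallpaper, logon-banner and lock-screen indicators
# (real Windows locations; the tail of TargetObject is matched case-insensitively).
DEFACEMENT_REG_VALUES = [re.compile(p, re.I) for p in (
    r"\\control panel\\desktop\\wallpaper$",
    r"\\policies\\system\\legalnotice(text|caption)$",
    r"\\personalizationcsp\\lockscreenimagepath$",
    r"\\windows\\personalization\\lockscreenimage$",
)]
# Ransom-note style file names (constructed heuristic; tune to your telemetry).
RANSOM_NOTE_FILE = re.compile(r"[^\\]*(readme|restore|recover|decrypt|how_to)[^\\]*\.(txt|hta|html?)$", re.I)
# Volume relabelling via built-in tools (label.exe or Set-Volume -NewFileSystemLabel).
VOLUME_LABEL_CMD = re.compile(r"(^|[\\\s])label(\.exe)?\s|set-volume\b.*-newfilesystemlabel", re.I)
# Processes named under falsepositives (GPO, MDM enrolment, installers).
# A name allowlist alone is weak; pair it with signer or image-path checks.
BENIGN_IMAGES = {"gpsvc.exe", "deviceenrollmentactivity.exe", "msiexec.exe"}

def classify(event):
    """Label one event, or return None when it matches no indicator."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in BENIGN_IMAGES:
        return None
    eid = event.get("EventID")
    if eid == 13 and any(p.search(event.get("TargetObject", "")) for p in DEFACEMENT_REG_VALUES):
        return "defacement_registry"
    if eid == 11 and RANSOM_NOTE_FILE.search(event.get("TargetFilename", "")):
        return "ransom_note_drop"
    if eid == 1 and VOLUME_LABEL_CMD.search(event.get("CommandLine", "")):
        return "volume_relabel"
    return None

def hunt(events, min_note_dirs=3):
    """Per-host alerts: registry and relabel hits alert at once; note drops alert only
    after one process writes notes into min_note_dirs directories (not an installer README)."""
    alerts, note_dirs = set(), defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        host = ev.get("Computer", "?")
        if label == "ransom_note_drop":
            key = (host, ev.get("ProcessId"))
            note_dirs[key].add(ev["TargetFilename"].rsplit("\\", 1)[0].lower())
            if len(note_dirs[key]) < min_note_dirs:
                continue
        alerts.add((host, label))
    return sorted(alerts)
```

Because the page notes defacement happens after encryption or exfiltration, treat any hit here as a late-stage confirmation to scope the incident, not as the first detection opportunity.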
