detection.wiki

Defacement: Internal Defacement T1491.001

Tactic: Impact

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.

Events covered

3 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 13RegistryEvent (Value Set)
PowerShellEvent ID 4104Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 4 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (6 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
Details2contains 1, eq 1(Empty), 2, DWORD (0x00000001), encrypted, paying
Image2ends_with 2, eq 1\reg.exe, \svchost.exe, c:\program files (x86)\amazon\ec2launch\ec2launch.exe, c:\program files\amazon\ec2launch\ec2launch.exe
TargetObject2contains 2, ends_with 1\control panel\desktop\wallpaper, \software\microsoft\windows\currentversion\policies\syste..., \software\microsoft\windows\currentversion\policies\syste..., \wallpaper, \wallpaperstyle
CommandLine1contains 1/d 1, /d 2, /t reg_sz
OriginalFileName1eq 1reg.exe
ScriptBlockText1contains 1, match 1get-itemproperty, hkey_current_user\control panel\desktop\, registry::

Top indicator values (36 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
CommandLinecontains
/d 1
12
CommandLinecontains
/d 2
1
CommandLinecontains
/t reg_sz
12
CommandLinecontains
/v nochangingwallpaper
1
CommandLinecontains
/v wallpaper
1
CommandLinecontains
/v wallpaperstyle
1
CommandLinecontains
add
134
CommandLinecontains
control panel\desktop
1
CommandLinecontains
currentversion\policies\activedesktop
1
CommandLinecontains
currentversion\policies\system
1
Detailscontains
encrypted
1
Detailscontains
paying
1
Detailscontains
unlock-password
1
Detailseq
(Empty)
12
Detailseq
2
13
Detailseq
DWORD (0x00000001)
140
Imageends_with
\reg.exe
158
Imageends_with
\svchost.exe
123
Imageends_with
c:\windows\explorer.exe
1
Imageeq
c:\program files (x86)\amazon\ec2launch\ec2launch.exe
1
Imageeq
c:\program files\amazon\ec2launch\ec2launch.exe
1
OriginalFileNameeq
reg.exe
142
ScriptBlockTextcontains
get-itemproperty
12
ScriptBlockTextcontains
hkey_current_user\control panel\desktop\
1
ScriptBlockTextcontains
registry::
1
ScriptBlockTextcontains
wallpaper
1
ScriptBlockTextmatch
systemparametersinfo(20,0,*,3)
1
TargetObjectcontains
\software\microsoft\windows\currentversion\policies\system\legalnoticecaption
1
TargetObjectcontains
\software\microsoft\windows\currentversion\policies\system\legalnoticetext
1
TargetObjectcontains
control panel\desktop
1

Exclusions (6 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
Detailseq
(Empty)
1
Imageends_with
\svchost.exe
1
Imageends_with
c:\windows\explorer.exe
1
Imageeq
c:\program files (x86)\amazon\ec2launch\ec2launch.exe
1
Imageeq
c:\program files\amazon\ec2launch\ec2launch.exe
1
TargetObjectends_with
\control panel\desktop\wallpaper
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 4 rules