T1491: Defacement
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_impact: PT-CR-1995: Desktop_Wallpaper_Change: The desktop wallpaper was changed on behalf of one of the following processes: reg.exe, powershell.exe, powershell_ise.exe, pwsh.exe, rundll32.exe, regsvr32.exe, msiexec.exe, dllhost.exe, wscript.exe. Some cryptolockers, for example, Rhysida, perform similar actions (using reg.exe) and also prevent users from changing the wallpaper containing the attackers' demands.
Subtechniques
Expert Required. The technique is detected only with the combination of «PT Product + Expert»
Detection
ID | DS0029 | Data source and component | Network Traffic: Network Traffic Content | Description | Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. unauthorized, gratuitous, or anomalous traffic patterns attempting to access internal and external websites and services). Consider correlating with application monitoring for indication of unplanned service interruptions or unauthorized content changes. |
---|
ID | DS0022 | Data source and component | File: File Creation | Description | Monitor for newly constructed visual content for internal or external enterprise networks. |
---|
ID | DS0015 | Data source and component | Application Log: Application Log Content | Description | Monitor for third-party application logging, messaging, and/or other artifacts that may modify visual content available internally or externally to an enterprise network. |
---|
ID | DS0022 | Data source and component | File: File Modification | Description | Monitor for changes made to files for unexpected modifications to internal and external websites for unplanned content changes. |
---|
Mitigation
ID | M1053 | Name | Data Backup | Description | Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery. |
---|