Technique on mitre.org

T1491.001: Internal Defacement

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_impact: PT-CR-1995: Desktop_Wallpaper_Change: The desktop wallpaper was changed on behalf of one of the following processes: reg.exe, powershell.exe, powershell_ise.exe, pwsh.exe, rundll32.exe, regsvr32.exe, msiexec.exe, dllhost.exe, wscript.exe. Some cryptolockers, for example, Rhysida, perform similar actions (using reg.exe) and also prevent users from changing the wallpaper containing the attackers' demands.

Detection

ID	DS0022	Data source and component	File: File Modification	Description	Monitor internal and websites for unplanned content changes.

ID	DS0022	Data source and component	File: File Creation	Description	Monitor for newly constructed files that may deface systems internal to an organization in an attempt to intimidate or mislead users.

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ID	DS0015	Data source and component	Application Log: Application Log Content	Description	Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems internal to an organization in an attempt to intimidate or mislead users.

ID	Data source and component	Description
DS0022	File: File Modification	Monitor internal and websites for unplanned content changes.
DS0022	File: File Creation	Monitor for newly constructed files that may deface systems internal to an organization in an attempt to intimidate or mislead users.
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0015	Application Log: Application Log Content	Monitor for third-party application logging, messaging, and/or other artifacts that may deface systems internal to an organization in an attempt to intimidate or mislead users.

Mitigation

ID	M1053	Name	Data Backup	Description	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

ID	Name	Description
M1053	Data Backup	Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.