Home/ATT&CK Technique/Internal Defacement
ATT&CK Technique

Internal Defacement

T1491.001 · impact

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper. Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.

Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.

ESXiLinuxmacOSWindows

Actors Using This

13
iranAgrius
russiaCadet Blizzard
iranCyberAv3ngers (IRGC-CEC)
russia_speaking_organized_cybercrimeDarkSide / BlackMatter
malaysia_origin_with_international_affiliatesDragonForce
chinaAPT27
anonymous_offshoot_multi_ideology_driftGhostSec
north_koreaLazarus Group
russia_apt_sandwormNotPetya
israel_aligned_suspected_military_intelligencePredatory Sparrow
russia_speaking_organized_cybercrimeTA505
russia_speaking_organized_cybercrimeVice Society / Vanilla Tempest
russia_apt_cadet_blizzardWhisperGate

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
resource-development earlier
T1588.003 · Code Signing Certificates ×5.49
execution earlier
T1569 · System Services ×6.10T1569.002 · Service Execution ×3.88
discovery earlier
T1069.001 · Local Groups ×6.66T1069.002 · Domain Groups ×4.88
command-and-control earlier
T1571 · Non-Standard Port ×3.81
exfiltration earlier
T1048.002 · Exfiltration Over Asymmetric Encrypted Non-C2 Protocol ×6.10
impact same
T1491.002 · External Defacement ×8.45T1529 · System Shutdown/Reboot ×5.72T1561.001 · Disk Content Wipe ×5.63T1561.002 · Disk Structure Wipe ×5.49T1561 · Disk Wipe ×5.23T1495 · Firmware Corruption ×4.22T1491 · Defacement ×3.90
other same
T0809 · Data Destruction ×6.87

Atomic Tests

4
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
powershellwindowsReplace Desktop Wallpaper
Downloads an image from a URL and sets it as the desktop wallpaper. 
$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @' 
using System.Runtime.InteropServices; 
namespace Win32{

    public class Wallpaper{ 
        [DllImport("user32.dll", CharSet=CharSet.Auto)] 
         static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; 
         
         public static void SetWallpaper(string thePath){ 
            SystemParametersInfo(20,0,thePath,3); 
        }
    }
} 
'@
$wc = New-Object System.Net.WebClient  
try{  
    $wc.DownloadFile($url, $imgLocation)
    add-type $updateWallpapercode 
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
} 
catch [System.Net.WebException]{  
    Write-Host("Cannot download $url") 
    add-type $updateWallpapercode 
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
} 
finally{    
    $wc.Dispose()  
}
powershellelevatedwindowsConfigure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText. [SynAck Ransomware](https://www.trendmicro.com/vinfo/es/security/news/cybercrime-and-digital-threats/synack-ransomware-leverages-process-doppelg-nging-for-evasion-and-infection), [Grief Ransomware](https://redcanary.com/blog/grief-ransomware/), [Maze Ransomware](https://cyware.com/research-and-analysis/maze-ransomware-a-deadly-combination-of-data-theft-and-encryption-to-target-us-organizations-8f27), [Pysa Ransomware](https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-destructive-pysa-ransomware), [Spook Ransomware](https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-Spook-Ransomware/ta-p/204226), [DopplePaymer Ransomware](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Dopplepaymer&threatId=-2147221958), [Reedemer Ransomware](https://blog.cyble.com/2022/07/20/redeemer-ransomware-back-action/), [Kangaroo Ransomware](https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/) 
$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force
command_promptwindowsESXi - Change Welcome Message on Direct Console User Interface (DCUI)
Changes the ESXi welcome message to potentially display ransom information. [Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#change%20display%20information) 
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system welcomemsg set -m 'RANSOMWARE-NOTIFICATION'"
powershellwindowsWindows - Display a simulated ransom note via Notepad (non-destructive)
Creates a temporary ransom-note text file and opens it in Notepad to simulate ransomware "note display" behavior without making destructive changes. SAFE and non-destructive. 
$notePath = Join-Path $env:TEMP "#{note_filename}"
$pidPath  = Join-Path $env:TEMP "#{pid_filename}"

$Title = "#{note_title}"
$Body  = "#{note_body}"

$header  = $Title + "`r`n" + ('=' * $Title.Length) + "`r`n`r`n"
$content = $header + $Body

[System.IO.File]::WriteAllText($notePath, $content, [System.Text.Encoding]::UTF8)

$p = Start-Process notepad.exe -ArgumentList "`"$notePath`"" -PassThru
$p.Id | Out-File -FilePath $pidPath -Encoding ascii -Force

Mitigations

1
MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.
M1053Data Backup

Data Backup involves taking and securely storing backups of data from end-user systems and critical servers. It ensures that data remains available in the event of system compromise, ransomware attacks, or other disruptions. Backup processes should include hardening backup systems, implementing secure storage solutions, and keeping backups isolated from the corporate network to prevent compromise during active incidents.

Regular Backup Scheduling
  • Use Case: Ensure timely and consistent backups of critical data.
  • Implementation: Schedule daily incremental backups and weekly full backups for all critical servers and systems.
Immutable Backups
  • Use Case: Protect backups from modification or deletion, even by attackers.
  • Implementation: Use write-once-read-many (WORM) storage for backups, preventing ransomware from encrypting or deleting backup files.
Backup Encryption
  • Use Case: Protect data integrity and confidentiality during transit and storage.
  • Implementation: Encrypt backups using strong encryption protocols (e.g., AES-256) before storing them in local, cloud, or remote locations.
Offsite Backup Storage
  • Use Case: Ensure data availability during physical disasters or onsite breaches.
  • Implementation: Use cloud-based solutions like AWS S3, Azure Backup, or physical offsite storage to maintain a copy of critical data.
Backup Testing
  • Use Case: Validate backup integrity and ensure recoverability.
  • Implementation: Regularly test data restoration processes to ensure that backups are not corrupted and can be recovered quickly.

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) 4
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Comply & Defend

NIST 800-53AC-03, AC-06, CM-02, CP-02, CP-07, CP-09, CP-10, SI-03, SI-04, SI-07
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin