Adversary modifies internal UI messages (e.g., login banners, desktop wallpapers) or hosted intranet web pages by creating or altering content files using scripts or unauthorized access. Often preceded by privilege escalation or web shell deployment.
| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | WinEventLog:Security | EventCode=4670, 4663 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| File Modification (DC0061) | WinEventLog:Sysmon | EventCode=2 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| FilePathPattern | Location of web content or system UI config files that may vary across deployments (e.g., %SystemRoot%\Web, %APPDATA%\wallpaper.jpg) |
| TimeWindow | Allowed hours for file/content modification events; defacement likely occurs during off-hours |
| UserContext | System or domain accounts used to perform the modifications may be anomalous |

Adversary leverages root or sudo access to alter system banners, web content directories (e.g., /var/www/html), or login configurations (/etc/issue). File creation or overwrites may coincide with suspicious script execution or cron job activity.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | open/write/unlink |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| User Account Modification (DC0010) | linux:syslog | sudo or su access prior to content change |

| Field | Description |
|---|---|
| TargetDirectories | Paths like /var/www/html, /etc/issue, or /etc/motd may vary across distros |
| UserContext | Non-web-admin users modifying site content or banners should be rare |
| TimeWindow | Defacement often happens outside normal maintenance hours |
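The Windows and Linux analytics above both reduce to the same triage logic: a file write landing in a watched content or banner location, scored by the TimeWindow and UserContext tunables. The following is an added example, not code from the original page; the watched paths, maintenance hours, trusted users and the flattened event schema are all assumptions chosen for the demonstration.

```python
from datetime import datetime
import fnmatch

# Tunable fields from the analytic tables (constructed values; set per deployment).
WATCHED_PATHS = [r"c:\inetpub\wwwroot\*", r"%systemroot%\web\*",   # FilePathPattern
                 "/var/www/html/*", "/etc/issue", "/etc/motd"]      # TargetDirectories
MAINTENANCE_HOURS = range(8, 18)                    # TimeWindow: 08:00-17:59 local
TRUSTED_USERS = {r"contoso\webadmin", "webadmin"}   # UserContext
ENV = {"%systemroot%": r"c:\windows"}               # expanded before matching
# (source, code) pairs from the data component tables that represent a file write
WRITE_EVENTS = {("WinEventLog:Sysmon", "11"), ("WinEventLog:Sysmon", "2"),
                ("WinEventLog:Security", "4663"), ("WinEventLog:Security", "4670"),
                ("auditd:SYSCALL", "open"), ("auditd:SYSCALL", "write"), ("auditd:SYSCALL", "unlink")}

def expand(s: str) -> str:
    s = s.lower()                     # case-insensitive match on both platforms
    for var, val in ENV.items():
        s = s.replace(var, val)       # resolve %SystemRoot% style variables
    return s

def is_watched(path: str) -> bool:
    return any(fnmatch.fnmatchcase(expand(path), expand(p)) for p in WATCHED_PATHS)

def reasons(ev: dict) -> list:
    """Why an event looks like internal defacement; an empty list means ignore it."""
    if (ev["source"], ev["code"]) not in WRITE_EVENTS or not is_watched(ev["path"]):
        return []
    out = []
    if datetime.fromisoformat(ev["time"]).hour not in MAINTENANCE_HOURS:
        out.append("off-hours")
    if ev["user"].lower() not in TRUSTED_USERS:
        out.append("untrusted-user")
    return out

def triage(events: list) -> list:
    """Return (event, reasons) pairs that deserve analyst attention."""
    return [(ev, r) for ev in events for r in [reasons(ev)] if r]
# Constructed sample events (not real logs), flattened to one common schema.
SAMPLE = [
    {"source": "WinEventLog:Sysmon", "code": "11", "time": "2024-05-03T02:13:00",
     "user": r"CONTOSO\svc-iis", "path": r"C:\inetpub\wwwroot\index.html"},
    {"source": "WinEventLog:Security", "code": "4663", "time": "2024-05-03T10:05:00",
     "user": r"CONTOSO\webadmin", "path": r"%SystemRoot%\Web\Wallpaper\corp.jpg"},
    {"source": "auditd:SYSCALL", "code": "write", "time": "2024-05-03T23:40:00",
     "user": "root", "path": "/etc/motd"},
]

if __name__ == "__main__":
    for ev, why in triage(SAMPLE):
        print(ev["source"], ev["code"], ev["user"], ev["path"], why)
```

The in-hours write by the trusted web administrator is left alone; the two off-hours writes by accounts outside the allow-list are surfaced with both reasons attached, so an analyst can see which tunable fired.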

Modification of user desktop backgrounds, login screen messages, or system banners by adversaries using admin privileges or script execution. May coincide with tampering in /Library/Desktop Pictures/ or use of AppleScript.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | macos:unifiedlog | loginwindow or desktopservices modified settings or files |
| Script Execution (DC0029) | macos:unifiedlog | osascript or AppleScript invocation modifying UI |

| Field | Description |
|---|---|
| ScriptNames | Uncommon scripts like AppleScript variants or osascript for wallpaper changes |
| UserContext | Normal users should not alter global visual settings |

Adversary modifies ESXi host login banner or MOTD file (/etc/motd), either through SSH or host console access. May involve configuration file overwrite or API calls from compromised vSphere clients.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | ESXiLogs:messages | changes to /etc/motd or /etc/vmware/welcome |
| Command Execution (DC0064) | esxi:hostd | modification of config files or shell command execution |

| Field | Description |
|---|---|
| LoginBannerFilePath | Target file paths (e.g., /etc/motd) may be changed via symbolic link or override |
| AccessOrigin | ESXi hostd vs. SSH-based defacement origin may affect visibility |