Find sigma rule

Attack: Defacement: Internal Defacement

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary’s presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

MITRE

Tactic

impact

technique

T1491.001

Test : Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message

OS

windows

Description:

Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\ Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText.

SynAck Ransomware, Grief Ransomware, Maze Ransomware, Pysa Ransomware, Spook Ransomware, DopplePaymer Ransomware, Reedemer Ransomware, Kangaroo Ransomware

Executor

powershell

Sigma Rule

registry_set_legalnotice_susp_message.yml (id: 8b9606c9-28be-4a38-b146-0e313cc232c1)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test