🍎

T1491.001

Defacement Internal Defacement

Description from ATT&CK

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users, thus discrediting the integrity of the systems. This may take the form of modifications to internal websites or server login messages, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster)(Citation: Varonis) Disturbing or offensive images may be used as a part of Internal Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

Tests

Test #1 - Change Wallpaper

Adveraries use osascript to change the device wallpaper.

Input Arguments:

ArgumentTypeDefault Value
filePathstr/System/Library/Desktop Pictures/Solid Colors/Black.png
tell application "System Events" to tell every desktop to set picture to "/System/Library/Desktop Pictures/Solid Colors/Black.png"

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

References

T1489

Service Stop

T1518.001

Security Software Discovery

On this page

Description from ATT&CK
Tests
Test #1 - Change Wallpaper
References