AN0229: Analytic 0229
Adversary modifies internal UI messages (e.g., login banners, desktop wallpapers) or hosted intranet web pages by creating or altering content files using scripts or unauthorized access. Often preceded by privilege escalation or web shell deployment.
Analyst context for executives and security teams
This analytic concerns unauthorized changes to internal-facing messages or content, such as login banners, desktop wallpapers, or intranet pages, on Windows environments. For leaders, the issue is not only cosmetic defacement: unauthorized modification of trusted internal communications can signal compromised administrative access, web content control, or prior intrusion activity such as privilege escalation or web shell deployment.
Executive priority
Treat this behavior as an integrity and incident-readiness concern. Security leaders should ask whether the organization can prove who changed internal UI messages or intranet content, when the change occurred, and whether the change followed abnormal privilege use. This matters for operational trust, audit evidence, internal communications during incidents, and rapid triage of potentially broader compromise.
Technical view
ATT&CK provides no official detection logic for AN0229, so SOC and IR teams should validate coverage around Windows content and configuration changes that affect login banners, wallpapers, and hosted intranet pages. Because the description notes that this activity is often preceded by privilege escalation or web shell deployment, investigations should correlate suspicious content modifications with recent administrative logons, privilege changes, script execution, and web server file writes where applicable.
Likely telemetry
- Windows file creation, modification, and deletion events for approved UI-message, wallpaper, and intranet content locations
- Windows administrative logon and account activity around the time of content changes
- Script execution telemetry related to content or configuration changes
- Web server file-write or content-management logs for hosted intranet pages
- Change-management records or authorized deployment logs for comparison
Detection direction
- Baseline legitimate change paths for login banners, desktop wallpaper deployment, and intranet content updates, then alert on changes outside approved processes.
- Correlate content modifications with recent privilege escalation indicators, unusual administrator activity, or script execution.
- Tune detections to reduce false positives from normal IT branding updates, group policy changes, content publishing, and planned maintenance.
- Identify blind spots where Windows endpoint logging, web server logging, or change-management evidence is not retained long enough to reconstruct who made the change.
Mitigation priorities
- Define and enforce authorized change processes for internal UI messages and intranet content.
- Restrict write access to banner, wallpaper, and intranet content locations to approved administrators or publishing services.
- Maintain audit logging and retention for administrative changes, script execution, and web content modification.
- Use incident response procedures to treat unexplained internal defacement or messaging changes as a potential sign of broader compromise, not merely a content issue.
Analyst notes and limits
This object is a detection analytic, not a technique, and no tactics, relationships, or official detection query were supplied. The most useful defensive work is therefore validation of local telemetry, ownership, and change-control evidence for the Windows locations and hosted content that could produce the described behavior.
The supplied ATT&CK fields do not provide detection logic, related techniques, procedures, or attribution. Any assessment of exposure, active exploitation, or detection coverage requires local environment data and cannot be inferred from this object alone.
Analytic 0229
Adversary modifies internal UI messages (e.g., login banners, desktop wallpapers) or hosted intranet web pages by creating or altering content files using scripts or unauthorized access. Often preceded by privilege escalation or web shell deployment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 9f24ecccb520… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0229Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.