Replace Desktop Wallpaper by Powershell
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.
Sigma rule
title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: test
description: |
    An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
    This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'Get-ItemProperty'
            - 'Registry::'
            - 'HKEY_CURRENT_USER\Control Panel\Desktop\'
            - 'WallPaper'
    selection_2:
        ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low
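The detection section above can be exercised offline before the rule is deployed. The following Python sketch is an added example, not part of the Sigma rule or the SigmaHQ project: it re-implements the rule's `contains` matching (case-insensitive substring, `*` as a wildcard, backslashes treated as literal as a simplifying assumption) and evaluates `1 of selection_*` over constructed ScriptBlockText samples. The names RULE, SAMPLES, contains_regex, matched_selections and rule_fires are hypothetical.

```python
import re

# Detection section of the rule above, transcribed as data (not parsed from YAML).
RULE = {
    "selection_1": {"all": True, "values": [
        "Get-ItemProperty",
        "Registry::",
        "HKEY_CURRENT_USER\\Control Panel\\Desktop\\",
        "WallPaper",
    ]},
    "selection_2": {"all": False, "values": ["SystemParametersInfo(20,0,*,3)"]},
}

# Constructed ScriptBlockText samples (not taken from real logs).
SAMPLES = {
    "registry_read": "$old = Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name WallPaper",
    "api_call": "[Win32.Wallpaper]::SystemParametersInfo(20,0,$imgPath,3)",
    "lowercase": "get-itemproperty -path registry::'hkey_current_user\\control panel\\desktop\\' -name wallpaper",
    "other_value": "Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\\Control Panel\\Desktop\\' -Name ScreenSaveActive",
    "unrelated": "Get-ChildItem C:\\Users | Measure-Object",
}

def contains_regex(value):
    """Sigma 'contains': case-insensitive substring, '*' = any run, '?' = one char.
    Simplification (assumption): every backslash is treated as a literal."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value]
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def matched_selections(script_block_text):
    """Return the names of the selections that match, in rule order."""
    hits = []
    for name, sel in RULE.items():
        results = [bool(contains_regex(v).search(script_block_text)) for v in sel["values"]]
        # '|all' requires every value; a plain value list needs any one of them.
        if (all if sel["all"] else any)(results):
            hits.append(name)
    return hits

def rule_fires(script_block_text):
    """condition: 1 of selection_*"""
    return bool(matched_selections(script_block_text))

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:14} fires={rule_fires(text)} via {matched_selections(text)}")
```

The `other_value` sample carries three of the four `selection_1` strings and stays silent, which is the effect of the `|all` modifier; a backend conversion of the rule should reproduce the same verdicts on these samples.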
Related rules
- Potential Ransomware Activity Using LegalNotice Message
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted