Potentially Suspicious Desktop Background Change Using Reg.EXE

 1title: Potentially Suspicious Desktop Background Change Using Reg.EXE
 2id: 8cbc9475-8d05-4e27-9c32-df960716c701
 3related:
 4    - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
 5      type: similar
 6status: test
 7description: |
 8    Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
 9    This is a common technique used by malware to change the desktop background to a ransom note or other image.    
10references:
11    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
12    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
13    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
14    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
15    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
16    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
17author: Stephen Lincoln @slincoln-aiq (AttackIQ)
18date: 2023-12-21
19tags:
20    - attack.persistence
21    - attack.defense-evasion
22    - attack.impact
23    - attack.t1112
24    - attack.t1491.001
25logsource:
26    product: windows
27    category: process_creation
28detection:
29    # TODO: Improve this to also focus on variation using PowerShell and other CLI tools
30    selection_reg_img:
31        - Image|endswith: '\reg.exe'
32        - OriginalFileName: 'reg.exe'
33    selection_reg_flag:
34        CommandLine|contains: 'add'
35    selection_keys:
36        CommandLine|contains:
37            - 'Control Panel\Desktop'
38            - 'CurrentVersion\Policies\ActiveDesktop'
39            - 'CurrentVersion\Policies\System'
40    selection_cli_reg_1:
41        CommandLine|contains|all:
42            - '/v NoChangingWallpaper'
43            - '/d 1' # Prevent changing desktop background
44    selection_cli_reg_2:
45        CommandLine|contains|all:
46            - '/v Wallpaper'
47            - '/t REG_SZ'
48    selection_cli_reg_3:
49        CommandLine|contains|all:
50            - '/v WallpaperStyle'
51            - '/d 2' # Stretch
52    condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
53falsepositives:
54    - Administrative scripts that change the desktop background to a company logo or other image.
55level: medium

References

• Emulating the Controversial and Intriguing Rhysida Ransomware

  

  AttackIQ has released two new attack graphs aimed at emulating the activities carried out by this infamous ransomware.

  
  Read More

• The Rhysida Ransomware: Activity Analysis and Ties to Vice Society - Check Point Research

  

  Introduction The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, […]

  
  Read More

• An Overview of the New Rhysida Ransomware

  

  In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

• https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper

  
  Read More

• https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI

  
  Read More

Related rules

• Potentially Suspicious Desktop Background Change Via Registry
• AWS SAML Provider Deletion Activity
• Activate Suppression of Windows Security Center Notifications
• Add DisallowRun Execution to Registry
• Allow RDP Remote Assistance Feature