Potentially Suspicious Desktop Background Change Using Reg.EXE

 1title: Potentially Suspicious Desktop Background Change Using Reg.EXE
 2id: 8cbc9475-8d05-4e27-9c32-df960716c701
 3related:
 4    - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
 5      type: similar
 6status: experimental
 7description: |
 8    Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
 9    This is a common technique used by malware to change the desktop background to a ransom note or other image.    
10references:
11    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
12    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
13    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
14    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
15    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
16    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
17author: Stephen Lincoln @slincoln-aiq (AttackIQ)
18date: 2023/12/21
19tags:
20    - attack.defense_evasion
21    - attack.impact
22    - attack.t1112
23    - attack.t1491.001
24logsource:
25    product: windows
26    category: process_creation
27detection:
28    # TODO: Improve this to also focus on variation using PowerShell and other CLI tools
29    selection_reg_img:
30        - Image|endswith: '\reg.exe'
31        - OriginalFileName: 'reg.exe'
32    selection_reg_flag:
33        CommandLine|contains: 'add'
34    selection_keys:
35        CommandLine|contains:
36            - 'Control Panel\Desktop'
37            - 'CurrentVersion\Policies\ActiveDesktop'
38            - 'CurrentVersion\Policies\System'
39    selection_cli_reg_1:
40        CommandLine|contains|all:
41            - '/v NoChangingWallpaper'
42            - '/d 1' # Prevent changing desktop background
43    selection_cli_reg_2:
44        CommandLine|contains|all:
45            - '/v Wallpaper'
46            - '/t REG_SZ'
47    selection_cli_reg_3:
48        CommandLine|contains|all:
49            - '/v WallpaperStyle'
50            - '/d 2' # Stretch
51    condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
52falsepositives:
53    - Administrative scripts that change the desktop background to a company logo or other image.
54level: medium

References

• https://www.attackiq.com/2023/09/20/emulating-rhysida/

  
  Read More

• The Rhysida Ransomware: Activity Analysis and Ties to Vice Society - Check Point Research

  

  Introduction The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, […]

  
  Read More

• An Overview of the New Rhysida Ransomware

  

  In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

• Desktop Wallpaper

  Specifies the desktop background ("wallpaper") displayed on all users' desktops.

  
  Read More

• Prevent changing desktop background

  Prevents users from adding or changing the background design of the desktop.

  
  Read More

Related rules

• Potentially Suspicious Desktop Background Change Via Registry
• Enable LM Hash Storage
• Reg Add Suspicious Paths
• RestrictedAdminMode Registry Value Tampering
• RestrictedAdminMode Registry Value Tampering - ProcCreation