Potentially Suspicious Desktop Background Change Using Reg.EXE
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Sigma rule (View on GitHub)
1title: Potentially Suspicious Desktop Background Change Using Reg.EXE
2id: 8cbc9475-8d05-4e27-9c32-df960716c701
3related:
4 - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
5 type: similar
6status: experimental
7description: |
8 Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
9 This is a common technique used by malware to change the desktop background to a ransom note or other image.
10references:
11 - https://www.attackiq.com/2023/09/20/emulating-rhysida/
12 - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
13 - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
14 - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
15 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
16 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
17author: Stephen Lincoln @slincoln-aiq (AttackIQ)
18date: 2023-12-21
19tags:
20 - attack.defense-evasion
21 - attack.impact
22 - attack.t1112
23 - attack.t1491.001
24logsource:
25 product: windows
26 category: process_creation
27detection:
28 # TODO: Improve this to also focus on variation using PowerShell and other CLI tools
29 selection_reg_img:
30 - Image|endswith: '\reg.exe'
31 - OriginalFileName: 'reg.exe'
32 selection_reg_flag:
33 CommandLine|contains: 'add'
34 selection_keys:
35 CommandLine|contains:
36 - 'Control Panel\Desktop'
37 - 'CurrentVersion\Policies\ActiveDesktop'
38 - 'CurrentVersion\Policies\System'
39 selection_cli_reg_1:
40 CommandLine|contains|all:
41 - '/v NoChangingWallpaper'
42 - '/d 1' # Prevent changing desktop background
43 selection_cli_reg_2:
44 CommandLine|contains|all:
45 - '/v Wallpaper'
46 - '/t REG_SZ'
47 selection_cli_reg_3:
48 CommandLine|contains|all:
49 - '/v WallpaperStyle'
50 - '/d 2' # Stretch
51 condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
52falsepositives:
53 - Administrative scripts that change the desktop background to a company logo or other image.
54level: medium
References
Related rules
- Potentially Suspicious Desktop Background Change Via Registry
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Audit CVE Event