Potentially Suspicious Desktop Background Change Via Registry

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Sigma rule (View on GitHub)

 1title: Potentially Suspicious Desktop Background Change Via Registry
 2id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
 3related:
 4    - id: 8cbc9475-8d05-4e27-9c32-df960716c701
 5      type: similar
 6status: experimental
 7description: |
 8    Detects registry value settings that would replace the user's desktop background.
 9    This is a common technique used by malware to change the desktop background to a ransom note or other image.    
10references:
11    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
12    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
13    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
14    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
15    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
16    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
17author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
18date: 2023-12-21
19tags:
20    - attack.defense-evasion
21    - attack.impact
22    - attack.t1112
23    - attack.t1491.001
24logsource:
25    product: windows
26    category: registry_set
27detection:
28    selection_keys:
29        TargetObject|contains:
30            - 'Control Panel\Desktop'
31            - 'CurrentVersion\Policies\ActiveDesktop'
32            - 'CurrentVersion\Policies\System'
33    selection_values_1:
34        TargetObject|endswith: 'NoChangingWallpaper'
35        Details: 'DWORD (0x00000001)' # Prevent changing desktop background
36    selection_values_2:
37        TargetObject|endswith: '\Wallpaper'
38    selection_values_3:
39        TargetObject|endswith: '\WallpaperStyle'
40        Details: '2' # Stretch
41    filter_main_svchost:
42        # Note: Excluding GPO changes
43        Image|endswith: '\svchost.exe'
44    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_*
45falsepositives:
46    - Administrative scripts that change the desktop background to a company logo or other image.
47level: medium

References

Related rules

to-top