Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Sigma rule (View on GitHub)
1title: Potentially Suspicious Desktop Background Change Via Registry
2id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
3related:
4 - id: 8cbc9475-8d05-4e27-9c32-df960716c701
5 type: similar
6status: experimental
7description: |
8 Detects registry value settings that would replace the user's desktop background.
9 This is a common technique used by malware to change the desktop background to a ransom note or other image.
10references:
11 - https://www.attackiq.com/2023/09/20/emulating-rhysida/
12 - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
13 - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
14 - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
15 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
16 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
17author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
18date: 2023-12-21
19tags:
20 - attack.defense-evasion
21 - attack.impact
22 - attack.t1112
23 - attack.t1491.001
24logsource:
25 product: windows
26 category: registry_set
27detection:
28 selection_keys:
29 TargetObject|contains:
30 - 'Control Panel\Desktop'
31 - 'CurrentVersion\Policies\ActiveDesktop'
32 - 'CurrentVersion\Policies\System'
33 selection_values_1:
34 TargetObject|endswith: 'NoChangingWallpaper'
35 Details: 'DWORD (0x00000001)' # Prevent changing desktop background
36 selection_values_2:
37 TargetObject|endswith: '\Wallpaper'
38 selection_values_3:
39 TargetObject|endswith: '\WallpaperStyle'
40 Details: '2' # Stretch
41 filter_main_svchost:
42 # Note: Excluding GPO changes
43 Image|endswith: '\svchost.exe'
44 condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_*
45falsepositives:
46 - Administrative scripts that change the desktop background to a company logo or other image.
47level: medium
References
Related rules
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Audit CVE Event