Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Sigma rule (View on GitHub)
1title: Potentially Suspicious Desktop Background Change Via Registry
2id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
3related:
4 - id: 8cbc9475-8d05-4e27-9c32-df960716c701
5 type: similar
6status: test
7description: |
8 Detects registry value settings that would replace the user's desktop background.
9 This is a common technique used by malware to change the desktop background to a ransom note or other image.
10references:
11 - https://www.attackiq.com/2023/09/20/emulating-rhysida/
12 - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
13 - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
14 - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
15 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
16 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
17author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
18date: 2023-12-21
19modified: 2025-10-17
20tags:
21 - attack.defense-evasion
22 - attack.impact
23 - attack.t1112
24 - attack.t1491.001
25logsource:
26 product: windows
27 category: registry_set
28detection:
29 selection_keys:
30 TargetObject|contains:
31 - 'Control Panel\Desktop'
32 - 'CurrentVersion\Policies\ActiveDesktop'
33 - 'CurrentVersion\Policies\System'
34 selection_values_1:
35 TargetObject|endswith: 'NoChangingWallpaper'
36 Details: 'DWORD (0x00000001)' # Prevent changing desktop background
37 selection_values_2:
38 TargetObject|endswith: '\Wallpaper'
39 selection_values_3:
40 TargetObject|endswith: '\WallpaperStyle'
41 Details: '2' # Stretch
42 filter_main_svchost:
43 # Note: Excluding GPO changes
44 Image|endswith: '\svchost.exe'
45 filter_main_empty:
46 TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
47 Details: '(Empty)'
48 filter_main_explorer:
49 # Normally Explorer.exe is the process that changes the desktop background
50 Image|endswith: 'C:\Windows\Explorer.EXE'
51 filter_optional_ec2launch:
52 Image:
53 - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
54 - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
55 TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
56 condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*
57falsepositives:
58 - Administrative scripts that change the desktop background to a company logo or other image.
59level: medium
References
-
AttackIQ has released two new attack graphs aimed at emulating the activities carried out by this infamous ransomware.
Read More -
Introduction The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, […]
Read More -
In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.
Read More -
Related rules
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
- Suspicious Volume Shadow Copy Vssapi.dll Load
- Removal of Potential COM Hijacking Registry Keys
- Service Binary in Suspicious Folder