Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Sigma rule (View on GitHub)
1title: Potentially Suspicious Desktop Background Change Via Registry
2id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
3related:
4 - id: 8cbc9475-8d05-4e27-9c32-df960716c701
5 type: similar
6status: test
7description: |
8 Detects registry value settings that would replace the user's desktop background.
9 This is a common technique used by malware to change the desktop background to a ransom note or other image.
10references:
11 - https://www.attackiq.com/2023/09/20/emulating-rhysida/
12 - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
13 - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
14 - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
15 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
16 - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
17author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
18date: 2023-12-21
19modified: 2025-10-17
20tags:
21 - attack.persistence
22 - attack.defense-evasion
23 - attack.impact
24 - attack.t1112
25 - attack.t1491.001
26logsource:
27 product: windows
28 category: registry_set
29detection:
30 selection_keys:
31 TargetObject|contains:
32 - 'Control Panel\Desktop'
33 - 'CurrentVersion\Policies\ActiveDesktop'
34 - 'CurrentVersion\Policies\System'
35 selection_values_1:
36 TargetObject|endswith: 'NoChangingWallpaper'
37 Details: 'DWORD (0x00000001)' # Prevent changing desktop background
38 selection_values_2:
39 TargetObject|endswith: '\Wallpaper'
40 selection_values_3:
41 TargetObject|endswith: '\WallpaperStyle'
42 Details: '2' # Stretch
43 filter_main_svchost:
44 # Note: Excluding GPO changes
45 Image|endswith: '\svchost.exe'
46 filter_main_empty:
47 TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
48 Details: '(Empty)'
49 filter_main_explorer:
50 # Normally Explorer.exe is the process that changes the desktop background
51 Image|endswith: 'C:\Windows\Explorer.EXE'
52 filter_optional_ec2launch:
53 Image:
54 - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
55 - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
56 TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
57 condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*
58falsepositives:
59 - Administrative scripts that change the desktop background to a company logo or other image.
60level: medium
References
-
AttackIQ has released two new attack graphs aimed at emulating the activities carried out by this infamous ransomware.
Read More -
Introduction The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, […]
Read More -
In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.
Read More -
Related rules
- Potentially Suspicious Desktop Background Change Using Reg.EXE
- AWS SAML Provider Deletion Activity
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature