Potentially Suspicious Desktop Background Change Via Registry

 1title: Potentially Suspicious Desktop Background Change Via Registry
 2id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
 3related:
 4    - id: 8cbc9475-8d05-4e27-9c32-df960716c701
 5      type: similar
 6status: experimental
 7description: |
 8    Detects regsitry value settings that would replace the user's desktop background.
 9    This is a common technique used by malware to change the desktop background to a ransom note or other image.    
10references:
11    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
12    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
13    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
14    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
15    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
16    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
17author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
18date: 2023/12/21
19tags:
20    - attack.defense_evasion
21    - attack.impact
22    - attack.t1112
23    - attack.t1491.001
24logsource:
25    product: windows
26    category: registry_set
27detection:
28    selection_keys:
29        TargetObject|contains:
30            - 'Control Panel\Desktop'
31            - 'CurrentVersion\Policies\ActiveDesktop'
32            - 'CurrentVersion\Policies\System'
33    selection_values_1:
34        TargetObject|endswith: 'NoChangingWallpaper'
35        Details: 'DWORD (0x00000001)' # Prevent changing desktop background
36    selection_values_2:
37        TargetObject|endswith: '\Wallpaper'
38    selection_values_3:
39        TargetObject|endswith: '\WallpaperStyle'
40        Details: '2' # Stretch
41    filter_main_svchost:
42        # Note: Excluding GPO changes
43        Image|endswith: '\svchost.exe'
44    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_*
45falsepositives:
46    - Administrative scripts that change the desktop background to a company logo or other image.
47level: medium

References

• https://www.attackiq.com/2023/09/20/emulating-rhysida/

  
  Read More

• The Rhysida Ransomware: Activity Analysis and Ties to Vice Society - Check Point Research

  

  Introduction The Rhysida ransomware group was first revealed in May this year, and since then has been linked to several impactful intrusions, including an attack on the Chilean Army. Recently the group was also tied to an attack against Prospect Medical Holdings, affecting 17 hospitals and 166 clinics across the United States. After this attack, […]

  
  Read More

• An Overview of the New Rhysida Ransomware

  

  In this blog entry, we will provide details on Rhysida, including its targets and what we know about its infection chain.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

• Desktop Wallpaper

  Specifies the desktop background ("wallpaper") displayed on all users' desktops.

  
  Read More

• Prevent changing desktop background

  Prevents users from adding or changing the background design of the desktop.

  
  Read More

Related rules

• Potentially Suspicious Desktop Background Change Using Reg.EXE
• Enable LM Hash Storage
• Reg Add Suspicious Paths
• RestrictedAdminMode Registry Value Tampering
• RestrictedAdminMode Registry Value Tampering - ProcCreation