Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potentially Suspicious Desktop Background Change Using Reg.EXE

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potentially Suspicious Desktop Background Change Using Reg.EXE

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Potentially Suspicious Desktop Background Change Using Reg.EXE
id: 8cbc9475-8d05-4e27-9c32-df960716c701
related:
    - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
      type: similar
status: test
description: |
    Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.impact
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: process_creation
detection:
    # TODO: Improve this to also focus on variation using PowerShell and other CLI tools
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_flag:
        CommandLine|contains: 'add'
    selection_keys:
        CommandLine|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_cli_reg_1:
        CommandLine|contains|all:
            - '/v NoChangingWallpaper'
            - '/d 1' # Prevent changing desktop background
    selection_cli_reg_2:
        CommandLine|contains|all:
            - '/v Wallpaper'
            - '/t REG_SZ'
    selection_cli_reg_3:
        CommandLine|contains|all:
            - '/v WallpaperStyle'
            - '/d 2' # Stretch
    condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_reg_desktop_background_change.yml