Detectionmediumtest

Potentially Suspicious Desktop Background Change Via Registry

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln (AttackIQ)Created Thu Dec 21Updated Fri Oct 1785b88e05-dadc-430b-8a9e-53ff1cd30aaewindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection_keys:
        TargetObject|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_values_1:
        TargetObject|endswith: 'NoChangingWallpaper'
        Details: 'DWORD (0x00000001)' # Prevent changing desktop background
    selection_values_2:
        TargetObject|endswith: '\Wallpaper'
    selection_values_3:
        TargetObject|endswith: '\WallpaperStyle'
        Details: '2' # Stretch
    filter_main_svchost:
        # Note: Excluding GPO changes
        Image|endswith: '\svchost.exe'
    filter_main_empty:
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
        Details: '(Empty)'
    filter_main_explorer:
        # Normally Explorer.exe is the process that changes the desktop background
        Image|endswith: 'C:\Windows\Explorer.EXE'
    filter_optional_ec2launch:
        Image:
            - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
            - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives

Administrative scripts that change the desktop background to a company logo or other image.

References

Resolving title…

attackiq.com

Resolving title…

research.checkpoint.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion TA0040 · Impact

Techniques

T1112 · Modify Registry

Sub-techniques

T1491.001 · Internal Defacement

Related Rules

SimilarDetectionmedium

Potentially Suspicious Desktop Background Change Using Reg.EXE

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

85b88e05-dadc-430b-8a9e-53ff1cd30aae

Status

test

Level

medium

Type

Detection

Created

Thu Dec 21

Modified

Fri Oct 17

Author

Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln (AttackIQ)

Path

rules/windows/registry/registry_set/registry_set_desktop_background_change.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.impactattack.t1112attack.t1491.001

View on GitHub