Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Authors: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln (AttackIQ)
Created: Thu Dec 21, Updated: Fri Oct 17, Rule ID: 85b88e05-dadc-430b-8a9e-53ff1cd30aae, Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (8 selectors)

detection:
    selection_keys:
        TargetObject|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_values_1:
        TargetObject|endswith: 'NoChangingWallpaper'
        Details: 'DWORD (0x00000001)' # Prevent changing desktop background
    selection_values_2:
        TargetObject|endswith: '\Wallpaper'
    selection_values_3:
        TargetObject|endswith: '\WallpaperStyle'
        Details: '2' # Stretch
    filter_main_svchost:
        # Note: Excluding GPO changes
        Image|endswith: '\svchost.exe'
    filter_main_empty:
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
        Details: '(Empty)'
    filter_main_explorer:
        # Normally Explorer.exe is the process that changes the desktop background
        Image|endswith: 'C:\Windows\Explorer.EXE'
    filter_optional_ec2launch:
        Image:
            - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
            - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*

False Positives
Administrative scripts that change the desktop background to a company logo or other image.
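To make the condition above concrete, here is an added example (not code from the Sigma project or this rule's authors) that re-implements the rule's selectors and condition as a Python predicate and runs it over a handful of constructed Sysmon registry-set style events; the SID, process and file paths in the events are placeholders, and the field names Image, TargetObject and Details follow the rule.

```python
# Added example, not code from the Sigma project: the rule's selectors and condition as a
# Python predicate over constructed events. Sigma matching is case-insensitive, so fields are lower-cased.
KEYS = (r"control panel\desktop", r"currentversion\policies\activedesktop",
        r"currentversion\policies\system")
EC2LAUNCH = (r"c:\program files\amazon\ec2launch\ec2launch.exe",
             r"c:\program files (x86)\amazon\ec2launch\ec2launch.exe")

def rule_matches(event):
    img = event.get("Image", "").lower()
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    # selection_keys: the write lands under one of the desktop/policy key paths
    keys = any(k in target for k in KEYS)
    # 1 of selection_values_*: wallpaper path, stretch style, or the lock-down policy
    values = ((target.endswith("nochangingwallpaper") and details == "dword (0x00000001)")
              or target.endswith(r"\wallpaper")
              or (target.endswith(r"\wallpaperstyle") and details == "2"))
    # 1 of filter_main_*: GPO processing (svchost), a cleared value, or Explorer itself
    main = (img.endswith(r"\svchost.exe")
            or (target.endswith(r"\control panel\desktop\wallpaper") and details == "(empty)")
            or img.endswith(r"c:\windows\explorer.exe"))
    # 1 of filter_optional_*: EC2Launch setting the wallpaper on AWS Windows instances
    optional = img in EC2LAUNCH and target.endswith(r"\control panel\desktop\wallpaper")
    return keys and values and not main and not optional

# Constructed sample events (not real telemetry); SID and file paths are placeholders.
DESKTOP = r"HKU\S-1-5-21-0-0-0-1001\Control Panel\Desktop"
SUSPECT = r"C:\Users\alice\AppData\Local\Temp\update.exe"
EVENTS = [
    {"Image": SUSPECT, "TargetObject": DESKTOP + r"\Wallpaper",
     "Details": r"C:\Users\alice\AppData\Local\Temp\note.bmp"},  # alerts
    {"Image": r"C:\Windows\Explorer.EXE", "TargetObject": DESKTOP + r"\Wallpaper",
     "Details": r"C:\Users\alice\Pictures\beach.jpg"},  # filter_main_explorer
    {"Image": SUSPECT, "TargetObject": DESKTOP + r"\WallpaperStyle", "Details": "2"},  # alerts
    {"Image": SUSPECT, "TargetObject": DESKTOP + r"\WallpaperStyle", "Details": "10"},  # not style '2'
    {"Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
                     r"\ActiveDesktop\NoChangingWallpaper"},  # filter_main_svchost
    {"Image": SUSPECT, "TargetObject": DESKTOP + r"\Wallpaper", "Details": "(Empty)"},  # filter_main_empty
    {"Image": r"C:\Program Files\Amazon\EC2Launch\EC2Launch.exe",
     "TargetObject": DESKTOP + r"\Wallpaper", "Details": r"C:\Wallpaper.bmp"},  # filter_optional
]

def alerting_events(events=EVENTS):
    """Indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]

if __name__ == "__main__":
    print(alerting_events())  # [0, 2]
```

Note that the explorer filter suppresses a wallpaper change regardless of the image path written, so a process injecting into Explorer would not be caught by this rule alone; correlate with process-injection detections where that matters.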
MITRE ATT&CK
Tactics: Persistence, Defense Evasion, Impact
Techniques: T1112 (Modify Registry)
Sub-techniques: T1491.001 (Defacement: Internal Defacement)
Rule Metadata
Rule ID: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
Status: test
Level: medium
Type: Detection
Created: Thu Dec 21
Modified: Fri Oct 17
Path: rules/windows/registry/registry_set/registry_set_desktop_background_change.yml
Raw Tags: attack.persistence, attack.defense-evasion, attack.impact, attack.t1112, attack.t1491.001