Potentially Suspicious Desktop Background Change Using Reg.EXE

Severity: medium
Author: Stephen Lincoln @slincoln-aiq (AttackIQ)
Source: upstream

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

MITRE ATT&CK coverage

Tactic            Technique
Persistence       T1112 Modify Registry
Defense Evasion   T1112 Modify Registry
Impact            T1491.001 Defacement: Internal Defacement

Event coverage

Provider   Event ID   Title
Sysmon     1          Process creation

Stages and Predicates

Stage 1: all of selection_reg_img

  or:
    Image|endswith: '\reg.exe'
    OriginalFileName: 'reg.exe'

Stage 2: all of selection_reg_flag

    CommandLine|contains: 'add'

Stage 3: selection_keys

  or:
    CommandLine|contains: 'Control Panel\Desktop'
    CommandLine|contains: 'CurrentVersion\Policies\ActiveDesktop'
    CommandLine|contains: 'CurrentVersion\Policies\System'

Stage 4: 1 of selection_cli_reg_1

    CommandLine|contains: '/d 1'
    CommandLine|contains: '/v NoChangingWallpaper'

Stage 5: 1 of selection_cli_reg_2

    CommandLine|contains: '/t REG_SZ'
    CommandLine|contains: '/v Wallpaper'

Stage 6: 1 of selection_cli_reg_3

    CommandLine|contains: '/d 2'
    CommandLine|contains: '/v WallpaperStyle'
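The stage logic above, re-implemented as an added example (not part of the rule or of the catalog) and run over constructed Sysmon Event ID 1 records: stages 1 to 3 must all hold, and any one of stages 4 to 6 (each needing both of its tokens) completes the match. The ProcEvent dataclass, the sample command lines and the helper names are assumptions made for this demonstration.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Minimal view of a Sysmon Event ID 1 (process creation) record (assumed shape)."""
    image: str
    original_file_name: str
    command_line: str

def _contains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()  # Sigma string matching is case-insensitive

# Stage 3 matches any one key fragment; each of stages 4-6 needs all of its tokens.
KEY_FRAGMENTS = ("Control Panel\\Desktop",
                 "CurrentVersion\\Policies\\ActiveDesktop",
                 "CurrentVersion\\Policies\\System")
CLI_GROUPS = (("/d 1", "/v NoChangingWallpaper"),
              ("/t REG_SZ", "/v Wallpaper"),
              ("/d 2", "/v WallpaperStyle"))

def rule_matches(ev: ProcEvent) -> bool:
    """Stage 1 AND stage 2 AND stage 3 AND (1 of stages 4-6)."""
    reg_img = (ev.image.lower().endswith("\\reg.exe")
               or ev.original_file_name.lower() == "reg.exe")
    reg_flag = _contains(ev.command_line, "add")  # bare substring: "/v Address" satisfies it too
    keys = any(_contains(ev.command_line, k) for k in KEY_FRAGMENTS)
    cli = any(all(_contains(ev.command_line, t) for t in grp) for grp in CLI_GROUPS)
    return reg_img and reg_flag and keys and cli

# Constructed sample events for testing the logic, not real telemetry.
REG = r"C:\Windows\System32\reg.exe"
SAMPLES = {
    "wallpaper_set": ProcEvent(REG, "reg.exe",
        r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\note.bmp /f'),
    "renamed_binary_style": ProcEvent(r"C:\Temp\r.exe", "reg.exe",  # stage 1 via OriginalFileName
        r'r.exe add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f'),
    "benign_add_other_key": ProcEvent(REG, "reg.exe",
        r"reg add HKCU\Software\Contoso\App /v Mode /t REG_SZ /d 1 /f"),
    "query_only": ProcEvent(REG, "reg.exe",
        r'reg query "HKCU\Control Panel\Desktop" /v Wallpaper'),
}

def evaluate_samples() -> dict:
    """Returns {sample_name: matched} for the constructed events."""
    return {name: rule_matches(ev) for name, ev in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The renamed-binary sample shows why the rule keys on OriginalFileName as well as Image; the query-only sample shows that reading the same key does not trigger it.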

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field              Kind         Values
CommandLine        match
  • /d 1 corpus 2 (sigma 2)
  • /d 2
  • /t REG_SZ corpus 2 (sigma 2)
  • /v NoChangingWallpaper
  • /v Wallpaper
  • /v WallpaperStyle
  • Control Panel\Desktop
  • CurrentVersion\Policies\ActiveDesktop
  • CurrentVersion\Policies\System
  • add corpus 16 (sigma 16)
Image              ends_with
  • \reg.exe corpus 46 (sigma 46)
OriginalFileName   eq
  • reg.exe corpus 29 (sigma 29)