Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1112 Modify Registry |
| Impact | T1491.001 Defacement: Internal Defacement |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*. Sigma semantics apply throughout: fields listed inside one selection must all match (AND), a list of values for a single field matches any of them (OR), and string comparison is case-insensitive.
Stage 1: selection_keys (required)
TargetObject|contains, any of:
'Control Panel\Desktop'
'CurrentVersion\Policies\ActiveDesktop'
'CurrentVersion\Policies\System'
Stage 2: 1 of selection_values_* (any one of the three selections is sufficient)
selection_values_1: TargetObject|endswith: 'NoChangingWallpaper' and Details: 'DWORD (0x00000001)'
selection_values_2: TargetObject|endswith: '\Wallpaper'
selection_values_3: TargetObject|endswith: '\WallpaperStyle' and Details: '2'
Stage 3: not 1 of filter_main_* (the event is dropped if either filter matches)
Image|endswith, any of: 'C:\Windows\Explorer.EXE', '\svchost.exe'
TargetObject|endswith: '\Control Panel\Desktop\Wallpaper' and Details: '(Empty)'
Stage 4: not 1 of filter_optional_ec2launch (the event is dropped if both fields match)
Image, any of: 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe', 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
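The following is an added example, not code from the Sigma rule or from SigmaHQ: it evaluates the stages above against Sysmon Event ID 13 records, so the AND/OR structure of the condition can be checked against concrete events. It assumes standard Sigma matching (case-insensitive strings, value lists as OR, fields within one selection as AND). The two filter_main_* sub-filters are given local names here (trusted_image, cleared_value) because the page only shows them collectively; the SID, process paths and image file names in the sample events are constructed.

```python
"""Evaluate the desktop-background Sigma rule against Sysmon Event ID 13 records.

Added example for this page; not code from the Sigma rule or SigmaHQ.
Assumptions: Sigma string matching is case-insensitive, a list of values for one
field is an OR, and fields inside one selection are ANDed. The filter_main_*
sub-filter names (trusted_image, cleared_value) are local to this example.
All sample events below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

DESKTOP_KEYS = ["Control Panel\\Desktop",
                "CurrentVersion\\Policies\\ActiveDesktop",
                "CurrentVersion\\Policies\\System"]
EC2LAUNCH = ["C:\\Program Files (x86)\\Amazon\\EC2Launch\\EC2Launch.exe",
             "C:\\Program Files\\Amazon\\EC2Launch\\EC2Launch.exe"]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten a Sysmon event's <EventData> into a {Name: value} dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:Data", NS)}


def _ends(value, suffixes):      # Sigma |endswith: list is an OR, case-insensitive
    return any(value.lower().endswith(s.lower()) for s in suffixes)


def _has(value, needles):        # Sigma |contains
    return any(n.lower() in value.lower() for n in needles)


def _eq(value, candidates):      # Sigma plain field match
    return value.lower() in (c.lower() for c in candidates)


def matches_rule(ev: dict) -> bool:
    """condition: selection_keys and 1 of selection_values_*
                  and not 1 of filter_main_* and not 1 of filter_optional_*"""
    target, details, image = (ev.get(k, "") for k in ("TargetObject", "Details", "Image"))

    selection_keys = _has(target, DESKTOP_KEYS)
    # Any one of the three value selections is enough (1 of selection_values_*).
    selection_values_1 = _ends(target, ["NoChangingWallpaper"]) and _eq(details, ["DWORD (0x00000001)"])
    selection_values_2 = _ends(target, ["\\Wallpaper"])
    selection_values_3 = _ends(target, ["\\WallpaperStyle"]) and _eq(details, ["2"])
    # filter_main_*: benign writers, and the value being cleared rather than set.
    filter_main_trusted_image = _ends(image, ["C:\\Windows\\Explorer.EXE", "\\svchost.exe"])
    filter_main_cleared_value = (_ends(target, ["\\Control Panel\\Desktop\\Wallpaper"])
                                 and _eq(details, ["(Empty)"]))
    filter_optional_ec2launch = (_eq(image, EC2LAUNCH)
                                 and _ends(target, ["\\Control Panel\\Desktop\\Wallpaper"]))

    return (selection_keys
            and (selection_values_1 or selection_values_2 or selection_values_3)
            and not (filter_main_trusted_image or filter_main_cleared_value)
            and not filter_optional_ec2launch)


def sysmon_event(image, target, details):
    """Constructed minimal Sysmon Event ID 13 (RegistryEvent Value Set) record."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>13</EventID></System><EventData>'
            f'<Data Name="EventType">SetValue</Data><Data Name="Image">{image}</Data>'
            f'<Data Name="TargetObject">{target}</Data><Data Name="Details">{details}</Data>'
            f'</EventData></Event>')


HKU = "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001"   # synthetic user hive
PAYLOAD = "C:\\Users\\victim\\AppData\\Local\\Temp\\payload.exe"  # constructed

SAMPLES = {  # constructed events: expected True = alert, False = quiet
    "ransom_note_wallpaper": sysmon_event(PAYLOAD, HKU + "\\Control Panel\\Desktop\\Wallpaper", "C:\\Users\\Public\\readme.bmp"),
    "stretch_wallpaper_style": sysmon_event(PAYLOAD, HKU + "\\Control Panel\\Desktop\\WallpaperStyle", "2"),
    "lock_wallpaper_policy": sysmon_event(PAYLOAD, HKU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallpaper", "DWORD (0x00000001)"),
    "user_picks_wallpaper": sysmon_event("C:\\Windows\\Explorer.EXE", HKU + "\\Control Panel\\Desktop\\Wallpaper", "C:\\Users\\victim\\Pictures\\cat.jpg"),
    "ec2launch_sets_wallpaper": sysmon_event(EC2LAUNCH[1], HKU + "\\Control Panel\\Desktop\\Wallpaper", "C:\\Temp\\instance.jpg"),
    "wallpaper_cleared": sysmon_event(PAYLOAD, HKU + "\\Control Panel\\Desktop\\Wallpaper", "(Empty)"),
    "style_other_value": sysmon_event(PAYLOAD, HKU + "\\Control Panel\\Desktop\\WallpaperStyle", "10"),
    "unrelated_wallpaper_key": sysmon_event(PAYLOAD, HKU + "\\Software\\SomeApp\\Wallpaper", "C:\\x.jpg"),
}


def evaluate_samples() -> dict:
    """Run every constructed record through the rule; True means the rule fires."""
    return {name: matches_rule(parse_sysmon_event(xml)) for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

The three positive cases exercise one selection_values_* entry each; the negatives show the two ways an event escapes (a filter matches, or no value selection matches). Note that `WallpaperStyle` does not satisfy `|endswith: '\Wallpaper'`, so a style change only fires on the exact value '2'.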
Indicators
Each row is a field, the Sigma operator applied to it, and the values the rule matches against.
| Field | Kind | Values |
|---|---|---|
| Details | eq | 'DWORD (0x00000001)', '2', '(Empty)' |
| Image | ends_with | 'C:\Windows\Explorer.EXE', '\svchost.exe' |
| Image | eq | 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe', 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe' |
| TargetObject | ends_with | 'NoChangingWallpaper', '\Wallpaper', '\WallpaperStyle', '\Control Panel\Desktop\Wallpaper' |
| TargetObject | match (contains) | 'Control Panel\Desktop', 'CurrentVersion\Policies\ActiveDesktop', 'CurrentVersion\Policies\System' |