LoFP / administrative scripts that change the desktop background to a company logo or other image.

Sample rules

Potentially Suspicious Desktop Background Change Via Registry

Description

Detects registry value settings that would replace the user’s desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Detection logic

condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_*
filter_main_svchost:
  Image|endswith: \svchost.exe
selection_keys:
  TargetObject|contains:
  - Control Panel\Desktop
  - CurrentVersion\Policies\ActiveDesktop
  - CurrentVersion\Policies\System
selection_values_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith: NoChangingWallpaper
selection_values_2:
  TargetObject|endswith: \Wallpaper
selection_values_3:
  Details: '2'
  TargetObject|endswith: \WallpaperStyle

Potentially Suspicious Desktop Background Change Using Reg.EXE

Description

Detects the execution of “reg.exe” to alter registry keys that would replace the user’s desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Detection logic

condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
selection_cli_reg_1:
  CommandLine|contains|all:
  - /v NoChangingWallpaper
  - /d 1
selection_cli_reg_2:
  CommandLine|contains|all:
  - /v Wallpaper
  - /t REG_SZ
selection_cli_reg_3:
  CommandLine|contains|all:
  - /v WallpaperStyle
  - /d 2
selection_keys:
  CommandLine|contains:
  - Control Panel\Desktop
  - CurrentVersion\Policies\ActiveDesktop
  - CurrentVersion\Policies\System
selection_reg_flag:
  CommandLine|contains: add
selection_reg_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
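As an added example (not part of the LoFP page or the Sigma rules themselves), the two rules above are re-implemented in Python and evaluated over constructed Sysmon-style events, so the svchost filter and the administrative-script false positive this page lists can be seen side by side. Field names follow the rules; the event values, SID and paths are constructed samples.

```python
# Sigma string matching is case-insensitive, so every field is lowercased before comparison.
KEYS = (r"control panel\desktop", r"currentversion\policies\activedesktop",
        r"currentversion\policies\system")  # selection_keys, shared by both rules

def registry_rule(ev):
    """Rule 1 (registry value set event): selection_keys and 1 of selection_values_* and not filter_main_svchost."""
    target, details = ev.get("TargetObject", "").lower(), ev.get("Details", "").lower()
    if not any(k in target for k in KEYS):
        return False
    hit = ((details == "dword (0x00000001)" and target.endswith("nochangingwallpaper"))
           or target.endswith("\\wallpaper")
           or (details == "2" and target.endswith("\\wallpaperstyle")))
    # filter_main_svchost excludes value sets performed by svchost.exe (e.g. policy processing)
    return hit and not ev.get("Image", "").lower().endswith("\\svchost.exe")

def reg_exe_rule(ev):
    """Rule 2 (process creation): reg.exe, an 'add' command line, selection_keys and 1 of selection_cli_reg_*."""
    cli, image = ev.get("CommandLine", "").lower(), ev.get("Image", "").lower()
    is_reg = image.endswith("\\reg.exe") or ev.get("OriginalFileName", "").lower() == "reg.exe"
    if not (is_reg and "add" in cli and any(k in cli for k in KEYS)):
        return False
    groups = (("/v nochangingwallpaper", "/d 1"), ("/v wallpaper", "/t reg_sz"),
              ("/v wallpaperstyle", "/d 2"))  # each group is contains|all
    return any(all(s in cli for s in g) for g in groups)

# Constructed sample events (not real telemetry); the SID and file paths are made up.
HKU_USER = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = {
    "unknown_binary_sets_wallpaper": {  # fires rule 1
        "Image": r"C:\Users\bob\AppData\Local\Temp\unknown.exe",
        "TargetObject": HKU_USER + r"\Control Panel\Desktop\Wallpaper", "Details": r"C:\Users\Public\readme.bmp"},
    "policy_processing_via_svchost": {  # same value class, suppressed by filter_main_svchost
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": HKU_USER + r"\Control Panel\Desktop\WallpaperStyle", "Details": "2"},
    "admin_script_sets_logo": {  # the listed false positive: fires rule 2 exactly as a ransom note would
        "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
        "CommandLine": r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\corp\logo.jpg /f'},
}

def evaluate(events=SAMPLE_EVENTS):
    """Map each event name to the names of the rules it triggers."""
    rules = (registry_rule, reg_exe_rule)
    return {name: [r.__name__ for r in rules if r(ev)] for name, ev in events.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name}: {fired or 'no match'}")
```

The third event is the false positive this page describes: the command-line shape of a logo deployment and of a ransom-note wallpaper change are identical, so triage has to look at the image path written (the `/d` value or the `Details` field) and at the parent process rather than at the rule match alone.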