Techniques
Sample rules
Potentially Suspicious Desktop Background Change Using Reg.EXE
- source: sigma
- techniques:
  - t1112
  - t1491
  - t1491.001
Description
Detects the execution of “reg.exe” to alter registry keys that would replace the user’s desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Detection logic
selection_reg_img:
  - Image|endswith: \reg.exe
  - OriginalFileName: reg.exe
selection_reg_flag:
  CommandLine|contains: add
selection_keys:
  CommandLine|contains:
    - Control Panel\Desktop
    - CurrentVersion\Policies\ActiveDesktop
    - CurrentVersion\Policies\System
selection_cli_reg_1:
  CommandLine|contains|all:
    - /v NoChangingWallpaper
    - /d 1
selection_cli_reg_2:
  CommandLine|contains|all:
    - /v Wallpaper
    - /t REG_SZ
selection_cli_reg_3:
  CommandLine|contains|all:
    - /v WallpaperStyle
    - /d 2
condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
Potentially Suspicious Desktop Background Change Via Registry
- source: sigma
- techniques:
  - t1112
  - t1491
  - t1491.001
Description
Detects registry value settings that would replace the user’s desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Detection logic
selection_keys:
  TargetObject|contains:
    - Control Panel\Desktop
    - CurrentVersion\Policies\ActiveDesktop
    - CurrentVersion\Policies\System
selection_values_1:
  TargetObject|endswith: NoChangingWallpaper
  Details: DWORD (0x00000001)
selection_values_2:
  TargetObject|endswith: \Wallpaper
selection_values_3:
  TargetObject|endswith: \WallpaperStyle
  Details: '2'
filter_main_svchost:
  Image|endswith: \svchost.exe
condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_*
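As an added example (not part of the Sigma rules or this catalogue), the Python below re-implements the conditions of both rules and runs them over constructed process-creation and registry-set events. The field names Image, OriginalFileName, CommandLine, TargetObject and Details are taken from the rules; the event contents are made up for illustration.

```python
KEYS = ("control panel\\desktop", "currentversion\\policies\\activedesktop",
        "currentversion\\policies\\system")                 # selection_keys, both rules

def _lc(event):
    # Sigma string modifiers match case-insensitively, so normalise each field once
    return {k.lower(): str(v).lower() for k, v in event.items()}

def reg_exe_rule(event):
    """Rule 1 (process creation): reg.exe adding a wallpaper value under a watched key."""
    e = _lc(event)
    cli = e.get("commandline", "")
    reg_img = e.get("image", "").endswith("\\reg.exe") or e.get("originalfilename") == "reg.exe"
    cli_sets = (                                            # selection_cli_reg_1..3
        all(s in cli for s in ("/v nochangingwallpaper", "/d 1")),
        all(s in cli for s in ("/v wallpaper", "/t reg_sz")),
        all(s in cli for s in ("/v wallpaperstyle", "/d 2")),
    )
    # condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
    return reg_img and "add" in cli and any(k in cli for k in KEYS) and any(cli_sets)

def registry_rule(event):
    """Rule 2 (registry value set): same values written by any process except svchost.exe."""
    e = _lc(event)
    target, details = e.get("targetobject", ""), e.get("details", "")
    if e.get("image", "").endswith("\\svchost.exe"):        # filter_main_svchost
        return False
    values = (                                              # selection_values_1..3
        details == "dword (0x00000001)" and target.endswith("nochangingwallpaper"),
        target.endswith("\\wallpaper"),
        details == "2" and target.endswith("\\wallpaperstyle"),
    )
    # condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_*
    return any(k in target for k in KEYS) and any(values)

# Constructed sample events (not real telemetry): one hit per rule, one benign query, one filtered write
EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\note.bmp /f'},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r'reg query "HKCU\Control Panel\Desktop" /v Wallpaper'},
    {"Image": r"C:\Users\Public\dropper.exe", "Details": "2",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Control Panel\Desktop\WallpaperStyle"},
    {"Image": r"C:\Windows\System32\svchost.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper"},
]

def alerts(events):
    """Return (event index, rule name) for every event that fires either rule."""
    rules = (("reg.exe", reg_exe_rule), ("registry", registry_rule))
    return [(i, name) for i, ev in enumerate(events) for name, rule in rules if rule(ev)]
```

Running alerts(EVENTS) flags only the reg.exe add command and the dropper's WallpaperStyle write; the read-only query and the svchost.exe write are not reported.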