3rd party tool may used to changed the wallpaper of the machine

Techniques

T1491

Sample rules

Modification Of Wallpaper

source: splunk
technicques:
- T1491

Description

This analytic identifies suspicious modification of registry to deface or change the wallpaper of a compromised machines as part of its payload. This technique was commonly seen in ransomware like REVIL where it create a bitmap file contain a note that the machine was compromised and make it as a wallpaper.

Detection logic

`sysmon` EventCode =13  (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Image != "*\\explorer.exe") OR (TargetObject IN ("*\\Control Panel\\Desktop\\Wallpaper","*\\Control Panel\\Desktop\\WallpaperStyle") AND Details IN ("*\\temp\\*", "*\\users\\public\\*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode Image TargetObject Details Computer process_guid process_id user_id 
| rename Computer as dest 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `modification_of_wallpaper_filter`