Query Details

Detect Suspicious Actions To Change Desktop Background

Query

**Detect suspicious actions to change Desktop Background**

One of the key behaviors often observed during ransomware attacks includes altering the desktop background. These actions are designed to ensure that all users on the infected machine are made aware of the compromise.
Fortunately, if your environment monitors registry changes, you may be able to detect such activity promptly. This enables quick response actions, such as alerting, isolating the device (using Detection Rules Actions), or initiating an automated investigation.

Changing a device's background manually is expected user behaviour if you allow it. However, modifying the associated registry keys via the command line can be a good indicator of ransomware activity. Both of the following cases are commonly abused by ransomware (e.g., Rhysida, BlackCat) to control or lock desktop wallpaper settings.

```kql
DeviceProcessEvents
| where ProcessCommandLine has_any (
    "reg delete \"HKCU\\Control Panel\\Desktop\"",
    "reg add \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\"",
    "NoChangingWallPaper"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName, ReportId
```

Explanation

This query is designed to detect suspicious activities related to changing the desktop background on a Windows device, which can be an indicator of a ransomware attack. Here's a simple breakdown of what the query does:

1. Monitors Registry Changes: The query looks for specific command-line actions that modify Windows registry keys associated with desktop wallpaper settings. These changes are often used by ransomware to alert users of a compromise or to lock the desktop background.

2. Identifies Suspicious Commands: It searches for command-line executions that either delete or add specific registry entries related to desktop settings. The commands of interest include:

   - Deleting the registry key for desktop settings.
   - Adding a policy to prevent changing the wallpaper.

3. Targets Ransomware Behavior: The query is particularly focused on detecting behaviors associated with known ransomware families like Rhysida and BlackCat, which are known to manipulate desktop settings as part of their attack strategy.

4. Extracts Key Information: When such suspicious activities are detected, the query extracts and displays important details such as the timestamp of the event, the device name, the name of the process initiating the command, the full command line used, the account name executing the command, and a report ID for further investigation.

In summary, this query helps security teams quickly identify and respond to potential ransomware activities by flagging unusual registry modifications related to desktop backgrounds.
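To see the filter and projection steps from the breakdown above in action, here is an added Python emulation of the query over constructed `DeviceProcessEvents` rows. It is not part of the original query or its author's work; it assumes the sample rows shown (constructed, not real telemetry) and approximates KQL's term-based, case-insensitive `has_any` with a case-insensitive substring test.

```python
# Emulation of the KQL hunting query above (added example, not the original query).
# KQL has_any is case-insensitive term matching; the substring test below is an approximation.
PATTERNS = [
    'reg delete "HKCU\\Control Panel\\Desktop"',
    'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop"',
    "NoChangingWallPaper",
]

# Columns kept by the `project` operator.
PROJECTED = ("Timestamp", "DeviceName", "InitiatingProcessFileName",
             "ProcessCommandLine", "AccountName", "ReportId")


def matches(command_line: str) -> bool:
    """Approximate `ProcessCommandLine has_any (...)`: any pattern present, case-insensitive."""
    cl = command_line.lower()
    return any(p.lower() in cl for p in PATTERNS)


def hunt(events):
    """Apply the `where` filter, then `project` only the listed columns."""
    return [{col: e[col] for col in PROJECTED} for e in events if matches(e["ProcessCommandLine"])]


# Constructed sample rows: two ransomware-style registry edits, two benign events.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-05-28T10:01:02Z", "DeviceName": "ws-finance-07",
     "InitiatingProcessFileName": "cmd.exe", "AccountName": "jdoe", "ReportId": 101,
     "ProcessCommandLine": 'reg delete "HKCU\\Control Panel\\Desktop" /v Wallpaper /f'},
    {"Timestamp": "2025-05-28T10:01:03Z", "DeviceName": "ws-finance-07",
     "InitiatingProcessFileName": "cmd.exe", "AccountName": "jdoe", "ReportId": 102,
     "ProcessCommandLine": 'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion'
                           '\\Policies\\ActiveDesktop" /v NoChangingWallPaper /t REG_DWORD /d 1 /f'},
    {"Timestamp": "2025-05-28T10:05:00Z", "DeviceName": "ws-finance-07",
     "InitiatingProcessFileName": "explorer.exe", "AccountName": "jdoe", "ReportId": 103,
     "ProcessCommandLine": 'reg query "HKCU\\Control Panel\\Desktop" /v Wallpaper'},  # read-only
    {"Timestamp": "2025-05-28T10:06:00Z", "DeviceName": "ws-finance-07",
     "InitiatingProcessFileName": "explorer.exe", "AccountName": "jdoe", "ReportId": 104,
     "ProcessCommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]

if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row["ReportId"], row["InitiatingProcessFileName"], row["ProcessCommandLine"])
```

Only the two registry-modifying rows (ReportId 101 and 102) survive the filter; the `reg query` read and the unrelated process are dropped, and each surviving row carries exactly the six projected columns.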

Details

Sergio Albea

Released: May 28, 2025

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents, Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName, ReportId

Operators

DeviceProcessEvents, where, has_any, project