Skip to content
Threat Feed
low advisory

Wallpaper Modification Detection

Detection of unauthorized or suspicious wallpaper modifications on endpoints can indicate malicious activity or policy violations.

Monitoring for wallpaper modifications on endpoints can be a valuable security practice. While not inherently malicious, unexpected or unauthorized changes to the desktop background can be an indicator of compromise or policy violations. This is particularly relevant in environments where standardized desktop configurations are enforced. Changes could be indicative of malware attempting to establish persistence or blend in with the environment, or of insider threats altering systems for personal gain or to mask malicious actions. The lack of explicit details in the provided source material suggests a generic approach to detecting wallpaper modifications, which may require more investigation to determine the precise method the attacker is using.

Attack Chain

  1. Initial Access: The attacker gains access to the endpoint through various means (e.g., phishing, exploiting a vulnerability).
  2. Privilege Escalation (if necessary): The attacker escalates privileges to gain the ability to modify system settings, potentially bypassing security controls.
  3. File Modification: The attacker modifies the wallpaper image file, which could be a bitmap (.bmp), JPEG (.jpg), or PNG (.png) located in a system directory (e.g., C:\Windows\Web\Wallpaper).
  4. Registry Modification: The attacker modifies the Windows Registry to point to the new wallpaper image. This typically involves changes under HKEY_CURRENT_USER\Control Panel\Desktop for the current user, or HKEY_USERS\.DEFAULT\Control Panel\Desktop for the default user profile. Relevant registry keys include Wallpaper and TileWallpaper.
  5. Script Execution: The attacker uses scripting languages (e.g., PowerShell, VBScript) to automate the wallpaper modification process. This might involve downloading the image, setting registry keys, and refreshing the desktop.
  6. Policy Violation/Covert Operation: The modified wallpaper serves as a signal to the attacker, a form of internal messaging, or to demoralize the employee.

Impact

Wallpaper modification can be an early indicator of more significant compromise. It may precede data exfiltration, deployment of ransomware, or other malicious activities. While the immediate impact of a changed wallpaper might seem minimal, it can signal a breakdown in security controls and an attacker's foothold within the environment. In some cases, the modified wallpaper could contain offensive or disruptive content, leading to workplace disruptions. The number of affected systems could range from a single endpoint to an entire organization, depending on the attacker's goals and capabilities.

Recommendation

  • Enable Sysmon process-creation logging to capture details about processes modifying the Windows Registry, particularly related to wallpaper settings (reference: logsource).
  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
  • Investigate any alerts generated by the Sigma rules in this brief to determine the root cause of wallpaper modifications.

Detection coverage 3

Wallpaper Registry Modification via PowerShell

medium

Detects wallpaper changes via modification of the registry using PowerShell

sigma tactics: defense_evasion techniques: T1562.001 sources: registry_set, windows

Wallpaper File Modification Detection

low

Detects changes to common wallpaper image files.

sigma tactics: defense_evasion techniques: T1562.001 sources: file_event, windows

Detect Setting Desktop Wallpaper Using Command Line

medium

Detects the use of command-line tools like 'reg' to set the desktop wallpaper.

sigma tactics: defense_evasion techniques: T1562.001 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →