Sigma detection rules

Home/Sigma rules

Sigma

4 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

4 shown of 4

high

Potential Ransomware Activity Using LegalNotice Message

Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages

status test author frack113 id 8b9606c9-28be-4a38-b146-0e313cc232c1

view Sigma YAML

title: Potential Ransomware Activity Using LegalNotice Message
id: 8b9606c9-28be-4a38-b146-0e313cc232c1
status: test
description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md
author: frack113
date: 2022-12-11
modified: 2023-08-17
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption'
            - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText'
        Details|contains:
            - 'encrypted'
            - 'Unlock-Password'
            - 'paying'
    condition: selection
falsepositives:
    - Unknown
level: high

medium

Potentially Suspicious Desktop Background Change Using Reg.EXE

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

status test author Stephen Lincoln @slincoln-aiq (AttackIQ) id 8cbc9475-8d05-4e27-9c32-df960716c701

view Sigma YAML

title: Potentially Suspicious Desktop Background Change Using Reg.EXE
id: 8cbc9475-8d05-4e27-9c32-df960716c701
related:
    - id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
      type: similar
status: test
description: |
    Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: process_creation
detection:
    # TODO: Improve this to also focus on variation using PowerShell and other CLI tools
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_flag:
        CommandLine|contains: 'add'
    selection_keys:
        CommandLine|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_cli_reg_1:
        CommandLine|contains|all:
            - '/v NoChangingWallpaper'
            - '/d 1' # Prevent changing desktop background
    selection_cli_reg_2:
        CommandLine|contains|all:
            - '/v Wallpaper'
            - '/t REG_SZ'
    selection_cli_reg_3:
        CommandLine|contains|all:
            - '/v WallpaperStyle'
            - '/d 2' # Stretch
    condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium

medium

Potentially Suspicious Desktop Background Change Via Registry

Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

status test author Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ) id 85b88e05-dadc-430b-8a9e-53ff1cd30aae

view Sigma YAML

title: Potentially Suspicious Desktop Background Change Via Registry
id: 85b88e05-dadc-430b-8a9e-53ff1cd30aae
related:
    - id: 8cbc9475-8d05-4e27-9c32-df960716c701
      type: similar
status: test
description: |
    Detects registry value settings that would replace the user's desktop background.
    This is a common technique used by malware to change the desktop background to a ransom note or other image.
references:
    - https://www.attackiq.com/2023/09/20/emulating-rhysida/
    - https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/
    - https://www.trendmicro.com/en_us/research/23/h/an-overview-of-the-new-rhysida-ransomware.html
    - https://www.virustotal.com/gui/file/a864282fea5a536510ae86c77ce46f7827687783628e4f2ceb5bf2c41b8cd3c6/behavior
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.WindowsDesktop::Wallpaper
    - https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.ControlPanelDisplay::CPL_Personalization_NoDesktopBackgroundUI
author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ)
date: 2023-12-21
modified: 2025-10-17
tags:
    - attack.persistence
    - attack.impact
    - attack.defense-impairment
    - attack.t1112
    - attack.t1491.001
logsource:
    product: windows
    category: registry_set
detection:
    selection_keys:
        TargetObject|contains:
            - 'Control Panel\Desktop'
            - 'CurrentVersion\Policies\ActiveDesktop'
            - 'CurrentVersion\Policies\System'
    selection_values_1:
        TargetObject|endswith: 'NoChangingWallpaper'
        Details: 'DWORD (0x00000001)' # Prevent changing desktop background
    selection_values_2:
        TargetObject|endswith: '\Wallpaper'
    selection_values_3:
        TargetObject|endswith: '\WallpaperStyle'
        Details: '2' # Stretch
    filter_main_svchost:
        # Note: Excluding GPO changes
        Image|endswith: '\svchost.exe'
    filter_main_empty:
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
        Details: '(Empty)'
    filter_main_explorer:
        # Normally Explorer.exe is the process that changes the desktop background
        Image|endswith: 'C:\Windows\Explorer.EXE'
    filter_optional_ec2launch:
        Image:
            - 'C:\Program Files\Amazon\EC2Launch\EC2Launch.exe'
            - 'C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe'
        TargetObject|endswith: '\Control Panel\Desktop\Wallpaper'
    condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Administrative scripts that change the desktop background to a company logo or other image.
level: medium

low

Replace Desktop Wallpaper by Powershell

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper

status test author frack113 id c5ac6a1e-9407-45f5-a0ce-ca9a0806a287

view Sigma YAML

title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: test
description: |
    An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
    This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'Get-ItemProperty'
            - 'Registry::'
            - 'HKEY_CURRENT_USER\Control Panel\Desktop\'
            - 'WallPaper'
    selection_2:
        ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low

Showing 1-4 of 4

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin