title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: test
description: |
    An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
    This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
author: frack113
date: 2021-12-26
tags:
    - attack.impact
    - attack.t1491.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'Get-ItemProperty'
            - 'Registry::'
            - 'HKEY_CURRENT_USER\Control Panel\Desktop\'
            - 'WallPaper'
    selection_2:
        ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low