title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: experimental
author: frack113
date: 2021/12/26
description: |
    An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
    This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md
logsource:
    product: windows
    category: ps_script
    definition: Script block logging must be enabled
detection:
    selection_1:
        ScriptBlockText|contains|all:
            - 'Get-ItemProperty'
            - 'Registry::'
            - 'HKEY_CURRENT_USER\Control Panel\Desktop\' 
            - 'WallPaper'
    selection_2:
        ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: low
tags:
    - attack.impact
    - attack.t1491.001