Sudden background/lock scren change RRS feed

  • Domanda

  • Hi community!

    I am currently analyzing anomalous behavior related to the sudden change of a bakcground/lock screen on a Windows 10 operating system. The user (not admin) does not remember having performed any action or knowing the brand of the image of the new configured wallpaper (it is the logo of another company), although at the level of commands and logs (via EDR) I can see that the following was executed:

    - C:\Windows\system32\desktopimgdownldr.exe /deskimgurl:https://WWW.DOMAIN.COM/Wallpaper2022V2.jpg /eventName:DesktopImageDownloadCancelEvent

    - C:\Windows\system32\desktopimgdownldr.exe /lockscreenurl:https://WWW.DOMAIN.COM/LockScreen2022V2.jpg /eventName:LockScreenImageDownloadCancelEvent

    The flow of processes would be given by a tree from major to minor as follows:
    1.   wininit.exe
    2.   services.exe
    3.   svchost.exe
    4.   omadmclient.exe
    5.   desktopimgdownldr.exe

    I have been looking for information and although it could be related to some type of LOLBAS attack, it does not seem to be the case since the use and the services executed seem to correspond to those of Windows and would be legitimate. Has anyone experienced a similar case? How could I confirm if it is a security incident or an accident? Could you carry out a proof of concept through the omadmclient.exe process that could confirm for me how to do it? Could you have made that change?

    Thank you very much in advance!
    giovedì 19 gennaio 2023 18:31

Tutte le risposte