Suspicious ScreenSave Change by Reg.exe
- source: sigma
- techniques:
  - t1546
  - t1546.002
Description
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable period of user inactivity; they are Portable Executable (PE) files with a .scr file extension.
Detection logic
    selection_reg:
        CommandLine|contains:
            - HKEY_CURRENT_USER\Control Panel\Desktop
            - HKCU\Control Panel\Desktop
        Image|endswith: \reg.exe
    selection_option_1:
        CommandLine|contains|all:
            - /v ScreenSaveActive
            - /t REG_SZ
            - /d 1
            - /f
    selection_option_2:
        CommandLine|contains|all:
            - /v ScreenSaveTimeout
            - /t REG_SZ
            - '/d '
            - /f
    selection_option_3:
        CommandLine|contains|all:
            - /v ScreenSaverIsSecure
            - /t REG_SZ
            - /d 0
            - /f
    selection_option_4:
        CommandLine|contains|all:
            - /v SCRNSAVE.EXE
            - /t REG_SZ
            - '/d '
            - .scr
            - /f
    condition: selection_reg and 1 of selection_option_*
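To show how the selections above combine, here is an added Python translation of the rule (example code, not part of the Sigma rule or the Sigma project) run over constructed process-creation events. Sigma's `contains` and `endswith` modifiers are case-insensitive, so the comparison lowercases both sides; the constructed events include non-matching cases to show what the rule does not cover, such as the same value written through PowerShell.

```python
# Added example: the rule's selection logic as plain Python, applied to
# constructed process-creation events (Image + CommandLine fields only).

OPTION_SETS = [  # selection_option_1 .. selection_option_4 (contains|all)
    ["/v ScreenSaveActive", "/t REG_SZ", "/d 1", "/f"],
    ["/v ScreenSaveTimeout", "/t REG_SZ", "/d ", "/f"],
    ["/v ScreenSaverIsSecure", "/t REG_SZ", "/d 0", "/f"],
    ["/v SCRNSAVE.EXE", "/t REG_SZ", "/d ", ".scr", "/f"],
]

REG_KEYS = [  # selection_reg: CommandLine|contains
    r"HKEY_CURRENT_USER\Control Panel\Desktop",
    r"HKCU\Control Panel\Desktop",
]


def matches_rule(event):
    """True when 'selection_reg and 1 of selection_option_*' holds."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(r"\reg.exe"):          # Image|endswith: \reg.exe
        return False
    if not any(k.lower() in cmd for k in REG_KEYS):
        return False
    # "1 of selection_option_*": at least one option set fully contained
    return any(all(tok.lower() in cmd for tok in opt) for opt in OPTION_SETS)


# Constructed sample events (not real telemetry); paths are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE '
                    r'/t REG_SZ /d C:\Users\Public\sample.scr /f'},      # option_4
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeout '
                    r'/t REG_SZ /d 60 /f'},                               # option_2
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe query "HKCU\Control Panel\Desktop" /v ScreenSaveActive'},  # read only
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe Set-ItemProperty "HKCU:\Control Panel\Desktop" '
                    r'-Name ScreenSaveActive -Value 1'},                  # not reg.exe
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe add HKCU\Software\Sample /v ScreenSaveActive /t REG_SZ /d 1 /f'},  # other key
]


def scan(events):
    """Return the indices of events that the rule would flag."""
    return [i for i, e in enumerate(events) if matches_rule(e)]
```

Only the first two events fire; the PowerShell and direct-API cases show that this rule covers reg.exe-driven changes and should be paired with registry-event telemetry on the same values for fuller coverage.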