LoFP / legitimate use of screen saver

Techniques

Sample rules

ScreenSaver Registry Key Set

Description

Detects the SCRNSAVE.EXE registry value being set after a masqueraded .scr file is executed via Rundll32 through desk.cpl

Detection logic

condition: selection and registry and not filter
filter:
  Details|contains:
  - C:\Windows\System32\
  - C:\Windows\SysWOW64\
registry:
  Details|endswith: .scr
  TargetObject|contains: \Control Panel\Desktop\SCRNSAVE.EXE
selection:
  Image|endswith: \rundll32.exe