Suspicious Screensaver Binary File Creation
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. This rule watches for the creation of any file whose name ends in .scr and excludes a small set of known benign writers; it complements the registry-focused rule Path To Screensaver Binary Modified, which covers the configuration side of the same technique.
Sigma rule

```yaml
title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
author: frack113
date: 2021-12-29
modified: 2022-11-08
tags:
    - attack.persistence
    - attack.t1546.002
logsource:
    product: windows
    category: file_event   # e.g. Sysmon Event ID 11 (FileCreate) or equivalent EDR telemetry
detection:
    selection:
        # Any newly created file with a .scr extension, regardless of directory
        TargetFilename|endswith: '.scr'
    filter_generic:
        # Known legitimate writers of .scr files
        Image|endswith:
            - '\Kindle.exe'
            - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
    filter_tiworker:
        # Windows servicing stack dropping its own screensaver stub
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
        Image|endswith: '\TiWorker.exe'
        TargetFilename|endswith: '\uwfservicingscr.scr'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
```
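As an added example that is not part of the rule or the Sigma project, the following Python applies the rule's selection and filter logic to a handful of constructed Sysmon Event ID 11 (FileCreate) records. The field names mirror the rule (Image, TargetFilename); the process paths and file names in SAMPLE_EVENTS are made up for this demonstration and are not real telemetry. String comparison follows Sigma's default case-insensitive semantics for the endswith modifier.

```python
"""Evaluate the 'Suspicious Screensaver Binary File Creation' logic over sample events."""

# Constructed sample events modelled on Sysmon Event ID 11 fields.
# Paths and process names are illustrative only (not captured telemetry).
SAMPLE_EVENTS = [
    # 0: script host dropping a .scr into a user-writable directory -> should alert
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\update.scr"},
    # 1: servicing stack writing its own stub -> covered by filter_tiworker
    {"Image": r"C:\Windows\WinSxS\TiWorker.exe",
     "TargetFilename": r"C:\Windows\System32\uwfservicingscr.scr"},
    # 2: known benign writer -> covered by filter_generic
    {"Image": r"C:\Program Files\Amazon\Kindle\Kindle.exe",
     "TargetFilename": r"C:\Program Files\Amazon\Kindle\kindle.scr"},
    # 3: TiWorker writing some other .scr -> filter_tiworker needs BOTH fields, so alert
    {"Image": r"C:\Windows\WinSxS\TiWorker.exe",
     "TargetFilename": r"C:\Windows\Temp\other.scr"},
    # 4: unrelated file type -> selection does not match
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\Documents\report.docx"},
    # 5: upper-case extension -> still matches because Sigma matching is case-insensitive
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\Public\EVIL.SCR"},
]


def _endswith(value, suffixes):
    """Sigma 'endswith' modifier: case-insensitive, true if any listed suffix matches."""
    if isinstance(suffixes, str):
        suffixes = [suffixes]
    haystack = (value or "").lower()
    return any(haystack.endswith(s.lower()) for s in suffixes)


def matches_rule(event):
    """Return True when the event satisfies: selection and not 1 of filter_*."""
    selection = _endswith(event.get("TargetFilename"), ".scr")

    filter_generic = _endswith(event.get("Image"),
                               [r"\Kindle.exe", r"\Bin\ccSvcHst.exe"])

    # Both fields must match for this filter to suppress the event.
    filter_tiworker = (_endswith(event.get("Image"), r"\TiWorker.exe")
                       and _endswith(event.get("TargetFilename"), r"\uwfservicingscr.scr"))

    return selection and not (filter_generic or filter_tiworker)


def alerts(events):
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT  {hit['Image']}  ->  {hit['TargetFilename']}")
```

Event 3 is the case worth noticing: the TiWorker exclusion is deliberately narrow, so the servicing process writing any .scr other than uwfservicingscr.scr still alerts. In a real deployment the file_event category needs Sysmon Event ID 11 or equivalent EDR file-create telemetry to be collected, and the hits should be reviewed together with the registry rule Path To Screensaver Binary Modified, since a dropped .scr only becomes persistence once it is configured as the active screensaver.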
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
Related rules
- Path To Screensaver Binary Modified
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted