Suspicious Screensaver Binary File Creation
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. This rule flags the creation of any file with that extension, minus a few known benign writers, so that a dropped screensaver binary is surfaced before the matching registry change points Windows at it.
Sigma rule
title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
author: frack113
date: 2021-12-29
modified: 2022-11-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter_generic:
        Image|endswith:
            - '\Kindle.exe'
            - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
    filter_tiworker:
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
        Image|endswith: '\TiWorker.exe'
        TargetFilename|endswith: '\uwfservicingscr.scr'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
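To see exactly what the condition `selection and not 1 of filter_*` admits and excludes, the following added example (written for this page, not part of the SigmaHQ rule or of any Sigma backend) re-implements the rule's detection block in Python and runs it over constructed Sysmon Event ID 11 (FileCreate) records. The records, the executable paths in them and the `run_rule` / `matches` function names are assumptions made for the illustration; the field names `Image` and `TargetFilename` are the ones the rule itself uses. Sigma string modifiers such as `endswith` compare case-insensitively by default, so the evaluator lower-cases both sides, which is why a `.SCR` file is still caught.

```python
"""Evaluate the 'Suspicious Screensaver Binary File Creation' Sigma logic offline."""

# Suffixes copied from the rule's detection block.
SELECTION_SUFFIX = ".scr"
FILTER_GENERIC_IMAGES = [r"\Kindle.exe", r"\Bin\ccSvcHst.exe"]  # Symantec Endpoint Protection
FILTER_TIWORKER_IMAGE = r"\TiWorker.exe"
FILTER_TIWORKER_TARGET = r"\uwfservicingscr.scr"

# Constructed sample Sysmon Event ID 11 records, reduced to the two fields the
# rule inspects. Paths are illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\update.scr"},
    {"Image": r"C:\Program Files (x86)\Amazon\Kindle\Kindle.exe",
     "TargetFilename": r"C:\Program Files (x86)\Amazon\Kindle\KindleScreenSaver.scr"},
    {"Image": r"C:\Program Files (x86)\Symantec\SEP\14.3\Bin\ccSvcHst.exe",
     "TargetFilename": r"C:\ProgramData\Symantec\sep.scr"},
    {"Image": r"C:\Windows\WinSxS\amd64_servicingstack\TiWorker.exe",
     "TargetFilename": r"C:\Windows\System32\uwfservicingscr.scr"},
    # TiWorker writing any other .scr is NOT exempted: the filter needs both fields.
    {"Image": r"C:\Windows\WinSxS\amd64_servicingstack\TiWorker.exe",
     "TargetFilename": r"C:\Windows\Temp\other.scr"},
    # Upper-case extension: Sigma matching is case-insensitive, so this alerts.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\Temp\setup.SCR"},
    {"Image": r"C:\Users\alice\tool.exe",
     "TargetFilename": r"C:\Users\alice\notes.txt"},
]


def _endswith(value, suffixes):
    """Sigma 'endswith' modifier: case-insensitive suffix match, missing field never matches."""
    if value is None:
        return False
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection(event):
    """selection: TargetFilename|endswith: '.scr'"""
    return _endswith(event.get("TargetFilename"), [SELECTION_SUFFIX])


def filter_generic(event):
    """filter_generic: Image|endswith one of the listed benign writers."""
    return _endswith(event.get("Image"), FILTER_GENERIC_IMAGES)


def filter_tiworker(event):
    """filter_tiworker: both Image and TargetFilename conditions must hold (implicit AND)."""
    return (_endswith(event.get("Image"), [FILTER_TIWORKER_IMAGE])
            and _endswith(event.get("TargetFilename"), [FILTER_TIWORKER_TARGET]))


def matches(event):
    """condition: selection and not 1 of filter_*"""
    return selection(event) and not (filter_generic(event) or filter_tiworker(event))


def run_rule(events):
    """Return the TargetFilename of every event the rule would alert on, in input order."""
    return [ev["TargetFilename"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the block prints three alerts (the dropper's `update.scr`, TiWorker's non-exempt `other.scr`, and the upper-case `setup.SCR`) and stays silent on the Kindle, Symantec and `uwfservicingscr.scr` writes. When tuning the rule, note that `filter_generic` keys only on the writing process name, so any binary renamed to `Kindle.exe` would be exempted too; a tighter exclusion would also constrain the parent path or the target directory.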
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
Related rules
- Suspicious ScreenSave Change by Reg.exe
- Writing Local Admin Share
- Path To Screensaver Binary Modified
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group