Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
Sigma rule
title: Suspicious ScreenSave Change by Reg.exe
id: 0fc35fc3-efe6-4898-8a37-0b233339524f
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: frack113
date: 2021-08-19
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.t1546.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'HKEY_CURRENT_USER\Control Panel\Desktop'
            - 'HKCU\Control Panel\Desktop'
    selection_option_1: # /force Active ScreenSaveActive
        CommandLine|contains|all:
            - '/v ScreenSaveActive'
            - '/t REG_SZ'
            - '/d 1'
            - '/f'
    selection_option_2: # /force set ScreenSaveTimeout
        CommandLine|contains|all:
            - '/v ScreenSaveTimeout'
            - '/t REG_SZ'
            - '/d '
            - '/f'
    selection_option_3: # /force set ScreenSaverIsSecure
        CommandLine|contains|all:
            - '/v ScreenSaverIsSecure'
            - '/t REG_SZ'
            - '/d 0'
            - '/f'
    selection_option_4: # /force set a .scr
        CommandLine|contains|all:
            - '/v SCRNSAVE.EXE'
            - '/t REG_SZ'
            - '/d '
            - '.scr'
            - '/f'
    condition: selection_reg and 1 of selection_option_*
falsepositives:
    - GPO
level: medium
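To show how the condition above evaluates, here is an added Python example (not part of the Sigma project or this rule) that applies the rule's selections to constructed process_creation events, using Sigma's default case-insensitive substring matching; the event field names and sample command lines are assumptions made for the example.

```python
# Added example, not part of the Sigma project: the rule's selections evaluated
# over constructed process_creation events with Sigma's default case-insensitive
# string matching. Events are dicts with the fields the rule uses.
SELECTION_REG = {
    "image_endswith": "\\reg.exe",
    "cmdline_contains": ["HKEY_CURRENT_USER\\Control Panel\\Desktop",
                         "HKCU\\Control Panel\\Desktop"],
}
# Each selection_option_* is contains|all: every substring must be present.
OPTIONS = {
    "selection_option_1": ["/v ScreenSaveActive", "/t REG_SZ", "/d 1", "/f"],
    "selection_option_2": ["/v ScreenSaveTimeout", "/t REG_SZ", "/d ", "/f"],
    "selection_option_3": ["/v ScreenSaverIsSecure", "/t REG_SZ", "/d 0", "/f"],
    "selection_option_4": ["/v SCRNSAVE.EXE", "/t REG_SZ", "/d ", ".scr", "/f"],
}

def _contains_all(haystack: str, needles) -> bool:
    h = haystack.lower()
    return all(n.lower() in h for n in needles)

def matched_options(event: dict) -> list:
    """Names of the selection_option_* blocks the event satisfies; [] when
    selection_reg (reg.exe touching the HKCU Desktop key) does not match."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith(SELECTION_REG["image_endswith"].lower()):
        return []
    if not any(_contains_all(cmd, [k]) for k in SELECTION_REG["cmdline_contains"]):
        return []
    return [name for name, needles in OPTIONS.items() if _contains_all(cmd, needles)]

def rule_fires(event: dict) -> bool:
    # condition: selection_reg and 1 of selection_option_*
    return bool(matched_options(event))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\reg.exe",   # option_4: sets a .scr
     "CommandLine": 'reg add "HKCU\\Control Panel\\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d C:\\Users\\Public\\test.scr /f'},
    {"Image": "C:\\Windows\\System32\\reg.exe",   # option_2: forces the timeout
     "CommandLine": 'reg add "HKCU\\Control Panel\\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f'},
    {"Image": "C:\\Windows\\System32\\reg.exe",   # read-only query: no /v or /f
     "CommandLine": 'reg query "HKCU\\Control Panel\\Desktop"'},
    {"Image": "C:\\Windows\\System32\\cmd.exe",   # not reg.exe: selection_reg fails
     "CommandLine": 'cmd /c echo /v ScreenSaveActive /t REG_SZ /d 1 /f HKCU\\Control Panel\\Desktop'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(rule_fires(ev), matched_options(ev))
```

The last two events show the two ways the rule stays quiet: a read-only `reg query` satisfies selection_reg but none of the option blocks, and a matching command line from a process other than reg.exe never reaches the option checks.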
Related rules
- Path To Screensaver Binary Modified
- ADCS Certificate Template Configuration Vulnerability
- ADCS Certificate Template Configuration Vulnerability with Risky EKU
- APT PRIVATELOG Image Load Pattern
- AWS Attached Malicious Lambda Layer