Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
Sigma rule
```yaml
title: Suspicious ScreenSave Change by Reg.exe
id: 0fc35fc3-efe6-4898-8a37-0b233339524f
status: test
description: |
  Adversaries may establish persistence by executing malicious content triggered by user inactivity.
  Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
  - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: frack113
date: 2021-08-19
modified: 2022-06-02
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.t1546.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_reg:
    Image|endswith: '\reg.exe'
    CommandLine|contains:
      - 'HKEY_CURRENT_USER\Control Panel\Desktop'
      - 'HKCU\Control Panel\Desktop'
  selection_option_1: # /force set ScreenSaveActive
    CommandLine|contains|all:
      - '/v ScreenSaveActive'
      - '/t REG_SZ'
      - '/d 1'
      - '/f'
  selection_option_2: # /force set ScreenSaveTimeout
    CommandLine|contains|all:
      - '/v ScreenSaveTimeout'
      - '/t REG_SZ'
      - '/d '
      - '/f'
  selection_option_3: # /force set ScreenSaverIsSecure
    CommandLine|contains|all:
      - '/v ScreenSaverIsSecure'
      - '/t REG_SZ'
      - '/d 0'
      - '/f'
  selection_option_4: # /force set a .scr
    CommandLine|contains|all:
      - '/v SCRNSAVE.EXE'
      - '/t REG_SZ'
      - '/d '
      - '.scr'
      - '/f'
  condition: selection_reg and 1 of selection_option_*
falsepositives:
  - GPO
level: medium
```
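To show how the detection block above behaves on real telemetry, here is an added example (not part of the SigmaHQ rule or this page) that re-implements the rule's `selection_reg and 1 of selection_option_*` logic in Python and runs it over constructed process_creation events; field names follow the rule, matching is case-insensitive as in Sigma's default string comparison, and every command line is constructed sample data.

```python
"""Evaluate the 'Suspicious ScreenSave Change by Reg.exe' logic (added example)."""
from typing import Iterable

# Sigma string modifiers (contains, endswith) compare case-insensitively by default.
def _contains_all(haystack: str, needles: Iterable[str]) -> bool:
    h = haystack.lower()
    return all(n.lower() in h for n in needles)

def _contains_any(haystack: str, needles: Iterable[str]) -> bool:
    h = haystack.lower()
    return any(n.lower() in h for n in needles)

# selection_reg: the registry paths the rule looks for in the command line.
DESKTOP_KEYS = [r'HKEY_CURRENT_USER\Control Panel\Desktop', r'HKCU\Control Panel\Desktop']

# selection_option_1..4, keyed by the value name each block targets.
OPTIONS = {
    'ScreenSaveActive':    ['/v ScreenSaveActive', '/t REG_SZ', '/d 1', '/f'],
    'ScreenSaveTimeout':   ['/v ScreenSaveTimeout', '/t REG_SZ', '/d ', '/f'],
    'ScreenSaverIsSecure': ['/v ScreenSaverIsSecure', '/t REG_SZ', '/d 0', '/f'],
    'SCRNSAVE.EXE':        ['/v SCRNSAVE.EXE', '/t REG_SZ', '/d ', '.scr', '/f'],
}

def matches(event: dict) -> list[str]:
    """Return the value names whose selection_option block fires; [] means no alert."""
    image = event.get('Image', '')
    cmd = event.get('CommandLine', '')
    if not image.lower().endswith('\\reg.exe'):        # Image|endswith
        return []
    if not _contains_any(cmd, DESKTOP_KEYS):           # CommandLine|contains
        return []
    return [name for name, needles in OPTIONS.items() if _contains_all(cmd, needles)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\System32\reg.exe',
     'CommandLine': r'reg add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d C:\Users\Public\update.scr /f'},
    {'Image': r'C:\Windows\System32\reg.exe',
     'CommandLine': r'reg add "HKCU\Control Panel\Desktop" /v ScreenSaveTimeout /t REG_SZ /d 60 /f'},
    # Benign read of the same key: no /t, no /f, so no option block completes.
    {'Image': r'C:\Windows\System32\reg.exe',
     'CommandLine': r'reg query "HKCU\Control Panel\Desktop" /v ScreenSaveActive'},
]

def scan(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Pair each command line with the option blocks it triggered."""
    return [(e['CommandLine'], matches(e)) for e in events]

if __name__ == '__main__':
    for cmd, hits in scan(SAMPLE_EVENTS):
        print('ALERT' if hits else 'ok   ', hits, cmd)
```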
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
Related rules
- Suspicious Screensaver Binary File Creation
- Writing Local Admin Share
- Path To Screensaver Binary Modified
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group